SlideShare a Scribd company logo

GDPR Compliance Guide

"
"John "Jeb"" Beckwith

1) The GDPR grants EU citizens various personal data rights and requires organizations to respond to data requests within 72 hours or face penalties up to 4% of global revenues. 2) To assess GDPR risk, companies should consider if they have any interaction with EU citizens through business activities, employees, investors, or incidental data collection that could include EU personal data. 3) If any risk is found, companies must establish a written GDPR compliance structure that defines responsible parties for data controller, processor, and protection officer roles to oversee personal data processing, storage, and deletion according to GDPR requirements.

Business
1 of 4
Download to read offline
GDPR Refresher The General Data Protection Regulation (GDPR)1 is the new, overarching regulation governing the security of personal data across all companies doing business in Europe or with Europeans. GDPR grants EU citizens eight specific personal data rights2 including the Right of Access3 to their personal data, the Right to be Forgotten,4 and the Right of Data Portability. Organizations must be able to respond to requests within seventy-two hours, and penalties can amount to 4 percent of global revenues. Three Steps to Solving the GDPR Challenge 1. Initial Risk Assessment. If you have no interaction with European Union (EU) citizens, then you have no GDPR exposure, but consider this question broadly. Even if you have no direct business operations in Europe, or your businesses are all business-to-business, you could still be exposed through incidental contact to Personal Data (PD).5 PD under GDPR include not only basic identity information such as name, address, and identification numbers,6 but also personally indefinable data on biometrics, political opinions, race, ethnicity, sexual orientation, and genetics. Consider the following questions prior to ruling out the need for a GDPR remediation plan: a. Do any of your businesses sell or market to EU citizens? b. Is there a possibility you might employ any EU citizen? c. Do you have any investors who might reside in the EU or be citizens of the EU? REGULATORY PERSPECTIVES January 30th , 2018 Volume - 2 Series - 2 By Jeb Beckwith – Managing Director, GreenPoint Financial and Sanjay Sharma, Ph.D. – Chairman, GreenPoint Financial GreenPoint> Financial sanjay@greenpoint.financial jeb@greenpoint.financial www.greenpoint.financial OUR SECOND PUBLICATION IN THE GDPR SERIES Solving the GDPR Tangle, Without Costing a Fortune
2 d. Do you gather any personal data under requirements of other regulations such as anti-money laundering (AML), know your customer (KYC), HIPAA,7 or other regulatory mandates? e. Is it possible that any employee uses social media sites at work which could incidentally capture PD on E.U. citizens. Examples could include FaceBook, LinkedIn, Instagram, and Snapchat, as well as communications apps such as WhatsApp and Bloomberg Messenger. f. Is it possible that any computer on your network might incidentally capture the political opinions or “personally identifiable web data”8 of any EU citizen? Incidental data ingestion at the corporate level can be insidious and costly under GDPR. If you answer yes to any of the questions above, then you’ll need to establish a GDPR assessment and governance strategy. Even if you answer no to all these questions, you should establish a governance control that addresses any new initiative. 2. Establish a Written, Transparent, Data Governance Structure. GDPR defines three mandatory roles for compliance. These roles can be vested within stand-alone full- time equivalents (FTEs) or can be added responsibilities and authorities vested with existing staff. Attribution of these roles will vary based on the size of a company and the size of its potential overlap with EU PD. The important point is that companies must ensure there is an accountable person assigned to each of the roles below. a. Data Controller (DC). The DC defines and controls the processing of PD, both internally and through third-party vendors. This includes how PD are processed as well as the purpose for collecting, storing, and disposing of PD. b. Data Processor (DP). DPs engage in the daily processing of PD. DPs may be internal to the company or may exist as third-party vendors. c. Data Protection Officer (DPO). The DPO is the principally responsible party for overall GDPR compliance. Specific responsibilities under Article 399 are to: i. Inform and advise the DC and DPs of their obligations; ii. Monitor compliance with this and other EU or Member State regulations related to PD; iii. Provide advice and education to other areas of the company regarding PD compliance; iv. Cooperate with supervisory authorities; v. Act as the contact point for supervisory authorities and consult with supervisors where appropriate. Roles, responsibilities, and authorities for each of these positions should be communicated to and acknowledged by the responsible party or parties in writing at least annually. Revised acknowledgments should also accompany any change in responsible party. These records should be retained and available for audit or supervisory review at any time. 3. Establish Clear Policies and Procedures to Prove High Data Hygiene Standards. These should be openly communicated throughout your organization and should include: a. A Culture of PD Minimization. PD can be ingested in in many diverse ways. To protect the firm, consider the following protections: i. Restrict the use of social media sites using company infrastructure, particularly sites in which political opinions are regularly expressed; ii. Establish clear policies for the retention and processing of PD. These should include guidance on when PD must be retained for compliance with other regulations; iii. Establish policies and procedures for how and where required PD will be ingested, processed, stored, and removed. These should include time frames for retention and disposition; iv. Establish policies and procedures for regular scrubbing and removal of unneeded PD; v. Establish annual internal audits and compliance checks against policies and procedures. You should understand and remediate deficiencies prior to your supervisory audit. b. End-User Computing (EUC) Tracking. As discussed, PD can be ingested, processed, and stored in
3 multiple ways and locations within your organization. Clearly articulated and communicated EUC policies are your first line of defense for passing supervisory scrutiny. Comprehensive EUC policies should include direction to all employees on: i. The definition of PD; ii. Prohibited and allowed vehicles for PD ingestion; iii. Procedures for reporting PD; iv. Procedures for responding to and escalating PD requests on a timely (e.g., well within seventy-two-hour) basis; v. Responsibilities and authorities of the DC, DPs, and DPO in monitoring and enforcing EUC policy compliance. c. Robust Data Compliance Technology. Consistent GDPR compliance will not be possible without some assistance from EUC technology. Analysis of any internal or vendor solutions should include an assessment of the following capabilities: i. Tracking changes to critical XL, Word, PDF, email, and system files with similar or identical names stored in multiple locations; ii. Establishing reviewers and approvers for changes to critical files, particularly XL files; iii. Auditable reports and easy reconciliation creating reliable evidence for supervisory and internal audit review. d. A Culture of Responsiveness. Consequences for GDPR noncompliance escalate dramatically with high-response latency. EU citizens have the right to request their PD be moved, destroyed, or revealed in a prompt and robust manner. Detailed policies and procedures that have considered the legitimate reasons for your company to retain data will expedite response times and mitigate the consequences of mistakes. 4. Plan for Data Breaches. It is estimated that only 4 percent of global data today is encrypted. Data breaches are now ubiquitous; it is no longer a matter of if your company will be breached, but when. Under GDPR, the consequences of a data breach are significant, but they can be greatly mitigated by rapid response. Consider taking the following steps before a breach. a. Prepare a Written Plan. The plan for a data breach must include roles and responsibilities for any employee who might encounter PD from an EU citizen. The plan should include specific details about identifying a potential breach, escalating the threat to the DPO, and the importance of rapid escalation. The plan should also include procedures for notifying the supervisor and any impacted individual. b. Test the Plan. GDPR requires that companies report breaches within seventy-two hours of an incident. You will only know if your processes and procedures can meet this test through periodic testing and evaluation. Results of these tests can be shared with your supervisor and/or compliance staff. c. Limit Sharing. PD must be carefully controlled. Restrictions should be put on sharing data with counter-parties or within jurisdictions that are known to have compromised data security protocols. This is the second in our series regarding GDPR implementation. As we move closer to the May effective date, please look for further publications on lessons learned and best practices.
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, found at http:// ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf. 2. Ibid., Chapter 3 3. Ibid., Article 15 4. Ibid., Article 17 5. Note that the EU definition of PD is significantly broader than other jurisdictions, such as the US definition of Personally Identifiable Information (PII). The EU definition of PD under the Data Protection Directive 95/46/EC is found at https://ec.europa.eu/health/data_collection/data_protection/in_eu_en. 6. Note that ID numbers i nclude not only government issued IDs but may also include IP addresses, cookie data, and RFID tags that can be traced back to an individual. 7. Health Insurance Portability and Accountability Act of 1996, https://www.enisa.europa.eu/topics/threat-risk- management/risk-management/current-risk/laws-regulation/data-protection-privacy/health-insurance- portability-and-accountability-act 8. Such as IP addresses, RFID tags, cookie data, or location tracking 9. https://gdpr-info.eu/art-39-gdpr/

Recommended

Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR"John "Jeb"" Beckwith
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR"John "Jeb"" Beckwith
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?Gabrielė Songin
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?VILT
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
Cross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldCross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldParsons Behle & Latimer
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 

Recommended

Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR"John "Jeb"" Beckwith
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR"John "Jeb"" Beckwith
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?Gabrielė Songin
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?VILT
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
Cross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldCross Border Data Transfers and the Privacy Shield
Cross Border Data Transfers and the Privacy ShieldParsons Behle & Latimer
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmChris White
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationJoseph V. Moreno
 
GAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataGAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataChristina Gagnier
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Data Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce InsightData Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce Insightbabelforce
 
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...Ben Allen
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
Best Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information SecurityBest Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information Securitysatyakam_biswas
 
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...Feroot
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpraudrey miguel
 
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)WBDC of Florida
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber AttackBrian Miller, Solicitor
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)BenjaminShalevSalovi
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate RulesJan Dhont
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet LawKlemchuk LLP
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paperGraeme Cross
 

More Related Content

What's hot

GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmChris White
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationJoseph V. Moreno
 
GAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataGAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataChristina Gagnier
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
Data Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce InsightData Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce Insightbabelforce
 
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...Ben Allen
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
Best Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information SecurityBest Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information Securitysatyakam_biswas
 
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...Feroot
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpraudrey miguel
 
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)WBDC of Florida
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)BenjaminShalevSalovi
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.Steven Salter
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?David Erdos
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate RulesJan Dhont
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet LawKlemchuk LLP
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliantSiddharth Ram Dinesh
 

What's hot (20)

GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, Ecosystm
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
GAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big DataGAMABrief: When Education Meets Big Data
GAMABrief: When Education Meets Big Data
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?
 
Data Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce InsightData Protection in the EU | babelforce Insight
Data Protection in the EU | babelforce Insight
 
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
Navigating Privacy Laws When Developing And Deploying Location Tracking Appli...
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
Best Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information SecurityBest Practices In Corporate Privacy & Information Security
Best Practices In Corporate Privacy & Information Security
 
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
EXPERT WEBINAR: GDPR One Year Later — What Can We Learn from Investigations a...
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdprCognizant business consulting the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
Treasure Data Marketers Guide to GDPR (Global Data Protection Regulation)
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber Attack
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
UK GDPR: What New Direction?
UK GDPR: What New Direction?UK GDPR: What New Direction?
UK GDPR: What New Direction?
 
Understanding Binding Corporate Rules
Understanding Binding Corporate RulesUnderstanding Binding Corporate Rules
Understanding Binding Corporate Rules
 
20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law20 New Trends and Developments in Computer and Internet Law
20 New Trends and Developments in Computer and Internet Law
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 

Similar to GDPR Compliance Guide

GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paperGraeme Cross
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessOmo Osagiede
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowVisitor Analytics
 
Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)Kwanko
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Gerson Trigueiros
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliancePeter Goldbrunner
 
GDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadGDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadVisitor Analytics
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Pat Coyle
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 
Members evening - data protection
Members evening - data protectionMembers evening - data protection
Members evening - data protectionMRS
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulationFahad Ameen
 
A Brief Overview on GDPR
A Brief Overview on GDPRA Brief Overview on GDPR
A Brief Overview on GDPRNeha Patel
 
The Countdown to the GDPR Regulations
The Countdown to the GDPR RegulationsThe Countdown to the GDPR Regulations
The Countdown to the GDPR RegulationsElliot Reeman
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firmsaccenture
 

Similar to GDPR Compliance Guide (20)

GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
GDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to KnowGDPR's Impact on Social Media - Everything You Need to Know
GDPR's Impact on Social Media - Everything You Need to Know
 
Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)Infographic : What's going to change with the GDPR (2018)
Infographic : What's going to change with the GDPR (2018)
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
 
Five strategies for gdpr compliance
Five strategies for gdpr complianceFive strategies for gdpr compliance
Five strategies for gdpr compliance
 
GDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadGDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free Download
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017Rollits Education Focus Summer 2017
Rollits Education Focus Summer 2017
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
Members evening - data protection
Members evening - data protectionMembers evening - data protection
Members evening - data protection
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulation
 
BDVe Webinar Series - Making GDPR for SMEs
BDVe Webinar Series - Making GDPR for SMEsBDVe Webinar Series - Making GDPR for SMEs
BDVe Webinar Series - Making GDPR for SMEs
 
A Brief Overview on GDPR
A Brief Overview on GDPRA Brief Overview on GDPR
A Brief Overview on GDPR
 
The Countdown to the GDPR Regulations
The Countdown to the GDPR RegulationsThe Countdown to the GDPR Regulations
The Countdown to the GDPR Regulations
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firms
 

Recently uploaded

Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCRsoniya singh
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfmuskan1121w
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Timedelhimodelshub1
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCRsoniya singh
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedKaiNexus
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...lizamodels9
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitHolger Mueller
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableDipal Arora
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 

Recently uploaded (20)

Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Mehrauli Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Mahipalpur 🔝 Delhi NCR
 
rishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdfrishikeshgirls.in- Rishikesh call girl.pdf
rishikeshgirls.in- Rishikesh call girl.pdf
 
Call Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any TimeCall Girls Miyapur 7001305949 all area service COD available Any Time
Call Girls Miyapur 7001305949 all area service COD available Any Time
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfCatalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… AbridgedLean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
Lean: From Theory to Practice — One City’s (and Library’s) Lean Story… Abridged
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
Progress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst SummitProgress Report - Oracle Database Analyst Summit
Progress Report - Oracle Database Analyst Summit
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
Best Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting PartnershipBest Practices for Implementing an External Recruiting Partnership
Best Practices for Implementing an External Recruiting Partnership
 
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Greater Noida ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRegression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 

GDPR Compliance Guide

  • 1. GDPR Refresher The General Data Protection Regulation (GDPR)1 is the new, overarching regulation governing the security of personal data across all companies doing business in Europe or with Europeans. GDPR grants EU citizens eight specific personal data rights2 including the Right of Access3 to their personal data, the Right to be Forgotten,4 and the Right of Data Portability. Organizations must be able to respond to requests within seventy-two hours, and penalties can amount to 4 percent of global revenues. Three Steps to Solving the GDPR Challenge 1. Initial Risk Assessment. If you have no interaction with European Union (EU) citizens, then you have no GDPR exposure, but consider this question broadly. Even if you have no direct business operations in Europe, or your businesses are all business-to-business, you could still be exposed through incidental contact to Personal Data (PD).5 PD under GDPR include not only basic identity information such as name, address, and identification numbers,6 but also personally indefinable data on biometrics, political opinions, race, ethnicity, sexual orientation, and genetics. Consider the following questions prior to ruling out the need for a GDPR remediation plan: a. Do any of your businesses sell or market to EU citizens? b. Is there a possibility you might employ any EU citizen? c. Do you have any investors who might reside in the EU or be citizens of the EU? REGULATORY PERSPECTIVES January 30th , 2018 Volume - 2 Series - 2 By Jeb Beckwith – Managing Director, GreenPoint Financial and Sanjay Sharma, Ph.D. – Chairman, GreenPoint Financial GreenPoint> Financial sanjay@greenpoint.financial jeb@greenpoint.financial www.greenpoint.financial OUR SECOND PUBLICATION IN THE GDPR SERIES Solving the GDPR Tangle, Without Costing a Fortune
  • 2. 2 d. Do you gather any personal data under requirements of other regulations such as anti-money laundering (AML), know your customer (KYC), HIPAA,7 or other regulatory mandates? e. Is it possible that any employee uses social media sites at work which could incidentally capture PD on E.U. citizens. Examples could include FaceBook, LinkedIn, Instagram, and Snapchat, as well as communications apps such as WhatsApp and Bloomberg Messenger. f. Is it possible that any computer on your network might incidentally capture the political opinions or “personally identifiable web data”8 of any EU citizen? Incidental data ingestion at the corporate level can be insidious and costly under GDPR. If you answer yes to any of the questions above, then you’ll need to establish a GDPR assessment and governance strategy. Even if you answer no to all these questions, you should establish a governance control that addresses any new initiative. 2. Establish a Written, Transparent, Data Governance Structure. GDPR defines three mandatory roles for compliance. These roles can be vested within stand-alone full- time equivalents (FTEs) or can be added responsibilities and authorities vested with existing staff. Attribution of these roles will vary based on the size of a company and the size of its potential overlap with EU PD. The important point is that companies must ensure there is an accountable person assigned to each of the roles below. a. Data Controller (DC). The DC defines and controls the processing of PD, both internally and through third-party vendors. This includes how PD are processed as well as the purpose for collecting, storing, and disposing of PD. b. Data Processor (DP). DPs engage in the daily processing of PD. DPs may be internal to the company or may exist as third-party vendors. c. Data Protection Officer (DPO). The DPO is the principally responsible party for overall GDPR compliance. Specific responsibilities under Article 399 are to: i. Inform and advise the DC and DPs of their obligations; ii. Monitor compliance with this and other EU or Member State regulations related to PD; iii. Provide advice and education to other areas of the company regarding PD compliance; iv. Cooperate with supervisory authorities; v. Act as the contact point for supervisory authorities and consult with supervisors where appropriate. Roles, responsibilities, and authorities for each of these positions should be communicated to and acknowledged by the responsible party or parties in writing at least annually. Revised acknowledgments should also accompany any change in responsible party. These records should be retained and available for audit or supervisory review at any time. 3. Establish Clear Policies and Procedures to Prove High Data Hygiene Standards. These should be openly communicated throughout your organization and should include: a. A Culture of PD Minimization. PD can be ingested in in many diverse ways. To protect the firm, consider the following protections: i. Restrict the use of social media sites using company infrastructure, particularly sites in which political opinions are regularly expressed; ii. Establish clear policies for the retention and processing of PD. These should include guidance on when PD must be retained for compliance with other regulations; iii. Establish policies and procedures for how and where required PD will be ingested, processed, stored, and removed. These should include time frames for retention and disposition; iv. Establish policies and procedures for regular scrubbing and removal of unneeded PD; v. Establish annual internal audits and compliance checks against policies and procedures. You should understand and remediate deficiencies prior to your supervisory audit. b. End-User Computing (EUC) Tracking. As discussed, PD can be ingested, processed, and stored in
  • 3. 3 multiple ways and locations within your organization. Clearly articulated and communicated EUC policies are your first line of defense for passing supervisory scrutiny. Comprehensive EUC policies should include direction to all employees on: i. The definition of PD; ii. Prohibited and allowed vehicles for PD ingestion; iii. Procedures for reporting PD; iv. Procedures for responding to and escalating PD requests on a timely (e.g., well within seventy-two-hour) basis; v. Responsibilities and authorities of the DC, DPs, and DPO in monitoring and enforcing EUC policy compliance. c. Robust Data Compliance Technology. Consistent GDPR compliance will not be possible without some assistance from EUC technology. Analysis of any internal or vendor solutions should include an assessment of the following capabilities: i. Tracking changes to critical XL, Word, PDF, email, and system files with similar or identical names stored in multiple locations; ii. Establishing reviewers and approvers for changes to critical files, particularly XL files; iii. Auditable reports and easy reconciliation creating reliable evidence for supervisory and internal audit review. d. A Culture of Responsiveness. Consequences for GDPR noncompliance escalate dramatically with high-response latency. EU citizens have the right to request their PD be moved, destroyed, or revealed in a prompt and robust manner. Detailed policies and procedures that have considered the legitimate reasons for your company to retain data will expedite response times and mitigate the consequences of mistakes. 4. Plan for Data Breaches. It is estimated that only 4 percent of global data today is encrypted. Data breaches are now ubiquitous; it is no longer a matter of if your company will be breached, but when. Under GDPR, the consequences of a data breach are significant, but they can be greatly mitigated by rapid response. Consider taking the following steps before a breach. a. Prepare a Written Plan. The plan for a data breach must include roles and responsibilities for any employee who might encounter PD from an EU citizen. The plan should include specific details about identifying a potential breach, escalating the threat to the DPO, and the importance of rapid escalation. The plan should also include procedures for notifying the supervisor and any impacted individual. b. Test the Plan. GDPR requires that companies report breaches within seventy-two hours of an incident. You will only know if your processes and procedures can meet this test through periodic testing and evaluation. Results of these tests can be shared with your supervisor and/or compliance staff. c. Limit Sharing. PD must be carefully controlled. Restrictions should be put on sharing data with counter-parties or within jurisdictions that are known to have compromised data security protocols. This is the second in our series regarding GDPR implementation. As we move closer to the May effective date, please look for further publications on lessons learned and best practices.
  • 4. 1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, found at http:// ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf. 2. Ibid., Chapter 3 3. Ibid., Article 15 4. Ibid., Article 17 5. Note that the EU definition of PD is significantly broader than other jurisdictions, such as the US definition of Personally Identifiable Information (PII). The EU definition of PD under the Data Protection Directive 95/46/EC is found at https://ec.europa.eu/health/data_collection/data_protection/in_eu_en. 6. Note that ID numbers i nclude not only government issued IDs but may also include IP addresses, cookie data, and RFID tags that can be traced back to an individual. 7. Health Insurance Portability and Accountability Act of 1996, https://www.enisa.europa.eu/topics/threat-risk- management/risk-management/current-risk/laws-regulation/data-protection-privacy/health-insurance- portability-and-accountability-act 8. Such as IP addresses, RFID tags, cookie data, or location tracking 9. https://gdpr-info.eu/art-39-gdpr/