Presentation on GDPR which is neither technical nor product specific, focusing on the manufacturing industry and providing a non-expert view on what the regulation is all about.
Targeted at senior management who have direct responsibility for the treatment (direct or indirect) of personal data.
GDPR - a view for the non experts
1. EU General Data Protection Regulation
A non-expert interpretation targeted to manufacturing/B2B companies
Claudio Bolla
2. Personal introduction and disclaimer
I have been working for over 20 years in the Information Technology space in various countries and roles. In the past 5 years I specialized in IT Security, obtaining formal and professional certificates on the subject. I am not a lawyer and this presentation is not to be considered legal advice, but it is meant to provide additional insight into the topic!
In the last 20 plus months I followed closely the various GDPR discussions and presentations. None seemed to be geared toward the manufacturing sector and to companies that work in the B2B space, where there is a restricted amount of personal data.
This presentation is my collected knowledge on the topic gathered during the past months from various presentations I attended and from my interpretation of the written regulation.
The document is not a guide, but a tool geared toward the manufacturing industry and small companies that operate in the B2B space, where I try to bring a logical, vendor-neutral view of what is required and how it may affect companies.
This presentation will help you to rationalize and better judge vendor or expert advice that you will anyway require.
3. Introduction
There is a lot of talk about the new EU Regulation on Personal data…
◦ It will be implemented in the upcoming months
◦ All companies will need to adapt and adjust to comply
Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
The Regulation is not prescriptive and will need some interpretation
◦ It does not state how and when to protect data
◦ It does not impose a process or security measure on data processing
◦ It only defines what data has to be protected and what needs to be communicated
Data Protection is a business process and risk objective
◦ IT & Information Security provide the technical measures to mitigate the risk and comply with the regulation for electronically stored data (the regulation also applies to physical/paper data)
4. Key points (1/2)
Under EU law, any processing of personal data requires a justification
◦ (e.g., consent, compliance with law, legitimate interests)
Territorial applicability:
◦ The GDPR also applies to all EU entities and many foreign companies working with EU data
Personal data: Definition widened (i.e. less room for anonymization)
◦ Anything that identifies directly or indirectly a physical person
Consent: Conditions for valid consent become stricter
◦ You need explicit consent
Information obligations:
◦ Much more information has to be provided than in previous regulations
5. Key points (2/2)
Data subject rights: Data subjects get new access and intervention rights on the use and purpose of the data
Governance: The work load in particular regarding the documentation increases
◦ Need to keep track of explicit consent, need to do a Privacy Impact Assessment
Buzzwords: Privacy by Design in developing applications and tools
Sanctions: Severe sanctions
Time to national law: May 22, 2016
◦ EU Regulations are applied straight into national law without additional requirements
Time to implement/enforce: May 25, 2018
◦ Time by when companies and governments need to be ready to comply and to audit.
◦ No apparent extension is foreseen or published (at least not at this stage)
6. Who is covered by the GDPR?
All EU based companies (including UK based)
Many non-EU companies who hold or process EU citizen personal data
Whoever participates in processing activities of companies in the EU
Whoever processes data of clients who are served and located in the EU
Whoever analyses the activities of EU visitors of its own website or app
But: The applicable rules are not the same for companies outside the EU
◦ Concept of a "lead authority" (for the purposes of a one-stop-shop) does not apply, i.e. each authority can act in a competing manner (within its territory)
◦ Foreign companies may not be able to rely on exceptions and justifications set forth by EU law (i.e. Union or member state law) (e.g., Art. 6(1)(c), 22(2), 23)
◦ Obligation of foreign companies to designate a person within the EU, who "represents" them "with regard to their respective obligations" (cf. Cons. 80)
◦ But: Direct enforcement of administrative measures and sanctions against companies outside of the EU may not work legally and practically
7. Who is covered by the GDPR? (diagram)
Roles shown: 1 Controller; 2 Processor; 3 Controller or Processor
Triggers shown: Monitoring behavior; Offering of goods or services; Participation; Choice of law
8. Talking about sanctions ...
Each (national) authority may issue administrative sanctions
◦ They shall be "effective, proportionate and dissuasive"
◦ Concerning governance & data of children: EUR 10m or 2% of worldwide turnover, whichever is higher (revenue of the legal entity at issue, not the entire group)
◦ With regards to substantive breaches of the regulation: EUR 20m or 4% of worldwide turnover (tied to the group of companies and not legal entities)
If administrative sanctions are not possible, other penalties are permitted
Authorities have the powers to intervene against data processing activities
◦ They can temporarily or permanently stop a certain data processing
◦ They are obliged to deal with each complaint of a data subject
◦ Data subjects can enforce their rights and claims (e.g., damages) by court
◦ Associations can act on behalf of data subjects or on their own
Note: Non-EU countries already have or will have sanctions, as well
Applies also to manufacturing/B2B
9. Personal Data - Definition
Legal entities and related data do not fall into the definition of personal data
Most of B2B data will therefore be personnel related
But not only!!
The EU increasingly follows an "absolute" approach with regard to the definition of personal data
10. Consent
Relevance: Apart from the performance of a contract, a legal obligation and "legitimate interests", consent is the most important ground for data processing
Consent must be presented clearly distinguishable from other matters
Consent can always be withdrawn (with effect for the future; right to erasure)
Consent that has already been validly obtained in the past continues to be valid (need to have proof).
Shall the consent provided within a contract be optional with regard to all data processing activities that are not necessary for the performance of the contract (Art. 7(4))?
Will Manufacturing/B2B need to request consent from all physical persons for data processing? Including employees??
11. Information duties
The principle of transparency is supplemented by an obligation to inform on a number of defined points
◦ To the extent the data subject has not yet been informed
◦ Also applies in case of indirect data collection (max. 1 month), except where it is impossible, results in a disproportionate effort or defeats the purpose (in which case alternatives such as information on a website shall be pursued)
◦ Obligation to inform also applies in case of (later) secondary purposes
Consequence: Extensive privacy notices become mandatory
◦ Upon first contact or collection
◦ On the website for all cases of indirect data collection not covered otherwise
◦ Few exceptions, such as internal investigations
Pro memoria: An obligation to inform may also exist in cases of data breaches
Applies to manufacturing/B2B
12. Inform on what? (1/2)
Name and contact details of the controller and the data protection officer
Purposes of use, data categories, categories of recipients (if any)
Legitimate interests, if relied upon
Whether exports are intended, whether to a whitelisted country, and if not, where the data subject can obtain a copy of the safeguards used
Data sources (if data is collected indirectly)
Period for which data will be stored (or criteria used to determine it)
Manufacturing and B2B will need to inform employees and third parties of the data processing and related changes in the processing
For example a change in payroll provider or a new location of a data repository
13. Inform on what? (2/2)
Information on the rights of the data subject to access, rectification, erasure, restriction, objection and data portability
Right to withdraw a consent (and, where applicable, the consequences)
Right to lodge a complaint with the supervisory authority
Whether the data requested is necessary for the performance of a contract and the consequences of not disclosing the data requested
Automated decision-making (including profiling), its logic and consequences
Applies to manufacturing/B2B
14. Data subject rights
Data subject rights are significantly extended and become more complicated
◦ It remains unclear to which extent data subjects will make use of them
◦ They may require changes to data processing procedures and systems
All requests must be complied with at no charge and within one month
◦ Extension of the deadline by two months is possible
◦ In case of "manifestly unfounded or excessive" requests it is possible to charge a reasonable fee or refuse to act upon the request
◦ Previous data recipients may have to be informed of the request
Right of access and data portability (= return of own data)
Right to rectification
Right to erasure ("right to be forgotten"), restriction (= partial usage ban) and objection (= complete usage ban)
Right to "human intervention" in case of automated decision-making
Applies to manufacturing/B2B
15. Erasure, restriction and objection
Are you able to erase data from your systems in case a data subject withdraws his or her consent you have relied upon?
Are you able to suspend the processing of data where you failed to fully comply with the GDPR, where the accuracy of the data is contested or where an objection has been filed?
Which data do you really need for the establishment, exercise or defense of legal claims or compliance with EU law (the two main reasons you have for justifying not to delete data upon request)?
16. Data portability 1/2
Five preconditions (cumulative)
◦ Personal data of the data subject
◦ Provided (by the data subject) to a controller (not just processor)
◦ Processing is based on consent or a contract
◦ Processing is carried out by automated means
◦ Rights and freedoms of other persons are not adversely affected
17. Data portability 2/2
What can the data subject ask for?
◦ Return of the data in a "structured, commonly used and machine-readable format" in order to pass it along to another controller
◦ Where technically feasible, to have it transmitted directly to the other controller
Typical use cases are still unclear, but may include
◦ Doctors (patient data)? Banks (orders)? Auction platforms (offerings)? Telcos (CDRs)? Online shops (past orders)? Employers (job application data & payroll)?
May apply to manufacturing/B2B depending on the data
18. Automated decisions, profiling
Prohibition or a right to object?
Option 1: Profiling or automated decisions are used only where they do not produce legal or similar effects for the data subject (e.g., personalized ads)
Option 2: Profiling or automated decisions are used only for entering into or performing a contract, without sensitive data, and the data subject has the right to present his or her view to a human and have the decision reconsidered
Option 3: Explicit consent is obtained beforehand, and steps are taken to deal with its withdrawal; human intervention must still be possible
The provision aims at automated credit or e-recruitment decisions without human intervention, but applies to many other cases, e.g., personalized prices, activation of software, security monitoring
Should not apply to manufacturing/B2B depending on the data
19. Governance 1/2
Concept of "accountability": The controller has to be able to "prove" its compliance
Contracts with processors: Detailed requirements as to what the contract has to cover, but not many changes in substance (exception: veto on sub-processors)
Maintaining records of processing activities becomes mandatory, also for processors; the minimum required content corresponds plus/minus to what is required pursuant to Art. 11a DPA, plus information on exports, retention periods, and technical and organizational measures undertaken
20. Governance 2/2
Obligation to undertake a formal privacy impact assessment (PIA) in case of likely "high risk" projects, and to consult the supervisory authority beforehand if the project is indeed of high (privacy) risk absent mitigation measures
If the business of a company is based on the monitoring of individuals or on the processing of sensitive data, then a data protection officer must be appointed
Applies to manufacturing/B2B
21. Data Breach Notifications 1/2
All breaches of measures to protect personal data have to be recorded and – if privacy risks to data subjects are likely – notified to the supervisory authority (within 72 hours)
What has happened? Who is affected? Consequences? Measures? Contacts? The provision focuses on IT security breaches (hacking, data theft, wrongly sent e-mails, invoice mix-ups), but can also apply to other violations of data protection provisions (e.g., use of data in violation of binding instructions)
22. Data Breach Notifications 2/2
Notification of data subjects is necessary (only) in case of a high risk to them
◦ Not necessary in case of measures that prevent access by third parties (e.g., encrypted data) or if the risk has in all likelihood been eliminated
If informing involves a disproportionate effort: A publication of the notification or an "equally effective" measure is possible, too
Data encryption does not remove the requirement to notify
Applies to manufacturing/B2B
23. The privacy buzzwords ...
Data minimization (Art. 5 GDPR)
◦ Collect, use, store and otherwise process data only insofar as it is adequate, relevant and necessary for the purpose (f.k.a. "principle of proportionality")
Privacy by Design (Art. 25 GDPR)
◦ "... implement appropriate technical and organisational measures, ..., which are designed to implement data-protection principles, such as data minimisation, in an effective manner ..."
24. The privacy buzzwords ...
Privacy by Default (Art. 25 GDPR)
◦ "... implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
By default, personal data should not be made accessible without the individual's direct and explicit intervention
25. Privacy by Design
(1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
To summarize… you need to, where necessary, build into all new systems, applications or processes the necessary protection against the loss of personal data.
All clear…?
Easier: Art. 7 para. 1 CH DPA
Applies to all, including manufacturing/B2B
26. Exporting Data (to other countries)
The good news: Exports that are permitted today in principle remain permitted also under the GDPR
The concept of adequacy decisions by the European Commission remains
◦ Existing decisions keep their validity; Switzerland and Canada have the right to be found adequate provided they comply with the revised CoE Convention 108
The concept of contractual safeguards and binding corporate rules (BCRs) continues to work for unsafe third countries (including the USA, despite the Safe Harbor decision)
◦ BCRs are still subject to approval by the national supervisory authority
◦ EU model clauses continue to be valid (but are likely to be revised)
27. Exporting Data
Exports to unsafe third countries may also be undertaken on the basis of approved codes of conduct and approved certification mechanisms
The provisions are only of limited relevance for exports from non-EU countries
The new GDPR concepts are already supported by the existing DPA
Manufacturing/B2B may export personal data to the USA
Examples include: e-mail address books, HR data, data contained in ERP systems, and unstructured data
28. WHAT do we need to do?
INTERPRETATION OF KEY POINTS INTO TANGIBLE ACTIONS
29. Group data protection policies
Establishing group-wide data protection policies step-by-step
◦ Start with a general data protection policy, then continue with policies for key areas and applications such as HR, data from the website and consumers
◦ Local law adjustments where required
◦ Definition of responsibilities for data protection compliance (1st, 2nd and 3rd line of defense), including local law obligations (e.g., local registrations/filings)
◦ Group-wide data protection training program for dealing with personal data
◦ Integration of policies into the IGDTA framework; local management to put policies in place
◦ As opposed to the IGDTA, the policies define standards that Group companies must abide by also for their own personal data (e.g., HR data), even when stricter than local law
Inventory of data files and data processing procedures
◦ Central documentation of how the Group and its entities collect, use, store, disclose and otherwise process personal data
◦ Central documentation of Group data protection compliance, including local authority filings, etc.
◦ Part of this task will already have to be done for the purpose of creating data protection policies
◦ Also focuses on decentralized data files, since they are likely to be processed with less care and coordination than Group-wide applications
◦ Task requires local assistance; can be performed by the local data protection coordinator
◦ Allows early identification of data protection issues
◦ Easier compliance with legal standards (e.g., obligation to notify or register with data protection authorities)
Data Protection Officer and standardization of compliance procedures
◦ Key procedures/tasks to ensure compliance with data protection policies and legal requirements are standardized (instead of ad-hoc and potentially inconsistent handling of issues)
◦ Shall cover data subject access requests, data protection review of new projects and IT applications, and reviews of third party contracts for data protection compliance
◦ Creation of standard clauses for service provider contracts, data subject requests, etc.
◦ Group data protection officer as a center of competence with a network of local data protection compliance managers
◦ Early identification of Group internal data protection issues and developments in the legal environment, and ability to approach them strategically
◦ Defined procedures for regular audits of Group entities and service providers
Intra-Group Data Transfer Agreement (IGDTA)
◦ Multilateral data agreement that regulates Group internal cross-border and outsourcing transfers
◦ Serves as a nucleus for establishing a global data protection governance framework
◦ Ability to cover all data within the company as well as all entities ("big bang" or "step-by-step")
◦ A proven, cost effective approach already followed by many other multinationals
◦ Recognized by the European Commission and the European data protection authorities
◦ Roll-out possible within six months (if no local pushback)
◦ Does not limit Group companies in the processing of their own data; it only sets forth rules on how they have to treat data of other Group companies, and does so based on Group policies
◦ Appointment of a local data protection coordinator for local implementation and notifications with authorities
Data Protection Management System (DPMS)
◦ Implement a Group-wide data protection management system, i.e. the necessary documentation and processes to ensure that data protection compliance (prevent, detect and respond to violations) is done systematically instead of ad hoc, and that any need for changes to the processing of data is addressed early on
◦ All procedures involving the processing of personal data have been documented, reviewed and adapted for compliance with applicable data protection laws, group policies and the IGDTA (where stricter), and are periodically reviewed for improvement
◦ All systems used for processing personal data shall provide an adequate level of data security in line with the recommended controls and measures as per the ISO 27001 standard
◦ Eventually, the Group may have certain aspects of its data protection compliance externally audited and certified
Priority scale shown on the slide: 1 = A real MUST, 2 = Must have, 3 = Should have, 4 = Good to have, 5 = Nice to have (situation pre-GDPR)
30. Setting the Stage 1/2
Most companies have achieved only level 1 and/or 2 (in the past)
◦ No end-to-end data protection governance
◦ Data protection is handled ad hoc, and most companies can live well with it
The three biggest challenges…
◦ Establishing the information necessary for assessing the situation: where is the data, what is the purpose, what
◦ Lack of (human) resources and internal cooperation (IT, business, legal)
◦ Amendments of IT systems and business processes, and eventually the need to give up the processing of personal data that can no longer be justified (i.e., storing in any form the health status of the client contact and/or his or her family)
31. Setting the Stage 2/2
Pressure on the part of top management should increase due to the sanctions
But: The GDPR follows (and permits) a risk-based approach (where "risk" refers to the data subject's privacy risk)
◦ No company will be able to comply with the GDPR in every respect
◦ Risks have to be recorded, assessed and accepted
32. Prepare / Organize / Implement
[Diagram: three-phase action plan with the following items: Manage consent; Determine request handling procedures; Remove old data where possible; Identify and document processing purpose; Conduct risk assessment; Train all (key) staff; Appoint a Data Protection Officer*; Review privacy policies; Prepare breach notification; Identify processes impacted; Assemble a team; Appoint mandated owners; Document risks ("How to handle the issue")]
*The DPO is a subject matter expert and coordinates the ongoing compliance; can be an external role
33. General steps to undertake 1/2
Create/appoint a data protection office/officer
◦ A subject matter expert is required (even if not mandated by law)
◦ This person is a legal expert located within the region, can be external and represents the organization (the organization can be a legal entity, a business unit or the group); depending on the organization it can become a full time role or can be outsourced
Document data processing activities and data protection compliance measures
◦ What data the company collects, why and who is responsible, where it is stored and how we protect it (both in physical and electronic form)
Data protection notices (internal, external), contracts with clients and other information have to be reviewed; options going forward need to be determined
Consent declarations need to be reviewed and amended going forward
Contracts with providers (and templates) need to be reviewed and amended
34. General steps to undertake 2/2
Processes and policies in case of data subject requests are to be established
Processes for assessing new data protection activities need to be created;
guidelines for "privacy by design" and "privacy by default" are to be defined
Data transfer contracts with group companies and partners are to be reviewed
and changed, or entered into, to the extent they do not yet exist
◦ Technical and organizational data security measures are to be verified and updated; a
process for handling data breaches is to be established
Check on the need to designate an EU representative as per Art. 27 GDPR
35. Final thoughts
Things are never as bad as advertised! – this is also true with the GDPR
◦ Administrative sanctions will be proportional (this does not mean that you should not do anything!!)
But: Unclear operational rules increase the risk of misunderstandings
◦ Improvements in data governance and compliance are required throughout the company
Even if there won't be many changes in substance to company processes
◦ Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
A risk-based approach is essential
◦ Works only when you understand your own data processing activities
External support helps, but internal resources are nevertheless necessary
Regular training will be required on this subject to remain compliant over time