EU General Data Protection Regulation
A non-expert interpretation targeted to manufacturing/B2B companies
Claudio Bolla
Personal introduction and disclaimer
I have been working for over 20 years in the Information Technology space in various countries and roles. In the past 5 years I specialized in IT Security, obtaining formal and professional certificates on the subject. I am not a lawyer, and this presentation is not to be considered legal advice, but it is meant to provide additional insight into the topic!
In the last 20 plus months I followed closely the various GDPR discussions and presentations. None seemed to be geared toward the manufacturing sector and to companies that work in the B2B space, where there is a restricted amount of personal data.
This presentation is my collected knowledge on the topic, gathered during the past months from various presentations I attended and from my interpretation of the written regulation.
The document is not a guide, but a tool geared toward the manufacturing industry and small companies that operate in the B2B space, where I try to bring a logical, vendor-neutral view of what is required and how it may affect companies.
This presentation will help you to rationalize and better judge vendor or expert advice that you will anyway require.
Introduction
There is a lot of talk about the new EU Regulation on Personal data…
◦ It will be implemented in the upcoming months
◦ All companies will need to adapt and adjust to comply
Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
The Regulation is not prescriptive and will need some interpretation
◦ It does not state how and when to protect data
◦ It does not impose a process or security measure to data processing
◦ It only defines what data has to be protected and what needs to be communicated
Data Protection is a Business process and risk objective
◦ IT & Information Security provides the technical measures to mitigate the risk and comply with the regulation for electronically stored data (the regulation also applies to physical/paper data)
Key points (1/2)
Under EU law, any processing of personal data requires a justification
◦ (e.g., consent, compliance with law, legitimate interests)
Territorial applicability:
◦ The GDPR also applies to all EU entities and many foreign companies working with EU data
Personal data: Definition widened (i.e. less room for anonymization)
◦ Anything that identifies directly or indirectly a physical person
Consent: Conditions for valid consent become stricter
◦ You need explicit consent
Information obligations:
◦ Much more information has to be provided than under previous regulations
Key points (2/2)
Data subject rights: Data subjects get new access and intervention rights on the use
and purpose of the data
Governance: The work load in particular regarding the documentation increases
◦ Need to keep track of explicit consent, need to do a Privacy Impact Assessment
Buzzwords: Privacy by Design in developing applications and tools
Sanctions: Severe sanctions
Time to national law: May 22, 2016
◦ EU Regulations are applied straight into national law without additional requirements
Time to implement/enforce: May 25, 2018
◦ Time by when companies and governments need to be ready to comply and to audit.
◦ No apparent extension is foreseen or published (at least not at this stage)
Who is covered by the GDPR?
All EU based companies (including UK based)
Many non-EU companies who hold or process EU citizen personal data
Whoever participates in processing activities of companies in the EU
Whoever processes data of clients who are served and located in the EU
Whoever analyses the activities of EU visitors of its own website or app
But: The applicable rules are not the same for companies outside the EU
◦ Concept of a "lead authority" (for the purposes of a one-stop-shop) does not apply, i.e. each authority can act in a competing
manner (within its territory)
◦ Foreign companies may not be able to rely on exceptions and justifications set forth by EU law (i.e. Union or member state law) (e.g., Art. 6(1)(c), 22(2), 23)
◦ Obligation of foreign companies to designate a person within the EU, who "represents" them "with regard to their respective
obligations" (cf. Cons. 80)
◦ But: Direct enforcement of administrative measures and sanctions against companies outside of the EU may not work legally
and practically
Who is covered by the GDPR? (diagram)
Figure: three coverage cases, (1) Controller, (2) Processor, (3) Controller or Processor, mapped against the triggers Monitoring behavior, Offering of goods or services, Participation (in processing activities), and Choice of law.
Talking about sanctions ...
Each (national) authority may issue administrative sanctions
◦ They shall be "effective, proportionate and dissuasive"
◦ Concerning governance & data of children: EUR 10m or 2% of worldwide turnover, whichever is higher
(revenue of the legal entity at issue, not the entire group)
◦ With regards to substantive breaches of regulation: EUR 20m or 4% of worldwide turnover (tied to Group of
companies and not legal entities)
If administrative sanctions are not possible, other penalties are permitted
Authorities have the powers to intervene against data processing activities
◦ They can temporarily or permanently stop a certain data processing
◦ They are obliged to deal with each complaint of a data subject
◦ Data subjects can enforce their rights and claims (e.g., damages) in court
◦ Associations can act on behalf of data subjects or on their own
Note: Non-EU countries already have or will have sanctions, as well
Applies also to manufacturing/B2B
Personal Data - Definition
Legal entities and related data do not fall into the definition of personal data
Most of B2B data will therefore be personnel related
But not only!!
The EU increasingly follows an "absolute" approach with regard to the definition of personal data
Consent
Relevance: Apart from the performance of a contract, a legal obligation and "legitimate interests", consent is the most important ground for data processing
Consent must be presented clearly distinguishable from other matters
Consent can always be withdrawn (with effect for the future; right to erasure)
Consent that has already been validly obtained in the past continues to be valid (need to have proof).
Shall the consent provided within a contract be optional with regard to all data processing activities that are not necessary for the performance of the contract (Art. 7(4))?
Will manufacturing/B2B need to request consent from all physical persons for data processing? Including employees??
Information duties
Principle of transparency is supplemented by an obligation to inform on a number of
defined points
◦ To the extent the data subject has not yet been informed
◦ Also applies in case of indirect data collection (max. 1 month), except where it is impossible, results in a disproportionate effort or defeats the purpose (in which case alternatives such as information on a website shall be pursued)
◦ Obligation to inform also applies in case of (later) secondary purposes
Consequence: Extensive privacy notices become mandatory
◦ Upon first contact or collection
◦ On the website for all cases of indirect data collection not covered otherwise
◦ Few exceptions, such as internal investigations
Pro memoria: An obligation to inform may also exist in cases of data breaches
Applies to manufacturing/B2B
Inform on what? (1/2)
Name, contact details of the controller and data protection officer
Purposes of use, data categories, categories of recipients (if any)
Legitimate interests, if relied upon
Whether exports are intended, whether to a whitelisted country, and if not, where
the data subject can obtain a copy of the safeguards used
Data sources (if data is collected indirectly)
Period for which data will be stored (or criteria used to determine it)
Manufacturing and B2B will need to inform employees and 3rd parties of the data processing and related changes in the processing
For example a change in payroll provider or a new location of the data repository
Inform on what?
Information on the right of the data subject for access, rectification, erasure, restriction,
objection and data portability
Right to withdraw a consent (and eventually the consequences)
Right to lodge a complaint with the supervisory authority
Whether the data requested is necessary for the performance of a contract and
the consequences of not disclosing the data requested
Automated decision-making (including profiling), the logic and consequences
Applies to manufacturing/B2B
Data subject rights
Data subject rights are significantly extended and become more complicated
◦ It remains unclear to which extent data subjects will make use of them
◦ They may require changes to data processing procedures and systems
All requests must be complied with at no charge and within one month
◦ Extension of deadline is possible by two months
◦ In case of "manifestly unfounded or excessive" requests it is possible to charge a reasonable fee or refuse to act upon the request
◦ Previous data recipients may have to be informed of the request
Right of access and data portability (= return of own data)
Right to rectification
Right to erasure ("right to be forgotten"), restriction (= partial usage ban) and objection (= complete
usage ban)
Right to "human intervention" in case of automated decision-making
Applies to manufacturing/B2B
Erasure, restriction and objection
Are you able to erase data from your systems in case a data subject withdraws his or her consent you have relied upon?
Are you able to suspend the processing of data where you failed to fully comply with the GDPR, where the accuracy of the data is contested or where an objection has been filed?
Which data do you really need for the establishment, exercise or defense of legal claims or compliance with EU law (the two main reasons you have for justifying not deleting data upon request)?
Data portability 1/2
Five preconditions (cumulative)
◦ Personal data of the data subject
◦ Provided (by the data subject) to a controller (not just processor)
◦ Processing is based on consent or a contract
◦ Processing is carried out by automated means
◦ Rights and freedoms of other persons are not adversely affected
Data portability 2/2
What can the data subject ask for?
◦ Return of the data in a "structured, commonly used and machine-readable format" in
order to pass it along to another controller
◦ Where technically feasible to have it transmitted directly to the other controller
Typical use cases are still unclear, but may include
◦ Doctors (patient data)? Banks (orders)? Auction platforms (offerings)? Telcos (CDRs)?
Online-shops (past orders)? Employers (job application data & payroll)?
May apply to manufacturing/B2B depending on the data
Automated decisions, profiling
Prohibition or a right to object?
Option 1: Profiling or automated decisions are used only where they do not produce legal or similar effects to the data
subject (e.g., personalized ads)
Option 2: Profiling or automated decisions are used only for entering into or performing a contract, without sensitive
data, and the data subject has the right to present his or her view to a human and have the decision reconsidered
Option 3: The explicit consent is obtained beforehand, and steps are taken to deal with its withdrawal; human
intervention must still be possible
The provision aims at automated credit or e-recruitment decisions without human intervention, but applies to many other cases, e.g., personalized prices, activation of software, security monitoring
Should not apply to manufacturing/B2B, depending on the data
Governance 1/2
Concept of "accountability": Controller has to be able to "prove" its compliance
Contracts with processors: Detailed requirements as to what the contract has to
cover, but not many changes in substance (exception: veto on sub-processors)
Maintaining records of processing activities becomes mandatory, also for
processors; the minimum required content corresponds plus/minus to what is
required pursuant to Art. 11a DPA, plus information on exports, retention
periods, and technical and organizational measures undertaken
Governance 2/2
Obligation to undertake a formal privacy impact assessment (PIA) in case of likely "high risk" projects, and to consult the supervisory authority beforehand if the project is indeed of high (privacy) risk absent mitigation measures
If the business of a company is based on the monitoring of individuals or on the
processing of sensitive data, then a data protection officer must be appointed
Applies to manufacturing/B2B
Data Breach Notifications 1/2
All breaches against measures to protect personal data have to be recorded and, if a privacy risk to data subjects is likely, notified to the supervisory authority (within 72 hours)
What has happened? Who is affected? Consequences? Measures? Contacts? The provision focuses on IT security breaches (hacking, data theft, wrongly sent e-mails, invoice mix-ups), but can also apply to other violations of data protection provisions (e.g., use of data in violation of binding instructions)
Data Breach Notifications 2/2
Notification of data subjects is necessary (only) in case of a high risk to them
◦ Not necessary in case of measures to prevent access by third parties (e.g., encrypted
data) or if the risk has in all likelihood been eliminated
If informing involves a disproportionate effort: A publication of the notification
or an "equally effective" measure is possible, too
Data Encryption does not remove the requirement to notify
Applies to manufacturing/B2B
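The two breach-notification slides above describe a decision procedure: record every breach, notify the supervisory authority within 72 hours of becoming aware when a privacy risk to data subjects is likely, and inform the data subjects themselves only when the risk is high and the data was not protected (e.g., encrypted) or the risk has since been eliminated. The following Python is an added example, not code from the presentation or its author, showing how that procedure can be encoded as a small breach-register triage helper. The risk levels, field names and the sample breaches are constructed for illustration; the legal assessment of "likely" versus "high" risk remains a human decision that the function only consumes.

```python
"""Breach-register triage helper (added example; constructed data, not real incidents)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional

# Deadline stated on the slides: notify the supervisory authority within 72 hours of awareness.
AUTHORITY_DEADLINE = timedelta(hours=72)


class Risk(Enum):
    """Assessed privacy risk to the affected data subjects (three levels are an assumption)."""
    UNLIKELY = "unlikely"
    LIKELY = "likely"
    HIGH = "high"


@dataclass
class Breach:
    ref: str
    description: str
    aware_at: datetime                 # when the controller became aware of the breach
    risk: Risk
    data_unintelligible: bool = False  # e.g. encrypted at rest and the key was not exposed
    risk_eliminated: bool = False      # e.g. the mis-sent e-mail was deleted unread


@dataclass
class Decision:
    record: bool
    notify_authority: bool
    authority_deadline: Optional[datetime]
    notify_subjects: bool
    reasons: List[str] = field(default_factory=list)


def triage(b: Breach) -> Decision:
    """Apply the notification rules summarised on the slides to one breach."""
    reasons = ["every breach is recorded in the register"]
    notify_authority = b.risk in (Risk.LIKELY, Risk.HIGH)
    deadline = b.aware_at + AUTHORITY_DEADLINE if notify_authority else None
    if notify_authority:
        reasons.append("privacy risk to data subjects is likely: notify the authority within 72h")
        if b.data_unintelligible:
            reasons.append("encryption does not remove the duty to notify the authority")
    # Data subjects are informed only on high risk, unless the data was protected
    # or the risk has in all likelihood been eliminated.
    notify_subjects = (b.risk is Risk.HIGH and not b.data_unintelligible
                       and not b.risk_eliminated)
    if b.risk is Risk.HIGH and not notify_subjects:
        reasons.append("high risk, but subjects need not be informed: data protected or risk eliminated")
    elif notify_subjects:
        reasons.append("high risk to data subjects: inform them (or publish if effort is disproportionate)")
    return Decision(True, notify_authority, deadline, notify_subjects, reasons)


def hours_left(b: Breach, now: datetime) -> Optional[float]:
    """Hours remaining on the 72h authority window (negative = overdue); None if not required."""
    d = triage(b)
    if d.authority_deadline is None:
        return None
    return (d.authority_deadline - now) / timedelta(hours=1)


def overdue(register: List[Breach], now: datetime) -> List[str]:
    """Refs of breaches whose authority notification window has already closed."""
    return [b.ref for b in register
            if (h := hours_left(b, now)) is not None and h < 0]


# Constructed sample register mirroring the slide's examples (data theft, wrongly sent
# e-mails, invoice mix-ups). None of these are real incidents.
T0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
DEMO_NOW = T0 + timedelta(hours=74)
SAMPLE_REGISTER = [
    Breach("BR-001", "laptop with unencrypted HR export stolen", T0, Risk.HIGH),
    Breach("BR-002", "laptop with HR export stolen, full-disk encrypted", T0, Risk.HIGH,
           data_unintelligible=True),
    Breach("BR-003", "customer invoice mailed to another customer",
           T0 + timedelta(hours=5), Risk.LIKELY),
    Breach("BR-004", "payroll sheet e-mailed to wrong colleague, deleted unread",
           T0 + timedelta(days=2), Risk.UNLIKELY, risk_eliminated=True),
]

if __name__ == "__main__":
    for b in SAMPLE_REGISTER:
        d = triage(b)
        print(b.ref, "| authority:", d.notify_authority, "| subjects:", d.notify_subjects,
              "| hours left:", hours_left(b, DEMO_NOW))
        for r in d.reasons:
            print("   -", r)
    print("overdue at", DEMO_NOW.isoformat(), "->", overdue(SAMPLE_REGISTER, DEMO_NOW))
```

Running the block at the constructed time `DEMO_NOW` (74 hours after the first two breaches) flags BR-001 and BR-002 as overdue for the authority notification, while BR-002's encryption only spares the data subjects, not the authority, which is exactly the caveat on the slide. The `reasons` list is kept on purpose: the register has to be able to show the supervisory authority why each decision was taken.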
The privacy buzzwords ...
Data minimization (Art. 5 GDPR)
◦ Collect, use, store and otherwise process data only insofar as adequate, relevant and necessary for the purpose (f.k.a. "principle of proportionality")
Privacy by Design (Art. 25 GDPR)
◦ "... implement appropriate technical and organisational measures, ..., which are
designed to implement data-protection principles, such as data minimisation, in an
effective manner ..."
The privacy buzzwords ...
Privacy by Default (Art. 25 GDPR)
◦ "... implement appropriate technical and organizational measures for ensuring that, by
default, only personal data which are necessary for each specific purpose of the
processing are processed."
By default, personal data should not be made accessible without the individual's
direct and explicit intervention
Privacy by Design
(1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, ..., which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
To summarize… you need to, when necessary, build into all new systems, applications or processes the necessary protection against the loss of personal data.
All clear…?
Easier: Art. 7 para. 1 CH DPA
Applies to all, including manufacturing/B2B
Exporting Data (to other countries)
The good news: Exports that are permitted today in principle remain permitted
also under the GDPR
Concept of adequacy decisions by the European Commission remains
◦ Existing decisions keep their validity; Switzerland and Canada have the right to be found adequate provided they comply with the revised CoE Convention 108
Concept of contractual safeguards and binding corporate rules (BCRs) continues
to work for unsafe third countries (Including USA, despite the safe harbor
decision)
◦ BCRs are still subject to approval by the National supervisory authority
◦ EU model clauses continue to be valid (but are likely to be revised)
Exporting Data
Exports to unsafe third countries may also be undertaken on the basis of
approved code of conducts and approved certification mechanisms
The provisions are only of limited relevance for exports from non-EU countries
The new GDPR concepts are already supported by the existing DPA
Manufacturing/B2B may export personal data to the USA
Examples include: e-mail address books, HR data, data contained in ERP systems and unstructured data
What do we need to do?
Interpretation of key points into tangible actions
Group data protection policies
◦ Establishing group-wide data protection policies step-by-step
◦ Start with a general data protection policy, then continue with policies for key areas and applications such as HR, data from the website and consumers
◦ Local law adjustments where required
◦ Definition of responsibilities for data protection compliance (1st, 2nd and 3rd line of defense), including local law obligations (e.g., local registrations/filings)
◦ Group-wide data protection training program for dealing with personal data
◦ Integration of policies into the IGDTA framework; local management to put policies in place
◦ As opposed to the IGDTA, the policies define standards that Group companies must abide by also for their own personal data (e.g., HR data), even when stricter than local law
Inventory of data files and data processing procedures
◦ Centrally document how the Group and its entities collect, use, store, disclose and otherwise process personal data
◦ Centrally document Group data protection compliance, including local authority filings, etc.
◦ Part of this task will have to be done already for the purpose of creating data protection policies
◦ Also focus on decentralized data files, since they are likely to be processed with less care and coordination than Group-wide applications
◦ Task requires local assistance; can be performed by the local data protection coordinator
◦ Allows early identification of data protection issues
◦ Easier compliance with legal standards (e.g., obligation to notify or register with data protection authorities)
Data Protection Officer and standardization of compliance procedures
◦ Key procedures/tasks to ensure compliance with data protection policies and legal requirements are standardized (instead of ad-hoc and potentially inconsistent handling of issues)
◦ Shall cover data subject access requests, data protection review of new projects and IT applications, and reviews of third party contracts for data protection compliance
◦ Creation of standard clauses for service provider contracts, data subject requests, etc.
◦ Group data protection officer as a center of competence with a network of local data protection compliance managers
◦ Early identification of Group-internal data protection issues and developments in the legal environment, and ability to approach them strategically
◦ Defined procedures for regular audits of Group entities and service providers
Intra-Group Data Transfer Agreement (IGDTA)
◦ Multilateral data agreement that regulates Group-internal cross-border and outsourcing transfers
◦ Serves as a nucleus for establishing a global data protection governance framework
◦ Ability to cover all data within the company as well as all entities ("big bang" or "step-by-step")
◦ A proven, cost-effective approach already followed by many other multinationals
◦ Recognized by the European Commission and the European data protection authorities
◦ Roll-out possible within six months (if no local pushback)
◦ Does not limit Group companies in the processing of their own data; it only sets forth rules on how they have to treat data of other Group companies, and does so based on Group policies
◦ Appointment of a local data protection coordinator for local implementation and notifications with authorities
Data Protection Management System (DPMS)
◦ Implement a Group-wide data protection management system, i.e. the necessary documentation and processes to ensure that data protection compliance (prevent, detect, respond to violations) is done systematically instead of ad hoc, and that any need for changes to the processing of data is addressed early on
◦ All procedures involving the processing of personal data have been documented, reviewed and adapted for compliance with applicable data protection laws, group policies and the IGDTA (where stricter), and are periodically reviewed for improvement
◦ All systems used for processing personal data shall provide an adequate level of data security in line with the recommended controls and measures as per the ISO 27001 standard
◦ Eventually, the Group may have certain aspects of its data protection compliance externally audited and certified
Priority legend: 1 = A real MUST, 2 = Must have, 3 = Should have, 4 = Good to have, 5 = Nice to have
Situation pre-GDPR
Setting the Stage 1/2
Most companies have achieved only level 1 and/or 2 (in the past)
◦ No end-to-end data protection governance
◦ Data protection is handled ad hoc, and most companies can live well with it
The three biggest challenges…
◦ Establishing the information necessary for assessing the situation
◦ Where is the data, what is the purpose, what
◦ Lack of (human) resources and internal cooperation (IT, business, legal)
◦ Amendments of IT systems and business processes, and eventually the need to give up the processing of personal data that can no longer be justified
◦ e.g., storing in any form the health status of the client contact and/or their family
Setting the Stage 2/2
Pressure on top management should increase due to the sanctions
But: The GDPR follows (and permits) a risk-based approach (whereas "risk"
refers to the data subject's privacy risk)
◦ No company will be able to comply with the GDPR in every respect
◦ The risks have to be recorded, assessed and accepted.
How to handle the issue
Phases: Prepare, Organize, Implement
◦ Identify processes impacted
◦ Assemble a team
◦ Appoint mandated owners
◦ Document risks
◦ Identify and document processing purpose
◦ Conduct risk assessment
◦ Train all (key) staff
◦ Appoint a Data Protection Officer*
◦ Review privacy policies
◦ Prepare breach notification
◦ Manage consent
◦ Determine request handling procedures
◦ Remove old data where possible
*The DPO is a subject matter expert and coordinates the ongoing compliance; it can be an external role
General steps to undertake 1/2
Create/appoint a data protection office/officer
◦ A subject matter expert is required (even if not mandated by law)
◦ This figure is a legal expert, located within the region, who can be external and can represent the organization (the organization can be a legal entity, a business unit or the group); depending on the organization it can become a full-time role or can be outsourced
Document data processing activities and data protection compliance measures
◦ What data the company collects, why and who is responsible, where it is stored and how we protect it (both in physical and electronic format).
Data protection notices (internal, external), contracts with clients and other
information have to be reviewed; options going forward need to be determined
Consent declarations need to be reviewed and amended going forward
Contracts with providers (and templates) need to be reviewed and amended
General steps to undertake 2/2
Processes and policies in case of data subject requests are to be established
Processes for assessing new data protection activities need to be created;
guidelines for "privacy by design" and "privacy by default" are to be defined
Data transfer contracts with group companies and partners are to be reviewed
and changed, or entered into, to the extent they do not yet exist
◦ Technical and organizational data security measures are to be verified and updated; a
process for handling data breaches is to be established
Check on the need to designate an EU representative as per Art. 27 GDPR
Final thoughts
Things are never as bad as advertised! – this also is true with the GDPR
◦ Administrative sanctions will be proportional (this does not mean that you should not do anything!!)
But: Unclear operational rules increase the risk of misunderstandings
◦ Improvements in data governance and compliance are required throughout the company
Even if there won't be many changes in substance to company processes
◦ Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
Risk-based approach is essential
◦ Works only when you understand your own data processing activities
External support helps, but internal resources are nevertheless necessary
Regular Training will be required on this subject to remain compliant over time
Data protectionData protection
Data protection
RaviPrashant5
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessMark Baker
 

Similar to GDPR - a view for the non experts (20)

General data protection regulation
General data protection regulationGeneral data protection regulation
General data protection regulation
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Impact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and ProcessingImpact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and Processing
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
GDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, EcosystmGDPR & You, Claus Mortensen, Ecosystm
GDPR & You, Claus Mortensen, Ecosystm
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
GDPR Quick Reference for American Accountants (CPA Seminar)
GDPR Quick Reference for American Accountants (CPA Seminar)GDPR Quick Reference for American Accountants (CPA Seminar)
GDPR Quick Reference for American Accountants (CPA Seminar)
 
GDPR
GDPRGDPR
GDPR
 
GDPR (En) JM Tyszka
GDPR (En)  JM TyszkaGDPR (En)  JM Tyszka
GDPR (En) JM Tyszka
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
The Countdown to the GDPR Regulations
The Countdown to the GDPR RegulationsThe Countdown to the GDPR Regulations
The Countdown to the GDPR Regulations
 
The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018The implications of gdpr for the solutions industry tatech 2018
The implications of gdpr for the solutions industry tatech 2018
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
Data breaches, privacy programs and what will change for processors
Data breaches, privacy programs and what will change for processorsData breaches, privacy programs and what will change for processors
Data breaches, privacy programs and what will change for processors
 
Data protection
Data protectionData protection
Data protection
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 

Recently uploaded

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

GDPR - a view for the non experts

  • 1. EU General Data Protection Regulation
    A non-expert interpretation targeted to manufacturing/B2B companies
    Claudio Bolla
  • 2. Personal introduction and disclaimer
    I have been working for over 20 years in the Information Technology space in various countries and roles. In the past 5 years I specialized in IT Security, obtaining formal and professional certificates on the subject. I am not a lawyer and this presentation is not to be considered legal advice, but it is meant to provide additional insight into the topic!
    In the last 20 plus months I have followed closely the various GDPR discussions and presentations. None seemed to be geared toward the manufacturing sector or toward companies that work in the B2B space, where there is a restricted amount of personal data.
    This presentation is my collected knowledge on the topic, gathered during the past months from various presentations I attended and from my interpretation of the written regulation.
    The document is not a guide, but a tool geared toward the manufacturing industry and small companies that operate in the B2B space, where I try to bring a logical, vendor-neutral view of what is required and how it may affect companies.
    This presentation will help you to rationalize and better judge the vendor or expert advice that you will anyway require.
  • 3. Introduction
    There is a lot of talk about the new EU Regulation on Personal data…
    ◦ It will be implemented in the upcoming months
    ◦ All companies will need to adapt and adjust to comply
    Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
    The Regulation is not prescriptive and will need some interpretation
    ◦ It does not state how and when to protect data
    ◦ It does not impose a process or security measure on data processing
    ◦ It only defines what data has to be protected and what needs to be communicated
    Data Protection is a business process and risk objective
    ◦ IT & Information Security provide the technical measures to mitigate the risk and comply with the regulation for electronically stored data (the regulation also applies to physical/paper data)
  • 4. Key points (1/2)
    Under EU law, any processing of personal data requires a justification
    ◦ (e.g., consent, compliance with law, legitimate interests)
    Territorial applicability:
    ◦ The GDPR applies to all EU entities and to many foreign companies working with EU data
    Personal data: Definition widened (i.e. less room for anonymization)
    ◦ Anything that identifies directly or indirectly a physical person
    Consent: Conditions for valid consent become stricter
    ◦ You need explicit consent
    Information obligations:
    ◦ Much more information has to be provided than under previous regulations
  • 5. Key points (2/2)
    Data subject rights: Data subjects get new access and intervention rights on the use and purpose of the data
    Governance: The workload, in particular regarding documentation, increases
    ◦ Need to keep track of explicit consent, need to do a Privacy Impact Assessment
    Buzzwords: Privacy by Design in developing applications and tools
    Sanctions: Severe sanctions
    Time to national law: May 22, 2016
    ◦ EU Regulations apply directly as national law without additional requirements
    Time to implement/enforce: May 25, 2018
    ◦ Time by when companies and governments need to be ready to comply and to audit.
    ◦ No apparent extension is foreseen or published (at least not at this stage)
  • 6. Who is covered by the GDPR?
    All EU based companies (including UK based)
    Many non-EU companies that hold or process EU citizens' personal data
    Whoever participates in processing activities of companies in the EU
    Whoever processes data of clients who are served and located in the EU
    Whoever analyses the activities of EU visitors of its own website or app
    But: The applicable rules are not the same for companies outside the EU
    ◦ The concept of a "lead authority" (for the purposes of a one-stop-shop) does not apply, i.e. each authority can act in a competing manner (within its territory)
    ◦ A foreign company may not be able to rely on exceptions and justifications set forth by EU law (i.e. Union or member state law) (e.g., Art. 6(1)(c), 22(2), 23)
    ◦ Obligation of foreign companies to designate a person within the EU who "represents" them "with regard to their respective obligations" (cf. Cons. 80)
    ◦ But: Direct enforcement of administrative measures and sanctions against companies outside of the EU may not work legally and practically
  • 7. Who is covered by the GDPR?
    (Diagram: three cases, 1 Controller, 2 Processor, 3 Controller or Processor, mapped against monitoring behavior, offering of goods or services, participation, and choice of law)
  • 8. Talking about sanctions ...
    Each (national) authority may issue administrative sanctions
    ◦ They shall be "effective, proportionate and dissuasive"
    ◦ Concerning governance & data of children: EUR 10m or 2% of worldwide turnover, whichever is higher (revenue of the legal entity at issue, not the entire group)
    ◦ With regard to substantive breaches of the regulation: EUR 20m or 4% of worldwide turnover (tied to the group of companies and not to legal entities)
    If administrative sanctions are not possible, other penalties are permitted
    Authorities have the power to intervene against data processing activities
    ◦ They can temporarily or permanently stop a certain data processing
    ◦ They are obliged to deal with each complaint of a data subject
    ◦ Data subjects can enforce their rights and claims (e.g., damages) in court
    Associations can act on behalf of data subjects or on their own
    Note: Non-EU countries already have or will have sanctions as well
    Applies also to manufacturing/B2B
  • 9. Personal Data - Definition
    Legal entities and related data do not fall into the definition of personal data
    Most B2B data will therefore be personnel related
    But not only!!
    The EU increasingly follows an "absolute" approach with regard to the definition of personal data
  • 10. Consent
    Relevance: Apart from the performance of a contract, a legal obligation and "legitimate interests", consent is the most important ground for data processing
    Consent must be presented in a way clearly distinguishable from other matters
    Consent can always be withdrawn (with effect for the future; right to erasure)
    Consent that has already been validly obtained in the past continues to be valid (you need to have proof).
    Must the consent provided within a contract be optional with regard to all data processing activities that are not necessary for the performance of the contract (Art. 7(4))?
    Will manufacturing/B2B need to request consent from all physical persons for data processing? Including employees??
  • 11. Information duties
    The principle of transparency is supplemented by an obligation to inform on a number of defined points
    ◦ To the extent the data subject has not yet been informed
    ◦ Also applies in case of indirect data collection (max. 1 month), except where it is impossible, would result in a disproportionate effort or would defeat the purpose (in which case alternatives such as information on a website shall be pursued)
    ◦ The obligation to inform also applies in case of (later) secondary purposes
    Consequence: Extensive privacy notices become mandatory
    ◦ Upon first contact or collection
    ◦ On the website for all cases of indirect data collection not covered otherwise
    ◦ Few exceptions, such as internal investigations
    Pro memoria: An obligation to inform may also exist in cases of data breaches
    Applies to manufacturing/B2B
  • 12. Inform on what? (1/2)
    Name and contact details of the controller and of the data protection officer
    Purposes of use, data categories, categories of recipients (if any)
    Legitimate interests, if relied upon
    Whether exports are intended, whether to a whitelisted country, and if not, where the data subject can obtain a copy of the safeguards used
    Data sources (if data is collected indirectly)
    Period for which data will be stored (or criteria used to determine it)
    Manufacturing and B2B will need to inform employees and third parties of the data processing and of related changes in the processing, for example a change in payroll provider or a new location of the data repository
  • 13. Inform on what? (2/2)
    Information on the rights of the data subject to access, rectification, erasure, restriction, objection and data portability
    Right to withdraw consent (and eventually the consequences)
    Right to lodge a complaint with the supervisory authority
    Whether the data requested is necessary for the performance of a contract, and the consequences of not disclosing the data requested
    Automated decision-making (including profiling), its logic and consequences
    Applies to manufacturing/B2B
  • 14. Data subject rights
    Data subject rights are significantly extended and become more complicated
    ◦ It remains unclear to what extent data subjects will make use of them
    ◦ They may require changes to data processing procedures and systems
    All requests must be complied with at no charge and within one month
    ◦ Extension of the deadline by two months is possible
    ◦ In case of "manifestly unfounded or excessive" requests it is possible to charge a reasonable fee or to refuse to act upon the request
    ◦ Previous data recipients may have to be informed of the request
    Right of access and data portability (= return of own data)
    Right to rectification
    Right to erasure ("right to be forgotten"), restriction (= partial usage ban) and objection (= complete usage ban)
    Right to "human intervention" in case of automated decision-making
    Applies to manufacturing/B2B
  • 15. Erasure, restriction and objection
    Are you able to erase data from your systems in case a data subject withdraws the consent you have relied upon?
    Are you able to suspend the processing of data where you failed to fully comply with the GDPR, where the accuracy of the data is contested or where an objection has been filed?
    Which data do you really need for the establishment, exercise or defense of legal claims or for compliance with EU law (the two main reasons you have for justifying not deleting data upon request)?
  • 16. Data portability 1/2
    Five preconditions (cumulative)
    ◦ Personal data of the data subject
    ◦ Provided (by the data subject) to a controller (not just a processor)
    ◦ Processing is based on consent or a contract
    ◦ Processing is carried out by automated means
    ◦ Rights and freedoms of other persons are not adversely affected
  • 17. Data portability 2/2
    What can the data subject ask for?
    ◦ Return of the data in a "structured, commonly used and machine-readable format" in order to pass it along to another controller
    ◦ Where technically feasible, to have it transmitted directly to the other controller
    Typical use cases are still unclear, but may include
    ◦ Doctors (patient data)? Banks (orders)? Auction platforms (offerings)? Telcos (CDRs)? Online shops (past orders)? Employers (job application data & payroll)?
    May apply to manufacturing/B2B depending on the data
  • 18. Automated decisions, profiling
    Prohibition or a right to object?
    Option 1: Profiling or automated decisions are used only where they do not produce legal or similar effects for the data subject (e.g., personalized ads)
    Option 2: Profiling or automated decisions are used only for entering into or performing a contract, without sensitive data, and the data subject has the right to present his or her view to a human and have the decision reconsidered
    Option 3: Explicit consent is obtained beforehand, and steps are taken to deal with its withdrawal; human intervention must still be possible
    The provision aims at automated credit or e-recruitment decisions without human intervention, but applies to many other cases, e.g., personalized prices, activation of software, security monitoring
    Should not apply to manufacturing/B2B, depending on the data
  • 19. Governance 1/2
    Concept of "accountability": The controller has to be able to "prove" its compliance
    Contracts with processors: Detailed requirements as to what the contract has to cover, but not many changes in substance (exception: veto on sub-processors)
    Maintaining records of processing activities becomes mandatory, also for processors; the minimum required content corresponds more or less to what is required pursuant to Art. 11a DPA, plus information on exports, retention periods, and technical and organizational measures undertaken
  • 20. Governance 2/2
    Obligation to undertake a formal privacy impact assessment (PIA) in case of likely "high risk" projects, and to consult the supervisory authority beforehand if the project is indeed of high (privacy) risk absent mitigation measures
    If the business of a company is based on the monitoring of individuals or on the processing of sensitive data, then a data protection officer must be appointed
    Applies to manufacturing/B2B
  • 21. Data Breach Notifications 1/2
    All breaches of measures to protect personal data have to be recorded and, if a privacy risk to data subjects is likely, notified to the supervisory authority (within 72 hours)
    What has happened? Who is affected? Consequences? Measures? Contacts?
    The provision focuses on IT security breaches (hacking, data theft, wrongly sent e-mails, invoice mix-ups), but can also apply to other violations of data protection provisions (e.g., use of data in violation of binding instructions)
  • 22. Data Breach Notifications 2/2
    Notification of data subjects is necessary (only) in case of a high risk to them
    ◦ Not necessary in case of measures that prevent access by third parties (e.g., encrypted data) or if the risk has in all likelihood been eliminated
    If informing involves a disproportionate effort: A publication of the notification or an "equally effective" measure is possible, too
    Data encryption does not remove the requirement to notify (the exception above applies only to informing the data subjects)
    Applies to manufacturing/B2B
  • 23. The privacy buzzwords ...
    Data minimization (Art. 5 GDPR)
    ◦ Collect, use, store and otherwise process data only insofar as adequate, relevant and necessary for the purpose (f.k.a. "principle of proportionality")
    Privacy by Design (Art. 25 GDPR)
    ◦ "... implement appropriate technical and organisational measures, ..., which are designed to implement data-protection principles, such as data minimisation, in an effective manner ..."
  • 24. The privacy buzzwords ...
    Privacy by Default (Art. 25 GDPR)
    ◦ "... implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed."
    By default, personal data should not be made accessible without the individual's direct and explicit intervention
  • 25. Privacy by Design (1)
    Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
    To summarize… you need to, when necessary, build into all new systems, applications or processes the necessary protection against the loss of personal data.
    All clear…? Easier: Art. 7 para. 1 CH DPA
    Applies to all, including manufacturing/B2B
• 26. Exporting Data (to other countries)
The good news: exports that are permitted today in principle remain permitted also under the GDPR
Concept of adequacy decisions by the European Commission remains
◦ Existing decisions keep their validity; Switzerland and Canada have the right to be found adequate provided they comply with the revised CoE Convention 108
Concept of contractual safeguards and binding corporate rules (BCRs) continues to work for unsafe third countries (including the USA, despite the Safe Harbor decision)
◦ BCRs are still subject to approval by the national supervisory authority
◦ EU model clauses continue to be valid (but are likely to be revised)
• 27. Exporting Data
Exports to unsafe third countries may also be undertaken on the basis of approved codes of conduct and approved certification mechanisms
The provisions are only of limited relevance for exports from non-EU countries
The new GDPR concepts are already supported by the existing DPA
Manufacturing/B2B may export personal data to the USA
◦ Examples include: e-mail address books, HR data, data contained in ERP systems and unstructured data
• 28. WHAT do we need to do?
Interpretation of key points into tangible actions
• 29. Situation pre-GDPR
Priority scale used on the slide: 1 = A real MUST, 2 = Must have, 3 = Should have, 4 = Good to have, 5 = Nice to have
◦ Group data protection policies
  ◦ Establish group-wide data protection policies step by step
  ◦ Start with a general data protection policy, then continue with policies for key areas and applications such as HR, data from the website and consumers
  ◦ Local law adjustments where required
  ◦ Definition of responsibilities for data protection compliance (1st, 2nd and 3rd line of defense), including local law obligations (e.g., local registrations/filings)
  ◦ Group-wide data protection training program for dealing with personal data
  ◦ Integration of policies into the IGDTA framework; local management to put the policies in place
  ◦ As opposed to the IGDTA, the policies define standards that Group companies must abide by also for their own personal data (e.g., HR data), even when stricter than local law
◦ Inventory of data files and data processing procedures
  ◦ Centrally document how the Group and its entities collect, use, store, disclose and otherwise process personal data
  ◦ Centrally document Group data protection compliance, including local authority filings, etc.
  ◦ Part of this task will have to be done already for the purpose of creating data protection policies
  ◦ Also focus on decentralized data files, since they are likely to be processed with less care and coordination than Group-wide applications
  ◦ Task requires local assistance; can be performed by the local data protection coordinator
  ◦ Allows early identification of data protection issues
  ◦ Easier compliance with legal standards (e.g., obligation to notify or register with data protection authorities)
◦ Data Protection Officer and standardization of compliance procedures
  ◦ Key procedures/tasks to ensure compliance with data protection policies and legal requirements are standardized (instead of ad-hoc and potentially inconsistent handling of issues)
  ◦ Shall cover data subject access requests, data protection review of new projects and IT applications, and reviews of third-party contracts for data protection compliance
  ◦ Creation of standard clauses for service provider contracts, data subject requests, etc.
  ◦ Group data protection officer as a center of competence with a network of local data protection compliance managers
  ◦ Early identification of Group-internal data protection issues and developments in the legal environment, and ability to approach them strategically
  ◦ Defined procedures for regular audits of Group entities and service providers
◦ Intra-Group Data Transfer Agreement (IGDTA)
  ◦ Multilateral data agreement that regulates Group-internal cross-border and outsourcing transfers
  ◦ Serves as a nucleus for establishing a global data protection governance framework
  ◦ Ability to cover all data within the company as well as all entities ("big bang" or "step-by-step")
  ◦ A proven, cost-effective approach already followed by many other multinationals
  ◦ Recognized by the European Commission and the European data protection authorities
  ◦ Roll-out possible within six months (if no local pushback)
  ◦ Does not limit Group companies in the processing of their own data; it only sets forth rules on how they have to treat data of other Group companies, and does so based on Group policies
  ◦ Appointment of a local data protection coordinator for local implementation and notifications to authorities
◦ Data Protection Management System (DPMS)
  ◦ Implement a Group-wide data protection management system, i.e. the necessary documentation and processes to ensure that data protection compliance (prevent, detect and respond to violations) is done systematically instead of ad hoc, and that any need for changes to the processing of data is addressed early on
  ◦ All procedures involving the processing of personal data have been documented, reviewed and adapted for compliance with applicable data protection laws, group policies and the IGDTA (where stricter), and are periodically reviewed for improvement
  ◦ All systems used for processing personal data shall provide an adequate level of data security in line with the recommended controls and measures of the ISO 27001 standard
  ◦ Eventually, the Group may have certain aspects of its data protection compliance externally audited and certified
• 30. Setting the Stage 1/2
Most companies have achieved only level 1 and/or 2 (in the past)
◦ No end-to-end data protection governance
◦ Data protection is handled ad hoc, and most companies can live well with it
The three biggest challenges...
◦ Establishing the information necessary for assessing the situation
  ◦ Where is the data, what is the purpose, what ...
◦ Lack of (human) resources and internal cooperation (IT, business, legal)
◦ Amendments of IT systems and business processes, and eventually the need to give up the processing of personal data that can no longer be justified
  ◦ e.g. storing in any form the health status of the client contact and/or their family
• 31. Setting the Stage 2/2
Pressure on the part of top management should increase due to the sanctions
But: the GDPR follows (and permits) a risk-based approach (where "risk" refers to the data subject's privacy risk)
◦ No company will be able to comply with the GDPR in every respect
◦ The risks have to be recorded, assessed and accepted.
• 32. How to handle the issue
Prepare
◦ Identify processes impacted
◦ Assemble a team
◦ Appoint mandated owners
◦ Document risks
Organize
◦ Identify and document processing purpose
◦ Conduct risk assessment
◦ Train all (key) staff
◦ Appoint a Data Protection Officer*
◦ Review privacy policies
◦ Prepare breach notification
Implement
◦ Manage consent
◦ Determine request handling procedures
◦ Remove old data where possible
* The DPO is a subject matter expert and coordinates the ongoing compliance; this can be an external role
• 33. General steps to undertake 1/2
Create/appoint a data protection office/officer
◦ A subject matter expert is required (even if not mandated by law)
◦ This figure is a legal expert, located within the region, who can be external and represents the organization (a legal entity, business unit or group); depending on the organization it can become a full-time role or can be outsourced
Document data processing activities and data protection compliance measures
◦ What data the company collects, why, who is responsible, where it is stored and how it is protected (in both physical and electronic format)
Data protection notices (internal, external), contracts with clients and other information have to be reviewed; options going forward need to be determined
Consent declarations need to be reviewed and amended going forward
Contracts with providers (and templates) need to be reviewed and amended
• 34. General steps to undertake 2/2
Processes and policies for data subject requests are to be established
Processes for assessing new data protection activities need to be created; guidelines for "privacy by design" and "privacy by default" are to be defined
Data transfer contracts with group companies and partners are to be reviewed and changed, or entered into, to the extent they do not yet exist
Technical and organizational data security measures are to be verified and updated; a process for handling data breaches is to be established
Check on the need to designate an EU representative as per Art. 27 GDPR
• 35. Final thoughts
Things are never as bad as advertised! This is also true of the GDPR
◦ Administrative sanctions will be proportional (this does not mean that you should not do anything!!)
But: unclear operational rules increase the risk of misunderstandings
◦ Improvements in data governance and compliance are required throughout the company, even if there won't be many changes in substance to company processes
◦ Data protection may become as important in internal compliance efforts as antitrust compliance is today (but it will require much more effort)
A risk-based approach is essential
◦ It works only when you understand your own data processing activities
External support helps, but internal resources are nevertheless necessary
Regular training on this subject will be required to remain compliant over time