Dovetail Software (hr.dovetailsoftware.com) sponsored this informative and important webinar, hosting experts Grant D. Petersen (ogletree.com/) and Estella Cohen (trustarc.com/), who shared information with HR practitioners and organizations that need to be GDPR compliant by May 25, 2018.
Here's the link to view the recording: http://hr.dovetailsoftware.com/dsadmin/2018/01/31/hr-gdpr-preparing-2018-compliance/
This presentation explains what GDPR is and the impact it will have on companies that process the data of EU citizens.
This guide explains the principles of GDPR, consent and user rights, and also explains how to implement GDPR in your organization.
Originally appeared at
http://backlinkme.net/definitive-guide-for-general-data-protection-regulation-gdpr-compliance/
With the new General Data Protection Regulation (GDPR) set to launch in May of 2018, many are wondering how it will change the way they do business. In this presentation, we explore how to ensure compliance of the new regulation.
Want more on GDPR compliance? Join us for this FREE virtual event: http://info.aiim.org/data-privacy-data-protection-gdpr
Legal obligations and responsibilities of data processors and controllers und... (IT Governance Ltd)
This webinar covers:
- The definitions of ‘data controller’ and ‘data processor’ under the GDPR.
- The responsibilities and obligations of controllers and processors.
- The data breach reporting responsibilities of controllers and processors.
- The liability of, and penalties that may be imposed on, data processors and controllers.
- The appointment of joint controllers and subcontracting processors.
The webinar can be found here https://www.youtube.com/watch?v=cyUPGGD3iVg&t=8s
Full GDPR toolkit: https://quality.eqms.co.uk/gdpr-general-data-protection-regulation-eu-toolkit
This free online training presentation provides you with information about how to comply with the General Data Protection Regulation, managing breaches, engaging employees, key requirements and more.
An Overview of the new GDPR regulations including:
• Data Protection Frame Work
• GDPR – Responsibilities
• GDPR – Changes
• GDPR - Exemptions
• GDPR – Rights
• Penalty
• Ten High Level Steps
This is a slightly modified version of a presentation that I gave to fellow lawyers last week. It explains what GDPR is, the policy of data protection and the evolution of data protection legislation from the OECD Guidelines and Council of Europe Convention to the GDPR. It explores the regulation focusing on the data protection principles and, in particular, the lawfulness requirement and the validity of consent. The presentation mentions the Law Enforcement Data Protection Directive, the Data Protection Bill and the arrangements post Brexit. Finally, it considers the preparations recommended by the Information Commissioner for small businesses.
GDPR is coming for you whether you’re ready or not. Companies must show compliance by May 25, 2018. Take a look at the presentation to learn more about the new law that is going to change the way data is handled across the world. Read about how it affects you and the steps you can take to make sure you’re GDPR ready!
About Extentia Information Technology:
Extentia is a global technology and services firm that helps clients transform and realize their digital strategies. With a focus on enterprise mobility, cloud computing, and user experiences, Extentia strives to accomplish and surpass your business goals. Our team is differentiated by an emphasis on excellent design skills that we bring to every project. Extentia’s work environment and culture inspire team members to be innovative and creative, and to provide clients with an exceptional partnership experience.
www.extentia.com
General Data Protection Regulations (GDPR): Do you understand it and are you ... (Cvent)
Whether you’re an event or hospitality professional in a small, medium or large organization, the General Data Protection Regulation (GDPR) is going to affect you. Get prepared with Cvent and Debrah Harding of Market Research Society before the 25th May deadline. GDPR is a new EU regulation, designed for the digital age. GDPR will strengthen an individual's rights and increase business accountability for data privacy and holding personal information. Organizations found breaching the regulations can face fines of up to 20 million Euros or up to 4% of annual global turnover. At Cvent we are already on track to becoming GDPR compliant and we want to advise our industry partners on how to become compliant too.
These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, which both the EU and UK remain strongly committed to. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO far from acts as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
Everything you Need to Know about The Data Protection Officer Role (HackerOne)
Data privacy and security expert, Debra Farber, presents on the emerging role of the Data Protection Officer (DPO). When the EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, companies around the world who process the personal data of EU residents will be required by law to appoint an independent DPO who has specific responsibilities and data protection knowledge.
MWLUG - 2017
Tim Clark & Stephanie Heit
Tim & Steph explain the basics of GDPR and give some recommendations about what you can do to be ready.
Data sources are in the final slides.
For more information about how BCC can help you get your Domino data ready for GDPR please contact us here.
http://bcchub.com/bcc-domino-protect/
How To Present Cyber Security To Senior Management Complete Deck (SlideTeam)
This template is useful for presenting a cybersecurity plan to higher authority. The cybersecurity officer will present it to top-level management. It will help in determining the roles and responsibilities of senior management and executives who are responsible for handling risks. The firm will also optimize its cybersecurity risk framework. The firm will assess the current concerns that are impeding cybersecurity in terms of the increase in cybercrimes, data breach and exposure, and the amount spent on settlements. It will also analyze the firm's current cybersecurity framework. The firm will categorize various risks and assess them on parameters such as risk likelihood and severity. The IT department will also improve its incident handling mechanism. A cybersecurity contingency plan will be initiated by the firm. In this plan, the firm will build an alternate site for backup maintenance. Backup site selection will be done by keeping certain parameters in consideration, such as cost of implementation, duration, location, etc. The other plan essentials include business impact assessment, vital record maintenance, recovery task list maintenance, etc. The template also includes information regarding the role of personnel in terms of the roles and responsibilities of line managers, senior managers and executives in risk management. It also includes information related to the role of top management in ensuring effective information security governance. The information regarding the budget required for the cybersecurity plan implementation is also provided, along with staff training cost. https://bit.ly/3iSww5L
Norfolk Chamber delivered a morning conference based around the European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. Delegates heard from a variety of GDPR expert speakers from legal, marketing, IT and Data Protection perspectives.
GDPR demystified - making sense of the regulation (James Mulhern)
Slightly outdated introduction to GDPR that tries to move away from the headlines on fines and emphasises the global nature of the regulation, the numerous forms of lawful processing and the absolute need to manage privacy and be transparent. Goes on to show how using public cloud can help solve part of the problem.
MyComplianceOffice presents our Oct 26th webinar, “Prepare Your Firm for GDPR”, co-hosted by MCO and Emily Mahoney, a Technology Lawyer at Mason Hayes & Curran.
On 25 May 2018 the new General Data Protection Regulation (GDPR) will come into force, replacing all existing data protection regulations.
Payroll bureaus process large amounts of personal data in relation to their customers, their customers’ employees, and their own employees. Consequently, the GDPR will impact most if not all areas of the business and the impact it will have cannot be overstated.
BrightPay hosted a free CPD accredited webinar alongside Bright Contracts where we discussed everything that accountants, bookkeepers and payroll bureaus need to know about GDPR.
For more information visit https://www.brightpay.co.uk
ABM Display Advertising Success in the World of GDPR [PPT] (Kwanzoo Inc)
In this webinar, see the specific impacts of GDPR on B2B companies as they plan, budget, launch and measure success from ABM advertising programs that reach and engage the 500 Million+ citizens of EU countries and the UK. Our panel of experts will cover the IT, Legal, Marketing, Data and Technology Provider side of GDPR compliance. All of these dimensions need to be addressed as you plan for the world of GDPR.
The General Data Protection Regulation (GDPR) tidal wave has hit; are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
Impact of GDPR on Third Party and M&A Security (EQS Group)
GDPR impact has been dissected and examined to death - however, M&A activities, as well as third-party security posture, can be greatly affected as well, and this aspect has not been very often pursued. This session hopes to be useful for that.
Introduction to EU General Data Protection Regulation: Planning, Implementati... (Financial Poise)
The GDPR changed the way the world collects, stores, and sends personal data. The GDPR is a broad EU regulation that requires businesses to protect the personal data of EU citizens, whether the business itself is in the EU or elsewhere. Since its implementation in 2018, companies that collect data on EU citizens must comply with strict rules for the protection of personal data or face heavy fines for non-compliance. This webinar will provide an overview of GDPR’s applicability and requirements, as well as how your organization may meet those standards.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-eu-general-data-protection-regulation-planning-implementation-and-compliance-2021/
The Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018. You should start preparing now for changes that GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
The Countdown is on: Key Things to Know About the GDPR (Case IQ)
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th. This powerful legislation strengthens data privacy laws in Europe and has implications for companies all over the world that store, process or transfer the information of the EU’s citizens.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
General Data Protection Regulation (GDPR) Implications for Canadian Firms (Accenture)
The General Data Protection Regulation (GDPR) represents significant challenges for financial institutions to comply with the new data processing and record keeping requirements. This Accenture Finance & Risk presentation explores the impact of GDPR on Canadian firms, including lessons learned from our work with clients and knowledge gained that can be used for an effective GDPR journey.
The General Data Protection Regulation and the DAMA DMBOK – Tools you can use for Compliance
Abstract: The General Data Protection Regulation will be the law governing data privacy in Europe in 2018. Surveys show that less than 50% of organisations are aware of the changes within the legislation, and even fewer have any plan for achieving compliance. In this session, Daragh O Brien takes us on a high level overview of the GDPR and how the disciplines of the DMBOK can help compliance.
Notes: DMBOK is an abbreviation for the "Data Management Book of Knowledge" which is published by DAMA International (The Data Management Association)
QA Fest 2017. Per Thorsheim. GDPR - An overview and its relevance for QA (QAFest)
This talk will give you a quick overview of the General Data Protection Regulation (GDPR), that goes into law in Europe starting May 25, 2018. Additionally the talk will primarily focus on the parts that are especially important for people working with testing & quality assurance. Organisations outside EU will also be heavily affected by this, as european organisations will require "GDPR compliance" from service providers, no matter their location.
2. Today’s Webinar
• Ask questions using the GTW control panel
• Share to Twitter & other social channels
• Twitter: @Dovetail
@TrustArc
@OgletreeDeakins
• Hashtag: #GDPRcompliance
• Q & A at 10 minutes before the hour
• Big thanks to our presenters:
Estella Cohen and Grant D. Petersen
3. GDPR
General Data Protection Regulation
A legal mandate that requires organizations to store and manage EU based individuals’ personal data: basic information, racial & ethnic origin, genetic & biometric information, and even political opinions.
Inventory & Store -> security
5. Estella Cohen
CIPM, CIPP/C, FIP; Senior Privacy Consultant; Toronto, Canada
Ms. Cohen holds dual designations from the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional (CIPP/C), and a Certified Information and Privacy Manager (CIPM), and just recently was accepted as an IAPP Fellow of Information Privacy (FIP).
She currently provides consulting and research services to private sector companies who do business in Europe and will need to demonstrate compliance with both the Privacy Shield Framework and the General Data Protection Regulation. Fluent in Spanish with an excellent working knowledge of French, she has shared her knowledge of access and privacy issues internationally.
6. Introduction of TrustArc
Solutions backed by unmatched people, process, and technology
Deep Privacy Expertise
• Large, global, 175+ person team
• Dozens of CIPPs, former CPOs, world renowned policy experts
• Many with decades of experience at top brands across all industries
Proven Methodology
• Informed by 20 years & thousands of engagements
• Based on key global standards: GDPR, FIPPs, OECD, etc.
• Developed by privacy experts, powered by industry leading technology
Powerful Technology
• Purpose built for privacy
• Flexible SaaS architecture
• Used by 1,000+ clients
• Operating at high scale for 6 years
• Ongoing enhancements
• Large engineering & support team
www.trustarc.com
7. Grant D. Petersen
Shareholder; Tampa, FL
Represents and Counsels Employers on:
• U.S. and International Labor and Employment Laws
• U.S. and Global Data Privacy and Data Protection Laws
• Foreign Corrupt Practices Act and other international anti-corruption laws
• Founder of Ogletree Deakins’ Data Privacy Practice Group
• Co-Founder of Ogletree Deakins’ International Practice Group
Additionally, Mr. Petersen advises clients regarding the impact of global data privacy laws in the workplace, the complexities of international transfers of human resources data, and practical steps for compliance with the upcoming General Data Protection Regulation. He speaks and writes on data privacy and employment issues regularly.
8. Introduction of Ogletree Deakins
With offices across North America and Europe, Ogletree Deakins’ practice and industry groups include: Data Privacy, Employment Law, International Law, and Traditional Labor Relations. Ogletree Deakins has a team comprised of experts who specifically cover GDPR Data Privacy.
www.ogletree.com
9. What You Need to Know about GDPR
• Most important thing to know
• Knowing where to start
• How will GDPR impact HR?
• Who does it impact?
• Why does it matter?
• Accountability and Security
• How to get more help or information
10. GDPR
General Data Protection Regulation
GOAL: One single privacy law for the EU
▫ Replaces previous 1995 Directive and national laws that had variations
▫ Applicability is now extra-territorial
– Based on “residency of individuals in EU”
– Applies to any business offering goods or services
▫ Where the organization is processing personal data
– Data that relates to an individual who can be identified from it (or other data associated with it)
– Regardless of format (digital, paper, audio, video, etc.)
– Doesn’t have to be names (ID by picture, IP addresses, device IDs, Cookies, etc.)
▫ Evidence of demonstrable compliance is the standard
▫ Takes effect May 25, 2018
12. Effective Date: 25 MAY 2018
The GDPR took 4 years to negotiate and is the most comprehensive data protection regulation ever enacted.
To Do
• Determine your exposure (more on that in a moment…)
• Determine your action plan for compliance, if needed
• Determine your response to customers who ask for your compliance status
• … because they will ask!
13. Core Rules remain the same
• GDPR retains same core rules as the current Data Protection Directive, with some notable changes
• "Sensitive" personal data has been expanded to include genetic and biometric data
• "New" rights have been codified, such as data portability and the "right to be forgotten"
• New obligations have been added around management, documentation, data breach notification, and more
To Do
• Review existing compliance (you are compliant, right?)
• Review new requirements
14. Cross-Border Transfers
• Transfer of personal data outside of EU is prohibited unless certain conditions are met (same as today)
• "Adequacy" can be met through
▫ Binding Corporate Rules
▫ Standard Contractual Clauses
▫ Code of Conduct and Certification Programs (tbd)
▫ EU-US Privacy Shield
▫ Allows for "explicit consent" but regulators have expressed skepticism
To Do
• Review your current transfers
• Determine and implement appropriate transfer mechanism
15. Special Categories of Personal Data
• “Special categories of personal data”
• “Particularly sensitive in relation to fundamental rights and freedoms” and, therefore, “merit specific protection.”
• Includes data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
To Do
• Review data sets for any sensitive data elements
• Review whether sensitive data is necessary for services
• Determine adequacy of consent mechanisms
16. Data Subject Rights
• Enhanced rights to notice, access, correction
• "Right to be forgotten" – erase data "without undue delay"
▫ If no longer necessary, objection, or unlawful processing
• Data Portability
▫ "Automated" processes, Controller must provide data in "machine-readable" format, transmittable to any other controller, even directly to a competitor
• Profiling and the Right to Object
▫ "Automated" processes that assess or predict things like: performance, economic situation (e.g., credit), health, personal preferences, interests and behavior, location and movements
To Do
• Review the applicability of these rights to your processes and impact of any exercise of those rights
• Develop processes to receive and process requests
17. Accountability
• You must not only comply, you must be able to demonstrate your compliance
• You must have a privacy impact assessment program for any "high risk to rights and freedoms" from processing and may be required to consult with your regulator
To Do
• Create and maintain a record of your data processing activities and privacy risk management activities
• Develop Privacy by Design, privacy-related training, etc., to ensure integration of privacy considerations into product development and engineering processes
• Develop a Privacy Impact Assessment program for any processing where data risk may arise
18. Security
• Controllers and Processors must “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
• Few specific requirements, but things like encryption, pseudonymization, data recovery, regular testing/assessments, are all referred to
• Breach notification standards: 72 hours after awareness (unless "reasoned justification" which will need to be communicated to DPA)
To Do
• Develop a Breach Response plan with pre-defined notification templates
• Regularly test response plan, update with latest contacts and defined responsibilities
• Review adequacy of security audits, including review and audits of key service providers
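The security slide names pseudonymization as one of the measures the GDPR refers to, and the special-categories slide lists data that should not travel with a data set unless it is needed. The Python example below is added here; it is not code from the webinar, from TrustArc or from Ogletree Deakins. It shows one way to pseudonymize an HR extract before it is handed to an analytics team: direct identifiers are replaced by a keyed HMAC-SHA256 token, the key and the token-to-employee lookup stay with HR, and fields the purpose does not need (including a health field) are dropped. The field names and the sample records are constructed for the example.

```python
"""Pseudonymizing an HR extract before sharing it (added example, not webinar code).

Rows in the shared extract stay linkable to each other (same employee, same
token) but not to a person without the key that HR keeps. Everything not
needed for the stated purpose is dropped, which is the data-minimization point.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Fields the analytics purpose actually needs (constructed for this example).
# employee_id, name, email and health_note are deliberately not in the list.
ANALYTICS_FIELDS = ("department", "country", "engagement_score")

# Constructed sample HR records; not real people. Two rows for E-1001 stand
# for two survey rounds, to show that one employee keeps one token.
SAMPLE_RECORDS: List[Dict] = [
    {"employee_id": "E-1001", "name": "A. Example", "email": "a@example.invalid",
     "department": "Finance", "country": "DE", "engagement_score": 7,
     "health_note": "special-category data, must not leave HR"},
    {"employee_id": "E-1002", "name": "B. Example", "email": "b@example.invalid",
     "department": "Finance", "country": "FR", "engagement_score": 8,
     "health_note": ""},
    {"employee_id": "E-1001", "name": "A. Example", "email": "a@example.invalid",
     "department": "Finance", "country": "DE", "engagement_score": 6,
     "health_note": ""},
]


def new_pseudonymization_key() -> bytes:
    """Secret key for the tokens. Store it separately from the shared extract."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed one-way token for a direct identifier.

    HMAC rather than a plain hash: without the key, a recipient cannot rebuild
    the token from a guessed employee ID and so cannot re-identify a row.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (shared_extract, lookup).

    shared_extract carries only the token and ANALYTICS_FIELDS; lookup maps
    token -> employee_id and stays with the controller under access control.
    """
    shared: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(rec["employee_id"], key)
        lookup[token] = rec["employee_id"]
        row = {"subject": token}
        row.update({f: rec[f] for f in ANALYTICS_FIELDS if f in rec})
        shared.append(row)
    return shared, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controller-side reversal, e.g. to act on an access or erasure request."""
    return lookup.get(token)


def leaked_identifiers(shared: List[Dict]) -> List[str]:
    """Release gate: report any direct identifier or health field still present."""
    forbidden = {"employee_id", "name", "email", "health_note"}
    return sorted({k for row in shared for k in row if k in forbidden})


if __name__ == "__main__":
    key = new_pseudonymization_key()
    extract, lookup = pseudonymize(SAMPLE_RECORDS, key)
    assert not leaked_identifiers(extract)
    for row in extract:
        print(row)
    # The two E-1001 rows carry the same token, so longitudinal analysis still works.
    print("E-1001 tokens:", {r["subject"] for r in extract if reidentify(r["subject"], lookup) == "E-1001"})
```

Rotating the key (or deleting the lookup) for a finished extract breaks the link back to individuals while leaving the analytics rows usable; whether the result then counts as anonymous rather than pseudonymous is a legal assessment the slides leave to counsel, so the code only provides the mechanism.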
19. Foundation for Article 30
Who, What, Why Behind Article 30
Article 30 GDPR = Records of Processing Activities
Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility.
Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller.
The records shall be in writing, including in electronic form.
The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.
The obligations shall not apply to an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
20. Data Mapping
• The GDPR doesn’t actually require data maps, but rather a “record of processing activities”
• However, it is hard to capture the multi-linear connections between different data flows and assets without some form of visualization
• Data visualizations or “maps” help companies to understand the data they hold and build in controls to manage any inherent risk
• Many different approaches exist – common tools include Visio and LucidChart
21. Knowing Where to Start
Scope out the project
Don’t reinvent the wheel
Start small, then expand
22. HR Data is Unique Under GDPR
• The GDPR permits each EU country to enact their own, stricter requirements for HR data
• EU regulators treat HR data differently (employee consent is not a valid basis to process HR data)
• HR data processing involves more sensitive data (racial or ethnic origin, health data, criminal record, etc.)
• Companies engage in more invasive monitoring regarding employee data (computer & internet usage, GPS, etc.)
• BOTTOM LINE: Companies need a robust GDPR compliance program specific to HR data
24. GDPR HR Data
Country-Specific Requirements Permitted
Comply with Local Labor Laws
§ Appears to defeat the purpose of the GDPR to establish a single set of data protection rules
§ Austria: Employers cannot collect sensitive data unless required by employment law (i.e., collect trade union membership data only for deduction of union dues)
§ Belgium: Former employers cannot provide reason for termination to new employers
§ Applies to all EU residents including expat employees
§ Germany: passed HR data requirements in June 2017
§ Portugal: Employers prohibited from collecting unnecessary data during recruitment such as name and profession of spouse, number of children, and bank account information
25. GDPR HR Data
Collective Agreements/Works Councils
§ National or trade collective agreements often contain stricter data privacy requirements
§ Employers must consult works councils regarding data privacy matters including employee monitoring policies
Data Minimization/Legal Basis
§ Review HR data collection practices to collect only necessary data
§ Use anonymization and pseudonyms
§ Employers cannot rely on employee consent
§ Base collection on performance of employment contract, legal obligation, or legitimate interest of employer v. employee rights
26. GDPR HR Data
Recruitment
§ Only collect data necessary for job
§ Criminal history can be processed only if authorized under EU or national law
§ Employer must notify applicant if it reviews applicant’s social media
§ Delete recruitment data as soon as it is clear that applicant will not be hired
Employee Monitoring
§ Must provide advance notice of monitoring and reasons for monitoring
§ Continuous monitoring of computer and internet usage is improper
§ Implement preventative measures rather than monitor:
  § Block/notify regarding suspicious activities
  § Acceptable use policy
  § Provide “personal space”
27. GDPR HR Data
BYOD
§ Avoid accessing private areas of employee’s device (i.e., photos, etc.)
§ Use technologies that provide privacy safeguards (i.e., sandboxing)
§ If cannot prevent monitoring of private areas of employee devices, prohibit BYOD
GPS Tracking/Surveillance
§ Notice of location/behavior tracking must be placed within eyesight of driver
§ Permit employees to turn off vehicle or device GPS during non-working hours
§ Install preventative measures: cell phone use block, automatic braking, lane departure alerts
§ Use video surveillance for security reasons, not performance evaluation
28. GDPR HR Data
Employee Hotlines
§ Valid if applies to violations of EU or Member State laws (not U.S. laws) or furthers employer interest that outweighs employee privacy rights (accused’s privacy rights must be protected)
§ Limit reports to bribery, financial and auditing issues, and serious violations of EU or local law
§ Cannot encourage but can accept anonymous reports
Employee Access Requests
§ Employers must provide employees with access to their data
§ Employees entitled to see evaluations, including subjective assessments
§ Employees have right to correct inaccurate data, object to improper processing of data, request rationale for any automated decisions, and request portability of data
29. GDPR HR Data
Cross-Border Data Transfers
§ Access to HR data of EU employees stored on HRIS by personnel outside of the EU is a cross-border transfer
§ Employers must have legal purpose to transfer HR data
§ Employer cannot transfer HR data outside of EU unless it transfers data to a country with adequate protections or it uses standard contract clauses, BCRs, or Privacy Shield
Employee Access Requests
§ DPIA is required for a processing function involving HR data if any of the following criteria are involved:
  § Evaluation of work performance
  § Systematic monitoring
  § Sensitive data
  § Cross-border transfers
  § Automated decisions
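Slide 19 quotes the Article 30 record-keeping duty and its under-250-persons exception, slide 14 lists the recognised transfer mechanisms, and the slide above lists the HR criteria that trigger a DPIA. The Python example below is added here and is not code from the webinar or from either firm; it models a minimal register of processing activities and checks each entry against those three rules. The field set is this example's own simplified schema (not the full Article 30(1) content), the mechanism names are taken from the slides, and the sample register is constructed for a hypothetical 120-person employer.

```python
"""Minimal register of processing activities (added example, not webinar code).

Rules encoded, each as stated on the slides:
  Art 30(5), slide 19: under 250 persons the record duty still applies if the
    processing is likely to risk data subjects' rights, is not occasional, or
    involves Article 9(1) special categories or Article 10 criminal data.
  Slide 29: DPIA required for performance evaluation, systematic monitoring,
    sensitive data, cross-border transfers or automated decisions.
  Slides 14 and 29: no transfer outside the EU without an adequate country,
    SCCs, BCRs or Privacy Shield.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RECOGNISED_TRANSFER_MECHANISMS = {
    "adequate_country", "standard_contractual_clauses",
    "binding_corporate_rules", "privacy_shield",
}


@dataclass
class ProcessingActivity:
    """Simplified register entry (this example's schema, not Art 30(1) in full)."""
    name: str
    purpose: str
    data_subjects: str
    data_categories: List[str] = field(default_factory=list)
    special_categories: bool = False   # Article 9(1) data
    criminal_data: bool = False        # Article 10 data
    occasional: bool = False
    risk_to_rights: bool = False
    evaluates_performance: bool = False
    systematic_monitoring: bool = False
    automated_decisions: bool = False
    transfers_outside_eu: bool = False
    transfer_mechanism: Optional[str] = None


def dpia_triggers(a: ProcessingActivity) -> List[str]:
    """Slide 29 criteria; a DPIA is required when the list is non-empty."""
    checks = [
        (a.evaluates_performance, "evaluation of work performance"),
        (a.systematic_monitoring, "systematic monitoring"),
        (a.special_categories, "sensitive data"),
        (a.transfers_outside_eu, "cross-border transfers"),
        (a.automated_decisions, "automated decisions"),
    ]
    return [label for hit, label in checks if hit]


def article30_record_required(a: ProcessingActivity, headcount: int) -> bool:
    """Art 30(5): 250+ persons always; below that, only if an exception applies."""
    if headcount >= 250:
        return True
    return a.risk_to_rights or not a.occasional or a.special_categories or a.criminal_data


def transfer_findings(a: ProcessingActivity) -> List[str]:
    """Slides 14 and 29: a transfer outside the EU needs a recognised mechanism."""
    if a.transfers_outside_eu and a.transfer_mechanism not in RECOGNISED_TRANSFER_MECHANISMS:
        return [f"transfer outside EU without recognised mechanism ({a.transfer_mechanism!r})"]
    return []


def review_register(register: List[ProcessingActivity], headcount: int) -> Dict[str, Dict]:
    """Per activity: record duty, DPIA triggers and open transfer findings."""
    return {
        a.name: {
            "article30_record_required": article30_record_required(a, headcount),
            "dpia_triggers": dpia_triggers(a),
            "findings": transfer_findings(a),
        }
        for a in register
    }


# Constructed register for a hypothetical 120-person EU employer (not real data).
SAMPLE_REGISTER = [
    ProcessingActivity("payroll", "pay salaries and remit taxes", "employees",
                       ["bank details", "salary", "tax id"],
                       transfers_outside_eu=True,
                       transfer_mechanism="standard_contractual_clauses"),
    ProcessingActivity("internet usage monitoring", "detect policy violations", "employees",
                       ["web logs", "login times"],
                       systematic_monitoring=True, evaluates_performance=True,
                       transfers_outside_eu=True,
                       transfer_mechanism="US vendor, contract silent on transfers"),
    ProcessingActivity("one-off office move survey", "plan seating", "employees",
                       ["desk preference"], occasional=True),
]

if __name__ == "__main__":
    for name, result in review_register(SAMPLE_REGISTER, headcount=120).items():
        print(name, result)
```

Payroll is recorded even below the 250-person threshold because it is not occasional, and its transfer under SCCs produces no finding but still counts as a DPIA trigger under the slide's criteria; the monitoring activity collects three triggers and an unresolved transfer.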
31. GDPR – what we’ve covered…
General Data Protection Regulation
HOW HR is impacted
WHY it matters
Are there fines associated with non-compliance?
Let’s talk about DPIAs.
32. Benefits of Knowing & Preparing
“HR’s role will encompass not just communication, but also training and change management across all business units, such as IT and legal. As well as pushing back on resistance to change, HR will need to figure out incentives to ensure employee engagement.”
– Jeremy Baker, Affiliate Professor at ESCP Europe Business School
• Focus on data allows HR to be more strategic
• More data points around engagement and diversity
• Boost to productivity and performance
• Increase trust in employees, as well as customers/clients, that comes from being a privacy centered organization
* From Workday Rising 2017 conference in Barcelona last November.
https://blogs.workday.com/european-data-protection-and-the-path-to-gdpr-compliance/