Now that the European Union (EU) has enacted the General Data Protection Regulation (GDPR), it is easy to assume that the regulation applies only to multinational or European companies. GDPR will certainly impact businesses in the EU, but its applicability extends to international businesses, even those based in the United States.
In this webinar, Daniel Cohen-Dumani and Anupam Goradia of Withum cover what exactly GDPR is and why it is important to your business. We also share practical tips and best practices on how to ensure your compliance.
Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business
1. WithumSmith+Brown, PC | BE IN A POSITION OF STRENGTH 0SM
withum.com
Presented by:
Anupam Goradia, CPA, CISA, CITP
Daniel Cohen-Dumani, Partner, Market Leader
Webinar: Introduction to GDPR: What It Is, How It Will Affect Your Business and How to Stay Compliant

About Daniel
Daniel Cohen-Dumani, Partner, Market Leader
@dcohendumani
dcohendumani@withum.com
15+ years of Digital Transformation
Expertise with Office 365, SharePoint and Dynamics
SharePoint Visionary
Interests: Productivity in the Modern Workplace. Work 2.0
Started working with SharePoint when nobody could spell it

About Anupam
Anupam Goradia, CPA, CISA, CITP, Senior Manager
agoradia@withum.com
15+ years of public accounting experience, plus extensive experience in internal audit, risk management and internal control related consulting services.
Member of Withum’s Cybersecurity team as well as the Governance, Risk and Compliance Services team.
Specializes in Construction, Government, Not-for-Profit and Education, and Real Estate
Agenda
Introduction: What Is GDPR?
How Does GDPR Impact Your Business?
What Can You Do to Stay Compliant?
The Role of Microsoft Technology in Ensuring Compliance
Q&A
digital.withum.com

The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
Providing clarity and consistency for the protection of personal data:
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

General Data Protection Regulation (GDPR)
A European Union regulation
It is about the protection of privacy and data of EU “data subjects”
Has implications beyond EU
Organization for Economic Co-operation and Development (OECD)
Non-compliance can have penalties
Poll Number 1:
Do you currently have EU exposure that would require GDPR compliance?
Yes
No

History of Privacy Regulation in Europe
OECD documented first guidelines in 1980
Data protection directive was issued in 1995
OECD revises guidelines in 2013
EU Parliament approves GDPR in 2016
Data protection and its regulation is a global phenomenon

Implications Beyond EU
GDPR affects your organization if:
Your organization offers goods or services to EU data subjects or monitors their behavior
Processes and holds “personal data” of data subjects residing in EU (regardless of organization’s location)

Penalties for Non-Compliance
Up to 4% of annual global turnover or 20 Million Euros (maximum).
Which businesses can be subject to penalty?
• If your organization offers goods or services to EU data subjects or monitors their behavior
• Processing and holding of “personal data” of data subjects residing in EU (regardless of organization’s location)

Personal Data
Includes
• Name
• An identification number
• Location data
• Computer IP address
• An online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Subjects
Identified or identifiable natural person
Poll Number 2:
Which of the following is false:
1) GDPR extends to paper based records
2) GDPR stands for Gross Domestic Product Regulation
3) GDPR will not impact UK due to Brexit

Right to Access
Data subjects have a right to obtain a free copy of their personal data in an electronic format.
Data subjects can request information on where the data is being processed and for what purposes.

Right to be Forgotten
Also known as right of erasure
Data subjects can request to:
• Erase his/her personal data
• Cease further dissemination of the data
• Have third parties halt processing of data
Discretion in cases when there is public interest in the availability of data

Data Portability and Conditions of Consent
Data Portability
• Data subjects have the right to transmit data to another data controller
Conditions of Consent
• Data subjects have to give their informed consent; consent cannot be assumed

Privacy by Design
Inclusion of data protection from the onset of the designing of systems
Requires organizations to ‘implement appropriate technical and organizational measures….in an effective way…in order to meet the requirements of this Regulation and protect rights of data subjects’.

Other Requirements
Breach notifications
• Within 72 hours of becoming aware of the breach*
Data Controller and Data Processor
• Processor has to meet compliance
Data Protection Officer “DPO”
• Most companies would be required to designate a DPO
* According to a recent report from FireEye, it takes an average of 146 days to discover a breach

Summary of Key Changes for GDPR
Personal Privacy
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and Notifications
Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent Policies
Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and Training
Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
Poll Number 3:
GDPR may not apply to the following:
1. A local dollar store
2. A company providing online education across borders
3. A data center hosting payroll records of EU citizens located in Virginia, United States

Where Do We Stand on GDPR Compliance?
Over half of US multinationals say GDPR is their top data protection priority
While 24% of respondents plan to spend under $1 million for GDPR preparations, 68% said they will invest between $1 million and $10 million. Nine percent (9%) expect to spend over $10 million to address GDPR obligations
23% of surveyed respondents have not started GDPR compliance
71% have begun GDPR preparation
Source: December 2016 PwC Survey

What Needs to be Done:
1. Data Discovery
2. Information Security Enhancement
3. Third-Party Risk Management
4. GDPR Gap Assessment
5. Remediation

Let’s Talk Small Business…
Do I Even Have to be Compliant?
Now?
Maybe now?
In the future?
Never?
Regardless of the GDPR Compliance Requirements…
Data protection should be your number one priority!
These basics should always be in place at your organization:
• IT Policies and Procedures
• Cybersecurity Risk Assessment
• IT Audits
• Penetration Testing
Available framework - NIST Small Business IT Framework
GDPR is all about data protection!
Data protection should be every organization’s top priority!

Preparing for the GDPR
Leverage guidance from experts
Simplify your privacy journey
Uncover risk & take action

How Do I Get Started?
1. Discover: Identify what personal data you have and where it resides
2. Manage: Govern how personal data is used and accessed
3. Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
4. Report: Keep required documentation, manage data requests and breach notifications
Poll Number 4:
Do you currently have Office 365?
1. Yes
2. No
3. Not sure

1 Discover: Identify what personal data you have and where it resides
In-scope:
Inventory:
Examples of Microsoft Solutions:
Microsoft Azure: Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS): Microsoft Cloud App Security
Dynamics 365: Audit Data & User Activity; Reporting & Analytics
Office & Office 365: Data Loss Prevention; Advanced Data Governance; Office 365 eDiscovery
SQL Server and Azure SQL Database: SQL Query Language
Windows & Windows Server: Windows Search

2 Manage: Govern how personal data is used and accessed
Data governance:
Data classification:
Examples of Microsoft Solutions:
Microsoft Azure: Azure Active Directory; Azure Information Protection; Azure Role-Based Access Control (RBAC)
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Security Concepts
Office & Office 365: Advanced Data Governance; Journaling (Exchange Online)
Windows & Windows Server: Microsoft Data Classification Toolkit

3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities & data breaches
Preventing data attacks:
Detecting & responding to breaches:
Examples of Microsoft Solutions:
Microsoft Azure: Azure Key Vault; Azure Security Center; Azure Storage Services Encryption
Enterprise Mobility + Security (EMS): Azure Active Directory Premium; Microsoft Intune
Office & Office 365: Advanced Threat Protection; Threat Intelligence
SQL Server and Azure SQL Database: Transparent data encryption; Always Encrypted
Windows & Windows Server: Windows Defender Advanced Threat Protection; Windows Hello; Device Guard

4 Report: Keep required documentation, manage data requests and breach notifications
Record-keeping:
Reporting tools:
Examples of Microsoft Solutions:
Microsoft Trust Center: Service Trust Portal
Microsoft Azure: Azure Auditing & Logging; Azure Data Lake; Azure Monitor
Enterprise Mobility + Security (EMS): Azure Information Protection
Dynamics 365: Reporting & Analytics
Office & Office 365: Service Assurance; Office 365 Audit Logs; Customer Lockbox
Windows & Windows Server: Windows Defender Advanced Threat Protection
NEXT STEPS
To learn more about GDPR visit digital.withum.com
Are You Prepared to Meet GDPR Compliance?
Take advantage of our no obligation consultation.
We’ll help you make sure you’re on the right path to being
prepared.
Schedule a Free Consultation