Recommended
More Related Content
What's hot
What's hot (20)
Similar to What happens if you’re not ready for the GDPR?
Similar to What happens if you’re not ready for the GDPR? (20)
More from Digital Transformation EXPO Event Series
More from Digital Transformation EXPO Event Series (20)
Recently uploaded
Recently uploaded (20)
What happens if you’re not ready for the GDPR?
- 1. © 2017 Sungard Availability Services, all rights reserved IP EXPO 2018 What happens if you’re not ready for the GDPR? Rogelio Aguilar, MSc (InfoSec), FIP CIPPM, CIPP/E, MBCI, MBCP, CISSP, CISM, CISA, ISO27001LA, BEng (Cyber) Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 2. 2© 2017 Sungard Availability Services, all rights reserved Sungard AS is a Leading Provider of Critical Production and Recovery Services Public
- 3. © 2017 Sungard Availability Services, all rights reserved Disclaimer: This presentation does not constitute legal advice. Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 4. 4© 2017 Sungard Availability Services, all rights reserved Time flies when you’re having fun! 2012 – The EC proposes to reform the Directive and create a General Data Protection Regulation. The trialogue starts European Commission European Parliament Council of the EU GDPR enters into force in May 2016 Grace period 25 May 2018 – GDPR will become fully enforceable by DPAs Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 5. 5© 2017 Sungard Availability Services, all rights reserved Quick re-cap: What is the GDPR? • The European Union's General Data Protection Regulation [GDPR] is a legal framework for handling personal data of individuals based in the EU, wherever in the world their data ends up being held or used. • It will be enforceable from 25th May 2018 and impacts any business inside and outside the EU, regardless of vertical, business model, geographical location or jurisdiction. To the extent that they offer products or services to EU-based individuals or track their online behaviour, it will impact also businesses with no physical offices in the EU and businesses who store and handle personal data exclusively out of the EU. • Given this extraterritorial impact of the law, a great many businesses round the world will come within scope of EU data protection laws for the first time in May 2018. Source: Rustici, GDPR: The Functional Specifications of EU-Grade Privacy Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 6. 6© 2017 Sungard Availability Services, all rights reserved Differences between a standard and the law. ISO 27001 • It’s voluntary • The scope is decided by the organization: The organization shall determine the boundaries and applicability of the information security management system to establish its scope. ISO 27001, Clause 4.3 • There are no penalties for not implementing • Recertification required every three years (ISO 27001, Clause 9.6.3) GDPR • It’s compulsory • The scope is defined by the law: This regulation lays down rules relating to the protection of natural persons with regards to processing of personal data….protects fundamental rights and freedoms…(Art 1) • Tough penalties for non compliance • Accountability - The controller shall be responsible for, and be able to demonstrate compliance with...(the law) Art. 5.
- 7. © 2017 Sungard Availability Services, all rights reserved GDPR should be a Business Strategy The framework outlined by the GDPR is designed to facilitate digital business, and once compliance is achieved, your organization will have the solutions and process in place to maximize the value of personal data securely... To take advantage of these opportunities and mitigate risk, business must be flexible and embrace GDPR as a strategic initiative. TrustHub blog Oct 2016. Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 8. 8© 2017 Sungard Availability Services, all rights reserved Some important GDPR matters (but not all!) Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED AWARENESS PRIVACY NOTICES ACCOUNTABILITY DATA SUBJECT RIGHTS PERSONAL DATA HOLD SUBJECT ACCESS REQUEST (SAR) DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS. PERSONAL DATA BREACHES DATA PROTECTION OFFICER LEAD SUPERVISORY AUTHORITY LAWFUL BASIS FOR PROCESSING PERSONAL DATA INTERNATIONAL TRANSFERS OF PERSONAL DATA MANAGEMENT OF CONSENT VENDOR MANAGEMENT CHILDRENS’ PERSONAL DATA PRIVACY SEALS
- 9. 9© 2017 Sungard Availability Services, all rights reserved Common causes of readiness’ delay. CLIENT CONFIDENTIAL • We just learnt about the GDPR • Our teams were busy with other priorities (MiFID 2) • We don’t have in-house experience. • Budget was not allocated for GDPR work. • (In the UK) Uncertainty on Brexit related matters. • We have moved our systems to the cloud. There’s still time, but there’s no time to spare.
- 10. 10© 2017 Sungard Availability Services, all rights reserved What will happen if we are not ready by the deadline? CLIENT CONFIDENTIAL • Your company will be in breach of the law and can be sanctioned. • It is possible to get a massive fine on the first few days of enforcement, but it’s unlikely, however • Non-compliance will make it difficult to sign and/or renew contracts. • Class actions, and no-win/no-fee (PPI style) are a possibility.
- 11. 11© 2017 Sungard Availability Services, all rights reserved • It is more stringent than the UK Data Protection Act introducing multiple requirements for businesses with wide implications on people, process and technology. • ACCOUNTABILITY – Demonstrate compliance • TRANSPARENCY – No surprises for the individual General Data Protection Regulation 2Pillars of GDPR: • Accountability • Transparency GDPR – Article 5 Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 12. 12© 2017 Sungard Availability Services, all rights reserved • Create or review your records of processing activites. • Make sure to do it as indicated in the GDPR Art. 30 • Identify processing activities that are high risk FOR THE INDIVIDUAL and conduct DPIAs • N.B. PIA ≠ DPIA • Follow Art 35 prescriptions (and recitals) • Supply chain matters! Data processors must ensure they use, store and protect personal data in accordance with controller’s requirements. • Create adequate Privacy Notices 1. KYB – Know your Business 4Vital actions that need careful consideration DeLL GDPR Global Survey, Oct 2016 Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 13. 13© 2017 Sungard Availability Services, all rights reserved • Ensure top management sponsorship. • Hint: CEO is responsible for regulatory compliance • Appoint a Data Protection Officer • (or a Privacy Officer if a DPO is not required). • Create a roadmap to guide your efforts towards compliance. Create a Data Protection Programme GDPR is for life not Just for May Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED
- 14. © 2017 Sungard Availability Services, all rights reserved Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED Sungard AS can help Some of our Services: • GDPR Masterclasses for the C-Suite • Data Protection Impact Assessments (DPIA) • DPO Coaching (Cyber Security, Privacy & Resilience) • Gap Assessments and Development of Roadmaps • Setting-up a Data Protection Programme • Personal Data Breach Response Plan • Privacy policies and notices, etc.
- 15. 15© 2017 Sungard Availability Services, all rights reserved Q A Data Classification: RESTRICTED - NOT TO BE DISTRIBUTED