
General Data Protection Regulation Awareness

WELCOME

Katie Lehoullier (Host), Academy Coordinator, TUV USA, Inc.

• Welcome

Uwe Rühl (Presenter), Owner & Managing Director, RUCON Group

• GDPR Overview

Scott Wilson (Presenter), Chief Security & Privacy Officer, Ventiv Technology Inc.

• GDPR implementation experience in the USA and globally

Scott Grossman (Presenter), Sales Director, TUV USA, Inc.

• What TUV USA can do for you?

GENERAL DATA PROTECTION REGULATION (GDPR) AND DATA PROTECTION MANAGEMENT SYSTEMS

TUEV Nord Webinar – November, 1st 2017

HI, MY NAME IS UWE…

Uwe RUEHL │ RUCON-Group.com │ Nov, 1st 2017

Source: https://danubeonthames.wordpress.com/germanyaustria/germanyaustria-summer-school-2016/german-an-angry-language-or-a-poor-perception-by-non-native-speakers/

Living in and working out of Nuremberg, Germany

45 years old

Job experience in Telecoms, Emergency Services and Emergency Dispatch Centers, B2B Services

Master's degree in Risk and Compliance Management and Business Administration

Personal motto: “The more standards, the more fun!”

WHY I AM TALKING ABOUT GDPR HERE…

Uwe RUEHL │ RUCON-Group.com │ Nov, 1st 2017

Experience in Information Security, Data Privacy, Business Continuity and Risk Management for over 20 years

Data Privacy Officer since 2001

Have been doing audits in management systems since 2004

My team and I have been consulting, training and auditing organizations globally in ISO/IEC 27001, ISO 22301, ISO … and BS 10012 since 2005

We are the-management-system-artists.com and will be available in the US from 2018 on

Email: [email protected]

Twitter: @Uwe_Ruehl

Follow me on LinkedIn

Principal / Data Owner: rights and freedoms with respect to Personally Identifiable Information (PII), given by EU human rights

Access to information; Rectification; Erasure; Restriction of processing; Data portability; Objection

• Clear and unambiguous consent
• Necessary to perform a contract or take steps to enter a contract
• Necessary for compliance with a legal obligation
• Necessary to protect vital interests of the principal
• Necessary to perform a task in the public interest
• Necessary for legitimate interests of the data controller

• Controller may be the processor, or processing may be sub-contracted

• Certification on a voluntary basis is possible as evidence of accountability and conformity

• EU data privacy authorities and certification bodies may offer certification

• Certification bodies should be accredited based on Art. 43 of GDPR

• Certification addresses both the controller and the processor

• Accreditation scheme not yet available!

GDPR – ART. 42/43

ISO 29100 series

- complex; no Data Protection Management System standard available yet

- but a good extension to existing management systems

ISO/IEC 27001

- suitable, but the scope of the management system needs to cover all aspects of processing PII

ISO/IEC 27018

- good approach, but limited to public cloud services

BS 10012:2017

- covers all relevant aspects of GDPR in a Data Protection Management System

ISO/IEC 27018
• Extension to an ISMS
• Protecting PII in public cloud services

ISO/IEC 27001
• An Information Security Management System can be used as the basis by integrating data privacy principles and controls

BS 10012:2017
• National British standard – Personal Information Management System

ISO 29100 series
• Series of data privacy and privacy management standards
• No Data Privacy Management System standard available yet


ISO 29100 – ISO data privacy principles

In line with OECD and EU principles!


ISO/IEC 27001

Source: https://www.nuernbergwiki.de/index.php/Schedelsche_Weltchronik; Schedel 1493


ISO/IEC 27018

Source: https://www.nuernbergwiki.de/index.php/Schedelsche_Weltchronik; Schedel 1493


BS 10012:2017

At this time the only Data Protection Management System standard available!

Conforms to GDPR requirements as addressed to Controller and Processor!

No specific data security and data privacy controls!

GDPR conform DPMS =

Basic Management System Standard: BS 10012 (non-accredited), ISO/IEC 27001 (or ISO 9001)

+ GDPR related procedures: BS 10012 chapters 6.1 and 8.2

+ Data Security and Data Privacy Controls: ISO/IEC 29151

+ Data Privacy Impact Assessment: ISO/IEC 29134

WHAT STANDARDS CAN DO TO HELP TO COMPLY WITH GDPR

Conclusion:

All relevant material for a GDPR conform Data Privacy Management System is already available!

Please do not under-estimate the implementation effort

Alex Pentland, Professor at MIT and Multi-Entrepreneur and author of

http://socialphysics.media.mit.edu/

EU DATA PRIVACY PRINCIPLES AS ROLE MODEL?

IMPLEMENTING GDPR IN A GLOBAL COMPANY

TUV Nord Webinar – November, 1st 2017

Scott Wilson, Chief Security & Privacy Officer for Ventiv Technology. Scott has been with Ventiv for over 8 years and is a member of the executive team. He currently oversees the security, privacy & compliance functions globally for the company. This includes operations in the U.S., Europe, Middle East, and APEC.

Scott possesses 20+ years of IT operations, service delivery, security and privacy experience. Prior to joining Ventiv, Scott served in several Director-level roles (Systems Engineering, Service Desk & Data Center Operations, Network Operations) at EarthLink, running both internal MIS systems and all customer-facing systems/services. Scott has also held various technology leadership roles at Bridge Information Systems (Thomson Reuters) and at Savvis.

Email: [email protected]; LinkedIn: https://www.linkedin.com/in/scottrichardwilson/

“If your organization can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organization open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”

Elizabeth Denham, Chair, Information Commissioner’s Office

Agenda

GDPR

About Ventiv Technology & setting the stage

Why Ventiv Tech falls under the scope of the GDPR

Why should your company care about GDPR

Scope of the GDPR

Organizational

Path to compliance

Records of processing

Demonstrating Compliance

GENERAL DATA PROTECTION REGULATION (GDPR)

What is the GDPR?

• GDPR is a complete overhaul/replacement of the EU Data Protection Directive

- This is the most wide-reaching privacy regulation in the world (more geographies will be following suit)

• It is binding on all EU member states and becomes enforceable on May 25, 2018

- Harmonizes data privacy laws across the EU member states

• Material & territorial scope increase

- Applies to all organizations (based inside or outside the EU) that handle, store or process EU personal data, regardless of where the data is processed

- Customer & employee data

- Broadens the definition of personal data (IP and MAC addresses, physical addresses, cookies, biometrics, geolocation, VIN, email addresses, etc.)

- Increase in data subject rights (access requests, objection to processing, erasure, rectification, etc.)

- Raises the bar for establishing a legal basis for processing (consent, fulfillment of a contract, legitimate interest, etc.)

- Cross-border data transfers

• Allows for administrative sanctions and financial penalties

- You do not have to have a data breach to be fined: simply being non-compliant with the regulation opens an organization up to administrative sanction & fines

- Cease & desist orders

- Processors now have statutory obligations under the regulation

ABOUT VENTIV TECHNOLOGY

Setting the stage

Ventiv is the largest independent risk, safety, and insurance technology provider (software and SaaS) in the insurtech market

Our solutions serve some of the most innovative and complex companies and empower them to reduce costs, streamline processes and improve overall performance

500+ global customers

Several Fortune 50 companies

Operations in the U.S, Europe, & Asia

1 Billion+ records hosted across 4 global data centers

12 Billion+ transactions a year

DOES THE GDPR APPLY TO US?

1. Does your organization have a legal entity established in the EU?

2. Does your organization have any other form of establishment in the EU? Establishment can mean any of the following:
A. A website which operates in a language of an EU country (other than English)
B. A branch or subsidiary of your firm is located in the EU (employees)
C. Equipment (computers or a local address for post) in the EU
D. Your organization processes EU personal data

3. Does your organization offer goods or services to residents in the EU? (Offer goods or services in a language other than English? EU currency? Reference EU customers?)

4. Does your organization monitor the behavior of EU residents? This could be tracking EU residents on the internet, e.g. website cookies.

Yes to any of the above: your organization likely falls under the scope of GDPR

No to all of the above: your organization may not fall under the scope of the GDPR

WHY VENTIV TECHNOLOGY FALLS UNDER THE GDPR

Ventiv meets a number of the legal tests and is required to be compliant with the GDPR

Established legal entities in the EU

Employees in the EU

Sell goods and services in the EU (B2B)

Process the personal data of EU data subjects

Contracts with both EU and non-EU companies

Ventiv is both a controller & a processor

Core business involves the processing both personal data & sensitive data (high volume)

** Need to be very deliberate & methodical when going through the process:

What is personal data? The definition has been significantly expanded (use of terms such as: identified, identifiable, directly, indirectly)

Can you put data elements together and potentially identify a person?

Online identifiers (IP addresses, cookies, etc.), email addresses, geolocation, healthcare, biometrics, genetics, trade union membership, etc.

Legal establishment definition

Processing: Office 365 in the EU would fall under the GDPR

A client that hosts in the EU and processes non-EU personal data would fall under the scope

WHY SHOULD YOUR COMPANY CARE ABOUT THE REGULATION

We are not located in the EU why should we worry about GDPR? How can they enforce compliance with non-EU companies?

GDPR has extra-territorial reach: meaning, you do not have to be established in the EU to fall under the regulation

U.S regulators (FTC & Commerce) have already indicated that they will assist in enforcement actions (civil & criminal (DOJ))

FTC consent decrees against companies claiming EU-US Privacy shield certification

U.S will sign agreements to support global commerce

Processors have statutory obligations under GDPR

Data subjects can now sue for both material and non-material damages

Potential new “cash cow” industry for lawyers

DPAs will be actively enforcing the regulation

Germany, France, UK

GDPR HAS EXTENSIVE REQUIREMENTS FOR COMPLIANCE

http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

99 Articles

173 Recitals

Chapter I – General Provisions

Chapter II – Principles

Chapter III – Rights of the data subject

Chapter IV – Controller and processor

Chapter V – Transfers of personal data to 3rd countries (or international organizations)

Chapter VI – Independent supervisory authorities

Chapter VII – Cooperation and consistency

Chapter VIII – Remedies, liabilities, & penalties

Chapter IX – Specific processing situations

Chapter X – Delegated Acts and implementing acts

Chapter XI – Final provisions

* It is important to read the regulation and be familiar with the requirements

ORGANIZATIONAL CHALLENGES

GDPR is not an IT project. It requires the involvement of the full business

Legal, contracts, IT, sales, marketing, HR, operations, support, etc…

Executive buy-in

Risk of fines (admin. & financial) demand executive & board involvement

Requires investment (resources & dollars)

Requires fundamental changes to how businesses operate

Business processes & relationships need to be reviewed

Internal workflows

Data Governance

New big data problem

Data inventory/mapping

HRIS, recruiting, OS, sys logs, Office365, T&E, LMS, etc…

GDPR compliance is not a “one and done” project but needs to be an ongoing effort

While GDPR “harmonizes” privacy laws in the EU, member-states have the ability to customize certain provisions

PATH TO COMPLIANCE

Inventory all customers and vendors

Contracts in place with both customers and vendors?

Educate both on GDPR

Contracts compliant with GDPR

Update Privacy program

Privacy Notice, Policy, *Data Subject Access Request (DSAR)

Data Protection Officer (DPO)

Legal Basis for processing

Right legal mechanisms in place for cross-border data transfers (intra-group & 3rd party)

Data categorization and mapping

DPIAs

Record Keeping

*Very important: Material & non-material damages allowed for violations

RECORD KEEPING – DEMONSTRATING COMPLIANCE (ARTICLE 30)

52 out of the 99 articles require evidence to demonstrate compliance with the GDPR

Article 30 record contents:

• The name and contact details of the controller and, where applicable, the data protection officer

• The purposes of the processing

• A description of the categories of data subjects and of the categories of personal data

• The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations

• The transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards

• The envisaged time limits for erasure of the different categories of data

• A general description of the applied technical and organizational security measures

Evidence of compliance (examples):

• Consent / consent tracking
• Data mapping
• Data retention periods
• Data subject requests (SARs, rectification, objections, transfer)
• Privacy/fairness statement acknowledgement
• Opt-in/out
• Legal basis for processing
• Privacy notices
• DPIA(s)
• Risk assessment
• Data breach
• Vendor assessments

DEMONSTRATING COMPLIANCE

• It’s not enough to be compliant - you have to be able to demonstrate compliance. The regulation allows the DPAs to audit for compliance

Privacy Framework

Establish a framework that allows us to meet the requirements of the GDPR but is also “flexible” enough to meet other regulatory requirements as they come out

Certifications (Seals) & 3rd party attestations (Art. 42)

ISO27001:2013

ISO27018

HIGHLIGHTS OF SOME GDPR ‘GAME CHANGERS’

While the GDPR strengthens existing data protection laws, it also introduces a number of new requirements which will have significant legal, process, and technology implications for organizations.

Data Processors: For the first time, GDPR places direct statutory obligations on data processors. (Ventiv is both a data controller & a processor.)

Breach notifications: GDPR now mandates that data controllers notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of a data breach.

Right to erasure: Data subjects now have the power to request the deletion or removal of their personal data, including from backups, archived data and from third parties (e.g., cloud storage). Downstream recipients need to be notified.

Data Retention: Organizations can no longer hold onto personal data indefinitely.

Penalties: The GDPR allows for both administrative sanctions & financial penalties for non-compliance. Two tiers of penalties:
- EUR 10 million or 2% of global gross turnover (prior year), whichever is greater.
- EUR 20 million or 4% of global gross turnover (prior year), whichever is greater.

Privacy by design/default: Privacy-by-design/default means organizations need to incorporate GDPR requirements in data collection/processing processes (considerations include data minimization, encryption, pseudonymisation) and new tech, e.g., IoT, digital platforms etc. “State of the art”.

Record Keeping: Extensive record keeping required detailing: processing activities, transfers, data mapping, legal basis for consent.

Data Protection Officer: Appointment of a DPO in certain circumstances.

Accountability Principle: The GDPR introduces an accountability principle which requires organizations to demonstrate compliance. Supervisory authorities can ask for our documentation.

WHAT TUV USA CAN DO FOR YOU

TUV Nord Webinar – November, 1st 2017

TUV USA, Inc.

GLOBAL PRESENCE: TÜV NORD GROUP

Present in over

countries

40 subsidiaries

13,000 employees

Turnover of more than EUR 1 billion

40,000 customers in the field of system certification worldwide

63,000 certified systems

QUALITY SYSTEM DIVISION


• DAkkS accreditation for ISO 9001, 14001 and 18001
• Expert for automotive and IT systems
• ANAB accreditation for ISO 9001 and AS9100 series
• Access to a global network of auditors approved under DAkkS and ANAB
• Short turnaround times
• Web-based system to manage system certification

Certification of Quality Management Systems: ISO 9001:2015, ISO 14001:2015, OHSAS 18001 (ISO 45001), AS 9100 series, TS 16949, ISO 27001, ISO 50001; Security 4 Safety; Information Technology: BS 10012

Benefits of certification:
• Increase in economic efficiency
• Time and cost savings
• Image enhancement and increased trust on the part of customers and staff
• Increase in customer satisfaction
• Clear quality status


QUESTIONS & CONCLUSION

Scott Wilson, Chief Security & Privacy Officer
Ventiv Technology
Email: [email protected]
LinkedIn: www.linkedin.com/in/scottrichardwilson/
Phone: +1.770.308.5499

Uwe Rühl, Owner and Managing Director
RUCON Group, www.RUCON-Gruppe.de
Email: [email protected]
Twitter: @Uwe_Ruehl
Follow me on LinkedIn
Phone: +49 911/47 75 28-30

Scott Grossman, Sales Director
TUV USA, INC., www.tuv-usa.com
Email: [email protected]
Twitter: @TUV_USA
LinkedIn: TUV USA, Inc., https://www.linkedin.com/company-beta/3812830/
Phone: 844-488-8872 or 603 870-8023


THANK YOU FOR JOINING US!