General Data Protection Regulation Awareness
WELCOME
Katie Lehoullier (Host), Academy Coordinator, TUV USA, Inc.
• Welcome
Uwe Rühl (Presenter), Owner & Managing Director, RUCON Group
• GDPR Overview
Scott Wilson (Presenter), Chief Security & Privacy Officer, Ventiv Technology Inc.
• GDPR implementation experience in the USA and globally
Scott Grossman (Presenter), Sales Director, TUV USA, Inc.
• What can TUV USA do for you?
GENERAL DATA PROTECTION REGULATION (GDPR) AND DATA PROTECTION MANAGEMENT SYSTEMS
TUEV Nord Webinar – November 1st, 2017
HI, MY NAME IS UWE…
Uwe RUEHL │ RUCON-Group.com │ Nov 1st, 2017
Source: https://danubeonthames.wordpress.com/germanyaustria/germanyaustria-summer-school-2016/german-an-angry-language-or-a-poor-perception-by-non-native-speakers/
Living in and working out of Nuremberg, Germany
45 years old
Job experience in Telecoms, Emergency Services and Emergency Dispatch Centers, B2B Services
Master's degree in Risk and Compliance Management and Business Administration
Personal motto: „The more standards, the more fun“!
WHY I AM TALKING ABOUT GDPR HERE…
Experience in Information Security, Data Privacy, Business Continuity and Risk Management for over 20 years
Data Privacy Officer since 2001
Have been doing audits in management systems since 2004
My team and I have been consulting, training and auditing organizations globally in ISO/IEC 27001, ISO 22301, ISO … and BS 10012 since 2005
We are the-management-system-artists.com and will be available in the US from 2018 on
Email: [email protected]
Twitter: @Uwe_Ruehl
Follow me on LinkedIn
Principal (Data Owner)
Rights and freedoms with respect to Personally Identifiable Information (PII) given by EU Human Rights:
Access to information; Rectification; Erasure; Restriction of processing; Data portability; Objection
Legal basis for processing:
• Clear and unambiguous consent
• Necessary to perform a contract or take steps to enter a contract
• Necessary for compliance with a legal obligation
• Necessary to protect vital interests of the principal
• Necessary to perform a task in the public interest
• Necessary for legitimate interests of the data controller
• The controller may also be the processor, or processing may be sub-contracted
• Certification on a voluntary basis is possible as evidence of accountability and conformity
• EU Data Privacy Authorities and certification bodies may offer certification
• Certification bodies should be accredited based on Art. 43 of the GDPR
• Certification addresses both the controller and the processor
• Accreditation scheme not yet available!
GDPR – ART. 42/43
ISO 29100 series
- complex, no Data Protection Management System standard available yet
- but a good extension to existing management systems
ISO/IEC 27001
- suitable, but the scope of the management system needs to cover all aspects of processing PII
ISO/IEC 27018
-good approach, but limited to public cloud services
BS 10012:2017
-covers all relevant aspects of GDPR in a Data Protection Management System
ISO/IEC 27018
• Extension to an ISMS
• Protecting PII in Public Cloud Services
ISO/IEC 27001
• An Information Security Management System can be used as a basis by integrating Data Privacy principles and controls
BS 10012:2017
• National British standard – Personal Information Management System
ISO 29100 series
• Series of data privacy and privacy management standards
• No Data Privacy Management System standard available yet
ISO 29100 – ISO data privacy principles
In line with OECD and EU principles!
ISO/IEC 27001
Source: https://www.nuernbergwiki.de/index.php/Schedelsche_Weltchronik; Schedel 1493
ISO/IEC 27018
Source: https://www.nuernbergwiki.de/index.php/Schedelsche_Weltchronik; Schedel 1493
BS 10012:2017
At this time the only Data Protection Management System standard available!
Conforms to GDPR requirements as addressed to Controller and Processor!
No specific data security and data privacy controls!
GDPR conform DPMS =
Basic Management System Standard: BS 10012 (non-accredited), ISO/IEC 27001 (or ISO 9001)
+ GDPR related procedures: BS 10012 chapters 6.1 and 8.2
+ Data Security and Data Privacy Controls: ISO/IEC 29151
+ Data Privacy Impact Assessment: ISO/IEC 29134
WHAT STANDARDS CAN DO TO HELP TO COMPLY WITH GDPR
Conclusion:
All relevant material for a GDPR conform Data Privacy Management System is already available!
Please do not under-estimate the implementation effort
Alex Pentland, Professor at MIT, multi-entrepreneur and author of http://socialphysics.media.mit.edu/
EU DATA PRIVACY PRINCIPLES AS ROLE MODEL?
Scott Wilson, Chief Security & Privacy Officer for Ventiv Technology. Scott has been with Ventiv for over 8 years and is a member of the executive team. He currently oversees the security, privacy, & compliance functions globally for the company. This includes operations in the U.S., Europe, Middle East, and APEC.
Scott possesses 20+ years of IT Operations, Service Delivery, Security and Privacy experience. Prior to joining Ventiv, Scott served in several Director-level roles (Systems Engineering, Service Desk & Data Center Operations, Network Operations) at EarthLink, running both internal MIS systems and all customer-facing systems/services. Scott has also held various Technology Leadership roles at Bridge Information Systems (Thomson Reuters) and at Savvis.
Email: [email protected]
LinkedIn: https://www.linkedin.com/in/scottrichardwilson/
“If your organization can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organization open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.”
Elizabeth Denham, Chair, Information Commissioner’s Office
Agenda
GDPR
About Ventiv Technology & setting the stage
Why Ventiv Tech falls under the scope of the GDPR
Why should your company care about GDPR
Scope of the GDPR
Organizational
Path to compliance
Records of processing
Demonstrating Compliance
GENERAL DATA PROTECTION REGULATION (GDPR)
What is the GDPR?
• GDPR is a complete overhaul/replacement of the EU Data Protection Directive
- This is the most wide-reaching privacy regulation in the world (more geographies will be following suit)
• It is binding on all EU member states and becomes enforceable on May 25, 2018
- Harmonizes data privacy laws across the EU member states
• Material & territorial scope increase
- Applies to all organizations (based inside or outside the EU) that handle, store or process EU personal data, regardless of where the data is processed
- Customer & employee data
- Broadens the definition of personal data (IP and MAC addresses, physical addresses, cookies, biometrics, geolocation, VIN, email addresses, etc.)
- Increase in data subject rights (access requests, objection to processing, erasure, rectification, etc.)
- Raises the bar for establishing the legal basis of processing (consent, fulfillment of a contract, legitimate interest, etc.)
- Cross-border data transfers
• Allows for administrative sanctions and financial penalties
- You do not have to have a data breach to be fined. Simply being non-compliant with the regulation opens an organization up to administrative sanctions & fines
- Cease & desist orders
- Processors now have statutory obligations under the regulation
ABOUT VENTIV TECHNOLOGY
Setting the stage
Ventiv is the largest independent risk, safety, and insurance technology provider (software and SaaS) in the insurtech market
Our solutions serve some of the most innovative and complex companies and empower them to reduce costs, streamline processes and improve overall performance
500+ global customers
Several Fortune 50 companies
Operations in the U.S., Europe, & Asia
1 Billion+ records hosted across 4 global data centers
12 Billion+ transactions a year
DOES THE GDPR APPLY TO US?
1. Does your organization have a legal entity established in the EU?
2. Does your organization have any other form of establishment in the EU? Establishment can mean any of the following:
   A. A website which operates in a language of an EU country (other than English)
   B. A branch or subsidiary of your firm is located in the EU (employees)
   C. Equipment (computers or a local address for post) in the EU
   D. Your organization processes EU personal data
3. Does your organization offer goods or services to residents in the EU? (Offer goods or services in a language other than English? EU currency? Reference EU customers?)
4. Does your organization monitor the behavior of EU residents? This could be tracking EU residents on the internet (website cookies).
Yes to any of the above: your organization likely falls under the scope of the GDPR.
No to all of the above: your organization may not fall under the scope of the GDPR.
WHY VENTIV TECHNOLOGY FALLS UNDER THE GDPR
Ventiv meets a number of the legal tests and is required to be compliant with the GDPR
Established legal entities in the EU
Employees in the EU
Sell goods and services in the EU (B2B)
Process the personal data of EU data subjects
Contracts with both EU and non-EU companies
Ventiv is both a controller & a processor
Core business involves the processing both personal data & sensitive data (high volume)
Need to be very deliberate & methodical when going through the process:
What is personal data? Definition has been significantly expanded (use of terms such as: identified, identifiable, directly, indirectly)
Can you put data elements together and potentially identify a person?
Online identifiers (IP addresses, cookies, etc.), email addresses, geolocation, healthcare, biometrics, genetics, trade union membership, etc.
Legal establishment definition
Processing: Office365 in the EU would fall under the GDPR
A client that hosts in the EU and processes non-EU personal data: this would fall under the scope
WHY SHOULD YOUR COMPANY CARE ABOUT THE REGULATION
We are not located in the EU why should we worry about GDPR? How can they enforce compliance with non-EU companies?
GDPR has extra-territorial reach: meaning, you do not have to be established in the EU to fall under the regulation
U.S. regulators (FTC & Commerce) have already indicated that they will assist in enforcement actions (civil & criminal (DOJ))
FTC consent decrees against companies claiming EU-US Privacy shield certification
The U.S. will sign agreements to support global commerce
Processors have statutory obligations under GDPR
Data subjects can now sue for both material and non-material damages
Potential new “cash cow” industry for lawyers
DPAs will be actively enforcing the regulation
Germany, France, UK
GDPR HAS EXTENSIVE REQUIREMENTS FOR COMPLIANCE
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
99 Articles
173 Recitals
Chapter I – General Provisions
Chapter II – Principles
Chapter III – Rights of the data subject
Chapter IV – Controller and processor
Chapter V – Transfers of personal data to 3rd countries (or international organizations)
Chapter VI – Independent supervisory authorities
Chapter VII – Cooperation and consistency
Chapter VIII – Remedies, liabilities, & penalties
Chapter IX – Specific processing situations
Chapter X – Delegated Acts and implementing acts
Chapter XI – Final provisions
* It is important to read the regulation and be familiar with the requirements
ORGANIZATIONAL CHALLENGES
GDPR is not an IT project. It requires the involvement of the full business
Legal, contracts, IT, sales, marketing, HR, operations, support, etc…
Executive buy-in
Risk of fines (admin. & financial) demand executive & board involvement
Requires investment (resources & dollars)
Requires fundamental changes to how businesses operate
Business processes & relationships need to be reviewed
Internal workflows
Data Governance
New big data problem
Data inventory/mapping
HRIS, recruiting, OS, sys logs, Office365, T&E, LMS, etc…
GDPR compliance is not a “one and done” project but needs to be an ongoing effort
While GDPR “harmonizes” privacy laws in the EU, member-states have the ability to customize certain provisions
PATH TO COMPLIANCE
Inventory all customers and vendors
Contracts in place with both customers and vendors?
Educate both on GDPR
Contracts compliant with GDPR
Update Privacy program
Privacy Notice, Policy, *Data Subject Access Request (DSAR)
Data Protection Officer (DPO)
Legal Basis for processing
Right legal mechanisms in place for cross-border data transfers (intra-group & 3rd party)
Data categorization and mapping
DPIAs
Record Keeping
*Very important: material & non-material damages allowed for violations
RECORD KEEPING – DEMONSTRATING COMPLIANCE (ARTICLE 30)
52 out of the 99 articles require evidence to demonstrate compliance with the GDPR
Article 30 records of processing must contain:
• The name and contact details of the controller and, where applicable, the data protection officer
• The purposes of the processing
• A description of the categories of data subjects and of the categories of personal data
• The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations
• The transfers of personal data to a third country or an international organization, including the documentation of suitable safeguards
• The envisaged time limits for erasure of the different categories of data
• A general description of the applied technical and organizational security measures
Records that evidence compliance:
• Consent
• Data Mapping
• Data Retention periods
• Data Subject Requests (SARs, rectification, objections, transfer)
• Privacy/Fairness statement acknowledgement
• Opt-in/out
• Legal basis for processing
• Privacy Notices
• Consent tracking
• DPIA(s)
• Risk Assessment
• Data Breach
• Vendor Assessments
DEMONSTRATING COMPLIANCE
• It’s not enough to be compliant: you have to be able to demonstrate compliance. The regulation allows the DPAs to audit for compliance
• Privacy Framework: establish a framework that allows us to meet the requirements of the GDPR but is also “flexible” enough to meet other regulatory requirements as they come out
• Certifications (Seals) & 3rd party attestations (Art. 42): ISO 27001:2013, ISO 27018
HIGHLIGHTS OF SOME GDPR ‘GAME CHANGERS’
While the GDPR strengthens existing data protection laws, it also introduces a number of new requirements which will have significant legal, process, and technology implications for organizations.
Data Processors
For the first time, GDPR places direct statutory obligations on data processors. (Ventiv is both a data controller & a processor.)
Breach notifications
GDPR now mandates that data controllers notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of a data breach.
Right to erasure
Data subjects now have the power to request the deletion or removal of their personal data, including from backups, archived data and from third parties (e.g., cloud storage). Downstream recipients need to be notified.
Data Retention
Organizations can no longer hold onto personal data indefinitely.
Penalties
The GDPR allows for both administrative sanctions & financial penalties for non-compliance. Two tiers of penalties:
- EUR 10M or 2% of global gross turnover (prior year), whichever is greater.
- EUR 20M or 4% of global gross turnover (prior year), whichever is greater.
Privacy by design/default
Privacy-by-design/default means organizations need to incorporate GDPR requirements in data collection/processing processes (considerations include data minimization, encryption, pseudonymisation) and in new tech, e.g., IoT, digital platforms etc. “State of the art”.
Record Keeping
Extensive record keeping required detailing: processing activities, transfers, data mapping, legal basis for consent.
Data Protection Officer
Appointment of a DPO in certain circumstances.
Accountability Principle
The GDPR introduces an accountability principle which requires organizations to demonstrate compliance. Supervisory authorities can ask for our documentation.
TUV USA, Inc.
GLOBAL PRESENCE: TÜV NORD GROUP
Present in over
countries
• 40 subsidiaries
• 13,000 employees
• Turnover of more than EUR 1 billion
• 40,000 customers in the field of system certification worldwide
• 63,000 certified systems
QUALITY SYSTEM DIVISION
• DAkkS accreditation for ISO 9001, 14001 and 18001
• Expert for automotive and IT systems
• ANAB accreditation for ISO 9001 and AS9100 series
• Access to a global network of auditors approved under DAkkS and ANAB
• Short turnaround times
• Web-based system to manage system certification
Certification of Quality Management Systems: ISO 9001:2015, ISO 14001:2015, OHSAS 18001 (ISO 45001), AS 9100 series, TS 16949, ISO/IEC 27001, ISO 50001, Security 4 Safety, Information Technology, BS 10012
Benefits of certification:
• Increase in economic efficiency
• Time and cost savings
• Image enhancement and increased trust on the part of customers and staff
• Increase in customer satisfaction
• Clear quality status
QUESTIONS & CONCLUSION
Scott Wilson, Chief Security & Privacy Officer
Ventiv Technology
Email: [email protected]
LinkedIn: www.linkedin.com/in/scottrichardwilson/
Phone: +1.770.308.5499
Uwe Rühl, Owner and Managing Director
RUCON Group, www.RUCON-Gruppe.de
Email: [email protected]
Twitter: @Uwe_Ruehl
Follow me on LinkedIn
Phone: +49 911/47 75 28-30
Scott Grossman, Sales Director
TUV USA, INC., www.tuv-usa.com
Email: [email protected]
Twitter: @TUV_USA
LinkedIn: TUV USA, Inc. https://www.linkedin.com/company-beta/3812830/
Phone: 844-488-8872 or 603 870-8023