Satori GDPR Overview 2018
Download as PPTX, PDF0 likes49 views
The GDPR is a new EU privacy law taking effect in May 2018. It aims to strengthen and unify data protection for individuals within the EU. Organizations must comply with new rules regarding individual rights and data security. Non-compliance could result in fines of up to 20 million Euros or 4% of global revenue. To prepare, organizations need to appoint a Data Protection Officer, assess their practices, and implement processes to respect individual privacy rights under the GDPR.
Satori GDPR Overview 2018
- 1. GDPR OVERVIEW: KEYS TO READINESS THE EUROPEAN UNION (EU) IS IMPLEMENTING THE GENERAL DATA PROTECTION REGULATION (GDPR) THAT TAKES EFFECT MAY 2018. 2018
- 2. GDPR EXECUTIVE OVERVIEW GENERAL DATA PROTECTION REGULATION 2 The objective of the GDPR is harmonization of EU regulations to enhance the rights of EU citizens to govern the privacy of their personal information and ensure organizations provide the right protections. The GDPR applies to EU and non-EU organizations that: (i) offer goods or services to EU residents; (ii) monitor the behavior of EU residents The GDPR effective date: May 25, 2018 Penalties: Up to 20,000,000 EUR or 4% worldwide revenue from the previous fiscal year (Article 83). Fines are determined by the Data Protection Authority (Supervisory Authority). * The “Articles” referenced in this document refer to the articles included in the GDPR regulation. A link to the regulation text is included in the Appendix section of this document.
- 3. GDPR EXECUTIVE OVERVIEW GDPR CONCEPTS 3 Principles, privacy, and protection represent the core focus for GDPR readiness. Organizations must focus on adhering to principles, implementing processes to satisfy privacy rights of the individual, and securing data. Principles Data processed lawfully, fairly, and transparently Only collect personal data needed Accuracy of personal data must be maintained Minimize the time data is kept in a form to identify data subjects Maintain the confidentiality and integrity of personal data Privacy (rights of data subjects) Transparent information, communication and modalities for the exercise of the rights of the data subject Information to be provided where personal data are collected from the data subject Right of access by the data subject Right to rectification Right to erasure (‘right to be forgotten’) Right to restriction of processing Right to data portability Protection (controllers and processors) Data Protection Officer (DPO) Data protection by design Records of processing activities Security of processing Notification of a personal data breach to the supervisory authority Communication of a personal data breach to the data subject Data protection impact assessment Code of conduct
- 4. GDPR EXECUTIVE OVERVIEW EXECUTION 4 GDPR requires the organization to address privacy and security of personal data. A proven approach to gaining clarity on GDPR relevance and understanding how to execute is described below. The Data Protection Officer (DPO) must lead the effort to achieve and maintain alignment. Preparation • Assign data privacy ownership • Understand the regulation Assessment • Understand the risk of activities • Perform Readiness Assessment Implementation • Inform the Organization • Address consent • Address rights of the individual • Protect personal data Maintenance • Operationalize GDPR controls
- 5. GDPR EXECUTIVE OVERVIEW KEY CONSIDERATIONS 5 GDPR readiness can be complex for some organizations. Leadership should begin to prepare the organization for the journey. 1. Key is establishing the DPO role (internal or external) 2. Gain clarity on the organization’s responsibility 3. Complying with rights of the individual is not trivial – business processes, service desk, and technology impacts. Factor effort into 2018 budget – resource impact is key consideration (assuming good security practices). 4. Processor assessment is key – liability isn’t shifted to the processor 5. Certification is not defined and is not required. DPA (supervisory authority) will assign certification bodies and certification guidelines. Move forward with readiness while tracking DPA guidance.
- 6. GDPR EXECUTIVE OVERVIEW GDPR MISPERCEPTIONS 6 Understanding GDPR requirements can be complex. There are several common misperceptions that should be clarified. 1. A Data Protection Officer is required for all organizations 2. Each GDPR incident will carry a fine equivalent to the greater of 20 mil Euro or 4% annual worldwide revenue 3. Consent is always required for processing of personal data 4. Parental consent is always required when collecting personal information from a child 5. Individuals have the absolute right to be forgotten 6. Biometric data is sensitive data 7. Controllers do not require processing agreements with processors – GDPR takes care of this
Editor's Notes
- #3: “Personal data”* means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier: Name; Identification number; Location data; Online identifier (e.g., email address); Physical and/or physiological; Genetic; Economic; Cultural or ethnic
- #4: Security of processing – anonymization and psuedonymization represent additional security requirements (potentially) Data processed lawfully: consent obtained, processing conducted in accordance with stated purpose, and complies with GDPR Code of conduct establishes readiness with GDPR. Communicates how the organization will comply and manage risk. 'cross-border processing' means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
- #5: The critical path is implementing business processes to address the rights of the individual – right to access personal data, right to correction, right to be forgotten, etc. Understanding data – what data do you have? Data governance – What data do I have? How is it used? Do I need it? How do I protect it. Be able to defend controls
- #6: Joint Controllers and data ownership – how does this work Cross-border traffic – where does it apply and what are the implications Data subjects ability to withdraw consent – what’s the impact Certification w/ Supervisor Authority Anonymization of personal data – blurring/fuzzing of non-data subjects in video and other media Customers leaving the platform – how does this work and what are the implications Records of processing Activities (Article 30 (5)) - applicability to dscout. How to handle Privacy Policy separate from agreeing to TOS?
- #7: Joint Controllers and data ownership – how does this work Cross-border traffic – where does it apply and what are the implications Data subjects ability to withdraw consent – what’s the impact Certification w/ Supervisor Authority Anonymization of personal data – blurring/fuzzing of non-data subjects in video and other media Customers leaving the platform – how does this work and what are the implications Records of processing Activities (Article 30 (5)) - applicability to dscout. How to handle Privacy Policy separate from agreeing to TOS?