The Countdown is on: Key Things to Know About the GDPR

The Countdown is on: Key Things to
Know About the GDPR
Greg Reber,
CEO AsTech Consulting

http://i-sight.com/resources/ce-webinar-library/http://i-sight.com/resources/ce-webinar-library/

Greg Reber
Greg Reber is the Founder and CEO of
AsTech, a leading information security
consulting firm. As an early pioneer in the
information security field, Reber was
among the first to recognize and address
the risks presented by consumer-facing
applications. He launched AsTech in 1997
and has established AsTech as the
premier firm that financial services
companies, retail service providers and
other Fortune 1000 companies turn to for
real-world, effective information security
solutions.

Poll Question
Where are you in GDPR readiness:
• Not started
• Just started
• Well on the way to readiness
• Complete with Data Protection Officer (DPO) in place
• I don’t think GDPR applies to my business

Today
 What GDPR is and who it applies to
 The importance of compliance and possible consequences of non-
compliance
 Obtaining consent to collect, process and store personal information
 Requests to delete, access, transfer or update personal information
 Conducting a Data Protection Impact Assessment (DPIA)

What is GDPR?
“The General Data Protection Regulation
(GDPR) is a legal framework that sets
guidelines for the collection and processing of
personal information of individuals within
the European Union (EU).”
- Investopedia

What is GDPR (Really)?
“The General Data Protection Regulation
(GDPR) is a game-changing privacy protection
framework that shifts control of personal data
from ‘collectors and processors’ to individuals,
while allowing unprecedented access to data.”
- Greg Reber

GDPR Is A Big Deal
Experts agree that these are the biggest ‘changers of the game’:
Greatly Expanded ‘Data Subject’ (person) rights: Right to be Forgotten,
Right of Access, Right to Restriction of Processing, etc. are all new to most data
processors
72-hour breach notification: Currently there is no timeframe for notification,
other than “without unreasonable delay”
Data protection by design and by default: Example – Application developers
will need to take a ‘build security in’ approach, a significant shift from current
practices
Use of cloud storage and sharing services are not exempt: Organizations
that use cloud-based services will have to develop new policies and attestation
methods
Fines are significant: Up to 4% of global revenue (not profit) or €20M, whichever
is greater (this is huge)

Who Does GDPR Apply To?
GDPR requirements apply to any
organization doing business in the EU or
that processes personal data originating in
the EU, be it the data of residents or
visitors.
(The U.K. has adopted very
similar rules to be in effect
after the ‘Brexit’)

Who Does GDPR Apply To (cont’d)?
What does that mean?
Any website or mobile application that is accessible by
a person in the EU will need to comply with GDPR.
Scenario 1
A tourist from the EU logs onto the website of their local EU grocery store
from their hotel in the US. They provide personal data such as their EU
delivery address and EU credit card details to order a delivery to their
home = GDPR is applicable - this is a service being delivered in the EU.

Who Does GDPR Apply To (cont’d)?
Scenario 2
A tourist from the US logs onto the website of their local US grocery store
from their hotel in the EU. They provide personal data such as their US
delivery address and US credit card details, to order a delivery to their
home in the US = GDPR is not applicable - it is not an EU transaction and
it does not matter where the data is processed.

The Importance of Compliance
This can really be thought of in terms of Consequences of Non-
Compliance…
Every EU country and most others have Supervisory Authorities who can:
• Issue warnings
• Issue reprimands
• Communicate a personal data breach directly to Data Subjects
• Impose fines
• Tier 1 – Up to 2% of gross revenue
• Tier 2 – up to 4% of gross revenue

The Importance of Compliance
Issue warnings
• “Don’t do that again” or “You’re not doing things right, fix it”
Issue reprimands
• “Hey, we told you not to do that again” or “You’re still not doing things
right”
Communicate a personal data breach directly to Data Subjects
• “HEY!! The processor of your personal information has been breached!”

The Consequences…
Now, let’s talk about those fines
• Tier 1
• Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year,
whichever is higher, shall be issued for infringements of Articles 8, 11, 25-39, parts of
41, 42 and 43
• These articles pertain to the protection and security of information and the security
organization, including designating a Data Protection Officer (DPO)
• Example: Morgan Stanley
• In 2014, an employee downloaded account information of 730,000 customers
• Russians hacked his laptop and posted some of the data for sale
• Morgan Stanley was fined $1M for not having “policies and procedures that are
reasonably designed to protect customer information” (SEC Press Release)
• Under Article 32 of GDPR, they could have been fined up to $686M

The Consequences…
One more recent example: Equifax
• In 2017, Equifax was breached resulting in disclosure of 143 million
people’s Personally Identifiable Information (PII)
• The company was breached in May, discovered it in July, and waited
until September to tell people (they were afraid of copycat hackers)
• Under GDPR Article 33 (72 hour breach notification), they would
have been fined $67M
• Equifax did everything wrong
• To date, Equifax has not been fined

The Consequences…
Fines can get REALLY BIG
• Tier 2
• Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year,
whichever is higher, shall be issued for infringements of articles 5, 6, 7, 9, 12-22, 44-
49, and parts of 83
• These articles pertain mainly to Data Subject (citizen) rights and transfers of data to third
countries or international organizations
• Example: FaceBook
• Years ago, a German privacy advocate wanted Facebook to delete his own data,
and prove to them that they did. Non-U.S. Facebook operated under Irish law,
which said Facebook didn’t have to do this, as it would be prohibitively expensive
• Article 17 of GDPR – ‘Right to be Forgotten’ would allow for 2017 fines on
FaceBook to be as high as $1.6B (yep, Billion)

Consent
Article 7 of GDPR appears to be aimed at complicated End User
License Agreements (EULAs), with a requirement that the user ‘opt in’
very clearly
•The data controller (collector) has to be able to show the user Opted In
•Consent cannot be mixed in with a “written declaration that concerns other
matters”
•“It shall be as easy to withdraw consent as to give consent”
This is very, very important to the spirit of GDPR

Requests – Right to Erasure
Right to Erasure can be invoked for a host of reasons
• Data no longer necessary for original purposes
• Citizen withdraws consent
• Citizen ‘objects’ to the processing
• Data have been unlawfully processed
There are some caveats to this one though, if processing is necessary
for:
• “freedom of expression” (we are not sure what this means in Art.85)
• Public interest, public health, scientific or historical research, etc.

Requests – Right of Access
Supervisory Authorities can order compliance with Data
Subject (citizen) requests, such as . . .
•Is my personal data being processed? If so what is (are) the:
• Purpose of processing
• Categories of data
• Recipients and their locations
• Duration it will be stored
• Source of data (if not the citizen)
• Existence of automated decision making (this is the Artificial
Intelligence/Machine Learning aspect of inquiry)

Requests – Right to Object
People have the right to object to processing of their
personal data
This appears to be focused squarely on Direct Marketing and
consumer profiling, as the actual verbiage within the GDPR states:
“Where personal data are processed for the purposes of direct marketing, the
data subject should have the right to object to such processing, including
profiling to the extent that it is related to such direct marketing, whether with
regard to initial or further processing, at any time and free of charge.”
(Recital 70)

Data Protection Impact Assessment
The assessment shall contain at least (from Article 35):
– a systematic description of the envisaged processing operations and the
purposes of the processing, including, where applicable, the legitimate interest
pursued by the controller;
– an assessment of the necessity and proportionality of the processing operations
in relation to the purposes;
– an assessment of the risks to the rights and freedoms of data subjects referred to
in paragraph 1; and
– the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons concerned.

Translation:
– Description of the purpose of the proposed processing and its operations and
systems, including WHY the data controller wants to add this processing
– an assessment of the necessity and proportionality of the processing operations
in relation to WHY the data controller wants to add this processing
– an assessment of the risks to the rights and freedoms of data subjects
– the measures proposed to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons concerned.
• (This is the real purpose of the DPIA, and where most of the effort will be spent)
“Looks like it worked . . . “

Bottom line on DPIAs:
If a controller or processor has completed a DPIA in good faith (not checking a
box), then later there is an issue, the Supervisory Authority will look at the
DPIA and possibly find fault with it, and base punitive action on those faults
If a controller or processor has NOT completed a DPIA (or has a weak effort),
then later there is an issue, the Supervisory Authority may base punitive
actions on the damages done to the data subjects (residents) and those
actions will hurt more
Of course, they could do that anyway…

Poll Question
Where are you in GDPR readiness: Poll Results
Today February
• Not started 9%
• Just started 40%
• Well on the way to readiness 41%
• Complete with Data Protection Officer (DPO) in place 4%
• I don’t think GDPR applies to my business 5%

Thank-you for participating
Contact Greg Reber
Greg.Reber@AsTechConsulting.com
@greg_reber
https://www.linkedin.com/in/gregreber/
Contact i-Sight
j.gerard@i-sight.com
Find more free webinars:
http://www.i-sight.com/resources/webinars
@isightsoftware

The Countdown is on: Key Things to Know About the GDPR

More Related Content

What's hot (19)

Similar to The Countdown is on: Key Things to Know About the GDPR (20)

More from Case IQ (20)

Recently uploaded (20)

The Countdown is on: Key Things to Know About the GDPR

Editor's Notes