Skyword will be compliant with the EU General Data Protection Regulation (GDPR) when it goes into effect on May 25, 2018. We know that this is top of mind for all of you, and we have been working diligently for months to ensure our platform, policies, and procedures meet GDPR requirements.
Skyword's CMO, Tricia Travaline, and Chief Technology and Data Protection Officer, John Mihalik, delivered these slides in a webinar to provide an overview of Skyword's new data protection policies.
Agenda
• Skyword’s commitment to security: ISO 27001 compliance
• Quick overview of General Data Protection Regulation (GDPR)
• Privacy Shield
• Skyword’s Action Plan
ISO 27001 Security Framework
The framework diagram reads as a cycle: Assets are endangered by Threats, which exploit Weaknesses, resulting in Exposure, leading to Risk, which is mitigated by Controls, which in turn protect the Assets.
ISO 27001 Implementation Process
The process diagram groups the steps into four phases:
Planning
• Define the Scope
• Define the IS Policy
• Undertake Risk Assessment
• Selection of Controls
• Risk Treatment Plan
• Prepare SOA
Implementation
• Execute Risk Treatment
• Write Controls
• Implement Policies and Procedures
• Implement Training
• Manage Operations
• Define Metrics for Measurement
• Execute Operational Plan
Verification
• Regular Review of Effectiveness
• Review Level of Residual Risk
• Internal Audit
• Management Review
• Record Impact of ISMS
Continuous Improvement
• Implement Identified Improvement
• Take Corrective Action
• Apply Lessons Learned
• Communicate Results
• Execute ISMS Continuous Review
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared.
What is GDPR?
• Definition of Personal Data
• Principles of Processing
• Lawfulness of Processing Personal Data
• Conditions of Consent
• Rights of the Data Subject
• Data Breach Notifications
• Data Protection Officer
What is “Personal Data” as Defined by GDPR?
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
- Article 4, GDPR
What is the Privacy Shield?
• Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the EU to the US.
• The GDPR has specific requirements regarding the transfer of data out of the EU.
• One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws.
• In general, the EU does not list the US as one of the countries that meets this requirement.
• Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore to facilitate the transfer of information.
• In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR.
1. Assessment of Personal Data
2. Implementation of Rights
3. Verification
4. PrivacyTrust Certification/Privacy Shield
5. Ongoing Maintenance
1. Assessment of Personal Data
• Partnership with UK-based GDPR consulting firm
• Comprehensive data audit and assessment
• Partner/vendor GDPR compliance verification
2. Implementation of Rights
• Updated Privacy Policy and Terms of Service
• Updated cookie policy
• Explicit agreement to cookie and data collection on site and
• Partner/vendor GDPR compliance verification
3. Verification
• Skyword Tracking Tag: Pseudonymization, Anonymization, Exclusion
• Database Encryption
• Data retention
4. PrivacyTrust Certification/Privacy Shield
• Application submitted and pending final approval
• Will display shield on our web site and platform
5. Ongoing Maintenance
• Established Data Protection Officer
• Developed process for privacy inquiries
• Requiring GDPR compliance in all upcoming vendor contracts
• Strict adherence to privacy and security policies
A series of laws that were approved by the EU Parliament in 2016.
These laws will come into effect on May 25th, 2018.
GDPR is an initiative by the EU to bring data protection legislation into line with the new ways in which data is now used.
The new regulations will give users greater control over their data, including the ability to export it, withdraw consent, and request access to it.
It will affect any company that does business with Europe, whether they are based in the EU or not.
Fines can be the greater of €20 million or four percent of annual worldwide turnover.
Database encryption: Comes at two levels – the entire database is encrypted. Data elements that include particularly sensitive information (such as taxpayer ID) are additionally encrypted at the column level. Passwords are stored in such a way that even Skyword personnel cannot recover them.
Data retention: Though the Skyword tracking tag has been updated to not log PII (perhaps that discussion should come before data retention), we will only retain detailed tracking information for 7 days (6 months for SPR data). We are working on automated data retention policies for contributor data – but in the interim we will honor removal requests insofar as we can
“Elimination”: Perhaps “exclusion” is a better word? Pseudonymization, which already masks PII, is our default behavior. Anonymization is offered at customer request for further protection. Exclusion is by the end user’s request
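The speaker notes above describe three ways the tracking tag can handle PII (pseudonymization by default, anonymization on customer request, exclusion on the end user's request) and two retention windows (7 days for detailed tracking data, 6 months for SPR data). The following is an added example, not Skyword's tag or platform code, showing how those rules compose in a small event pipeline. The event fields, the keyed-hash choice for pseudonyms, the opt-out set, and the "tracking"/"spr" kind split are all assumptions for illustration.

```python
"""Added example (not Skyword's code): PII-handling modes and retention
windows for a tracking-event pipeline. Field names, the pseudonym key and
the sample events are constructed for the demo."""
import calendar
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key; a real deployment keeps the key in a secrets store,
# separate from the event store, so stored tokens cannot be reversed.
PSEUDONYM_KEY = b"constructed-demo-key"
PII_FIELDS = ("user_id", "email", "ip")
EXCLUDED_USERS = {"u-42"}  # constructed: users who asked not to be tracked


def pseudonymize(event, key=PSEUDONYM_KEY):
    """Default mode: replace each direct identifier with a keyed hash.
    The same input always maps to the same token, so sessions stay linkable,
    but without the key the token cannot be mapped back to the person."""
    out = dict(event)
    for field in PII_FIELDS:
        if out.get(field) is not None:
            tag = hmac.new(key, str(out[field]).encode(), hashlib.sha256).hexdigest()
            out[field] = tag[:16]
    return out


def anonymize(event):
    """Customer-requested mode: drop direct identifiers entirely, keeping
    only the non-identifying fields (page, kind, timestamp)."""
    return {k: v for k, v in event.items() if k not in PII_FIELDS}


def process(event, mode="pseudonymize", excluded=EXCLUDED_USERS):
    """Apply exclusion first (the end user's request wins regardless of the
    customer's mode), then the selected transformation. None means 'do not log'."""
    if event.get("user_id") in excluded:
        return None
    if mode == "anonymize":
        return anonymize(event)
    if mode == "pseudonymize":
        return pseudonymize(event)
    raise ValueError(f"unknown mode: {mode}")


def _add_months(dt, n):
    """Calendar-month arithmetic so '6 months' is not approximated as 180 days."""
    month_index = dt.month - 1 + n
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def expiry(event):
    """Retention deadline: 7 days for detailed tracking, 6 months for SPR data."""
    logged = event["logged_at"]
    if event.get("kind") == "spr":
        return _add_months(logged, 6)
    return logged + timedelta(days=7)


def purge_expired(events, now):
    """Keep only events still inside their retention window."""
    return [e for e in events if now < expiry(e)]


# Constructed sample events, dated relative to the GDPR effective date.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"kind": "tracking", "user_id": "u-1", "email": "a@example.com", "ip": "203.0.113.7",
     "page": "/pricing", "logged_at": NOW - timedelta(days=3)},
    {"kind": "tracking", "user_id": "u-1", "email": "a@example.com", "ip": "203.0.113.7",
     "page": "/blog", "logged_at": NOW - timedelta(days=10)},   # past the 7-day window
    {"kind": "spr", "user_id": "u-7", "email": None, "ip": None,
     "page": "/report", "logged_at": NOW - timedelta(days=100)},  # inside 6 months
    {"kind": "tracking", "user_id": "u-42", "email": "b@example.com", "ip": "198.51.100.9",
     "page": "/home", "logged_at": NOW - timedelta(days=1)},     # excluded user
]


def run_pipeline(events=SAMPLE_EVENTS, now=NOW, mode="pseudonymize"):
    """Transform each event per mode/exclusion, then enforce retention."""
    kept = [e for e in (process(e, mode) for e in events) if e is not None]
    return purge_expired(kept, now)


if __name__ == "__main__":
    for e in run_pipeline():
        print(e["kind"], e["page"], e.get("user_id"))
```

Running the pipeline on the constructed sample keeps two events: the recent pricing-page hit (with its identifiers replaced by 16-hex-character tokens) and the SPR record, while the 10-day-old tracking hit is purged and the opted-out user's event is never logged. Switching `mode` to `"anonymize"` keeps the same two events but without any identifier fields at all.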