GDPR Compliance and Privacy Protection
•Télécharger en tant que PPTX, PDF•
2 j'aime•189 vues
Skyword will be compliant with the EU General Data Protection Regulation (GDPR) when it goes into effect on May 25, 2018. We know that this is top of mind for all of you, and we have been working diligently for months to ensure our platform, policies, and procedures meet GDPR requirements. Join Skyword's CMO, Tricia Travaline, and Chief Technology and Data Protection Officer, John Mihalik, delivered these slides in a webinar to provide an overview of Skyword's new data protection policies.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à GDPR Compliance and Privacy Protection
Similaire à GDPR Compliance and Privacy Protection (20)
Plus de Skyword Inc.
Plus de Skyword Inc. (20)
Dernier
Dernier (20)
GDPR Compliance and Privacy Protection
- 1. Security, privacy, and GDPR compliance
- 2. 2 John Mihalik Chief Technology Officer Dave Sandborg Vice President, Engineering
- 3. • Skyword’s commitment to security: ISO 27001 compliance • Quick overview of General Data Protection Regulation (GDPR) • Privacy Shield • Skyword’s Action Plan Agenda 3
- 4. 4 ISO 27001
- 5. 5 ISO 27001 Security Framework Assets Threats Weakness Exposure Risk Controls endangered by that exploit resulting inleading to mitigated by to protect
- 6. Define the Scope Define the IS Policy Undertake Risk Assessment Selection of Controls Risk Treatment Plan Prepare SOA Treatment Planning Execute Risk Treatment Write Controls Implement Policies and Procedures Implement Training Manage Operations Implementation Define Metrics for Measurement Execute Operational Plan Regular Review of Effectiveness Review Level of Residual Risk Internal Audit Management Review Record Impact of ISMS Verification Implement Identified Improvement Take Corrective Action Apply Lessons Learned Communicate Results Execute ISMS Continuous Review Continuous Improvement Continuous Improvement ISO 27001 Implementation Process
- 7. The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years – we’re here to make sure you’re prepared.
- 8. What is GDPR? 8 Definition of Personal Data Principles of Processing Lawfulness of Processing Personal Data Conditions of Consent Rights of the Data Subject Data Breach Notifications Data Protection Officer
- 9. 9 What is “Personal Data” as Defined by GDPR? “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” - Article 4, GDPR
- 11. • Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the EU to US. • The GDPR has specific requirements regarding the transfer of data out of the EU. • One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. • In general the EU does not list the US as one of the countries that meets this requirement. • Privacy Shield is designed to create an program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information. • In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR. What is the Privacy Shield? 11 What is the Privacy Shield?
- 13. Assessment of Personal Data1 Implementation of Rights2 Verification3 PrivacyTrust Certification/Privacy Shield4 Ongoing Maintenance5
- 14. 14 Partnership with UK-based GDPR consulting firm Comprehensive data audit and assessment Partner/vendor GDPR compliance verification Assessment of Personal Data1
- 15. 15 Updated Privacy Policy and Terms of Service Updated cookie policy Explicit agreement to cookie and data collection on site and Partner/vendor GDPR compliance verification Implementation of Rights2
- 16. 16 Skyword Tracking Tag • Pseudonymization • Anonymization • Exclusion Database Encryption Data retention Verification3
- 17. 17 Application submitted and pending final approval Will display shield on our web site and platform PrivacyTrust Certification/Privacy Shield4
- 18. 18 Established Data Protection Officer Developed process for privacy inquiries Requiring GDPR compliance in all upcoming vendor contracts Strict adherence to privacy and security policies Ongoing Maintenance5
- 19. 19 Questions
Notes de l'éditeur
- A series of laws that were approved by the EU Parliament in 2016 These laws will come into affect on May 25th 2018 GDPR is an initiative by the EU to bring data protection legislation into line with new ways that data is now used New regulations will give users great control over their data, including the ability to export it, withdraw consent, and request access to it. It will affect any company that does business with Europe, whether they are based in the EU or not Fines can be the greater of €20 million, or four percent of annual worldwide turnover
- The bullet points appear correct in PPT but not in Google Slides. I just want to ensure that they will show up correctly in the final presentation.
- Database encryption: Comes at two levels – the entire database is encrypted. Data elements that include particularly sensitive information (such as taxpayer ID) are additionally encrypted at the column level. Passwords are stored in such a way that even Skyword personnel cannot recover them. Data retention: Though the Skyword tracking tag has been updated to not log PII (perhaps that discussion should come before data retention), we will only retain detailed tracking information for 7 days (6 months for SPR data). We are working on automated data retention policies for contributor data – but in the interim we will honor removal requests insofar as we can “Elimination”: Perhaps “exclusion” is a better word? Pseudonymization, which already masks PII, is our default behavior. Anonymization is offered at customer request for further protection. Exclusion is by the end user’s request