The Countdown is on: Key Things to
Know About the GDPR
Greg Reber,
CEO AsTech Consulting
http://i-sight.com/resources/ce-webinar-library/
Greg Reber
Greg Reber is the Founder and CEO of
AsTech, a leading information security
consulting firm. As an early pioneer in the
information security field, Reber was
among the first to recognize and address
the risks presented by consumer-facing
applications. He launched AsTech in 1997
and has established AsTech as the
premier firm that financial services
companies, retail service providers and
other Fortune 1000 companies turn to for
real-world, effective information security
solutions.
Poll Question
Where are you in GDPR readiness:
• Not started
• Just started
• Well on the way to readiness
• Complete with Data Protection Officer (DPO) in place
• I don’t think GDPR applies to my business
Today
• What GDPR is and who it applies to
• The importance of compliance and possible consequences of non-compliance
• Obtaining consent to collect, process and store personal information
• Requests to delete, access, transfer or update personal information
• Conducting a Data Protection Impact Assessment (DPIA)
What is GDPR?
“The General Data Protection Regulation
(GDPR) is a legal framework that sets
guidelines for the collection and processing of
personal information of individuals within
the European Union (EU).”
- Investopedia
What is GDPR (Really)?
“The General Data Protection Regulation
(GDPR) is a game-changing privacy protection
framework that shifts control of personal data
from ‘collectors and processors’ to individuals,
while allowing unprecedented access to data.”
- Greg Reber
GDPR Is A Big Deal
Experts agree that these are the biggest ‘changers of the game’:
Greatly Expanded ‘Data Subject’ (person) rights: Right to be Forgotten,
Right of Access, Right to Restriction of Processing, etc. are all new to most data
processors
72-hour breach notification: Currently there is no timeframe for notification,
other than “without unreasonable delay”
Data protection by design and by default: Example – Application developers
will need to take a ‘build security in’ approach, a significant shift from current
practices
Use of cloud storage and sharing services is not exempt: Organizations
that use cloud-based services will have to develop new policies and attestation
methods
Fines are significant: Up to 4% of global revenue (not profit) or €20M, whichever
is greater (this is huge)
Who Does GDPR Apply To?
GDPR requirements apply to any
organization doing business in the EU or
that processes personal data originating in
the EU, be it the data of residents or
visitors.
(The U.K. has adopted very
similar rules to be in effect
after the ‘Brexit’)
Who Does GDPR Apply To (cont’d)?
What does that mean?
Any website or mobile application that is accessible by
a person in the EU will need to comply with GDPR.
Scenario 1
• A tourist from the EU logs onto the website of their local EU grocery store
from their hotel in the US. They provide personal data such as their EU
delivery address and EU credit card details to order a delivery to their
home = GDPR is applicable - this is a service being delivered in the EU.
Who Does GDPR Apply To (cont’d)?
Scenario 2
• A tourist from the US logs onto the website of their local US grocery store
from their hotel in the EU. They provide personal data such as their US
delivery address and US credit card details to order a delivery to their
home in the US = GDPR is not applicable - it is not an EU transaction and
it does not matter where the data is processed.
The Importance of Compliance
This can really be thought of in terms of Consequences of Non-Compliance…
Every EU country and most others have Supervisory Authorities who can:
• Issue warnings
• Issue reprimands
• Communicate a personal data breach directly to Data Subjects
• Impose fines
• Tier 1 – Up to 2% of gross revenue
• Tier 2 – Up to 4% of gross revenue
The Importance of Compliance
Issue warnings
• “Don’t do that again” or “You’re not doing things right, fix it”
Issue reprimands
• “Hey, we told you not to do that again” or “You’re still not doing things
right”
Communicate a personal data breach directly to Data Subjects
• “HEY!! The processor of your personal information has been breached!”
The Consequences…
Now, let’s talk about those fines
• Tier 1
• Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year,
whichever is higher, shall be issued for infringements of Articles 8, 11, 25-39, parts of
41, 42 and 43
• These articles pertain to the protection and security of information and the security
organization, including designating a Data Protection Officer (DPO)
• Example: Morgan Stanley
• In 2014, an employee downloaded account information of 730,000 customers
• Russians hacked his laptop and posted some of the data for sale
• Morgan Stanley was fined $1M for not having “policies and procedures that are
reasonably designed to protect customer information” (SEC Press Release)
• Under Article 32 of GDPR, they could have been fined up to $686M
The Consequences…
One more recent example: Equifax
• In 2017, Equifax was breached resulting in disclosure of 143 million
people’s Personally Identifiable Information (PII)
• The company was breached in May, discovered it in July, and waited
until September to tell people (they were afraid of copycat hackers)
• Under GDPR Article 33 (72 hour breach notification), they would
have been fined $67M
• Equifax did everything wrong
• To date, Equifax has not been fined
The Consequences…
Fines can get REALLY BIG
• Tier 2
• Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year,
whichever is higher, shall be issued for infringements of Articles 5, 6, 7, 9, 12-22,
44-49, and parts of 83
• These articles pertain mainly to Data Subject (citizen) rights and transfers of data to third
countries or international organizations
• Example: Facebook
• Years ago, a German privacy advocate wanted Facebook to delete his own data,
and prove to him that they did. Non-U.S. Facebook operated under Irish law,
which said Facebook didn’t have to do this, as it would be prohibitively expensive
• Article 17 of GDPR – ‘Right to be Forgotten’ would allow for 2017 fines on
Facebook to be as high as $1.6B (yep, Billion)
Consent
Article 7 of GDPR appears to be aimed at complicated End User
License Agreements (EULAs), with a requirement that the user ‘opt in’
very clearly
• The data controller (collector) has to be able to show the user opted in
• Consent cannot be mixed in with a “written declaration that concerns other
matters”
• “It shall be as easy to withdraw consent as to give consent”
This is very, very important to the spirit of GDPR
Consent - Example
Requests – Right to Erasure
Right to Erasure can be invoked for a host of reasons
• Data no longer necessary for original purposes
• Citizen withdraws consent
• Citizen ‘objects’ to the processing
• Data have been unlawfully processed
There are some caveats to this one though, if processing is necessary
for:
• “freedom of expression” (we are not sure what this means in Art. 85)
• Public interest, public health, scientific or historical research, etc.
Requests – Right of Access
Supervisory Authorities can order compliance with Data
Subject (citizen) requests, such as . . .
• Is my personal data being processed? If so, what is (are) the:
• Purpose of processing
• Categories of data
• Recipients and their locations
• Duration it will be stored
• Source of data (if not the citizen)
• Existence of automated decision making (this is the Artificial
Intelligence/Machine Learning aspect of inquiry)
Requests – Right to Object
People have the right to object to processing of their
personal data
This appears to be focused squarely on Direct Marketing and
consumer profiling, as the actual verbiage within the GDPR states:
“Where personal data are processed for the purposes of direct marketing, the
data subject should have the right to object to such processing, including
profiling to the extent that it is related to such direct marketing, whether with
regard to initial or further processing, at any time and free of charge.”
(Recital 70)
Data Protection Impact Assessment
The assessment shall contain at least (from Article 35):
– a systematic description of the envisaged processing operations and the
purposes of the processing, including, where applicable, the legitimate interest
pursued by the controller;
– an assessment of the necessity and proportionality of the processing operations
in relation to the purposes;
– an assessment of the risks to the rights and freedoms of data subjects referred to
in paragraph 1; and
– the measures envisaged to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons concerned.
Data Protection Impact Assessment
Translation:
– Description of the purpose of the proposed processing and its operations and
systems, including WHY the data controller wants to add this processing
– an assessment of the necessity and proportionality of the processing operations
in relation to WHY the data controller wants to add this processing
– an assessment of the risks to the rights and freedoms of data subjects
– the measures proposed to address the risks, including safeguards, security
measures and mechanisms to ensure the protection of personal data and to
demonstrate compliance with this Regulation taking into account the rights and
legitimate interests of data subjects and other persons concerned.
• (This is the real purpose of the DPIA, and where most of the effort will be spent)
“Looks like it worked . . .”
Data Protection Impact Assessment
Bottom line on DPIAs:
If a controller or processor has completed a DPIA in good faith (not just checking a
box) and an issue arises later, the Supervisory Authority will look at the
DPIA, possibly find fault with it, and base punitive action on those faults
If a controller or processor has NOT completed a DPIA (or has made only a weak effort)
and an issue arises later, the Supervisory Authority may base punitive
actions on the damages done to the data subjects (residents), and those
actions will hurt more
Of course, they could do that anyway…
Poll Question
Where are you in GDPR readiness: Poll Results
Today February
• Not started 9%
• Just started 40%
• Well on the way to readiness 41%
• Complete with Data Protection Officer (DPO) in place 4%
• I don’t think GDPR applies to my business 5%
Questions?
Thank you for participating
Contact Greg Reber
Greg.Reber@AsTechConsulting.com
@greg_reber
https://www.linkedin.com/in/gregreber/
Contact i-Sight
j.gerard@i-sight.com
Find more free webinars:
http://www.i-sight.com/resources/webinars
@isightsoftware
More Related Content

What's hot

How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudHow to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
FraudBusters
 
Corruption and Fraud Risk Management using ISO 31000
Corruption and Fraud Risk Management using ISO 31000Corruption and Fraud Risk Management using ISO 31000
Corruption and Fraud Risk Management using ISO 31000
PECB
 
Financial crime anti-money laundering - bovill briefing
Financial crime   anti-money laundering - bovill briefingFinancial crime   anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefing
Bovill
 
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
Fraud Prevention, Detection and Investigation in the Payday Advance IndustryFraud Prevention, Detection and Investigation in the Payday Advance Industry
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
DecosimoCPAs
 

What's hot (20)

OFAC Name Matching and False-Positive Reduction Techniques
OFAC Name Matching and False-Positive Reduction TechniquesOFAC Name Matching and False-Positive Reduction Techniques
OFAC Name Matching and False-Positive Reduction Techniques
 
ACCA-IIA Singapore Seminar 2015 Part 3 Fraud Risk Assessment
ACCA-IIA Singapore Seminar 2015 Part 3 Fraud Risk AssessmentACCA-IIA Singapore Seminar 2015 Part 3 Fraud Risk Assessment
ACCA-IIA Singapore Seminar 2015 Part 3 Fraud Risk Assessment
 
Fraud Risk and Control
Fraud Risk and ControlFraud Risk and Control
Fraud Risk and Control
 
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory FraudHow to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
How to Use Data Analytics to Detect Fixed Asset and Inventory Fraud
 
Third Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study DiscussionThird Party Due Diligence - Case Study Discussion
Third Party Due Diligence - Case Study Discussion
 
Detecting and investigating vendor fraud mvw
Detecting and investigating vendor fraud mvwDetecting and investigating vendor fraud mvw
Detecting and investigating vendor fraud mvw
 
Tips for Implementing a Whistleblower Hotline
Tips for Implementing a Whistleblower HotlineTips for Implementing a Whistleblower Hotline
Tips for Implementing a Whistleblower Hotline
 
Fraud Risk Assessment- detection and prevention- Part- 2,
Fraud Risk Assessment- detection and prevention- Part- 2, Fraud Risk Assessment- detection and prevention- Part- 2,
Fraud Risk Assessment- detection and prevention- Part- 2,
 
Corruption and Fraud Risk Management using ISO 31000
Corruption and Fraud Risk Management using ISO 31000Corruption and Fraud Risk Management using ISO 31000
Corruption and Fraud Risk Management using ISO 31000
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
 
Financial crime anti-money laundering - bovill briefing
Financial crime   anti-money laundering - bovill briefingFinancial crime   anti-money laundering - bovill briefing
Financial crime anti-money laundering - bovill briefing
 
Modern Slavery Supply Chain
Modern Slavery Supply Chain Modern Slavery Supply Chain
Modern Slavery Supply Chain
 
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
Insider Threat: Cases and Controls to Prevent Internal Fraud and PreventionInsider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
 
Fraud Investigation
Fraud InvestigationFraud Investigation
Fraud Investigation
 
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data AnalysisRecognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
Recognizing and Preventing Fixed Asset and Inventory Fraud using Data Analysis
 
Fraud Investigation Process And Procedures
Fraud Investigation Process And ProceduresFraud Investigation Process And Procedures
Fraud Investigation Process And Procedures
 
Ais Romney 2006 Slides 05 Computer Fraud And Abuse
Ais Romney 2006 Slides 05 Computer Fraud And AbuseAis Romney 2006 Slides 05 Computer Fraud And Abuse
Ais Romney 2006 Slides 05 Computer Fraud And Abuse
 
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
Fraud Prevention, Detection and Investigation in the Payday Advance IndustryFraud Prevention, Detection and Investigation in the Payday Advance Industry
Fraud Prevention, Detection and Investigation in the Payday Advance Industry
 
Mdm (2)
Mdm (2)Mdm (2)
Mdm (2)
 
Presentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due DiligencePresentation: Compliance & Third Party Due Diligence
Presentation: Compliance & Third Party Due Diligence
 

Similar to The Countdown is on: Key Things to Know About the GDPR

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
Mark Baker
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 

Similar to The Countdown is on: Key Things to Know About the GDPR (20)

GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
 
GDPR (En) JM Tyszka
GDPR (En)  JM TyszkaGDPR (En)  JM Tyszka
GDPR (En) JM Tyszka
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
Explain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdprExplain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdpr
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1
 
#HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance #HR and #GDPR: Preparing for 2018 Compliance
#HR and #GDPR: Preparing for 2018 Compliance
 
Legal Issues Associated with Third-Party Cyber Risk
Legal Issues Associated with Third-Party Cyber RiskLegal Issues Associated with Third-Party Cyber Risk
Legal Issues Associated with Third-Party Cyber Risk
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
Gdpr demystified - making sense of the regulation
Gdpr demystified  - making sense of the regulationGdpr demystified  - making sense of the regulation
Gdpr demystified - making sense of the regulation
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...Introduction to EU General Data Protection Regulation: Planning, Implementati...
Introduction to EU General Data Protection Regulation: Planning, Implementati...
 

More from Case IQ

Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
Case IQ
 
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk   7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
Case IQ
 

More from Case IQ (20)

How Best Practices in Triage Protocol Can Boost Compliance and Reduce Risk
How Best Practices in Triage Protocol Can Boost Compliance and Reduce RiskHow Best Practices in Triage Protocol Can Boost Compliance and Reduce Risk
How Best Practices in Triage Protocol Can Boost Compliance and Reduce Risk
 
How to Drive Efficiency and Reduce Risk with Investigative Case Management So...
How to Drive Efficiency and Reduce Risk with Investigative Case Management So...How to Drive Efficiency and Reduce Risk with Investigative Case Management So...
How to Drive Efficiency and Reduce Risk with Investigative Case Management So...
 
Who's Lying? Using the Cognitive Interview to Assess Credibility in Workplace...
Who's Lying? Using the Cognitive Interview to Assess Credibility in Workplace...Who's Lying? Using the Cognitive Interview to Assess Credibility in Workplace...
Who's Lying? Using the Cognitive Interview to Assess Credibility in Workplace...
 
Protecting the Mental Wellbeing of Corporate Investigators
Protecting the Mental Wellbeing of Corporate InvestigatorsProtecting the Mental Wellbeing of Corporate Investigators
Protecting the Mental Wellbeing of Corporate Investigators
 
Meric Bloc_Webinar Nov22.pptx
Meric Bloc_Webinar Nov22.pptxMeric Bloc_Webinar Nov22.pptx
Meric Bloc_Webinar Nov22.pptx
 
5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture5 Steps to Creating an Ethical Work Culture
5 Steps to Creating an Ethical Work Culture
 
How to Assess, Level Up, and Leverage Your Culture of Compliance
How to Assess, Level Up, and Leverage Your Culture of ComplianceHow to Assess, Level Up, and Leverage Your Culture of Compliance
How to Assess, Level Up, and Leverage Your Culture of Compliance
 
Everything You Need to Get E&C Investigations Right (According to the DOJ)
Everything You Need to Get E&C Investigations Right (According to the DOJ)Everything You Need to Get E&C Investigations Right (According to the DOJ)
Everything You Need to Get E&C Investigations Right (According to the DOJ)
 
5 Ways to Build Employee Trust for Less Turnover and Fewer Incidents
5 Ways to Build Employee Trust for Less Turnover and Fewer Incidents5 Ways to Build Employee Trust for Less Turnover and Fewer Incidents
5 Ways to Build Employee Trust for Less Turnover and Fewer Incidents
 
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre...
 
Finding Value Before a Crisis: How Workplace DEI Drives Revenue and Prevents ...
Finding Value Before a Crisis: How Workplace DEI Drives Revenue and Prevents ...Finding Value Before a Crisis: How Workplace DEI Drives Revenue and Prevents ...
Finding Value Before a Crisis: How Workplace DEI Drives Revenue and Prevents ...
 
How Not to Get Called Out on TikTok: Improving Your Brand Through Employer/Em...
How Not to Get Called Out on TikTok: Improving Your Brand Through Employer/Em...How Not to Get Called Out on TikTok: Improving Your Brand Through Employer/Em...
How Not to Get Called Out on TikTok: Improving Your Brand Through Employer/Em...
 
What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?
 
Building Effective Sexual Harassment Prevention Policies and Training
Building Effective Sexual Harassment Prevention Policies and TrainingBuilding Effective Sexual Harassment Prevention Policies and Training
Building Effective Sexual Harassment Prevention Policies and Training
 
How to recognize and minimize unconscious bias in the workplace
How to recognize and minimize unconscious bias in the workplaceHow to recognize and minimize unconscious bias in the workplace
How to recognize and minimize unconscious bias in the workplace
 
Search Engine Skills for Workplace Investigators
Search Engine Skills for Workplace InvestigatorsSearch Engine Skills for Workplace Investigators
Search Engine Skills for Workplace Investigators
 
Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
Preventing Bullying and Harassment Through Diversity and Inclusion in the Wor...
 
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk   7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
7 Ways to Increase Ethical Accountability and Decrease Fraud Risk
 
10 Critical Mistakes in Workplace Investigation Programs and How to Avoid Them
10 Critical Mistakes in Workplace Investigation Programs and How to Avoid Them10 Critical Mistakes in Workplace Investigation Programs and How to Avoid Them
10 Critical Mistakes in Workplace Investigation Programs and How to Avoid Them
 
How to Incorporate "Psyber Resilience" into Your Security Strategy
How to Incorporate "Psyber Resilience" into Your Security Strategy How to Incorporate "Psyber Resilience" into Your Security Strategy
How to Incorporate "Psyber Resilience" into Your Security Strategy
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

The Countdown is on: Key Things to Know About the GDPR

  • 1. The Countdown is on: Key Things to Know About the GDPR Greg Reber, CEO AsTech Consulting
  • 10. Greg Reber Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. As an early pioneer in the information security field, Reber was among the first to recognize and address the risks presented by consumer-facing applications. He launched AsTech in 1997 and has established AsTech as the premier firm that financial services companies, retail service providers and other Fortune 1000 companies turn to for real-world, effective information security solutions.
  • 11. Poll Question
    Where are you in GDPR readiness:
    • Not started
    • Just started
    • Well on the way to readiness
    • Complete with Data Protection Officer (DPO) in place
    • I don’t think GDPR applies to my business
  • 12. Today
    • What GDPR is and who it applies to
    • The importance of compliance and possible consequences of non-compliance
    • Obtaining consent to collect, process and store personal information
    • Requests to delete, access, transfer or update personal information
    • Conducting a Data Protection Impact Assessment (DPIA)
  • 13. What is GDPR?
    “The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).”
    - Investopedia
  • 14. What is GDPR (Really)?
    “The General Data Protection Regulation (GDPR) is a game-changing privacy protection framework that shifts control of personal data from ‘collectors and processors’ to individuals, while allowing unprecedented access to data.”
    - Greg Reber
  • 15. GDPR Is A Big Deal
    Experts agree that these are the biggest ‘changers of the game’:
    • Greatly Expanded ‘Data Subject’ (person) rights: Right to be Forgotten, Right of Access, Right to Restriction of Processing, etc. are all new to most data processors
    • 72-hour breach notification: Currently there is no timeframe for notification, other than “without unreasonable delay”
    • Data protection by design and by default: Example – Application developers will need to take a ‘build security in’ approach, a significant shift from current practices
    • Use of cloud storage and sharing services is not exempt: Organizations that use cloud-based services will have to develop new policies and attestation methods
    • Fines are significant: Up to 4% of global revenue (not profit) or €20M, whichever is greater (this is huge)
  • 16. Who Does GDPR Apply To?
    GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU, be it the data of residents or visitors. (The U.K. has adopted very similar rules to be in effect after the ‘Brexit’.)
  • 17. Who Does GDPR Apply To (cont’d)?
    What does that mean? Any website or mobile application that is accessible by a person in the EU will need to comply with GDPR.
    Scenario 1: A tourist from the EU logs onto the website of their local EU grocery store from their hotel in the US. They provide personal data such as their EU delivery address and EU credit card details to order a delivery to their home = GDPR is applicable - this is a service being delivered in the EU.
  • 18. Who Does GDPR Apply To (cont’d)?
    Scenario 2: A tourist from the US logs onto the website of their local US grocery store from their hotel in the EU. They provide personal data such as their US delivery address and US credit card details to order a delivery to their home in the US = GDPR is not applicable - it is not an EU transaction, and it does not matter where the data is processed.
  • 19. The Importance of Compliance
    This can really be thought of in terms of Consequences of Non-Compliance…
    Every EU country and most others have Supervisory Authorities who can:
    • Issue warnings
    • Issue reprimands
    • Communicate a personal data breach directly to Data Subjects
    • Impose fines
      • Tier 1 – Up to 2% of gross revenue
      • Tier 2 – Up to 4% of gross revenue
  • 20. The Importance of Compliance
    Issue warnings
    • “Don’t do that again” or “You’re not doing things right, fix it”
    Issue reprimands
    • “Hey, we told you not to do that again” or “You’re still not doing things right”
    Communicate a personal data breach directly to Data Subjects
    • “HEY!! The processor of your personal information has been breached!”
  • 21. The Consequences…
    Now, let’s talk about those fines
    • Tier 1
      • Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of Articles 8, 11, 25-39, parts of 41, 42 and 43
      • These articles pertain to the protection and security of information and the security organization, including designating a Data Protection Officer (DPO)
    • Example: Morgan Stanley
      • In 2014, an employee downloaded account information of 730,000 customers
      • Russians hacked his laptop and posted some of the data for sale
      • Morgan Stanley was fined $1M for not having “policies and procedures that are reasonably designed to protect customer information” (SEC Press Release)
      • Under Article 32 of GDPR, they could have been fined up to $686M
  • 22. The Consequences…
    One more recent example: Equifax
    • In 2017, Equifax was breached, resulting in disclosure of 143 million people’s Personally Identifiable Information (PII)
    • The company was breached in May, discovered it in July, and waited until September to tell people (they were afraid of copycat hackers)
    • Under GDPR Article 33 (72-hour breach notification), they would have been fined $67M
    • Equifax did everything wrong
    • To date, Equifax has not been fined
  • 23. The Consequences…
    Fines can get REALLY BIG
    • Tier 2
      • Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of Articles 5, 6, 7, 9, 12-22, 44-49, and parts of 83
      • These articles pertain mainly to Data Subject (citizen) rights and transfers of data to third countries or international organizations
    • Example: Facebook
      • Years ago, a German privacy advocate wanted Facebook to delete his own data, and prove to him that they did. Non-U.S. Facebook operated under Irish law, which said Facebook didn’t have to do this, as it would be prohibitively expensive
      • Article 17 of GDPR – ‘Right to be Forgotten’ would allow for 2017 fines on Facebook to be as high as $1.6B (yep, Billion)
  • 24. Consent
    Article 7 of GDPR appears to be aimed at complicated End User License Agreements (EULAs), with a requirement that the user ‘opt in’ very clearly
    • The data controller (collector) has to be able to show the user Opted In
    • Consent cannot be mixed in with a “written declaration that concerns other matters”
    • “It shall be as easy to withdraw consent as to give consent”
    This is very, very important to the spirit of GDPR
  • 26. Requests – Right to Erasure
    Right to Erasure can be invoked for a host of reasons
    • Data no longer necessary for original purposes
    • Citizen withdraws consent
    • Citizen ‘objects’ to the processing
    • Data have been unlawfully processed
    There are some caveats to this one though, if processing is necessary for:
    • “freedom of expression” (we are not sure what this means in Art. 85)
    • Public interest, public health, scientific or historical research, etc.
  • 27. Requests – Right of Access
    Supervisory Authorities can order compliance with Data Subject (citizen) requests, such as . . .
    • Is my personal data being processed? If so, what is (are) the:
      • Purpose of processing
      • Categories of data
      • Recipients and their locations
      • Duration it will be stored
      • Source of data (if not the citizen)
      • Existence of automated decision making (this is the Artificial Intelligence/Machine Learning aspect of inquiry)
  • 28. Requests – Right to Object
    People have the right to object to processing of their personal data
    This appears to be focused squarely on Direct Marketing and consumer profiling, as the actual verbiage within the GDPR states:
    “Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.” (Recital 70)
  • 29. Data Protection Impact Assessment
    The assessment shall contain at least (from Article 35):
    – a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
    – an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    – an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
    – the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
  • 30. Data Protection Impact Assessment
    Translation:
    – Description of the purpose of the proposed processing and its operations and systems, including WHY the data controller wants to add this processing
    – an assessment of the necessity and proportionality of the processing operations in relation to WHY the data controller wants to add this processing
    – an assessment of the risks to the rights and freedoms of data subjects
    – the measures proposed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
    • (This is the real purpose of the DPIA, and where most of the effort will be spent)
    “Looks like it worked . . .”
  • 31. Data Protection Impact Assessment
    Bottom line on DPIAs:
    If a controller or processor has completed a DPIA in good faith (not checking a box), and later there is an issue, the Supervisory Authority will look at the DPIA, possibly find fault with it, and base punitive action on those faults.
    If a controller or processor has NOT completed a DPIA (or has made a weak effort), and later there is an issue, the Supervisory Authority may base punitive actions on the damages done to the data subjects (residents), and those actions will hurt more.
    Of course, they could do that anyway…
  • 32. Poll Question
    Where are you in GDPR readiness: Poll Results Today February
    • Not started 9%
    • Just started 40%
    • Well on the way to readiness 41%
    • Complete with Data Protection Officer (DPO) in place 4%
    • I don’t think GDPR applies to my business 5%
  • 34. Thank you for participating
    Contact Greg Reber: Greg.Reber@AsTechConsulting.com, @greg_reber, https://www.linkedin.com/in/gregreber/
    Contact i-Sight: j.gerard@i-sight.com
    Find more free webinars: http://www.i-sight.com/resources/webinars @isightsoftware

Editor's Notes

  1. i-Sight is the world’s premier case management software,
  2. Work anywhere with 24-hour access on any mobile device or computer.
  3. Save your company time with our intuitive software and custom one-click reports.
  4. trusted by top brands, banks, and schools to manage HR, fraud, and compliance investigations.
  5. Use our powerful reporting tools to help you identify risks, trends, and opportunities.
  6. i-Sight is a better way to manage your investigations. Book a demo today to learn how companies are saving money and protecting their business.
  7. ----- Meeting Notes (4/23/18 09:43) ----- When you think about GDPR as it relates to your own company, where are you on the readiness scale: (read bullets)
  8. ----- Meeting Notes (4/23/18 09:43) ----- When you think about GDPR as it relates to your own company, where are you on the readiness scale: (read bullets)
  9. ----- Meeting Notes (4/23/18 09:43) ----- The topics we'll touch upon today are (read bullets)
  10. ----- Meeting Notes (4/23/18 09:43) ----- So, what is GDPR? Investopedia, and many other sources, define it like this: (read text) Notice it says ‘individuals’, not citizens. This is an important distinction, as we’ll go into later.
  11. ----- Meeting Notes (4/23/18 09:43) ----- But what is it really? I define it like this: (read text)
  12. ----- Meeting Notes (4/23/18 09:43) ----- Why is it a game changer? Because companies that collect and/or process data have to do a lot of things that they aren't doing right now (touch upon each bullet, don't read every word)
  13. ----- Meeting Notes (4/23/18 09:43) ----- Many people are saying that GDPR only applies to EU residents but that is not the whole picture. People visiting any EU country will be covered also. The U.K. has adopted The Data Protection Bill which is very similar to the GDPR to be in effect after they leave the EU in March 2019.
  14. ----- Meeting Notes (4/23/18 09:43) ----- (read text)
  15. ----- Meeting Notes (4/23/18 09:43) ----- Another scenario illustrates an alternative situation (read text)
  16. ----- Meeting Notes (4/23/18 09:43) ----- It will be important to comply with the GDPR, mostly because of what will happen to companies that don't comply, but those companies that do comply will have processes in place that will generally help their business – from building security into everything they do, to using case management systems to track requests and security incidents. GDPR oversight will be imposed by Supervisory Authorities whose responsibilities will include, but not be limited to: (read text) Imposition of fines
  17. ----- Meeting Notes (4/23/18 09:43) ----- (read text) For minor issues, the supervisory authority will warn companies that some action is required to comply. Reprimands will be follow-ups to warnings. When a breach occurs, companies will report it to the Supervisory Authorities; together they will determine the best way forward, and the supervisory authority will inform people of the breach as necessary.
  18. ----- Meeting Notes (4/23/18 09:43) ----- Among the biggest game changers are the fines that can be imposed. These will be based on gross global revenue. There are two tiers of fines. The lower tier will be used for infractions related to data protection and processes related to that protection. (talk thru Morgan Stanley breach and fine)
  19. ----- Meeting Notes (4/23/18 09:43) ----- A more recent example is last year’s Equifax breach of very sensitive information affecting 143 million people (talk thru Equifax breach - highlight all the missteps: easy find/fix, single person under the bus, insider trading, website to check if affected, sign people up for free then charge after a year)
  20. ----- Meeting Notes (4/23/18 10:09) ----- The higher tier pertains to the rights of people and how data is shared among companies (talk thru FB example)
  21. ----- Meeting Notes (4/23/18 10:09) ----- Article 7 is a very, very important piece of GDPR - the 'opt in' regulation. We've all seen long EULAs, and most people click through them without reading. Somewhere in there is the part where we agree to let the company do whatever they want with our information. Under GDPR, we have to be given the choice to opt in for data collection, how it is going to be used and other very specific notification requirements, and that choice has to be isolated from the rest of any EULA. This is a huge change over what is available to us today.
  22. ----- Meeting Notes (4/23/18 10:09) ----- This is an example of the type of consent pop-up that we can expect. Others will be longer and more drawn out, but may run afoul of the 'simplicity spirit' of the intent. (Read pop up) So, looking at something like this, we'll be able to decide if we want 'offers that will be of interest' to us based on our browsing habits.
  23. ----- Meeting Notes (4/23/18 10:09) ----- This right to erasure, also known as 'right to be forgotten', relates back to that Facebook example. People will now be able to have their data erased from the databases of companies collecting or processing their information, for any reason. ‘Freedom of expression’ pertains to journalistic and artistic pursuits, and is still a bit subjective; this will be sorted out as cases arise.
  24. ----- Meeting Notes (4/23/18 10:09) ----- The supervisory authorities will facilitate citizen requests, and order compliance with them (read bullets). This underscores the basic foundational tenet of GDPR that people own their information, not the companies that collect or process it.
  25. ----- Meeting Notes (4/23/18 10:09) ----- One of the main targets of GDPR is the direct marketing industry. These companies collect huge amounts of data, not just browsing histories, to focus those pop up ads we all see. You know what I mean - I just bought a pair of boots online, and within hours I see boot ads wherever I go on the internet. So the direct marketing companies are smart enough to know that I was looking at boots, but not smart enough to know that I bought some and won't need any more for 5 or 6 years.
  26. ----- Meeting Notes (4/23/18 10:09) ----- And then there's the Data Protection Impact Assessment, or DPIA. This is a very important part of the GDPR, and everyone should pay real attention to this. On this slide we have the text from Article 35.
  27. ----- Meeting Notes (4/23/18 10:09) ----- On this slide we have a translation. Why probable? Because, as with most regulatory frameworks, this one will be interpreted as applicable cases unfold. You see here that companies will have to explain WHY they are doing what they are doing. No more personality quizzes that are really collecting demographic information to be used to target political 'news' stories at specific groups of individuals.
  28. ----- Meeting Notes (4/23/18 10:12) ----- We also think that, like many regulatory frameworks, if you have gone through the planning process in good faith and an issue arises, the supervisory authorities will look at your processes and may find fault there, and issue warnings or reprimands based on the DPIA. If you don't have that process, or just check a box saying you did it, then there will be more serious consequences. Bottom line: take the DPIA very seriously, as it will be one of the best practices for your company for many reasons.
  29. ----- Meeting Notes (4/23/18 09:43) ----- When you think about GDPR as it relates to your own company, where are you on the readiness scale: (read bullets)