The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. This powerful legislation strengthens data privacy law in Europe and has implications for companies all over the world that store, process or transfer the personal data of individuals in the EU.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
10. Greg Reber
Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. As an early pioneer in the information security field, Reber was among the first to recognize and address the risks presented by consumer-facing applications. He launched AsTech in 1997 and has established AsTech as the premier firm that financial services companies, retail service providers and other Fortune 1000 companies turn to for real-world, effective information security solutions.
11. Poll Question
Where are you in GDPR readiness:
• Not started
• Just started
• Well on the way to readiness
• Complete with Data Protection Officer (DPO) in place
• I don’t think GDPR applies to my business
12. Today
What GDPR is and who it applies to
The importance of compliance and possible consequences of non-compliance
Obtaining consent to collect, process and store personal information
Requests to delete, access, transfer or update personal information
Conducting a Data Protection Impact Assessment (DPIA)
13. What is GDPR?
“The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).”
- Investopedia
14. What is GDPR (Really)?
“The General Data Protection Regulation (GDPR) is a game-changing privacy protection framework that shifts control of personal data from ‘collectors and processors’ to individuals, while allowing unprecedented access to data.”
- Greg Reber
15. GDPR Is A Big Deal
Experts agree that these are the biggest ‘changers of the game’:
• Greatly expanded ‘Data Subject’ (person) rights: Right to be Forgotten, Right of Access, Right to Restriction of Processing, etc. are all new to most data processors
• 72-hour breach notification: Currently there is no timeframe for notification, other than “without unreasonable delay”
• Data protection by design and by default: Example – Application developers will need to take a ‘build security in’ approach, a significant shift from current practices
• Use of cloud storage and sharing services is not exempt: Organizations that use cloud-based services will have to develop new policies and attestation methods
• Fines are significant: Up to 4% of global revenue (not profit) or €20M, whichever is greater (this is huge)
16. Who Does GDPR Apply To?
GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU, be it the data of residents or visitors.
(The U.K. has adopted very similar rules to be in effect after ‘Brexit’)
17. Who Does GDPR Apply To (cont’d)?
What does that mean?
Any website or mobile application that offers goods or services to, or monitors the behaviour of, people in the EU will need to comply with GDPR (Article 3(2)) – regardless of where the organization or its servers are located.
Scenario 1
A tourist from the EU logs onto the website of their local EU grocery store from their hotel in the US. They provide personal data such as their EU delivery address and EU credit card details to order a delivery to their home = GDPR is applicable – this is a service being delivered in the EU.
18. Who Does GDPR Apply To (cont’d)?
Scenario 2
A tourist from the US logs onto the website of their local US grocery store from their hotel in the EU. They provide personal data such as their US delivery address and US credit card details to order a delivery to their home in the US = GDPR is not applicable – it is not an EU transaction, and it does not matter where the data is processed.
19. The Importance of Compliance
This can really be thought of in terms of the Consequences of Non-Compliance…
Every EU member state has one or more Supervisory Authorities who can:
• Issue warnings
• Issue reprimands
• Communicate a personal data breach directly to Data Subjects
• Impose fines
• Tier 1 – Up to 2% of gross revenue
• Tier 2 – up to 4% of gross revenue
20. The Importance of Compliance
Issue warnings
• “Don’t do that again” or “You’re not doing things right, fix it”
Issue reprimands
• “Hey, we told you not to do that again” or “You’re still not doing things right”
Communicate a personal data breach directly to Data Subjects
• “HEY!! The processor of your personal information has been breached!”
21. The Consequences…
Now, let’s talk about those fines
• Tier 1
• Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of Articles 8, 11, 25-39, parts of 41, 42 and 43
• These articles pertain to the protection and security of information and the security organization, including designating a Data Protection Officer (DPO)
• Example: Morgan Stanley
• In 2014, an employee downloaded account information of 730,000 customers
• Russians hacked his laptop and posted some of the data for sale
• Morgan Stanley was fined $1M for not having “policies and procedures that are reasonably designed to protect customer information” (SEC Press Release)
• Under Article 32 of GDPR, they could have been fined up to $686M (2% of global revenue)
22. The Consequences…
One more recent example: Equifax
• In 2017, Equifax was breached, resulting in disclosure of 143 million people’s Personally Identifiable Information (PII)
• The company was breached in May, discovered it in July, and waited until September to tell people (they were afraid of copycat hackers)
• Under GDPR Article 33 (72-hour breach notification), they could have been fined up to $67M (2% of global revenue)
• Equifax did everything wrong
• To date, Equifax has not been fined
23. The Consequences…
Fines can get REALLY BIG
• Tier 2
• Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of Articles 5, 6, 7, 9, 12-22 and 44-49, and for non-compliance with a Supervisory Authority order (Article 58(2))
• These articles pertain mainly to Data Subject (citizen) rights and transfers of data to third countries or international organizations
• Example: Facebook
• Years ago, a German privacy advocate wanted Facebook to delete his own data and prove to him that they did. Non-U.S. Facebook operated under Irish law, which said Facebook didn’t have to do this, as it would be prohibitively expensive
• Article 17 of GDPR – ‘Right to be Forgotten’ – would allow for 2017 fines on Facebook to be as high as $1.6B (yep, Billion)
24. Consent
Article 7 of GDPR appears to be aimed at complicated End User License Agreements (EULAs), with a requirement that the user ‘opt in’ very clearly
• The data controller (collector) has to be able to show that the user opted in
• Consent cannot be mixed in with a “written declaration that concerns other matters”
• “It shall be as easy to withdraw consent as to give consent”
This is very, very important to the spirit of GDPR
26. Requests – Right to Erasure
Right to Erasure can be invoked for a host of reasons
• Data no longer necessary for original purposes
• Citizen withdraws consent
• Citizen ‘objects’ to the processing
• Data have been unlawfully processed
There are some caveats to this one though, if processing is necessary for:
• “freedom of expression” (we are not sure what this means in Art.85)
• Public interest, public health, scientific or historical research, etc.
27. Requests – Right of Access
Supervisory Authorities can order compliance with Data Subject (citizen) requests, such as . . .
•Is my personal data being processed? If so what is (are) the:
• Purpose of processing
• Categories of data
• Recipients and their locations
• Duration it will be stored
• Source of data (if not the citizen)
• Existence of automated decision making (this is the Artificial Intelligence/Machine Learning aspect of the inquiry)
28. Requests – Right to Object
People have the right to object to processing of their
personal data
This appears to be focused squarely on direct marketing and consumer profiling, as the actual verbiage within the GDPR states:
“Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.” (Recital 70)
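The consent (slide 24), erasure (slide 26), access (slide 27) and objection (slide 28) requirements above all turn on the same engineering question: can the system show who opted in to what, switch a purpose off as easily as it was switched on, and answer a subject’s request from a data inventory rather than by hand? The following is an added example written for this page; it is not code from the webinar, AsTech or i-Sight. The data inventory, purposes, subject names and legal-retention flags are constructed assumptions for illustration, not a description of any real controller.

```python
"""Consent ledger plus access/erasure handling (added example, hypothetical data)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory (assumption): for each category of personal data, why it
# is processed, who receives it, how long it is kept, whether a legal duty blocks
# erasure (Art. 17(3)(b)), and whether automated decisions are made on it.
INVENTORY = {
    "email":    {"purpose": "account_service", "recipients": ["email provider (EU)"],
                 "retention": "life of account", "retain_by_law": False, "automated": False},
    "browsing": {"purpose": "direct_marketing", "recipients": ["ad partner (US)"],
                 "retention": "13 months", "retain_by_law": False, "automated": True},
    "invoices": {"purpose": "accounting", "recipients": ["tax authority (EU)"],
                 "retention": "10 years (tax law)", "retain_by_law": True, "automated": False},
}
CONSENT_PURPOSES = {"direct_marketing"}   # purposes that rest on opt-in consent


@dataclass(frozen=True)
class ConsentEvent:
    subject: str
    purpose: str
    granted: bool
    at: datetime
    wording: str   # exact text shown to the subject, kept as evidence of the opt-in


class ConsentLedger:
    """Append-only record of grants and withdrawals, one purpose per event."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, subject: str, purpose: str, wording: str) -> None:
        self._events.append(ConsentEvent(subject, purpose, True,
                                         datetime.now(timezone.utc), wording))

    def withdraw(self, subject: str, purpose: str) -> None:
        # Same single call as granting: withdrawing is as easy as giving consent.
        self._events.append(ConsentEvent(subject, purpose, False,
                                         datetime.now(timezone.utc), "withdrawn by subject"))

    def proof(self, subject: str, purpose: str) -> ConsentEvent | None:
        """Most recent event for this subject/purpose, in log order."""
        hits = [e for e in self._events if (e.subject, e.purpose) == (subject, purpose)]
        return hits[-1] if hits else None

    def has_consent(self, subject: str, purpose: str) -> bool:
        e = self.proof(subject, purpose)
        return e is not None and e.granted   # no record at all means no consent


class Controller:
    """Holds per-subject records and answers access and erasure requests."""

    def __init__(self, ledger: ConsentLedger) -> None:
        self.ledger = ledger
        self.records: dict[str, dict[str, str]] = {}

    def store(self, subject: str, category: str, value: str) -> None:
        self.records.setdefault(subject, {})[category] = value

    def may_process(self, subject: str, category: str) -> bool:
        purpose = INVENTORY[category]["purpose"]
        if purpose in CONSENT_PURPOSES:
            return self.ledger.has_consent(subject, purpose)
        return True   # contract or legal-obligation basis; consent not required

    def access_report(self, subject: str) -> dict:
        """Right-of-access answer assembled from the inventory, not typed by hand."""
        held = self.records.get(subject, {})
        return {"processing": bool(held),
                "categories": {cat: {"purpose": INVENTORY[cat]["purpose"],
                                     "recipients": INVENTORY[cat]["recipients"],
                                     "retention": INVENTORY[cat]["retention"],
                                     "automated_decisions": INVENTORY[cat]["automated"]}
                               for cat in held}}

    def erase(self, subject: str) -> tuple[list[str], list[str]]:
        """Delete what can be deleted; keep only what a legal duty requires."""
        held = self.records.get(subject, {})
        erased = [c for c in held if not INVENTORY[c]["retain_by_law"]]
        retained = [c for c in held if INVENTORY[c]["retain_by_law"]]
        for c in erased:
            del held[c]
        return erased, retained


def demo() -> dict:
    """Walk one constructed subject through opt-in, objection, access and erasure."""
    ledger, ctl = ConsentLedger(), Controller(ConsentLedger())
    ctl.ledger = ledger
    ctl.store("alice", "email", "alice@example.test")
    ctl.store("alice", "browsing", "viewed: boots")
    ctl.store("alice", "invoices", "INV-1 EUR 80")
    ledger.grant("alice", "direct_marketing",
                 "Show me offers based on my browsing (you can switch this off any time).")
    before = ctl.may_process("alice", "browsing")
    ledger.withdraw("alice", "direct_marketing")      # the Recital 70 objection
    after = ctl.may_process("alice", "browsing")
    report = ctl.access_report("alice")
    erased, retained = ctl.erase("alice")
    return {"before": before, "after": after, "report": report,
            "erased": erased, "retained": retained}
```

Two design points matter more than the rest. `has_consent` fails closed: a subject with no ledger entry is treated as not having consented, so a marketing job cannot run on data that was never opted in to. And `erase` decides what to keep from the inventory’s `retain_by_law` flag rather than from the caller, so the tax-law exception is applied consistently and the subject can be told exactly what was retained and why.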
29. Data Protection Impact Assessment
The assessment shall contain at least (from Article 35):
– a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
– an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
– an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
– the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
30. Data Protection Impact Assessment
Probable translation:
– Description of the purpose of the proposed processing and its operations and systems, including WHY the data controller wants to add this processing
– An assessment of the necessity and proportionality of the processing operations in relation to WHY the data controller wants to add this processing
– An assessment of the risks to the rights and freedoms of data subjects
– The measures proposed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned
• (This last item is the real purpose of the DPIA, and where most of the effort will be spent)
“Looks like it worked . . . “
31. Data Protection Impact Assessment
Bottom line on DPIAs:
If a controller or processor has completed a DPIA in good faith (not checking a box), and later there is an issue, the Supervisory Authority will look at the DPIA, possibly find fault with it, and base punitive action on those faults
If a controller or processor has NOT completed a DPIA (or has made a weak effort), and later there is an issue, the Supervisory Authority may base punitive actions on the damage done to the data subjects (residents), and those actions will hurt more
Of course, they could do that anyway…
32. Poll Question
Where are you in GDPR readiness: Poll Results
Today February
• Not started 9%
• Just started 40%
• Well on the way to readiness 41%
• Complete with Data Protection Officer (DPO) in place 4%
• I don’t think GDPR applies to my business 5%
34. Thank you for participating
Contact Greg Reber
Greg.Reber@AsTechConsulting.com
@greg_reber
https://www.linkedin.com/in/gregreber/
Contact i-Sight
j.gerard@i-sight.com
Find more free webinars:
http://www.i-sight.com/resources/webinars
@isightsoftware
Editor's Notes
i-Sight is the world’s premier case management software, trusted by top brands, banks, and schools to manage HR, fraud, and compliance investigations.
Work anywhere with 24-hour access on any mobile device or computer.
Save your company time with our intuitive software and custom one-click reports.
Use our powerful reporting tools to help you identify risks, trends, and opportunities.
i-Sight is a better way to manage your investigations. Book a demo today to learn how companies are saving money and protecting their business.
----- Meeting Notes (4/23/18 09:43) -----
When you think about GDPR as it relates to your own company, where are you on the readiness scale:
(read bullets)
----- Meeting Notes (4/23/18 09:43) -----
The topics we'll touch upon today are
(read bullets)
----- Meeting Notes (4/23/18 09:43) -----
So, what is GDPR?
Investopedia, and many other sources define it like this:
(read text)
Notice it says ‘individuals’, not citizens. This is an important distinction, as we’ll go into later
----- Meeting Notes (4/23/18 09:43) -----
But what is it really?
I define it like this:
(read text)
----- Meeting Notes (4/23/18 09:43) -----
Why is it a game changer?
Because companies that collect and/or process data have to do a lot of things that they aren't doing right now
(touch upon each bullet, don't read every word)
----- Meeting Notes (4/23/18 09:43) -----
Many people are saying that GDPR only applies to EU residents but that is not the whole picture.
People visiting any EU country will be covered also.
The U.K. has adopted The Data Protection Bill which is very similar to the GDPR to be in effect after they leave the EU in March 2019.
----- Meeting Notes (4/23/18 09:43) -----
Another scenario illustrates an alternative situation
(read text)
----- Meeting Notes (4/23/18 09:43) -----
It will be important to comply with the GDPR, mostly because of what will happen to companies that don't comply. But companies that do comply will have processes in place that will generally help their business – from building security into everything they do, to using case management systems to track requests and security incidents
GDPR oversight will be imposed by Supervisory Authorities whose responsibilities will include, but not be limited to:
(read text)
Imposition of fines
----- Meeting Notes (4/23/18 09:43) -----
(read text)
For minor issues, the supervisory authority will warn companies that some action is required to comply
Reprimands will follow up on warnings
When a breach occurs, companies will report them to the Supervisory Authorities, together they will determine the best way forward and the supervisory authority will inform people as necessary of the breach
----- Meeting Notes (4/23/18 09:43) -----
Among the biggest game changers are the fines that can be imposed. These will be based on gross global revenue.
There are two tiers of fines.
The lower tier will be used for infractions related to data protection and processes related to that protection.
(talk thru Morgan Stanley breach and fine)
----- Meeting Notes (4/23/18 09:43) -----
A more recent example is last year’s Equifax breach of very sensitive information affecting 143 million people
(talk thru Equifax breach - highlight all the missteps
- easy find/fix,
- single person under the bus,
- insider trading,
- website to check if affected,
- sign people up for free then charge after a year)
----- Meeting Notes (4/23/18 10:09) -----
The higher tier pertains to the rights of people and how data is shared among companies
(talk thru FB example)
----- Meeting Notes (4/23/18 10:09) -----
Article 7 is a very, very important piece of GDPR - the 'opt in' regulation
we've all seen long EULAs, and most people click through them without reading.
Somewhere in there is the part where we agree to let the company do whatever they want with our information
Under GDPR, we have to be given the choice to opt in for data collection, how it is going to be used and other very specific notification requirements, and that choice has to be isolated from the rest of any EULA
This is a huge change over what is available to us today
----- Meeting Notes (4/23/18 10:09) -----
This is an example of the type of consent pop-up that we can expect. Others will be longer and more drawn out, but may run afoul of the 'simplicity spirit' of the intent.
(Read pop up)
So, looking at something like this, we'll be able to decide if we want 'offers that will be of interest' to us based on our browsing habits.
----- Meeting Notes (4/23/18 10:09) -----
This right to erasure, also known as the 'right to be forgotten', relates back to that Facebook example.
People will now be able to have their data erased from the databases of companies collecting or processing their information, for any reason
‘freedom of expression’ pertains to journalistic and artistic pursuits, and is still a bit subjective, this will be sorted out as cases arise
----- Meeting Notes (4/23/18 10:09) -----
the supervisory authorities will facilitate citizen requests, and order compliance with them
(read bullets)
this underscores the basic foundational tenet of GDPR that people own their information, not companies that collect or process it
----- Meeting Notes (4/23/18 10:09) -----
One of the main targets of GDPR is the direct marketing industry. These companies collect huge amounts of data, not just browsing histories, to focus those pop up ads we all see.
You know what I mean - I just bought a pair of boots online, and within hours I see boot ads wherever I go on the internet. So the direct marketing companies are smart enough to know that I was looking at boots, but not smart enough to know that I bought some and won't need any more for 5 or 6 years.
----- Meeting Notes (4/23/18 10:09) -----
And then there's the Data Protection Impact Assessment, or DPIA
this is a very important part of the GDPR, and everyone should pay real attention to this
on this slide we have the text from Article 35
----- Meeting Notes (4/23/18 10:09) -----
on this slide we have a probable translation
why probable? because as with most regulatory frameworks, this one will be interpreted as applicable cases unfold
you see here that companies will have to explain WHY they are doing what they are doing
No more personality quizzes that are really collecting demographic information to be used to target political 'news' stories at specific groups of individuals
----- Meeting Notes (4/23/18 10:12) -----
We also think that, like many regulatory frameworks, if you have gone through the planning process in good faith and an issue arises, the supervisory authorities will look at your processes and may find fault there and issue warnings or reprimands based on the DPIA
If you don't have that process or just check a box saying you did it, then there will be more serious consequences
bottom line: take the DPIA very seriously, as it will be one of the best practices for your company for many reasons
----- Meeting Notes (4/23/18 09:43) -----
When you think about GDPR as it relates to your own company, where are you on the readiness scale:
(read bullets)