1 / 16

The General Data Protection Regulation: Are You Ready?

Learn about the requirements and responsibilities of the General Data Protection Regulation (GDPR) to ensure compliance and protect personal information. Understand the rights of data subjects, implement privacy by design and default, and meet record-keeping requirements.

rodriguesd
Download Presentation

The General Data Protection Regulation: Are You Ready?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The General Data Protection Regulation: Are You Ready? Angela fares, rhia, crm, cisa, cism, cgeit, cRISC November 13, 2018

  2. General Data Protection Regulation • Enacted May 25, 2018 • Applies to personal information that identifies living people in specific ways and gives individuals greater control over their information • Enforceable in all European Union countries and other countries doing business in the European Union

  3. Main Requirements of GDPR • Transparency, fairness and lawfulness in the handling and use of personal data (including a lawful basis to process that data) must be demonstrated during its handling and use • Limitation of the processing of personal data to specified, explicit, and legitimate purposes (data cannot be re-used or disclosed for purposes for which it was not originally collected) • Collection and storage must be minimal and limited to only the information adequate for the intended purpose • Data must be accurate and there must be a mechanism in place to erase, rectify or amend information • Storage is limited to the amount of time necessary to accomplish the purpose for which it was collected (unless otherwise defined by law) • Security, integrity and confidentiality must be ensured through technical and organizational security measures This Photo by Unknown Author is licensed under CC BY-NC This Photo by Unknown Author is licensed under CC BY

  4. Personal Information • Personal Information – Includes any data that relates to an identified or identifiable natural living person. Even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual • Special Personal Information – Personal Information that includes data related to race, ethnic origin, health, sexual orientation, and geolocation

  5. Definitions • Controller: Person, organization or other body that, alone or jointly with others, determines the purposes and means of processing personal data • Processor: Person, organization, or other body which processes personal data on behalf of the Controller • Data Subject: Person that is the subject of the personal information being collected and processed • Processing: Any operation or set of operations, physical or automated, which is performed on personal data • Pseudonymization: Processing of personal data in such a manner that the data cannot be associated with a specific data subject without the use of additional information

  6. Organizational Measure GDPR doesn’t mandate exact security measures to use, but requires organizations to base the security on attributes of the personal data such as: • Nature of the information • Sensitivity • Risks associated with handling/processing

  7. Rights of Data Subjects • Right to access personal information about themselves • Right to correct, amend, or erase information that is not correct • Right be forgotten and have data deleted if it is no longer required to be kept by law • Right to request that processing of personal data be stopped if consent is withdrawn • Right to data portability • Right to object to direct marketing

  8. Privacy by “Design” and “Default” Processes must be designed to incorporate privacy features and functionality into the products from the first time that they are designed Processes must, by default, implement measures to ensure that no more data is collected and processed than necessary, and is not retained any longer than necessary

  9. GDPR Record-Keeping Requirements • Policies • Procedures • Classification • Categorization • Lifecycle Management • Data Transfers/Disclosures • Data Amendments • Audits and Key Performance Indicators

  10. Critical Timelines • Data breaches require notice to regulators within 72 hours of the breach • Requests by Data Subjects must be fulfilled or enabled within 30 days This Photo by Unknown Author is licensed under CC BY

  11. Step 1 • Discover and classify/categorize data • Map data flows • Conduct a gap analysis

  12. Step 2 • Quantify resources for hiring/training people • Estimate costs for new products and services • Account for professional services

  13. Step 3 • Deploy security controls • Update processes • Review privacy notices and communication

  14. Step 4 • Ensure that the incident response plan is tested • Analyze your monitoring and audit mechanisms • Consider new processes or methods of managing risk

  15. Step 5 • Set up training and awareness programs • Prepare to demonstrate compliance • Develop key performance indicators to measure compliance

  16. Summary Know where your data is Doesn’t have to be complex Classification enhances the information security and information governance ecosystem Access / Processing / Encryption / Cloud Sharing / Archiving / Reporting Create a culture of security awareness Address the security gap that arises from human behavior

More Related