
General Data Protection Regulation


Presentation Transcript


  1. General Data Protection Regulation
  Shana Bumpas, MSIA, CISSP, CRISC, CISA (@Shana Bumpas)

  2. Overview
  • Adopted into European Union (EU) law on April 14, 2016
  • Repeals EU Directive 95/46/EC
  • Harmonizes privacy law across the EU
  • Protects and empowers EU citizens' data privacy
  • Effective May 25, 2018
  • Penalties
    • Upper tier: the greater of 4% of annual global revenue or €20M ($22.78M)
    • Lower tier: the greater of 2% of annual global revenue or €10M
  • Applies to EU data subjects
    • EU residents
    • US residents while physically in the EU

  3. Data Subject Rights
  A data subject is a natural person. Data subjects have:
  • the right to be informed;
  • the right to be forgotten (erasure);
  • the right of access;
  • the right to rectification;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making, including profiling.

  4. Legal Basis
  The organization must have a lawful basis for processing personal data. There are six categories of lawful basis:
  • Consent
  • Contract
  • Legitimate interests
  • Legal obligation
  • Vital interests
  • Public task (a task carried out in the public interest or in the exercise of official authority)
  Conduct a lawful basis assessment and document the basis for each processing activity.

  5. Roles
  • The controller is the entity that determines the purposes, conditions and means of the processing of personal data.
  • The processor is an entity that processes personal data on behalf of the controller.
  • A supervisory authority is the independent regulator in each EU Member State responsible for enforcing the GDPR; for cross-border processing, a lead supervisory authority coordinates enforcement.
  • The Data Protection Officer (DPO) monitors compliance with the GDPR and other data protection laws, which includes managing internal data protection activities, advising on data protection impact assessments, training staff, and conducting internal audits.

  6. Types of Data
  • Personal data (Article 4(1)): "Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (European Parliament and the Council of the European Union, 2016).
  • Special categories of personal data (Article 9): "Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation" (European Parliament and the Council of the European Union, 2016). Processing these is prohibited unless a specific Article 9 exception applies.

  7. Impact on Data Collection
  • Data protection impact assessment
    • Know where the data is
    • Know how it is being used
  • Consent
    • Obtained at collection
    • Clear about what is collected and how it is used
    • Must be as easy to withdraw as it was to give
    • Children below the age of digital consent (16 by default; Member States may lower it to 13) need parental consent for online services
    • Opt-in must be an affirmative act; pre-ticked boxes and silence do not count
  • Lawful basis
  • Privacy policy

  8. Data Protections
  • Privacy by design and by default
  • Pseudonymization: replace direct identifiers with tokens, with the re-identification key or lookup table kept separately
  • Encryption, with keys stored separately from the encrypted data
  • Breach notification: to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; to affected data subjects without undue delay when the breach is likely to result in a high risk to them
  • Privacy Shield (replaced Safe Harbor for EU–US transfers; itself invalidated by the Court of Justice of the EU in July 2020 in Schrems II)
  • A DPO may be required
  • EU Member States may have additional laws and compliance requirements
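The pseudonymization and "keys stored separately" points above are the one place on this slide deck where a concrete implementation helps. The following is an added example, not code from the presentation: it replaces the direct identifiers in a working dataset with an HMAC-SHA256 token under a key that is assumed to live in a separate key store (simulated here by a key object held apart from the data), keeps the token-to-identity linkage table separately, and shows how a right-of-access lookup and a right-to-erasure request work against the pseudonymized data. The sample records are constructed and describe no real person; the field names and the choice of e-mail as the subject key are assumptions for the example.

```python
"""Keyed pseudonymization of personal data, with the re-identification key and the
linkage table held separately from the working dataset (added example, stdlib only)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Constructed sample records for the example; no real persons. "email" is the subject key.
RECORDS: List[Record] = [
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE", "orders": 3},
    {"email": "bob@example.org", "name": "Bob Example", "country": "FR", "orders": 1},
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE", "orders": 2},
]
DIRECT_IDENTIFIERS = ("email", "name")  # fields stripped from the working dataset (assumption)
SUBJECT_KEY = "email"


def new_pseudonym_key() -> bytes:
    """256-bit HMAC key. In a real deployment it lives in a KMS/HSM, never beside the
    pseudonymized data; here the caller simply keeps it apart from RECORDS (assumption)."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed token: the same subject maps to the same token under one key, so
    rows stay linkable for analytics, but the token cannot be reversed or re-computed
    without the key. A plain SHA-256 of an e-mail address would be brute-forceable from
    a list of addresses; the HMAC key is what makes this pseudonymization rather than
    a thin disguise. Identifiers are normalized so 'Alice@Example.com ' matches."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[Record], key: bytes,
                 direct_identifiers=DIRECT_IDENTIFIERS) -> Tuple[List[Record], Dict[str, Record]]:
    """Returns (working_dataset, linkage_table). The working dataset carries only the token
    plus non-identifying attributes; the linkage table maps token -> direct identifiers and
    must be stored separately from the working dataset and under tighter access control."""
    working: List[Record] = []
    linkage: Dict[str, Record] = {}
    for rec in records:
        token = pseudonym(key, str(rec[SUBJECT_KEY]))
        linkage[token] = {k: rec[k] for k in direct_identifiers}
        stripped = {k: v for k, v in rec.items() if k not in direct_identifiers}
        stripped["subject_id"] = token
        working.append(stripped)
    return working, linkage


def records_for_subject(key: bytes, identifier: str, working: List[Record]) -> List[Record]:
    """Right of access: find a subject's rows using only the key, without opening the
    linkage table. compare_digest avoids a timing side channel on the token comparison."""
    token = pseudonym(key, identifier)
    return [r for r in working if hmac.compare_digest(str(r["subject_id"]), token)]


def reidentify(record: Record, linkage: Dict[str, Record]) -> Record:
    """Re-attach direct identifiers; only possible for whoever holds the linkage table."""
    return {**record, **linkage[str(record["subject_id"])]}


def erase_subject(key: bytes, identifier: str, working: List[Record],
                  linkage: Dict[str, Record]) -> Tuple[List[Record], int]:
    """Right to erasure: drop the subject's rows and the linkage entry.
    Returns the remaining working dataset and the number of rows removed."""
    token = pseudonym(key, identifier)
    kept = [r for r in working if str(r["subject_id"]) != token]
    linkage.pop(token, None)
    return kept, len(working) - len(kept)


if __name__ == "__main__":
    key = new_pseudonym_key()              # kept in the key store, apart from the data
    working, linkage = pseudonymize(RECORDS, key)
    print("working dataset:", working)    # no e-mail or name fields present
    print("access request:", records_for_subject(key, "alice@example.com", working))
    print("re-identified:", reidentify(working[1], linkage))
    working, removed = erase_subject(key, "bob@example.org", working, linkage)
    print(f"erased {removed} row(s); {len(linkage)} subject(s) remain linkable")
```

Destroying the key and the linkage table together turns the working dataset into data that can no longer be attributed to anyone, which is how retention limits (compare the Taxa 4x35 case on slide 9) can be met without rewriting historical analytics tables.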

  9. Post-GDPR
  • Facebook faced a potential $1.6B fine from Ireland's Data Protection Commission for a data breach impacting 50M users (September 2018)
  • British Airways' Twitter account asked customers to send personally identifiable information via Tweet (July 2018)
    • That led to the discovery of a second privacy violation: data collection on their site by a third party
    • Then there was a data breach of customers' financial and personal information between August and September 2018
  • Google was fined $56.8M (€50M) by France's CNIL for GDPR violations in how it informed users about consent and data usage (January 2019)
  • Taxa 4x35 was fined $178k for a GDPR violation: retaining personal data after it was no longer necessary for the purpose for which it was collected

  10. US State Privacy Laws
  • California Consumer Privacy Act of 2018: places the right of privacy among the "inalienable" rights of all people
    • (1) The right of Californians to know what personal information is being collected about them.
    • (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
    • (3) The right of Californians to say no to the sale of personal information.
    • (4) The right of Californians to access their personal information.
    • (5) The right of Californians to equal service and price, even if they exercise their privacy rights.
  • Effective January 1, 2020
  • Statutory damages for data breaches range from $100 to $750 per consumer per incident
  • Other states are following suit

  11. GDPR and BC/DR
  • Include GDPR in BC/DR planning
  • Identifying data is broader under GDPR: name, employee ID, role, title, etc.
  • Consent still applies in DR
  • Privacy by design
    • The DR environment must have the same privacy controls as production
    • Ensure you have consent or another proper lawful basis in a BC/DR situation
  • Third parties need to ensure compliance too
  • A data breach is a crisis management activity
    • Response time is critical (the 72-hour notification clock starts when you become aware)
    • Have an incident response plan for data

  12. Next Steps…
  • EU footprint
  • Data protection impact assessment
  • Data map
    • Identify data types and storage locations
    • Where does it originate?
    • Permission to collect
    • Why is it collected?
  • Evaluate current data processing practices
    • Review who has access
    • Record retention
  • Identify compliance requirements

  13. Questions

  14. References
  • California Legislative Information. (2018). California Consumer Privacy Act of 2018, AB-375. Retrieved from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
  • Department of Commerce. (2018). Privacy Shield. Retrieved from https://www.privacyshield.gov/welcome
  • European Parliament and the Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council. Retrieved from http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
  • Schechner, S. (2018, September 30). Facebook Faces Potential $1.63 Billion Fine in Europe Over Data Breach. Retrieved from https://www.wsj.com/articles/facebook-faces-potential-1-63-billion-fine-in-europe-over-data-breach-1538330906
  • Price, E. (2019, January 21). France Fines Google $57 Million For GDPR Violations. Retrieved from http://fortune.com/2019/01/21/france-fines-google-57-million-for-gdpr-violations/
  • Gydeline Ltd. (2018, March 19). GDPR Compliance Journey 03 – Data Mapping. Retrieved from https://www.youtube.com/watch?v=W5D2gkbzQNk
  • Galdies, P. (2019, April 1). Taxi Firm Fined Heavily Under GDPR For Data Retention. Retrieved from https://www.dqmgrc.com/article/taxi-firm-fined-heavily-under-gdpr-data-retention