The Impact of GDPR Compliance on IT and Security

Posted on 16-Jul-2018


© 2017 MetricStream, Inc. All Rights Reserved.

Experts on Panel

Bojana Bellamy, President, Centre for Information Policy Leadership

Vibhav Agarwal, Director, MetricStream

Agenda

• The effect of GDPR on IT and security teams

• Technical and security measures to support data protection

• The interaction between IT and IS with data privacy compliance and legal

• A risk based approach to GDPR compliance

• Q&A

GDPR Compliance – Key Impact for IT, CIO and CISO and Recommendations for Data Driven Organizations

CIPL at a glance

• 55+ member companies

• 5+ active projects & initiatives

• 20+ events annually

• 15+ principals and advisors

We SHAPE privacy policy, law and practice

We CREATE and implement best practices

We INFORM through publications and events

We NETWORK with global industry and government leaders

BRIDGING REGIONS | BRIDGING INDUSTRY & REGULATORS | BRIDGING PRIVACY AND DATA DRIVEN INNOVATION

ACTIVE GLOBAL REACH – A GLOBAL PRIVACY AND SECURITY THINK TANK

Twitter.com/the_cipl

https://www.linkedin.com/company/centre-for-information-policy-leadership

www.informationpolicycentre.com

2200 Pennsylvania Ave NW, Washington, DC 20037

Park Atrium, Rue des Colonies 11, 1000 Brussels, Belgium

30 St Mary Axe, London EC3A 8EP

ABOUT US

• The Centre for Information Policy Leadership (CIPL) is a global privacy and security think tank

• Based in Washington, Brussels and London

• Founded in 2001 by leading companies and Hunton & Williams LLP

• CIPL works with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for data privacy and responsible use of data to enable the modern information age


Key GDPR Changes at a Glance

Harmonisation and progressive aspects

• Harmonised rules, but not fully (e.g. employee data, children's data)

• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals

• Risk-based approach

• Some reduction of administrative burden (no national registration of processing or prior authorisation)

• BCR, seals and certifications

• Greater cooperation and consistency by DP regulators

Broader scope

• Obligations on both controller and processor

• Extraterritorial application to foreign controllers and processors

• Wider definition of personal data and sensitive data; anonymous data and pseudonymisation

• Processing data of children under 16 requires parental consent

Increased obligations

• DP principles tightened (consent, transparency/notices)

• Profiling rules

• Privacy Impact Assessment

• Privacy by Design

• Breach notification – to DPAs and individuals

• Direct obligations and liability for processors

• Accountability – privacy programme

• Internal record of processing

• DP Officer

Strengthened rights of individuals

• Right to erasure

• Data portability

• Right not to be subject to automated decision making

• Right to object

Increased enforcement, fines, liability

• Regulatory fines up to 4% of annual worldwide turnover

• Individual action

• Class action

• Criminal sanctions (in national laws)

• Larger role for European Data Protection Board (EDPB)

CIPL GDPR Project Deliverables to Date

5 workshops and working sessions

• Amsterdam (Kick-off), Paris (DPO, Risk), Brussels (Certifications), Madrid (Transparency, Consent, Legitimate interest), Dublin (Smart Regulation)

5 CIPL papers submitted to WP29

• DPO

• Risk and DPIA

• One Stop Shop and Lead DPA

• Certifications

• Transparency, Consent, Legitimate Interest

4 CIPL responses to WP29 guidance

• DPO, Data Portability, Lead SA, DPIA

ePrivacy Regulation Consultation Response

GDPR Readiness Survey Report

3 CIPL papers in progress

• Smart Regulation

• ePrivacy Regulation

• Profiling and Automated Decision-Making

GDPR: Key Areas of Strategic Impact

• DP Program – Corporate Digital Responsibility: DPO led, documented, risk-based, verified, demonstrated

• Data transfers strategy

• Data strategy and Big Data enablement

• DPIA and Risk Assessment

• Privacy Engineers

• Vendor management

• Breach management

• DPA relationship management

• Legal uncertainty and disputes management

• Impact and interaction with global program

CIPL & AvePoint Joint GDPR Readiness Survey – Oct 2016

[Chart: readiness vs. level of impact for Individual rights, Data breach notification, Privacy Management Programme, and Use/Contracting with processors]

Legitimate interest, Privacy by Design, DPIA and risk – the main areas requiring most clarification

Senior management key concerns

• Enhanced sanctions

• Data breach reporting

• Stricter rules on consent & data reuse

• Individual rights

• Changes to internal privacy program

Accountability in GDPR – Privacy Programme

Controllers must:

• Be responsible for compliance with GDPR

• Implement appropriate and effective technical and organisational measures to comply with the GDPR

• Demonstrate compliance & effectiveness of the measures

Taking into account:

• The nature, scope, context, and purposes of the data processing

• The risk for individuals - physical, moral, material damages

Compliance Tools, Technology, Software

Currently organizations do not widely use, or have access to, technology tools and software to aid with data privacy compliance tasks.

Only a minority use technology to automate and industrialize:

• DPIAs;

• Data classification and tagging policies;

• Data processing records / inventories;

• Delivery of the new data portability right.

Where else can technology help?

Right of access, consent management, privacy transparency dashboards, Privacy Program demonstration, etc.

GDPR – Opportunity to Rethink Data Privacy and Information Management Strategy

• Enable new business models, digitalisation and data innovation

• Address expectations for increased transparency, user control and value, corporate responsibility

• Ensure data sustainability and digital trust

• Address regulatory changes – impact and implementation

• Mitigate legal, commercial and reputational risks

Systematic Changes Ahead for Organisations

• Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)

• DP Officer (DPO) – becomes a more strategic, senior and multi-skilled role

• Holistic and joined-up approach – between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations

• DP becomes a board-level issue – higher enterprise risk; larger business, legal and compliance impact; security breach notification and management

• DP becomes a business issue – wide impact on the company's globalisation, digital transformation and data strategy

• GDPR implementation – requires a company-wide change management program

EU GDPR – Key Red Flags for IT, CIO, CISO

• Coordinated action by DPO, CIO, CISO

• Wide regulated personal data

• Internal inventory of processing

• Privacy Impact Assessments, based on risk to individuals

• Privacy by Design and Privacy by Default

• Security breach management & notification

• Third party providers (software and services)

• Tension privacy v. security

Holistic Approach to Privacy and Security

• Protecting assets and information creates privacy risks

• Enabling business growth and innovation

• Privacy can be breached without a breach of security

• Two sides of the same coin

• There is no privacy without security

[Diagram labels: Convergence; Privacy > Security; Conflict; Governance]

GDPR Compliance Steps

• Understand your data, its relevance and the risks – customers, employees, third party contacts, website users

• Create and maintain accurate records of processing

• Appoint a DPO, or allocate responsibility for DP compliance

• Establish a legal basis for each data processing activity – consent, legitimate interest, contract necessity, etc.

• Draft privacy notices and policies for individuals

• Create DPIA processes / templates and carry out DPIAs for existing and new processing and new projects

• Draft vendor DP due diligence and contracting templates

• Create legal mechanisms for sharing data globally

• Establish procedures for rights of individuals

• Develop and test breach response and notification procedures

• Training and communication for staff and relevant functions

• On-going compliance and monitoring / auditing

Thank you

Bojana Bellamy – [email protected]

Centre for Information Policy Leadership – www.informationpolicycentre.com

Hunton & Williams Privacy and Information Security Law Blog – www.huntonprivacyblog.com

Follow us on Twitter: @THE_CIPL

Follow us on LinkedIn: linkedin.com/company/centre-for-information-policy-leadership

How can technology help you?

Vibhav Agarwal, Director, MetricStream

Top Concerns of CIOs within Enterprises*

[Chart: Top Concerns of CIOs within Enterprises]

*Source: cioinsights.com

Key Requirements for GDPR

• Centralized repository / library of articles, controls, and requirements for GDPR compliance

• Establish an integrated framework to conduct Data Privacy Impact Assessments (DPIAs) through surveys and questionnaires

• Enable the implementation of robust data privacy processes and controls

• Generate delta control reports, as well as other reports and dashboards to assess GDPR compliance

• Manage issues generated from risk and control assessments

GDPR – Focus on Key Areas

Assess Compliance / Ongoing Compliance

• Data Privacy Risks, Controls & Process setup: update the Risk register, Control register and Process register with GDPR data

• Data Privacy Impact Assessments: perform survey-based impact assessments across assets and processes, across BUs and third parties

• Data Protection Audits: addition of testing strategies and steps to audit the data breach response plan and PII storage

• Controls Compliance: comprehensive extended org-wide controls assessment process for GDPR related controls

• Risk Assessments: workflow to assess enterprise & IT risks quantitatively based on inherent factors and control effectiveness

Implementation of an Industry Standard Solution

• Management Reporting

• Data Privacy Impact Assessments

• Relational Data Model

• Controls Compliance & Risk Assessment

• Centralized IT Repository

• Third Party Compliance Assessment

Way forward…

• Strategy – Define the overall management strategy for managing GDPR compliance

• Design – Create a Risk and Compliance process with ownership and governance to meet the GDPR mandate

• Implement – Implement a technology solution to ensure traceability and accountability across the workflow

• Assess – Assess IT controls and IT risks leveraging the latest controls, questions and procedure libraries

• Monitor – Monitor the assessments and perform management reporting via reports and dashboards

Delivered through: Consultancy; Technology solution

Are you GDPR ready?


About MetricStream

Vision: Integrated Governance, Risk and Compliance for Better Business Performance

Solutions

• Risk Management

• IT Risk Management

• Business Continuity Management

• IT Compliance Management

• SOX Compliance Management

• Enterprise Risk Management

• Internal Audit Management

• Compliance Management

• Policy and Document Management

• Regulatory Change Management

Organization

• Over 1,400 employees

• Headquarters in Palo Alto, California with offices worldwide

• Over 400 enterprise customers

• Privately held – backed by global leading VCs, Sage View Capital, Goldman Sachs

Differentiators

• Technology – GRC Platform – 9 Patents

• Breadth of Solutions – Single Vendor for all GRC needs

• Cross-industry Best Practices and Domain Knowledge

• ComplianceOnline.com – Largest Compliance Portal on the Web

Partners

MetricStream GRC Summit 2017

Date: November 6 - 7, 2017

Location: Lancaster London Hotel, London, UK

Register now – www.grc-summit.com. Use Discount Code WEB200 & Register Now for JUST £599

2 Days | 60 Speakers | 50 Sessions | 250 Attendees

GRC for High Performers

Topics in Discussion Include:

• Is your company ready for GDPR – A Chief Privacy Officer's Perspective

• Emerging Audit trends and challenges

• Converging Across Emerging and Evolving Risks – Building An Enterprise Strategy

Q&A

Thank you for participating!

A copy of this presentation will be made available to all participants within the next 48 working hours.

For more details on upcoming MetricStream webinars: http://www.metricstream.com/events/webinars

Bojana Bellamy, President, Centre for Information Policy Leadership

Vibhav Agarwal, Director, MetricStream

Contact Us:

Website: www.metricstream.com | Email: [email protected]

Phone: USA +1-650-620-2955 | UAE +971-5072-17139 | UK +44-203-318-8554

THANK YOU