What is GDPR? (slide deck; source: mrkto.b2bmarketing.net/rs/085-vab-435/images/insight...)

Upload: phamkhanh

Post on 09-Mar-2018

TRANSCRIPT

All rights reserved.

What is GDPR?

[Graphic: C-suite roles (CIO, COO, CSO, CTO, CEO, CAO, CRO, CBO, CDO, CMO, CFO) asking the questions below.]

What is the penalty?
What is GDPR?
Why GDPR?
Who is the Data Controller?
Who is the Data Processor?
Who is the Data User?

WHAT? WHY? WHEN? HOW?

The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organizations across the region approach data privacy.

Key aspects:
Minimize personal data collection.
Delete unused personal data.
Restrict access to personal data.
Secure the collected data.


What are the fundamental principles?

There are seven principles (Article 5):

1 Lawfulness, fairness and transparency.
2 Purpose limitation.
3 Data minimisation.
4 Accuracy.
5 Storage limitation.
6 Integrity and confidentiality.
7 Accountability and compliance.


The broad picture of GDPR

What is GDPR?

A comprehensive approach to data security.
A Regulation to protect individuals' data within the EU.
Addresses export of personal data outside the EU.
Citizens get control of their personal data.
Privacy groups can invoke data protection rights on behalf of individuals.
Simplifies the international business regulatory environment.
Replaces the old Data Protection Directive of 1995.

What does it cover?

Obtain consent for collecting personal data.
Consent age to collect an individual's data: 16 years (Article 8; member states may lower this, but not below 13).
Delete data if it is no longer used for the purpose it was collected for.
Delete data if the individual withdraws the consent under which it is held.
A single national office monitors and handles complaints.
Appoint a Data Protection Officer.
Updated rights to claim compensation.
Big fines, in two tiers, each "whichever is higher":
‒ €10 million or 2% of global turnover.
‒ €20 million or 4% of global turnover.

When does it come into effect?

25th May, 2018.

Who does it impact?

Data Controllers, Data Processors and Data Users. ("Data user" is not a term the Regulation defines; it defines controllers, processors and data subjects.)
Organizations that use, store or manage data
‒ of EU residents;
‒ on behalf of a Data Controller and/or Data Users.
Non-EU firms collecting or processing personal data of EU residents.


The broad picture of GDPR

What are ICO enforcement actions?

Warning.
Reprimand.
Suspension of data processing.
Fine.

How does EU GDPR affect PECR?

The proposed ePrivacy Regulation will replace the ePrivacy Directive, which PECR implements in the UK.
PECR will be brought in line with GDPR.
All B2B marketers should be GDPR compliant too.

What are individuals' rights?

Right to information.
Right to access.
Right to rectification.
Right to be forgotten (erasure).
Right to restriction of processing.
Right to notification.
Right to data portability.
Right to object.
Rights in relation to automated decision-making and profiling.

What is the new DPO role?

A DPO is required where core activities involve processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (Article 9), and for public authorities.
The DPO must inform and advise the organisation of its obligations, including the accountability principle.
The DPO must be independent.
The DPO reports to the highest level of management in the organization.


Why GDPR?

[Timeline graphic, 1970 to 2020: pervasiveness of information technology (mainframe, Microsoft, PC, UseNet, WWW, eBay, Google, Salesforce, Facebook, iPhone, Big Data, Internet of Things) plotted against the growing relevance of data protection.]

1970: First data protection law in the world, in Hessen, Germany.
1983: Right of informational self-determination proclaimed by the highest court in Germany.
1985: Treaty signed for the protection of individuals (the Council of Europe's Convention 108).
1995: EU Directive on data protection. The European Data Protection Directive 95/46/EC was created as an essential element of EU privacy and human rights law.
2000: Safe Harbor.
2001: September 11 attacks.
2009: The Article 29 Working Party released the "Future of Privacy" paper on personal data protection.
2010: The EU Commission sets out a strategy on protecting individuals' data in all policy areas.
2011: The European Commission plans to implement a Regulation applicable to all EU Member States.
2012: The EU Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights.
2015: Safe Harbor declared invalid.
2016: GDPR adopted. The 47 countries of the Council of Europe celebrated the Council of Europe's Convention 108; the 47 members of the Council of Europe ratified the Treaty, except Turkey.
2018: GDPR in effect.

Also on the timeline: frequent data breaches, national data protection laws tightening, and mass surveillance disclosures.

The (UK) Data Protection Act was based on a Directive.
The Data Protection Directive is over 20 years old and could not predict new technologies.
Member states could interpret the rules as they saw fit.
The EU GDPR is an agreed Regulation.
It recognises the value of personal information. Examples include cyber theft, big data, predictive behaviour and automated decision-making.

GDPR obligations: fairness, transparency, consent, accuracy, impact assessments, security, purpose, proportionality, risk, correction.

How GDPR impacts you?

Data Processors' activities:
Provision of an appropriate level of security.
Data breach notifications to buyers (the controllers they process for).
Assign a DPO.
Record-keeping of consent.
Direct liability to pay compensation.
Buyer's compliance with its security obligations.
Impact assessments and prior consultations with data protection authorities.
Third parties like cloud providers are responsible for breaches.

Data Users' activities:
Provision of an appropriate level of security.
Must specify if they intend to transfer the user's data out of the EU.
Non-EU data processors are also captured.
Must specify the level of data protection out of the EU.
Obligation to appoint a DPO.

Data Controllers' activities:
Written data processing agreements are compulsory.
Data processing activity records are to be kept up-to-date.
Non-EU data processors are included.
Restrictions on cross-border data transfers.
Obligation to appoint a DPO.
Data security obligations; data breach reporting is mandatory.
Data Processors are equally responsible.

DPO – Data Protection Officer



Marketers guide

Marketers obligations:
Prior consent / opt-in.
Double opt-in.
A record of the consent message stored.
Secured data storing system.
Data retrieval process in line with GDPR.
Disclosure process in line with GDPR.
The erasing process to be followed as per GDPR guidelines.

Marketers checklist:
Determine your exposure under EU GDPR.
Understand the penalties.
Start planning today! You have less than 12 months.
Establish what controls you need in place, such as opt-in services.
Get the specifics of your opt-in statement right.
Check privacy and cookie consent.
Get explicit double opt-in consent from your contacts.
Buy targeted lists now and get them to opt-in to your communications. (Caveat: emailing a purchased list to solicit opt-in is itself direct marketing under PECR, so check the provenance of the list's existing consent before contacting anyone on it.)
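The obligations above (prior consent, double opt-in, a stored record of the consent message, a retrieval/disclosure process and an erasure process) are usually implemented as one consent ledger. The following Python is an added example, not code from the deck or from any vendor it mentions; the server secret, the 48-hour link lifetime, the contact address and the consent wording are assumptions made for the demo.

```python
"""Consent ledger with double opt-in, withdrawal and erasure (added example, not from the deck).
Evidences the exact consent wording a contact agreed to, confirms the sign-up through a signed
double opt-in token, and honours withdrawal and erasure. Secret, TTL and contacts are assumed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

SERVER_SECRET = b"demo-only-secret-do-not-reuse"  # assumed; load from a secret store in production
TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation link valid for 48 hours


@dataclass
class ConsentRecord:
    email: str
    statement_version: str      # which wording was shown, e.g. "marketing-v3"
    statement_sha256: str       # hash of the exact text, so it can be evidenced later
    source: str                 # where the sign-up came from (constructed for the demo)
    requested_at: int
    nonce: str                  # ties the pending record to exactly one confirmation token
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None

    @property
    def status(self) -> str:
        if self.withdrawn_at is not None:
            return "withdrawn"
        return "confirmed" if self.confirmed_at is not None else "pending"


class ConsentLedger:
    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}
        self._suppressed: Set[str] = set()  # hashed emails of erased contacts, for list-import checks

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    @staticmethod
    def _digest(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def _sign(self, email: str, nonce: str, issued_at: int) -> str:
        msg = f"{email}|{nonce}|{issued_at}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_consent(self, email, statement_text, statement_version, source, now=None) -> str:
        """Step 1 of double opt-in: store a pending record, return the token to put in the link."""
        now = int(time.time()) if now is None else int(now)
        key = self._key(email)
        nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains '.'
        self._records[key] = ConsentRecord(key, statement_version, self._digest(statement_text),
                                           source, now, nonce)
        return f"{nonce}.{now}.{self._sign(key, nonce, now)}"

    def confirm(self, email, token, now=None) -> bool:
        """Step 2: accept only a well-formed, unexpired, correctly signed, unused token."""
        now = int(time.time()) if now is None else int(now)
        key = self._key(email)
        try:
            nonce, issued_s, sig = token.split(".")
            issued = int(issued_s)
        except ValueError:
            return False
        if now - issued > TOKEN_TTL_SECONDS:
            return False  # stale link
        if not hmac.compare_digest(sig.encode(), self._sign(key, nonce, issued).encode()):
            return False  # forged, tampered, or issued for a different address
        rec = self._records.get(key)
        if rec is None or rec.status != "pending" or rec.nonce != nonce:
            return False  # unknown contact, already confirmed/withdrawn, or replayed token
        rec.confirmed_at = now
        return True

    def may_email(self, email) -> bool:
        rec = self._records.get(self._key(email))
        return rec is not None and rec.status == "confirmed"

    def withdraw(self, email, now=None) -> bool:
        """Withdrawal: keep the record as evidence of the earlier consent, but stop sending."""
        rec = self._records.get(self._key(email))
        if rec is None or rec.status == "withdrawn":
            return False
        rec.withdrawn_at = int(time.time()) if now is None else int(now)
        return True

    def erase(self, email) -> bool:
        """Erasure (right to be forgotten): drop the record, keep only a hashed suppression entry."""
        key = self._key(email)
        if self._records.pop(key, None) is None:
            return False
        self._suppressed.add(self._digest(key))
        return True

    def is_suppressed(self, email) -> bool:
        return self._digest(self._key(email)) in self._suppressed

    def export(self, email) -> Optional[dict]:
        """Subject access / disclosure: everything held about the contact (minus the token nonce)."""
        rec = self._records.get(self._key(email))
        if rec is None:
            return None
        return {**{k: v for k, v in rec.__dict__.items() if k != "nonce"}, "status": rec.status}
```

Two design points worth noting. The record stores a hash and version of the consent wording rather than relying on "the current text", because the controller carries the burden of proving what the person agreed to at the time, which is why withdrawal keeps the record and only erasure removes it. The hashed suppression entry kept after erasure is still pseudonymised personal data in GDPR terms, so it needs its own documented purpose and retention period rather than being treated as anonymous.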


Roadmap to compliance

Begin a successful journey:
Obtain senior management approval.
Set up a formal project.
Define the scope of the project / SoA (Statement of Applicability).
Resourcing.
Conduct research of similar industries.
Communication & awareness.
Engage suppliers / consult widely within the organisation.
Identify the various departments and the data flow.
Undertake a data audit (data mapping / flows) (POTI).
Privacy Impact Assessments (PIA) / risk treatments / risk exposure.
Identify controls (technical / administrative).
Develop security policies (ISO 27001 / 27003).
Plan for ongoing assessments / training.

[Network diagram slide: only the node labels (names of people and organizations) survived extraction; no caption or explanatory text. Not reproduced.]