governance risk compliance GDPR data protection legal

1. © 2016 IBM Corporation1
Why Britain’s decision to exit from the EU
actually makes complying with the GDPR even
more important for business today.
Donald Macfarlane (IBM)
Mark Williamson (Hanzo)
9.15 - 9.50 am
22 September 2016
General Data Protection Regulation

2. © 2016 IBM Corporation2
GDPR Summary & Obligations
Britain’s vote to exit the EU & GDPR Impact
Compliance Examples – current practice
Summary / Conclusions
Questions
Agenda

3. © 2016 IBM Corporation3
General Data Protection Regulation applies
from 25 May 2018
 The General Data Protection Regulation
(GDPR) was published on 4 May 2018, and
will be apply after a 2 year transition
period.
 Any organisation which “operates in” the
EU market from 25th May 2018.
 Creates a unified data protection law
framework for all EU countries.
 Non-compliance has the potential to lead
to huge fines and the clock is ticking.

4. © 2016 IBM Corporation4
 Right to Seek Information (Article 14)
 Right of Access by Data Subject (Article 15)
 Right to Rectification (Article 16)
 Right to Erasure (Article 17)
 Right to Restrict Processing (Article 18)
 Right of Data Portability (Article 20)
 Right to Object (Article 21)
GDPR

5. © 2016 IBM Corporation5
“Who cares, we are leaving
we do not need to worry
about this stuff….”

6. © 2016 IBM Corporation6
The GDPR is a game changer because of the
civil and criminal liability
Applies to organisations outside the EU
processing EU data subjects’ personal data.
Broad definition of personal data.
Will fundamentally change the way
organisations must protect, govern and know
their structured and unstructured data.
Euro 20 m or 4 % group turnover (worldwide).

7. © 2016 IBM Corporation7
GDPR: Good Practice
• Studies still indicate ~50 % business still unaware of
obligations/partial.
• Reputational damage / initial customer loss e.g. Talk Talk
plc/Sony etc
• Studies show that consumers trust ethical organisations more
and spend more with them.
• Individuals can sue for material and non-material damage
(distress).
• Not just the fine – you want to do this as you want to be seen
as a “good business”.

8. © 2016 IBM Corporation8
 23rd June 2016 Referendum Result – UK votes to leave the EU.
 Brexit Implication:
• GDPR will apply in 18 months whereas Article 50 will likely take 2 years
plus; and
• Whether UK in/or out any business processing EU citizens data.
• UK/International corporations trading with EU:
• Non EU members of the EEA e.g. Norway – GDPR implemented;
• EFTA member but not EEA e.g. Switzerland – Swiss DP very similar; or
• “WTO” type model (Canada) – partial adequacy c.f. USA “EU-US Privacy
Shield”
“It’s not fair we don’t like the EU legislation, we voted “out”, but it is being
forced upon us anyway….”
Impact of Brexit Vote

9. © 2016 IBM Corporation9
 Article 4: “Personal data" means any information relating to an identified or
identifiable natural person ("data subject"); an identifiable person is one who can
be identified, directly or indirectly, in particular by reference to an identifier such
as a name, an identification number, location data, online identifier or to one or
more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that person.
 Email address, unique national identification number, tax, passport or identity
card, vehicle registration plate number, driver's license number, biometric data:
face, fingerprints, or handwriting, credit card numbers, date of birth an birthplace,
gender/race, genetic/medical information, telephone number, login name, screen
name, nickname, or handle, IP address (in some cases), geographical data,
qualifications, criminal record data, employment details….
In Reality

10. © 2016 IBM Corporation10
Where is the data?
• Web Pages
• Email
• SharePoint
• Wiki(s)
• Documents
• Sharing Platforms
• Customer Portals
• Know your customer platforms
• ECM systems
• Data Map and how is it accessed – via a browser?
Everywhere

11. © 2016 IBM Corporation11
 Right to Seek Information (Article 14)
 Right of Access by Data Subject (Article 15)
 Right to Rectification (Article 16)
 Right to Erasure (Article 17)
 Right to Restrict Processing (Article 18)
 Right of Data Portability (Article 20)
 Right to Object (Article 21)
GDPR

12. © 2016 IBM Corporation12
 Understanding where the data resides and keeping track of it
 Ability to perform your obligations, which means:
• Ability to report what you have;
• Ability to delete defensibly;
• Ability to place a block internally; and
• Right to receive an export.
• Business needs workable, efficient processes that allow people to do their day jobs.
What does it mean?

13. © 2016 IBM Corporation13
Question: Customer(s) reporting their PII on your corporate
site. What do you do?
• Capture all corporate sites legally defensible
• Identify the PII – search, extract
• Broaden the analysis to verify extent
• Generate Report
• Take Action
• Verify – appropriate action taken and rectified (control)
Best Practice Example 1

14. © 2016 IBM Corporation14
Question: Customer(s) requesting a copy of their data in
electronic format? What do you do?
• Capture all corporate sites/data - legally defensible
• Identify the PII – search, extract
• Generate an export (csv, xml)
Streamlined process and anticipates multiple data provisions
due to being prepared by knowing where the data resides
Best Practice Example 2

15. © 2016 IBM Corporation15
 No matter how we leave the EU, we will still be doing business with the EU.
 GDPR matters.
 With the right tools it need not be complex.
 People, Process and Technology.
Summary