GDPR
(General Data Protection Regulation)
Jean-Michel TYSZKA
https://www.linkedin.com/in/jeanmicheltyszka/
The GDPR at a glance
Risks & Challenges
Opportunities
What’s GDPR?
 « This regulation […] sets out the rights of the individual and
establishes the obligations of those processing and those
responsible for the processing of the data. It also establishes
the methods for ensuring compliance as well as the scope of
sanctions for those in breach of the rules. » *
* preamble of the European Council
When?
 Entered into force on 24th May 2016
 Applicable as from 25th May 2018
 But:
 End 2014, 52% of surveyed companies were not ready for it; 56% did not know exactly what the acronym "GDPR" stood for 1
 Sept 2015: while two thirds (69%) of IT professionals had realised that GDPR would impact their business, almost one fifth (18%) still had no idea whether they would be impacted
 According to a recent survey, less than 10% of businesses believe they will be ready on time 2
1 Ipswitch – survey performed end 2014 on 316 European businesses
2 http://www.lexpress.fr/actualites/1/societe/donnees-personnelles-la-cnil-exhorte-les-societes-a-se-preparer_1893219.html?socid=8a3ZW8qL
Scope & Penalties
 All organisations located in the EU, or outside the EU but processing data about EU citizens
 It restricts personal data collection to the bare minimum
 Offenders will be subject to heavy penalties; max of:
 4% of the total worldwide annual turnover of the preceding financial year,
 20M euros
Personal data
Very large scope:
 Individual identity: first/last names, birth place and date, social security number, postal and e-mail addresses, telephone number, registration plate number, photo or video, etc.
 Personal information: employment status, salary, etc.
 Bank & fiscal details: credit/debit card number, IBAN, tax position, etc.
 Personal life: interests, cookies and other internet traces, etc.
 Location: geolocation (GPS or GSM), IP address, etc.
 “Sensitive data” (requiring specific attention):
 Personal life: racial or ethnic origins, living habits, religious, philosophical, political, trade-union or sexual preferences, etc.
 Medical, genetic or biometric data: fingerprint, DNA, etc.
 Legal data: offences, convictions, etc.
 Minor-related data.
Symbolic Articles (1/4)
 Right of access by the data subject + data portability:
 Right to know if data concerning an individual is being processed and, if so, for which purpose; right to know the source of the data and the planned retention duration
 Right to ask the controller to rectify or erase the data, or to restrict the personal data processing
 Right to receive a copy of the personal data in a “structured, commonly used and machine-readable format”
 Right to have the personal data transmitted directly from one controller to another, where “technically feasible”
Symbolic Articles (2/4)
 Right to erasure: data subjects can ask the controller, provided the request is legitimate, to:
 Erase their personal data permanently and globally
 Stop disseminating them
 If applicable, ask third parties to which the data has been transmitted to stop using it
 The controller will have 30 days to do so
 « Privacy by Design / Ethic by Design » : GDPR must be taken
into account as from products and services conception and
during the whole project life cycle
 Deployment of actions such as:
 Data minimisation: only adequate et relevant data, limited to the
processing purpose, shall be collected,
 Pseudonymising, anonymization or cyphering so that the data
subject cannot be associated to the data itself without additional
information
 Processing purpose and retention duration restrictions
 Algorithm ethic: processing shall in no way prejudice an
individual’s private life
Symbolic Articles (3/4)
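The pseudonymisation and data-minimisation measures above, together with the erasure request of the previous slide, in code. This is an added illustration, not code from the original deck: a keyed HMAC replaces the e-mail address, the key is the "additional information" held apart from the dataset, and attributes the stated purpose does not need are dropped. The key, the purposes and the records are constructed for the example.

```python
"""Keyed pseudonymisation with purpose-bound data minimisation.

Added illustration (not code from the original deck). The direct identifier
(e-mail) is replaced by an HMAC-SHA256 token computed with a secret key that
is stored apart from the dataset. Without that key (the "additional
information" of the slide) the token cannot be linked back to the person;
with it, the controller can still locate a subject's rows to honour access
or erasure requests.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample key: a real deployment keeps the key in a secrets
# manager or HSM, never next to the pseudonymised data.
PSEUDONYM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Purpose binding (constructed): only these attributes survive for a purpose.
PURPOSE_FIELDS = {
    "billing": {"order_id", "amount_eur"},
    "analytics": {"order_id", "amount_eur", "country"},
}

# Constructed records; not real people.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "phone": "+33 6 00 00 00 01",
     "order_id": 1001, "amount_eur": 42.5, "country": "FR"},
    {"email": "alice@example.com ", "phone": "+33 6 00 00 00 01",
     "order_id": 1002, "amount_eur": 9.99, "country": "FR"},
    {"email": "bob@example.org", "phone": "+49 151 000 0002",
     "order_id": 1003, "amount_eur": 120.0, "country": "DE"},
]


def normalise_email(value: str) -> str:
    """Canonicalise before hashing so 'Alice@Example.com ' and
    'alice@example.com' map to the same pseudonym."""
    return value.strip().lower()


def pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 token of the canonical identifier under a secret key.

    A keyed MAC rather than a bare SHA-256 is used so that someone holding
    only the pseudonymised dataset cannot recover identifiers by hashing
    guesses: the key is the additional information kept elsewhere.
    """
    if not key:
        raise ValueError("pseudonymisation key must not be empty")
    digest = hmac.new(key, normalise_email(value).encode("utf-8"),
                      hashlib.sha256).digest()
    return digest.hex()


def pseudonymise(records: Iterable[Dict], key: bytes, purpose: str) -> List[Dict]:
    """Replace the e-mail by its pseudonym and drop every attribute the
    stated purpose does not need (data minimisation)."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    keep = PURPOSE_FIELDS[purpose]
    out = []
    for rec in records:
        row = {"subject": pseudonym(rec["email"], key)}
        row.update({k: v for k, v in rec.items() if k in keep})
        out.append(row)
    return out


def erase_subject(dataset: List[Dict], email: str, key: bytes) -> List[Dict]:
    """Right to erasure: the controller, holding the key, recomputes the
    subject's token and removes every matching row."""
    token = pseudonym(email, key)
    return [row for row in dataset if row["subject"] != token]


def new_key() -> bytes:
    """Fresh 256-bit key. A different key per purpose or per recipient
    makes tokens unlinkable across datasets."""
    return secrets.token_bytes(32)
```

Using a distinct key per purpose means the billing and analytics extracts carry different tokens for the same person, so neither extract alone re-identifies anyone or links to the other.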
Symbolic Articles (4/4)
 Notification of a personal data breach:
 Supervisory authorities shall be notified within 72 hours of the detection of a data breach, stating the data types, the records and the approximate number of individuals involved
 In case the breach may generate a high risk to the individual, the data subject shall be informed as quickly as possible
 This requirement is accompanied by an obligation of means in terms of security measures, which shall be adapted to the risk
Methodology
 The CNIL (French supervisory authority) recommends proceeding in 6 steps:
The GDPR at a glance
Risks & Challenges
Opportunities
GDPR implementation inherent risks (1/5)
 European harmonisation of personal data management. Yet, each State can adapt the scope of some articles such as:
 The lawfulness of processing,
 The conditions applicable to a child’s consent (13 or 16 years old),
 The definition of the « specificities » of some special personal data,
 The national supervisory authority designation (e.g. the CNIL in France), the means it will have and the extent of its authority to enforce the GDPR,
 And even the penalties . . .
Risk of a race towards the lowest restrictions, to attract businesses onto national ground, which would compromise the harmonisation
GDPR implementation inherent risks (2/5)
 Implementation/Redesign of business processes:
 Processing lawfulness: any personal data processing must be lawful and conform to the purpose the data was gathered for. In addition, the processor must look at minimising the collected data
One can wonder how Big Data, machine learning or deep learning projects fit with this requirement
 Consent: the processor must keep track of each individual’s consent: this implies not only modifying the processes to collect and store this information, but also being able to differentiate the processing depending on the individual
 Right to be forgotten: requires automating (1) the process to take this right into account and (2) the one required to implement it
GDPR implementation inherent risks (3/5)
 Implementation/Redesign of business processes:
 Right to data portability: Big Challenge
 Personal data transfer format harmonisation
 Questions the later use of the personal data by the 1st processor
 What about « produced » personal data, i.e. data that was not provided by the individual (bills, traffic, location, IOT-generated data …)?
 Privacy by design: requires a new project governance between IT, legal & operational
 Impacts on the organisation:
 Redefinition of some positions,
 New expertise,
 Blueprint review
GDPR implementation inherent risks (4/5)
 Legal aspects:
 Territorial scope:
 The GDPR potentially impacts non-EU businesses: how to enforce the decisions?
 All the more so where several transnational processors are involved?
 Processor responsibility: assessing risks at their fair value so that they can be handled by appropriate measures will represent a real challenge
GDPR implementation inherent risks (5/5)
 Legal aspects:
 New binding corporate rules: BCR must be reviewed according to the new regulation and applied internally
 Subcontracting: potentially all existing subcontracting agreements are to be amended
 Personal data breach notification:
 To the national supervisory authority: the balance between the penalties that could be applied and the fear of damaging the company’s image and trust will be delicate to find
 To the individuals: again, this is a real Sophie’s choice between communicating openly and taking the risk of being sanctioned
Governance / Organisation difficulties
 Stakeholders’ unwillingness (Management, BUs, ISD)
 Reluctance to change (new organisation, new Privacy by Design requirements): the DPO must keep a close watch
 Lack of methodology / expertise
 Budgetary:
 High-level estimates of the personal data mapping might be possible, but a final compliance estimate is just impossible
 Balance between risks & « gold-plating » hard to find
 Deadline: follow a step-by-step approach, addressing the most urgent subjects first
Special case
 Unauthorised transfers or disclosures outside of the EU: companies will be crushed between the GDPR and foreign lawful injunctions → unmanageable situation
 More political than legal?
The GDPR at a glance
Risks & Challenges
Opportunities
An opportunity for the European citizens
 For 57% of Europeans, personal data disclosure is a real problem,
 94% deem it necessary to explicitly give their consent before personal data is collected (74% in any case, 12% via the internet and 8% for sensitive data),
 90% consider it important that the same data protection rules apply all over the EU,
 70% are concerned that their personal data can be used for purposes different from those they provided it for
 Only 15% feel that they have full control over the information they provide online
* Eurobarometer 2015-431
An opportunity for the European companies (1/4)
 Regain control over the data: the digital transformation impact on the company’s operating income is estimated at +/- 60% (+40% in case of success to -20% in case of failure) 1.
➢ New regulation + digital maturity are perfect triggers for digital transformation
➢ Full data mapping will help implement Big Data projects
➢ Deployment of « self-service » tools: Data Preparation, Data Discovery, Data Governance, Dataviz, Data Science
1 McKinsey 2014 « accelerating the digital transformation of the French companies »
 Regain control over IS security:
➢ GDPR enables more transparency and therefore more trust in the digital world.
Crucial:
➢ 75% of businesses are unaware that the « private life » experience is perceived as one of the customers’ 3 most important criteria 1
➢ 88% of consumers consider personal data security as THE most important factor when buying online 1
1 Symantec surveys 2015 & 2016
An opportunity for the European companies (2/4)
 Right to data portability → opt for a more open architecture:
 Deployment and use of APIs to exchange data with third parties (e.g. Open Data)
An opportunity for the European companies (3/4)
 European Big Data players:
 European players are the 1st and most exposed to the regulation; will they seize the opportunity by implementing “Privacy by Design”?
 Same thing for « subcontractors » (Cloud, Software firms, etc.)
 Meanwhile – in the United States, Congress repeals a law protecting private life on the web (29/3) 1:
 Internet providers will be able to sell their customers’ data to third parties without explicit authorisation,
 If Donald Trump promulgates the law voted on Tuesday, service providers such as Verizon or Comcast will be able to follow their customers’ online behaviour and use the financial and personal data without their consent to sell specially well-targeted advertising space. This will allow them to compete more fairly with Google or Facebook, which are regulated by different acts and can therefore add more value to the information collected to gain momentum on the online advertising market, estimated to weigh $83 billion. 1
1 « Les Echos » (29 March 2017)
An opportunity for the European companies (4/4)
What about tomorrow?
 We’re already talking about « Privacy by Using » …
 Unique Digital Identifier
 IOT, bots & GDPR
Tomorrow: Privacy By Using
http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
Tomorrow: Unique Digital Id
 When buying online one will be able to provide his/her UDId
 The vendor will only get the data required for the payment
 He/she will then provide the UDId to the courier, who will be able to retrieve the buyer’s address but will not know what is in the parcel
Tomorrow: IOT
 2020: 26 billion connected objects are expected,
 $300 billion!
 + data → + governance!
 2 major challenges:
 Data flood is at odds with GDPR: we stand very far from « Privacy by Design »
 Trust & security
 Many providers: no one is accountable
 Each new IOT device opens a door to the IS … posing serious security issues
 « Don’t speak about too personal or too sensitive things in front of your TV screen because it’s spying on you! » (Samsung about its « smart TV »)
IN FINE
 A road paved with difficulties:
 GDPR-inherent (harmonisation?, organisation, reorganisation, legal aspects)
 Exogenous (unwillingness, lack of methodology/expertise, budgetary, deadline)
 But also offers many opportunities:
 To the European citizens,
 To the European companies → regain control over their data and their IS security
 Deployment of a more open architecture
 Opportunity for the European Digital players
Acknowledgements / Webography
 Thanks to Mr. Antoine Vigneron, teacher at the « CNAM »
References read online
European Council – The GDPR: http://www.consilium.europa.eu/fr/policies/data-protection-reform/data-protection-regulation/
CNIL (Commission nationale de l'informatique et des libertés) – French regulator: https://www.cnil.fr/professionnel
CIGREF – Valuing data in large corporates - Maturity, practices and model: http://www.cigref.fr/wp/wp-content/uploads/2016/11/CIGREF-Valorisation-des-donnees-Pratiques-Modele-2016.pdf
gdpr.expert: https://www.gdpr-expert.eu/#textesofficiels
GlobalSecurityMag.fr - GDPR: 5 major changes for companies: http://www.globalsecuritymag.fr/GDPR-5-changements-majeurs-pour,20170227,69261.html
NOVENCIA - 10 questions to understand the GDPR: https://www.novencia.com/gdpr-10-questions/
BusinessDecision.com – Big Data & Digital Blog: http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
CIL consulting: http://www.protection-des-donnees.fr/gdpr-pourrait-bien-booster-croissance-acteurs-europeens-big-data/

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Gdpr compliance. Presentation for Consulegis Lawyers network
Gdpr compliance.  Presentation  for Consulegis Lawyers networkGdpr compliance.  Presentation  for Consulegis Lawyers network
Gdpr compliance. Presentation for Consulegis Lawyers network
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can Help
 
Convince your board - Ten steps to GDPR compliance
Convince your board  - Ten steps to GDPR complianceConvince your board  - Ten steps to GDPR compliance
Convince your board - Ten steps to GDPR compliance
 
GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017
 
Do You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? ArticleDo You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? Article
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
 
VMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide DeckVMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide Deck
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
Getting Started with GDPR Compliance
Getting Started with GDPR ComplianceGetting Started with GDPR Compliance
Getting Started with GDPR Compliance
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
EU GDPR - 12 Steps To Compliance
EU GDPR - 12 Steps To Compliance EU GDPR - 12 Steps To Compliance
EU GDPR - 12 Steps To Compliance
 
GDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection RegulationGDPR Basics - General Data Protection Regulation
GDPR Basics - General Data Protection Regulation
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist  AVG / GDPR - Algemene Verordering GegevensbeschermingMagento checklist  AVG / GDPR - Algemene Verordering Gegevensbescherming
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
 
GDPR - a view for the non experts
GDPR - a view for the non expertsGDPR - a view for the non experts
GDPR - a view for the non experts
 

Similar a GDPR (En) JM Tyszka

Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 

Similar a GDPR (En) JM Tyszka (20)

Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.GDPR How ready are you? The What, Why and How.
GDPR How ready are you? The What, Why and How.
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
Gdpr compliance univ'air carslon wagon lit 5 oktober 2017
Gdpr compliance univ'air carslon wagon lit 5 oktober 2017Gdpr compliance univ'air carslon wagon lit 5 oktober 2017
Gdpr compliance univ'air carslon wagon lit 5 oktober 2017
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
Jisc GDPR conference
Jisc GDPR conferenceJisc GDPR conference
Jisc GDPR conference
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
 
Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1Data Privacy for Information Security Professionals Part 1
Data Privacy for Information Security Professionals Part 1
 
GDPR
GDPRGDPR
GDPR
 

Último

Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
allensay1
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
ZurliaSoop
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Abortion pills in Kuwait Cytotec pills in Kuwait
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
instagramfab782445
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
laloo_007
 

Último (20)

Power point presentation on enterprise performance management
Power point presentation on enterprise performance managementPower point presentation on enterprise performance management
Power point presentation on enterprise performance management
 
Putting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptxPutting the SPARK into Virtual Training.pptx
Putting the SPARK into Virtual Training.pptx
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan CytotecJual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
Jual Obat Aborsi ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan Cytotec
 
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdfTVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
TVB_The Vietnam Believer Newsletter_May 6th, 2024_ENVol. 006.pdf
 
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pillsMifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
Mifty kit IN Salmiya (+918133066128) Abortion pills IN Salmiyah Cytotec pills
 
Cracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' SlideshareCracking the 'Career Pathing' Slideshare
Cracking the 'Career Pathing' Slideshare
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in OmanMifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
Mifepristone Available in Muscat +918761049707^^ €€ Buy Abortion Pills in Oman
 
Organizational Transformation Lead with Culture
Organizational Transformation Lead with CultureOrganizational Transformation Lead with Culture
Organizational Transformation Lead with Culture
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow ChallengesFalcon Invoice Discounting: Aviate Your Cash Flow Challenges
Falcon Invoice Discounting: Aviate Your Cash Flow Challenges
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Structuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdfStructuring and Writing DRL Mckinsey (1).pdf
Structuring and Writing DRL Mckinsey (1).pdf
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 
Pre Engineered Building Manufacturers Hyderabad.pptx
Pre Engineered  Building Manufacturers Hyderabad.pptxPre Engineered  Building Manufacturers Hyderabad.pptx
Pre Engineered Building Manufacturers Hyderabad.pptx
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 

GDPR (En) JM Tyszka

  • 1. GDPR (General Data Protection Regulation) Jean-Michel TYSZKA https://www.linkedin.com/in/jeanmicheltyszka/
  • 2. The GDPR at a glance Risks & Challenges Opportunities
  • 3. What’s GDPR ?  « This regulation […] sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules. » * * preamble of the European Council
  • 4. When ?  Entered into force on 24th may 2016  Applicable as from 25th may 2018  But :  End 2014, 52% of surveyed companies were not ready for it; 56% did not know exactly what the acronym "GDPR" corresponded to 1  Sept 2015 : if 2/3 (69%) of IT professionals had realized that GDPR will impact their business, almost 1/5 (18%) still had no idea of whether they will be impacted  According to a recent survey less than 10% of businesses believe they will be ready on time 2 1 Ipswitch – survey performed end 2014 on 316 European businesses 2 http://www.lexpress.fr/actualites/1/societe/donnees-personnelles-la-cnil-exhorte-les-societes- a-se-preparer_1893219.html?socid=8a3ZW8qL
  • 5. Scope & Penalties  All organisations localized in the EU or outside of the EU but processing data about EU citizens  It sets out the principles of personal data collection to the bare minimum  Offenders will be subject to heavy penalties; max of:  4% of the total worldwide annual turnover of the preceding financial year,  20M euros
  • 6. Personnal data Very large scope:  Individual identity: first/last names, birth place and date, social security number, postal and e-mail addresses, telephone number, registration plate number, photo or video, etc…  Personal information: employment status, salary, etc…  Bank & fiscal details : credit/debit card number, IBAN, tax position, etc…  Personal life: interests, cookies and other internet traces, etc…  Localization : such as geolocation (GPS or GSM), IP address, etc…  “Sensitive data” (requiring a specific attention) :  Personal life: racial or ethnic origins, living habits, religious, philosophical, politic, union or sexual preferences, etc…  Medical, genetic or biometric data: fingerprint, DNA, etc…  Legal data : offences, convictions, etc…  Minor related data.
  • 7. Symbolic Articles (1/4)  Right of access by the data subject + data portability:  Right to know if data concerning an individual is being processed and, if so, to which purpose; right to know the source of the data and planned retention duration  Right to request from the controller for the data to be rectified or erased, or to restrict the personal data processing  Right to receive a copy of the personal data in a “structured, commonly used and machine-readable format”  Right to have the personal data transmitted directly from one controller to another, where “technically feasible”
  • 8.  Right to erasure: data subjects can ask the controller, provided the request is legitimate, to :  Erase permanently and globally their personal data  Stop spreading them  If applicable, request to third parties to which the data will have been transmitted to stop using it  The controller will have 30 days to do so Symbolic Articles (2/4)
  • 9.  « Privacy by Design / Ethic by Design » : GDPR must be taken into account as from products and services conception and during the whole project life cycle  Deployment of actions such as:  Data minimisation: only adequate et relevant data, limited to the processing purpose, shall be collected,  Pseudonymising, anonymization or cyphering so that the data subject cannot be associated to the data itself without additional information  Processing purpose and retention duration restrictions  Algorithm ethic: processing shall in no way prejudice an individual’s private life Symbolic Articles (3/4)
Symbolic Articles (4/4)
 Notification of a personal data breach:
   Supervisory authorities shall be notified within 72 hours of the detection of a data breach, stating the data types, the records and the approximate number of individuals involved
   Where the breach is likely to result in a high risk to individuals, the data subjects shall be informed as quickly as possible
   This requirement is accompanied by an obligation of means: the security measures shall be adapted to the risk
Methodology
 The CNIL (French supervisory authority) recommends proceeding in 6 steps:
The GDPR at a glance
Risks & Challenges
Opportunities
GDPR implementation inherent risks (1/5)
 European harmonisation of personal data management. Yet each State can adapt the scope of some articles, such as:
   The lawfulness of processing,
   The conditions applicable to a child's consent (13 or 16 years old),
   The definition of the « specificities » of some special categories of personal data,
   The designation of the national supervisory authority (e.g. the CNIL in France), the means it will have and the extent of its authority to enforce the GDPR,
   And even the penalties . . .
 Risk of a race towards the lowest restrictions to attract businesses onto national ground, which would compromise the harmonisation
GDPR implementation inherent risks (2/5)
 Implementation/Redesign of business processes:
   Lawfulness of processing: any personal data processing must be lawful and conform to the purpose the data was gathered for. In addition, the processor must seek to minimise the collected data. One can wonder how Big Data, machine learning or deep learning projects fit with this requirement.
   Consent: the processor must keep track of each individual's consent; this implies not only modifying the processes to collect and store this information, but also being able to differentiate the processing depending on the individual
   Right to be forgotten: requires automating (1) the process that takes this right into account and (2) the one required to implement it
GDPR implementation inherent risks (3/5)
 Implementation/Redesign of business processes:
   Right to data portability: a big challenge
     Harmonisation of the personal data transfer format
     Questions the later use of the personal data by the first processor
     What about « produced » personal data, i.e. data that was not provided by the individual (bills, traffic, localisation, IoT-generated data …)?
   Privacy by Design: requires a new project governance between IT, legal and operational teams
   Impacts on the organisation:
     Redefinition of some positions,
     New expertise,
     Blueprint review
GDPR implementation inherent risks (4/5)
 Legal aspects:
   Territorial scope:
     The GDPR potentially impacts non-EU businesses: how to enforce the decisions?
     All the more so where several transnational processors are involved?
   Processor responsibility: assessing risks at their fair value so that they can be handled by appropriate measures will be a real challenge
GDPR implementation inherent risks (5/5)
 Legal aspects:
   New binding corporate rules: BCRs must be reviewed according to the new regulation and applied internally
   Subcontracting: potentially all existing subcontracting agreements are to be amended
   Personal data breach notification:
     To the national supervisory authority: the balance between the penalties that could be applied and the fear of damaging the company's image and trust will be delicate to find
     To the individuals: again, a real Sophie's choice between communicating openly and taking the risk of being sanctioned
Governance / Organisation difficulties
 Stakeholder unwillingness (Management, BUs, ISD)
 Reluctance to change (new organisation, new Privacy by Design requirements): the DPO must keep a close watch
 Lack of methodology / expertise
 Budgetary:
   High-level estimates of the personal data mapping might be possible, but a final compliance estimate is just impossible
   Balance between risks and « gold-plating » hard to find
 Deadline: follow a step-by-step approach, attending to the most urgent subjects first
Special case
 Unauthorised transfers or disclosures outside of the EU: companies will be crushed between the GDPR and foreign lawful injunctions  an unmanageable situation
 More political than legal?
The GDPR at a glance
Risks & Challenges
Opportunities
An opportunity for the European citizens
 To 57% of Europeans, personal data disclosure is a real problem,
 94% deem it necessary to explicitly provide their consent for personal data collection (74% in any case, 12% via the internet and 8% for sensitive data),
 90% consider it important that the same data protection rules apply all over the EU,
 70% are concerned that their personal data can be used for purposes other than those for which they provided it,
 Only 15% feel that they have full control over the information they provide online
* Eurobarometer 2015-431
An opportunity for the European companies (1/4)
 Regain control of the data: the impact of digital transformation on a company's operating income is evaluated at +/- 60% (+40% in case of success to -20% in case of failure) 1
   ➢ New regulation + digital maturity are perfect triggers for digital transformation
   ➢ Full data mapping will help implement Big Data projects
   ➢ Deployment of « self-service » tools: Data Preparation, Data Discovery, Data Governance, Dataviz, Data Science
1 McKinsey 2014, « accelerating the digital transformation of the French companies »
An opportunity for the European companies (2/4)
 Regain control of IS security:
   ➢ The GDPR enables more transparency and therefore more trust in the digital world. Crucial:
     ➢ 75% of businesses are unaware that the « private life » experience is perceived as one of customers' 3 most important criteria 1
     ➢ 88% of consumers consider personal data security THE most important factor when buying online 1
1 Symantec surveys 2015 & 2016
An opportunity for the European companies (3/4)
 Right to data portability  opt for a more open architecture:
   Deployment and use of APIs to exchange data with third parties (e.g. Open Data)
An opportunity for the European companies (4/4)
 European Big Data players:
   European players are the first and most exposed to the regulation; will they seize the opportunity by implementing « Privacy by Design »?
   The same goes for « subcontractors » (Cloud, software firms, etc…)
 Meanwhile, in the United States, Congress has repealed a law protecting private life on the web (29/3) 1:
   Internet providers will be able to sell their customers' data to third parties without explicit authorisation,
   If Donald Trump promulgates the law voted on Tuesday, service providers such as Verizon or Comcast will be able to follow their customers' online behaviour and use the financial and personal data without their consent to sell especially well-targeted advertising space. This will allow them to compete more fairly with Google or Facebook, which are regulated by different acts and can therefore add more value to the information collected to gain momentum on the online advertising market, estimated to weigh $83 billion. 1
1 « Les Echos » (29 March 2017)
What about tomorrow?
 We're already talking about « Privacy by Using » …
 Unique Digital Identifier
 IoT, bots & GDPR
Tomorrow: Privacy By Using
http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
Tomorrow: Unique Digital Id
 When buying online, one will be able to provide one's UDId
 The vendor will only get the data required for the payment
 The buyer will then provide the UDId to the courier, who will be able to retrieve the buyer's address but will not know what is in the parcel
Tomorrow: IoT
 2020: 26 billion connected objects are expected, $300 billion!  + data  + governance!
 2 major challenges:
   The data flood is at odds with the GDPR: we stand very far from « Privacy by Design »
   Trust & security
     Many providers: no one is accountable
     Each new IoT device opens a door into the IS … posing serious security issues
     « Don't speak about too personal or too sensitive things in front of your TV screen because it's spying on you! » (Samsung about its « smart TV »)
IN FINE
 A road paved with difficulties:
   GDPR-inherent (harmonisation?, organisation, reorganisation, legal aspects)
   Exogenous (unwillingness, lack of methodology/expertise, budget, deadline)
 But it also offers many opportunities:
   To the European citizens,
   To the European companies  regain control of their data and of their IS security
   Deployment of a more open architecture
   Opportunity for the European digital players
Acknowledgements / Webography
 Thanks to Mr. Antoine Vigneron, teacher at the « CNAM »
References read online
 European Council – The GDPR: http://www.consilium.europa.eu/fr/policies/data-protection-reform/data-protection-regulation/
 CNIL (Commission nationale de l'informatique et des libertés) – French regulator: https://www.cnil.fr/professionnel
 CIGREF – Valuing data in large corporates: maturity, practices and model: http://www.cigref.fr/wp/wp-content/uploads/2016/11/CIGREF-Valorisation-des-donnees-Pratiques-Modele-2016.pdf
 gdpr.expert: https://www.gdpr-expert.eu/#textesofficiels
 GlobalSecurityMag.fr – GDPR: 5 major changes for companies: http://www.globalsecuritymag.fr/GDPR-5-changements-majeurs-pour,20170227,69261.html
 NOVENCIA – 10 questions to understand the GDPR: https://www.novencia.com/gdpr-10-questions/
 BusinessDecision.com – Big Data & Digital blog: http://blog.businessdecision.com/bigdata/2016/11/gdpr-nouvelles-contraintes-opportunites/
 CIL consulting: http://www.protection-des-donnees.fr/gdpr-pourrait-bien-booster-croissance-acteurs-europeens-big-data/