Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business

WithumSmith+Brown, PC | BE IN A POSITION OF STRENGTH 0SM
withum.com
Presented by:
Anupam Goradia, CPA, CISA, CITP
Daniel Cohen-Dumani, Partner, Market Leader
Introduction to GDPR:
WEBINAR
What It Is, How It Will Affect Your
Business and How to Stay
Compliant

About Daniel
Daniel Cohen-Dumani
@dcohendumani
dcohendumani@withum.com
Partner,
Market
Leader
15+ years of Digital Transformation
Expertise with Office 365, SharePoint and
Dynamics
SharePoint Visionary
Interests: Productivity in the
Modern Workplace. Work 2.0
Started working with
SharePoint when nobody
could spell it

About Anupam
Anupam Goradia
agoradia@withum.com
CPA, CISA,
CITP, Senior
Manager
15+ years of public accounting experience,
plus extensive experience in internal audit,
risk management and internal control related
consulting services.
Member of Withum’s
Cybersecurity team as well
as the Governance, Risk and
Compliance Services team.
Specializes in Construction,
Government, Not-for-Profit
and Education, and Real
Estate

BE IN A POSITION OF STRENGTH | withum.com
Agenda
Introduction: What Is GDPR?
How Does GDPR Impact Your Business?
What Can You Do to Stay Compliant?
The Role of Microsoft Technology in Ensuring Compliance
Q&A
digital.withum.com

Providing clarity and consistency for the protection
of personal data
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection
Regulation (GDPR) imposes new
rules on organizations in the European
Union (EU) and those that offer goods and
services to people in the EU, or that collect
and analyze data tied to EU residents, no
matter where they are located.
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights

General Data Protection Regulation
(GDPR)
A European Union regulation
It is about the protection of privacy and
data of EU “data subjects”
Has implications beyond EU
Organization for Economic Co-
operation and Development (OECD)
Non-compliance can have penalties

Poll Number 1:
 Do you currently have EU exposure that would require GDPR compliance?
 Yes
 No

History of Privacy Regulation in Europe
OECD documented
first guidelines in
1980
Data protection
directive was
issued in 1995
OCED revises
guidelines in 2013
EU Parliament
approves GDPR in
2016
Data protection
and its regulation
is a global
phenomenon

Implications Beyond EU
GDPR affects your organization if:
 Your organization offers goods or services to
EU data subjects or monitors their behavior
 Processes and holds “personal data” of data
subjects residing in EU (regardless of
organization’s location)

Penalties for
Non-
Compliance
Up to 4% of annual
global turnover or
20 Million Euros
(maximum).
Which businesses can be subject to
penalty?
• If your organization offers goods or
services EU data subjects or monitors
their behavior
• Processing and holding of “personal
data” of data subjects residing in EU
(regardless of organization’s location)

Personal Data
Includes
• Name
• An identification number
• Location data
• Computer IP address
• An online identifier to one more factors
specific to the:
 Physical, physiological, genetic,
mental, economic, culture or social
identify of that natural person
Data Subjects
Identified or Identifiable natural person

Poll Number 2:
Which of the following is false:
1) GDPR extends to paper based records
2) GDPR stands for Gross Domestic Product Regulation
3) GDPR will not impact UK due to Brexit

Right to
Access
Data subjects have a right
to obtain a free copy of
their personal data in an
electronic format.
Data subjects can request
information on where the
data is being processed
and for what purposes.

Right to be
Forgotten
Also known as right of erasure
Data subjects can request to:
• Erase his/her personal data
• Cease further dissemination of the data
• Have third parties halt processing of data
Discretion in cases when there is
public interest in the availability
of data

Data
Portability
and
Conditions
of Consent
• Data subjects have the right to
transmit data to another data
controller
Data Portability
• Data subjects have to give their
informed consent; consent
cannot be assumed
Conditions of Consent

Privacy by
Design
Inclusion of data protection from the
onset of the designing of systems
Requires organizations to ‘implement
appropriate technical and
organizational measures….in an
effective way…in order to meet the
requirements of this Regulation and
protect rights of data subjects’.

Other
Requirement
s
Breach notifications
•Within 72 hours of
becoming aware of the
breach*
Data Controller and
Data Processor
•Processor has to meet
compliance
Data Protection
Officer “DPO”
•Most companies would be
required to designate a
DPO
* According to a recent report from FireEye, it takes an average of 146 days to discover a breach

Summary of Key Changes for GDPR
Personal
Privacy
Controls and
Notifications
Transparent
Policies
IT and Training
Organizations will need to:
• Train privacy personnel &
employees
• Audit and update data
policies
• Employ a Data Protection
Officer (if required)
• Create & manage
compliant vendor
contracts
Organizations will need to:
• Protect personal data using
appropriate security
• Notify authorities of
personal data breaches
• Obtain appropriate consents
for processing data
• Keep records detailing data
processing
Individuals have the right to:
• Access their personal
data
• Correct errors in their
personal data
• Erase their personal data
• Object to processing of
their personal data
• Export personal data
Organizations are required to:
• Provide clear notice of
data collection
• Outline processing
purposes and use cases
• Define data retention and
deletion policies

Poll Number 3:
GDPR may not apply to the following:
1. A local dollar store
2. A company providing online education across borders
3. A data center hosting payroll records of EU citizens located in Virginia, United
States

Where Do We
Stand on GDPR
Compliance?
 Over half of US multinationals say GDPR is their
top data protection priority
 While 24% of respondents plan to spend under
$1 million for GDPR preparations, 68% said they
will invest between $1 million and $10 million.
Nine percent (9%) expect to spend over $10
million to address GDPR obligations
 23% of surveyed respondents have not started
GDPR compliance
 71% have begun GDPR preparation
Source : December 2016 PwC Survey

What Needs to be Done:
Data
Discovery
1
Information
Security
Enhancement
2
Third-Party
Risk
Management
3
GDPR Gap
Assessment
4
Remediation
5

Let’s Talk Small Business…
Do I Even Have to be
Compliant?
 Now?
 Maybe now?
 In the future?
 Never?

Regardless of the GDPR Compliance Requirements…
Data protection should be your number one priority!
These basics should always be in place at your organization:
• IT Policies and Procedures
• Cybersecurity Risk Assessment
• IT Audits
• Penetration Testing
Available framework - NIST Small Business IT Framework
GDPR is all about data protection!
Data protection should be every organization’s top priority!

Preparing for the GDPR
Leverage guidance
from experts
Simplify your
privacy journey
GDPR
Compliance
GDPR
Compliance
GDPR
Compliance
Uncover risk &
take action

How Do I Get Started?
Identify what personal data you have and
where it resides
Discover1
Govern how personal data is used
and accessed
Manage2
Establish security controls to prevent, detect,
and respond to vulnerabilities & data breaches
Protect3
Keep required documentation, manage data
requests and breach notifications
Report4

Poll Number 4:
Do you currently have Office 365?
1. Yes
2. No
3. Not sure

Discover:
Identify what personal data you have and
where it resides
In-scope:
•
•
•
•
•
•
•
•
•
•
Inventory:
•
•
•
•
•
•
•
Microsoft Azure
Microsoft Azure Data Catalog
Enterprise Mobility + Security (EMS)
Microsoft Cloud App Security
Dynamics 365
Audit Data & User Activity
Reporting & Analytics
Office & Office 365
Data Loss Prevention
Advanced Data Governance
Office 365 eDiscovery
SQL Server and Azure SQL Database
SQL Query Language
Windows & Windows Server
Windows Search
Examples of Microsoft Solutions1

2 Manage:
Data governance:
•
•
•
•
•
•
•
•
Data classification:
•
•
•
•
•
•
•
Microsoft Azure
Azure Active Directory
Azure Information Protection
Azure Role-Based Access Control (RBAC)
Dynamics 365
Security Concepts
Office & Office 365
Advanced Data Governance
Journaling (Exchange Online)
Microsoft Data Classification Toolkit
Examples of Microsoft Solutions

3 Protect:
Preventing data
attacks:
•
•
•
•
•
•
•
•
Detecting &
responding to
breaches:
•
•
•
•
•
•
Microsoft Azure
Azure Key Vault
Azure Security Center
Azure Storage Services Encryption
Azure Active Directory Premium
Microsoft Intune
Office & Office 365
Advanced Threat Protection
Threat Intelligence
SQL Server and Azure SQL Database
Transparent data encryption
Always Encrypted
Windows Defender Advanced Threat Protection
Windows Hello
Device Guard
Examples of Microsoft Solutions

4
Record-keeping:
•
•
•
•
•
Reporting tools:
•
•
•
•
•
•
Microsoft Trust Center
Service Trust Portal
Microsoft Azure
Azure Auditing & Logging
Azure Data Lake
Azure Monitor
Dynamics 365
Reporting & Analytics
Office & Office 365
Service Assurance
Office 365 Audit Logs
Customer Lockbox
Windows Defender Advanced Threat Protection
Report: Examples of Microsoft Solutions

Q&A

NEXT STEPS
To learn more about GDPR visit digital.withum.com
Are You Prepared to Meet GDPR Compliance?
Take advantage of our no obligation consultation.
We’ll help you make sure you’re on the right path to being
prepared.
Schedule a Free Consultation
Click Here

Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (18)

Similar a Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business

Similar a Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business (20)

Más de WithumSmith+Brown, formerly Portal Solutions

Más de WithumSmith+Brown, formerly Portal Solutions (20)

Último

Último (20)

Webinar: Introduction to GDPR - What It Is and How It Will Affect Your Business