This webinar, featuring guests from the EU Commission, the French data regulator CNIL, DLA Piper and IBM, provided an overview of the new EU data protection and privacy regulation from the perspectives of the regulation's author, a regulator, a legal advisor and technology providers.
8. Enforcement
Each supervisory authority shall ensure that the imposition of administrative fines pursuant …/… shall in each individual case be effective, proportionate and dissuasive.
Administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Taken into account, especially:
Nature, gravity and duration of the infringement
Number of data subjects affected
Level of damage suffered by them
The intentional or negligent character of the infringement
…
Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
Gaston Gautreneau – IT Expert Department, 23/06/2017
9. Data breach notification
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
This means that a breach is more than just losing personal data.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Administrative fines up to €10,000,000 or 2% of global turnover, whichever is the greater.
Notify the DPA if there is a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Communication to the data subject shall not be required if the controller has implemented appropriate technical and organisational protection measures.
10. The PIA stands on two pillars
What does it mean to comply with the regulation?
1. Respect the fundamental principles: the fundamental principles and rights (purpose, information, etc.) are “non negotiable”, fixed by the law, and have to be fully respected.
2. Manage the risks related to data security: risk management makes it possible to identify the technical and organizational measures that protect the personal data from data breaches.
PIA (Privacy Impact Assessment): the Privacy Impact Assessment (PIA) is a means to comply with the regulation and to prove it (accountability).
11. Process overview
[Flowchart of the DPIA process, reproduced here as text]
Likely to result in high risks? [art. 35(1), (3) & (4)] – No: no DPIA needed. Yes: Exception? [art. 35(5) and (10)]
Exception? – Yes: no DPIA. No: DPIA [art. 35(7)]
During the DPIA: code(s) of conduct [art. 35(8)], advice of the DPO [art. 35(2)], monitor performance [art. 39(1)(c)], seek the views of the data subjects [art. 35(9)]
High residual risks? [art. 36(1)] – Yes: prior consultation. No: no prior consultation
Processing reviewed by the controller [art. 35(11)]
12. Speaker
Prof. Dr. Patrick Van Eecke is partner in DLA Piper’s Brussels office and global co-chair of DLA Piper's Data Protection, Privacy and Security practice. He has over 20 years of international legal experience in privacy and data protection issues, advising on the legal impact of big data, cloud computing and the Internet of Things. Patrick advises multinational organisations on data protection and privacy issues and has in-depth knowledge of regulatory developments in Belgium, in EU Member States, and on a pan-European level. Patrick teaches European Cyberlaw at the University of Antwerp and King's College London.
15. Some myths unveiled
"Been there, done that. It is similar to our anti-bribery and anti-trust exercise"
"We are ISO 27K compliant, so we are GDPR compliant"
"It's just a European issue, why should we bother"
"PII = personal data: let's keep our US approach"
"We still have time, 25 May 2018 is the date we need to start our implementation"
16. Some myths unveiled
"Let's decrease our liability exposure by spinning off data activities to a shared service center"
"Data Protection = Consumer Protection, we only process employee and B2B data"
"Let's change our website privacy policy, then we're fine"
"It has never been enforced, it will never be enforced"
"End users will never sue us"
"We need a DPO, let's ask our CISO to take up this role"
18. General Data Protection Regulation (GDPR): Tools to Accelerate the Journey
Cindy E. Compert CIPT/M, CTO Data Security & Privacy, IBM Security
JUNE 22, 2017
19. IBM Security
“A ship in port is safe; but that is not what ships are built for. Sail out to sea and do new things” – Grace Hopper
26. Addressing Subject Access Requests
NEED TO KNOW WHOSE DATA IT IS!
Don’t know whose data it is
Cannot detect Contextual PII
Many False Positives
Need to know where the data is going
Need to search Big Data
BigID (www.bigid.com)
27. Need an Inventory by Data Subject
JUST KNOWING WHAT CLASS OF DATA IS FOUND WHERE IS NOT ENOUGH
Learning Based Discovery
No Duplication of data
Correlate to the identity
Map identity Data Graph
28. Data Subject Request Automation
IDENTITY DATA INDEX PROVIDES ALL DATA SUBJECT INFORMATION AT YOUR FINGERTIPS
Quickly Find Personal Data (Date, Location, Properties)
Export Personal Data
Correlate Consent Approvals
Trigger Data Deletion
Provide as Self Service
29. Responsible Breach Response
IDENTITY INDEX HELPS YOU MINIMIZE YOUR EXPOSURE
Pinpoint Breach Time
Scan Dark Web Breach Files
Quickly Find Who was Impacted
Pinpoint Breach Source
Notify Only Who was Impacted
30. Data Mapping True Automation
ONCE YOU KNOW WHERE THE DATA IS, UNDERSTAND WHO IS ACCESSING IT
Top Down And Bottom Up
Continuous Compliance
Data Discovery, Not questionnaires
Enrich with Business Information
32. Disclaimer
• Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice – it is process advice only.