Introductions
Agenda
www.bigid.com
BigID
GDPR in the eyes of the legislator
Agenda
Enforcement
Data breach notification
Privacy Impact Assessment & Privacy by design
Gaston Gautreneau – IT Expert Department, 23/06/2017
Enforcement
Each supervisory authority shall ensure that the imposition of administrative fines pursuant …/… shall in each individual case be effective, proportionate and dissuasive.
Administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Taken into account, especially:
• Nature, gravity and duration of the infringement
• Number of data subjects affected
• Level of damage suffered by them
• The intentional or negligent character of the infringement
• …
• Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement
Data breach notification
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
This means that a breach is more than just losing personal data.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
Administrative fines up to €10,000,000 or 2% of global turnover, whichever is the greater.
Notify the DPA if there is a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Communication to the data subject shall not be required if the controller has implemented appropriate technical and organisational protection measures.
The PIA stands on two pillars
What does it mean to comply with the regulation?
1. Respect the fundamental principles: the fundamental principles and rights (purpose, information, etc.) are “non negotiable”, fixed by the law, and have to be fully respected.
2. Manage the risks related to data security: risk management makes it possible to identify the technical and organizational measures that protect the personal data from data breaches.
PIA (Privacy Impact Assessment): the Privacy Impact Assessment (PIA) is a means to comply with the regulation and prove it (accountability).
Process overview
Likely to result in high risks? [art. 35(1), (3) & (4)]
  No → No DPIA needed
  Yes → Exception? [art. 35(5) and (10)]
    Yes → No DPIA
    No → DPIA [art. 35(7)], with inputs:
      Code(s) of conduct [art. 35(8)]
      Advice of the DPO [art. 35(2)]
      Seek the views of the data subjects [art. 35(9)]
      Monitor performance [art. 39(1) (c)]
      High residual risks? [art. 36(1)]
        Yes → Prior consultation
        No → No prior consultation
      Processing reviewed by the controller [art. 35(11)]
www.dlapiper.com
Speaker
Prof. dr. Patrick Van Eecke is partner in DLA Piper’s Brussels office and global co-chair of DLA Piper's Data Protection, Privacy and Security practice.
He has over 20 years of international legal experience in privacy and data protection issues advising on the legal impact of big data, cloud computing and Internet of Things.
Patrick advises multinational organisations on data protection and privacy issues and has in-depth knowledge of regulatory developments both in Belgium, EU Member States, and on a pan-European level.
Patrick teaches European Cyberlaw at the University of Antwerp and King's College London.
New principles introduced by GDPR
Some myths unveiled
"Been there, done that. It is similar to our anti-bribery and anti-trust exercise"
"We are ISO 72K compliant, so we are GDPR compliant"
"It's just a European issue, why should we bother"
"PII = personal data: let's keep our US approach"
"We still have time, 25 May 2018 is the date we need to start our implementation"
Some myths unveiled
"Let's decrease our liability exposure, by spinning off data activities to a shared service center"
"Data Protection = Consumer Protection, we only process employee and B2B data"
"Let's change our website privacy policy, then we're fine"
"It has never been enforced, it will never be enforced"
"End users will never sue us"
"We need a DPO, let's ask our CISO to take up this role"
General Data Protection Regulation (GDPR): Tools to Accelerate the Journey
Cindy E. Compert CIPT/M, CTO Data Security & Privacy, IBM Security
JUNE 22, 2017
IBM Security
“A ship in port is safe; but that is not what ships are built for. Sail out to sea and do new things” – Grace Hopper
IBM’s Overall GDPR Framework: 5 phases to Readiness
IBM PROPRIETARY
Five phases: Assess, Design, Transform, Operate, Conform. For each phase: the phase goal, the activities, and the outcome.

Assess
Phase: Identify GDPR impact and plan
Activity:
• Conduct GDPR assessments across privacy, governance, people, processes, data, security
• Develop GDPR Readiness Roadmap
• Identify personal data
Outcome: Assessments and roadmap

Design
Phase: Technical and Organisational Measures (TOM). Includes Data Protection controls, processes and solutions to be implemented.
Activity:
• Design governance, training, communication, and processes standards
• Design privacy, data management and security management standards
Outcome: Defined implementation plan

Transform
Phase: TOMs in place: Personal Data discovery, classification and governance in place
Activity:
• Develop and embed procedures, processes, and tools
• Deliver GDPR training
• Develop/embed standards using Privacy by Design, Security by Design, data management policies
Outcome: Process enhancements completed

Operate
Phase: Begin the new GDPR compliant way of working
Activity:
• Execute all relevant business processes
• Monitor security and privacy using TOMs
• Manage data subject access and consent rights
Outcome: Operational framework in place

Conform
Phase: Monitor TOMs execution; deliver compliance evidence to internal and external stakeholders
Activity:
• Monitor, assess, audit, report and evaluate adherence to GDPR standards
Outcome: Ongoing monitoring and reporting
©2017 IBM Corporation
IBM Security Framework: Key Activities to address GDPR

ASSESS
Privacy Requirements
PREPARE:
• Conduct GDPR Assessments, assess and document GDPR related policies
• Assess data subject rights to consent, access, correct, delete, and transfer personal data
DISCOVER:
• Discover and classify personal data assets and affected systems
• Identify access risks, supporting Privacy by Design
Security Requirements
PREPARE:
• Assess security current state, identify gaps, benchmark maturity, establish conformance roadmaps
• Identify vulnerabilities, supporting Security by Design
DISCOVER:
• Discover and classify personal data assets and affected systems to design Security controls

DESIGN
Privacy Requirements
ROADMAP:
• Create GDPR remediation/implementation plan
PRIVACY BY DESIGN:
• Design policies, business processes and supporting technologies
• Create GDPR Reference Architecture
• Evaluate Controller/Processor Governance
Security Requirements
ROADMAP:
• Create Security remediation/implementation plan
SECURITY BY DESIGN:
• Create Security Reference Architecture
• Design Technical and Organizational Measures (TOMs) appropriate to risk (encryption, pseudonymization, access control, monitoring, etc.)

TRANSFORM
Privacy Requirements
TRANSFORM PROCESSES:
• Implement and execute policies, processes and technologies
• Automate data subject access requests
Security Requirements
PROTECT:
• Implement privacy enhancing controls (e.g. encryption, tokenization, dynamic masking)
• Implement security controls; mitigate access risks and security vulnerabilities
Legend: Red=Tools available
IBM Security Framework: Key Activities to address GDPR

OPERATE
Privacy Requirements
MANAGE GDPR PROGRAM:
• Manage GDPR Data Governance Practices such as Information Lifecycle Governance
• Manage GDPR Enterprise Conformance Programs such as data use, consent activities, data subject requests
RUN SERVICES:
• Monitor personal data access
• Govern roles and identities
Security Requirements
MANAGE SECURITY PROGRAM:
• Manage and implement Security Program Practices such as risk assessment, roles and responsibilities, program effectiveness
RUN SERVICES:
• Monitor security operations and intelligence: monitor, detect, respond to and mitigate threats
• Govern data incident response and forensics practices

CONFORM
Privacy Requirements
DEMONSTRATE:
• Record personal data access audit trail including data subject rights to access, modify, delete, transfer data
• Run Data Processor/Controller Governance including providing processor guidance, track data processing activities, provide audit trail, preparing for data subject access requests
• Document and manage compliance program - Ongoing monitoring, assessment, evaluation and reporting of GDPR activities
RESPOND:
• Respond to and manage breaches
Security Requirements
DEMONSTRATE:
• Demonstrate technical and organizational measures to ensure security appropriate to processing risk
• Document Security program - Ongoing monitoring, assessment, evaluation and reporting of security controls and activities
RESPOND:
• Respond to and manage breaches
Other activities with tools that can help address GDPR
PRIVACY REQUIREMENTS
GOVERN:
• Develop data lifecycle management processes
• Maintain enterprise vocabulary
• Manage Data Subject Quality
• Govern Risk and Compliance
• Vendor Management
GDPR brings new requirements
Addressing Subject Access Requests
NEED TO KNOW WHOSE DATA IT IS!
• Don’t know whose data it is
• Cannot detect contextual PII
• Many false positives
• Need to know where the data is going
• Need to search Big Data
Need an Inventory by Data Subject
JUST KNOWING WHAT CLASS OF DATA IS FOUND WHERE IS NOT ENOUGH
• Learning Based Discovery
• No duplication of data
• Correlate to the identity
• Map identity Data Graph
Data Subject Request Automation
IDENTITY DATA INDEX PROVIDES ALL DATA SUBJECT INFORMATION AT YOUR FINGERTIPS
• Quickly Find Personal Data (Date, Location, Properties)
• Export Personal Data
• Correlate Consent Approvals
• Trigger Data Deletion
• Provide as Self Service
Responsible Breach Response
IDENTITY INDEX HELPS YOU MINIMIZE YOUR EXPOSURE
• Pinpoint Breach Time
• Scan Dark Web Breach Files
• Quickly Find Who was Impacted
• Pinpoint Breach Source
• Notify Only Who was Impacted
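The Data Subject Request Automation and Responsible Breach Response slides above both rest on the same mechanism: an index of discovered personal data keyed by the data subject it was correlated to, not just by data class. The following is an added illustration written for this page, not BigID's product code. It builds a toy in-memory index over constructed discovery findings (hypothetical data sources crm, hr_share and logs; hypothetical subjects alice, bob and carol) and keeps two views of the same findings, one per subject and one per data source, so that a single structure answers an access/export request, an erasure request, and the breach-response question "which subjects had data in the systems that were breached", which is what lets notification be limited to the people actually affected.

```python
"""Toy identity-keyed data index for subject access requests and
breach-impact scoping.

Constructed illustration for this page; it is not BigID's product code.
The findings are made-up discovery results: each records where one piece
of personal data was found and which data subject it was correlated to.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import asdict, dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    """One discovered occurrence of personal data, already correlated to a subject."""
    subject_id: str   # the data subject the value belongs to (the "who")
    datasource: str   # system, share or application where it was found
    location: str     # table.column, file path or field inside that source
    attribute: str    # class of personal data (email, bank account, ...)
    found_on: date    # date the discovery scan saw it


class IdentityIndex:
    """Index findings by subject and by data source, so one structure answers
    access/export, erasure and breach-impact questions."""

    def __init__(self) -> None:
        self._by_subject: dict[str, set[Finding]] = defaultdict(set)
        self._by_datasource: dict[str, set[Finding]] = defaultdict(set)

    def add(self, finding: Finding) -> None:
        self._by_subject[finding.subject_id].add(finding)
        self._by_datasource[finding.datasource].add(finding)

    def export_subject(self, subject_id: str) -> list[dict]:
        """Subject access request: every location holding this subject's data,
        in a stable order suitable for an export file."""
        rows = sorted(self._by_subject.get(subject_id, ()),
                      key=lambda f: (f.datasource, f.location, f.attribute))
        return [asdict(f) for f in rows]

    def delete_subject(self, subject_id: str) -> int:
        """Erasure request: drop the subject from both views of the index and
        return how many locations a deletion job has to act on."""
        findings = self._by_subject.pop(subject_id, set())
        for f in findings:
            self._by_datasource[f.datasource].discard(f)
        return len(findings)

    def impacted_subjects(self, breached_datasources: Iterable[str]) -> set[str]:
        """Breach response: only the subjects whose data lived in the breached
        sources, so notification can be limited to them."""
        return {f.subject_id
                for ds in breached_datasources
                for f in self._by_datasource.get(ds, ())}


def build_demo_index() -> IdentityIndex:
    """Constructed sample: hypothetical sources crm, hr_share and logs."""
    idx = IdentityIndex()
    for f in (
        Finding("alice", "crm", "customers.email", "email", date(2017, 6, 1)),
        Finding("alice", "crm", "customers.address", "postal_address", date(2017, 6, 1)),
        Finding("alice", "hr_share", "payroll.csv", "bank_account", date(2017, 6, 2)),
        Finding("bob", "crm", "customers.email", "email", date(2017, 6, 1)),
        Finding("carol", "logs", "access.log", "ip_address", date(2017, 6, 3)),
    ):
        idx.add(f)
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    print("breach of hr_share impacts:", sorted(idx.impacted_subjects({"hr_share"})))
    print("export for alice:", idx.export_subject("alice"))
    print("locations to erase for alice:", idx.delete_subject("alice"))
    print("breach of crm after erasure impacts:", sorted(idx.impacted_subjects({"crm"})))
```

The point of keeping the second, per-datasource view is the breach case: a breach of the hypothetical hr_share yields only alice, while a breach of crm yields alice and bob, so the notification list comes from the index rather than from "everyone in the customer table". Erasure removes the subject from both views, so a later breach query no longer names a subject whose data has already been deleted.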
Data Mapping True Automation
ONCE YOU KNOW WHERE THE DATA IS, UNDERSTAND WHO IS ACCESSING IT
• Top Down and Bottom Up
• Continuous Compliance
• Data Discovery, Not Questionnaires
• Enrich with Business Information
QUESTIONS TIME!
Have a question? Ask NOW!
Disclaimer
• Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice; it is process advice only.

ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 

Último (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 

BigID GDPR Compliance Automation Webinar Slides

  • 10. The PIA stands on two pillars. What does it mean to comply with the regulation?
    - Respect the fundamental principles: the fundamental principles and rights (purpose, information, etc.) are "non-negotiable", fixed by the law, and have to be fully respected.
    - Manage the risks related to data security: risk management identifies the technical and organisational measures that protect personal data from data breaches.
    The Privacy Impact Assessment (PIA) is a means to comply with the regulation and to prove it (accountability). Gaston Gautreneau – IT Expert Department, 23/06/2017
  • 11. Process overview (DPIA decision flow):
    - Likely to result in high risks? [Art. 35(1), (3) & (4)] → No: no DPIA needed. Yes: continue.
    - Exception? [Art. 35(5) and (10)] → Yes: no DPIA. No: carry out the DPIA [Art. 35(7)], taking into account the advice of the DPO [Art. 35(2)], applicable code(s) of conduct [Art. 35(8)] and the views of the data subjects [Art. 35(9)].
    - High residual risks? [Art. 36(1)] → Yes: prior consultation of the supervisory authority. No: no prior consultation.
    - In either case the processing is reviewed by the controller [Art. 35(11)] and the DPO monitors performance [Art. 39(1)(c)].
  • 12. Speaker (www.dlapiper.com): Prof. dr. Patrick Van Eecke is a partner in DLA Piper's Brussels office and global co-chair of DLA Piper's Data Protection, Privacy and Security practice. He has over 20 years of international legal experience in privacy and data protection issues, advising on the legal impact of big data, cloud computing and the Internet of Things. Patrick advises multinational organisations on data protection and privacy issues and has in-depth knowledge of regulatory developments in Belgium, in other EU Member States and at pan-European level. Patrick teaches European Cyberlaw at the University of Antwerp and King's College London.
  • 15. Some myths unveiled:
    - "Been there, done that. It is similar to our anti-bribery and anti-trust exercise"
    - "We are ISO 27K compliant, so we are GDPR compliant"
    - "It's just a European issue, why should we bother"
    - "PII = personal data: let's keep our US approach"
    - "We still have time, 25 May 2018 is the date we need to start our implementation"
  • 16. Some myths unveiled (continued):
    - "Let's decrease our liability exposure by spinning off data activities to a shared service center"
    - "Data Protection = Consumer Protection, we only process employee and B2B data"
    - "Let's change our website privacy policy, then we're fine"
    - "It has never been enforced, it will never be enforced"
    - "End users will never sue us"
    - "We need a DPO, let's ask our CISO to take up this role"
  • 18. General Data Protection Regulation (GDPR): Tools to Accelerate the Journey. Cindy E. Compert CIPT/M, CTO Data Security & Privacy, IBM Security, June 22, 2017
  • 19. IBM Security. "A ship in port is safe; but that is not what ships are built for. Sail out to sea and do new things" – Grace Hopper
  • 20. IBM's Overall GDPR Framework: 5 phases to readiness (IBM PROPRIETARY, ©2017 IBM Corporation)
    - Assess: identify GDPR impact and plan. Activities: conduct GDPR assessments across privacy, governance, people, processes, data and security; develop a GDPR readiness roadmap. Outcome: assessments and roadmap.
    - Design: technical and organisational measures (TOMs), including the data protection controls, processes and solutions to be implemented. Activities: identify personal data; design governance, training, communication and process standards; design privacy, data management and security management standards. Outcome: defined implementation plan.
    - Transform: TOMs in place; personal-data discovery, classification and governance in place. Activities: develop and embed procedures, processes and tools; deliver GDPR training; develop/embed standards using Privacy by Design, Security by Design and data management policies. Outcome: process enhancements completed.
    - Operate: begin the new GDPR-compliant way of working. Activities: execute all relevant business processes; monitor security and privacy using the TOMs; manage data subject access and consent rights. Outcome: operational framework in place.
    - Conform: monitor TOM execution; deliver compliance evidence to internal and external stakeholders. Activities: monitor, assess, audit, report and evaluate adherence to GDPR standards. Outcome: ongoing monitoring and reporting.
  • 21. IBM Security Framework: key activities to address GDPR (legend on the slide: red = tools available)
    Assess
    - Privacy requirements. Prepare: conduct GDPR assessments; assess and document GDPR-related policies; assess data subject rights to consent, access, correct, delete and transfer personal data. Discover: discover and classify personal data assets and affected systems; identify access risks, supporting Privacy by Design.
    - Security requirements. Prepare: assess the current security state, identify gaps, benchmark maturity and establish conformance roadmaps; identify vulnerabilities, supporting Security by Design. Discover: discover and classify personal data assets and affected systems in order to design security controls.
    Design
    - Privacy requirements. Roadmap: create the GDPR remediation/implementation plan. Privacy by Design: design policies, business processes and supporting technologies; create a GDPR reference architecture; evaluate controller/processor governance.
    - Security requirements. Roadmap: create the security remediation/implementation plan. Security by Design: create a security reference architecture; design technical and organisational measures (TOMs) appropriate to the risk (encryption, pseudonymisation, access control, monitoring, etc.).
    Transform
    - Privacy requirements. Transform processes: implement and execute policies, processes and technologies; automate data subject access requests.
    - Security requirements. Protect: implement privacy-enhancing controls (e.g. encryption, tokenisation, dynamic masking); implement security controls; mitigate access risks and security vulnerabilities.
  • 22. IBM Security Framework: key activities to address GDPR (continued)
    Operate
    - Privacy requirements. Manage the GDPR program: manage GDPR data governance practices such as information lifecycle governance; manage GDPR enterprise conformance programs such as data use, consent activities and data subject requests. Run services: monitor personal data access; govern roles and identities.
    - Security requirements. Manage the security program: manage and implement security program practices such as risk assessment, roles and responsibilities, and program effectiveness. Run services: monitor security operations and intelligence (monitor, detect, respond to and mitigate threats); govern data incident response and forensics practices.
    Conform
    - Privacy requirements. Demonstrate: record a personal data access audit trail, including the data subject rights to access, modify, delete and transfer data; run data processor/controller governance, including providing processor guidance, tracking data processing activities, providing an audit trail and preparing for data subject access requests; document and manage the compliance program (ongoing monitoring, assessment, evaluation and reporting of GDPR activities). Respond: respond to and manage breaches.
    - Security requirements. Demonstrate: demonstrate technical and organisational measures to ensure security appropriate to the processing risk; document the security program (ongoing monitoring, assessment, evaluation and reporting of security controls and activities). Respond: respond to and manage breaches.
  • 23. Other activities with tools that can help address GDPR. Privacy requirements, Govern: develop data lifecycle management processes; maintain an enterprise vocabulary; manage data subject quality; govern risk and compliance; vendor management.
  • 25. GDPR brings new requirements (www.bigid.com, BigID)
  • 26. Addressing subject access requests: you need to know whose data it is. The obstacles: you don't know whose data it is; you cannot detect contextual PII; you get many false positives; you need to know where the data is going; you need to search big data.
  • 27. You need an inventory by data subject: just knowing what class of data is found where is not enough. Learning-based discovery; no duplication of data; correlate each finding to the identity; map an identity data graph.
  • 28. Data subject request automation: an identity data index provides all of a data subject's information at your fingertips. Quickly find personal data (date, location, properties); export personal data; correlate consent approvals; trigger data deletion; provide it as self-service.
  • 29. Responsible breach response: the identity index helps you minimise your exposure. Pinpoint the breach time; scan dark-web breach files; quickly find who was impacted; pinpoint the breach source; notify only those who were impacted.
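Slides 27 to 29 describe one data structure from three angles: an inventory keyed by the data subject rather than by data class, so that an access request, an erasure request and a breach in a single store can each be answered with a list of people. The following is an added illustration of that idea (it is not BigID's code and does not reproduce their product). The identity correlation is a plain alias table; the store, table, column and identifier names are hypothetical and the sample data is constructed.

```python
"""Subject-keyed personal-data inventory.

Added illustration of the idea behind these slides: index discovered
personal data by the *person* it belongs to, not only by data class and
location, so that an access request, an erasure request and a breach in one
store can each be answered with a list of affected subjects. This is not
BigID's code; all store, table and identifier names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One location that holds a personal-data attribute of a subject."""
    store: str      # data store, e.g. "crm" or "warehouse" (hypothetical)
    table: str
    column: str
    row_key: str


def _sort_key(record):
    return (record.store, record.table, record.column, record.row_key)


class SubjectInventory:
    def __init__(self):
        self._aliases = {}                   # alternate identifier -> canonical subject id
        self._by_subject = defaultdict(set)  # canonical subject id -> {Record}
        self._by_store = defaultdict(set)    # store -> {canonical subject id}

    # Identity correlation: several identifiers (email, customer id, ...) are one person.
    def link(self, canonical, *alternates):
        self._aliases[canonical] = canonical
        for alt in alternates:
            self._aliases[alt] = canonical

    def resolve(self, identifier):
        """Map any known identifier to its canonical subject id; unknown ids stand alone."""
        return self._aliases.get(identifier, identifier)

    # Discovery results are recorded against the resolved subject, not copied per store.
    def add(self, identifier, record):
        subject = self.resolve(identifier)
        self._by_subject[subject].add(record)
        self._by_store[record.store].add(subject)

    # Access request (Art. 15): every location holding data about this person.
    def subject_access(self, identifier):
        return sorted(self._by_subject.get(self.resolve(identifier), ()), key=_sort_key)

    # Erasure request (Art. 17): drop the subject everywhere; return the deletion work list.
    def erase(self, identifier):
        subject = self.resolve(identifier)
        records = self._by_subject.pop(subject, set())
        for store in {r.store for r in records}:
            self._by_store[store].discard(subject)
        return sorted(records, key=_sort_key)

    # Breach scoping (Art. 33/34): who has at least one record in the breached store,
    # optionally narrowed to the tables actually exposed.
    def affected_by_breach(self, store, tables=None):
        subjects = self._by_store.get(store, set())
        if tables is None:
            return set(subjects)
        return {s for s in subjects
                if any(r.store == store and r.table in tables for r in self._by_subject[s])}


def build_sample_inventory():
    """Constructed sample: three fictional stores that key the same people differently."""
    inv = SubjectInventory()
    inv.link("subj-alice", "alice@example.com", "cust-1001")
    inv.link("subj-bob", "bob@example.com", "cust-1002")
    inv.link("subj-carol", "carol@example.com", "cust-1003")
    # the CRM identifies people by email ...
    inv.add("alice@example.com", Record("crm", "customers", "phone", "row-11"))
    inv.add("bob@example.com", Record("crm", "customers", "phone", "row-12"))
    inv.add("carol@example.com", Record("crm", "customers", "phone", "row-13"))
    # ... the warehouse only by customer id ...
    inv.add("cust-1001", Record("warehouse", "orders", "shipping_address", "ord-501"))
    inv.add("cust-1002", Record("warehouse", "orders", "shipping_address", "ord-502"))
    inv.add("cust-1002", Record("warehouse", "marketing", "segment", "seg-7"))
    # ... and the ticketing system by email again
    inv.add("alice@example.com", Record("tickets", "cases", "body", "case-9"))
    return inv


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("warehouse breach affects:", sorted(inv.affected_by_breach("warehouse")))
    print("alice's data lives in:", [r.store for r in inv.subject_access("cust-1001")])
```

The point of the reverse index is the breach case: a class-based inventory would tell you that the warehouse holds shipping addresses, but only the subject-keyed index can say that Alice and Bob are affected and Carol is not, which is what limits notification to the people actually impacted. Narrowing by table matters for the same reason; a breach of the marketing table alone affects only Bob.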
  • 30. Data mapping, true automation: once you know where the data is, understand who is accessing it. Top-down and bottom-up; continuous compliance; data discovery, not questionnaires; enrich with business information.
  • 31. Questions time! Have a question? Ask now!
  • 32. Disclaimer
    • Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining the advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients' business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
    • IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion.
    • Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.
    • The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract.
    • The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
    • None of the statements contained herein constitutes legal advice; it is process advice only.