Do You Have a Roadmap for EU GDPR Compliance - Aug 18 2017

1. Do You Have a Roadmap for EU
GDPR Compliance?
David Morris,
Thought Leader
and Pioneer in
Cybersecurity
United States
Ian West,
Specialist in
GDPR, Data
Governance,
Data Privacy &
Security
United Kingdom
Ulf Mattsson,
CTO Security
Solutions
Atlantic BT,
United States
Khizar A. Sheikh,
Chair, Privacy,
Cybersecurity, and
Data Law,
Mandelbaum
Salsburg
United States

2. GDPR Action Plan
A Members Owned Not-for-Profit Organisation

3. GDPR = Trust
ENTERPRISE wide Trust
© 2017 - The GDPR Institute - All Rights Reserved

4. Impact
Do you control or process personal data about
ANY EU Citizens?
If so you have to be GDPR compliant by 25th May 2018
or manage the implications of the fines and the
reputational damage of any and every Data Breach
– including Customers Employees Suppliers
© 2017 - The GDPR Institute - All Rights Reserved

5. The Institutes’ Purpose
Create a community of Data Privacy, Data Security and Data Governance
experts to assist Large, Medium and Small Organisations address the
challenge and maximise the opportunity created by the
General Data Protection Regulation
GDPR Challenge
Or
GDPR Opportunity
© 2017 - The GDPR Institute - All Rights Reserved

6. The Institutes’ Community
Corporate
Clients
61 Million
Global
Experts
GDPR
Consulting
Providers
GDPR
Technology
Solutions
GDPR
Audit
Services
GDPR
Legal
Advisors
GDPR
Training
Providers
GDPR
Recruitment
Services
© 2017 - The GDPR Institute - All Rights Reserved

7. Bringing Together to Solve GDPR
GDPR
Defensible
Position
GDPR
Consulting
Providers
GDPR
Technology
Solutions
GDPR
Legal
Advisors GDPR
Recruitment
Services
GDPR
Training
Providers
GDPR
Audit
Services
61 Million
Global
Experts
© 2017 - The GDPR Institute - All Rights Reserved

8. Opportunity or Challenge?
1. Fines
2. Loss of Customers
3. Reputational Damage
COST
of
Compliance
© 2017 - The GDPR Institute - All Rights Reserved

9. Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change
GDPR = Enterprisewide Change Management
Post Room Board Room
People Process Technology Information
© 2017 - The GDPR Institute - All Rights Reserved

10. Key Questions
1. What Personal Data do you hold – Customer, Employee, Supplier,
Contractor, Sub-Contractor, Citizen, Patient etc
2. Where is that Data Located? PC hard drive, Remote Storage or Backup
Device, On Premise Database or Content Server, or in The Cloud
3. How are you using that Data?
4. Do you have Explicit or Implied Permission to use
the data in the way you are using it?
© 2017 - The GDPR Institute - All Rights Reserved

11. Immediate Action Plan
1. Seek Legal Advice
2. Conduct a Privacy Impact Assessment
3. Complete a Readiness Assessment to address the key questions
4. Secure Executive Sponsorship and a meaningful budget
5. Develop a Consent Management Strategy
6. Build a Data Subject Access Request process before you get swamped
7. Ensure you have all your Breach Detection technology in place –
Database, Content Repositories, Network Traffic, Dark Web
8. Prepare for the worst, and breathe a sigh of relief if it doesn’t happen
© 2017 - The GDPR Institute - All Rights Reserved

12. The GDPR Institute
Helping you resolve YOUR GDPR Challenge
& Maximise the GDPR Opportunity
A Members Owned Not-for-Profit Organisation
www.gdpr.institute

13. General
• The EU General Data Protection Regulation
(GDPR) was adopted on April 8, 2016 and will
take effect on May 25, 2018.
• The GDPR will replace the current the current
Data Protection Directive 95/46/EC and will be
directly applicable in all Member States without
the need for implementing national legislation.
• The Article 29 Working Party (WP29) first
guidelines on data protection officers, one-stop-
shop, and the new right to data portability were
adopted on April 5, 2017.
• More guidelines are expected for 2017.

14. Expanded Territorial
Reach
• The GDPR regulates data controllers and processors
outside the EU whose processing activities relate to
the offering of goods or services (even if for free) to,
or monitoring the behavior of, data subjects in the
EU.
• “Offering goods or services” is more than mere
access to a website or email address, but could
be triggered by use of language or currency
generally used in one or more Member States
with the possibility of ordering goods/services
there and/or mentioning customers or users
who are in EU.
• “Monitoring of behavior” will occur, e.g., where
individuals are tracked on the internet by
techniques which apply a profile to enable
decisions to be made/predict personal
preferences, etc.
• This means that a company outside the EU which is
targeting consumers in the EU will be subject to the
GDPR.

15. Role of Data
Processors
• Data processors have direct obligations for the first
time. These include an obligation to:
• maintain a written record of processing activities
carried out on behalf of each controller;
• designate a data protection officer where
required;
• appoint a representative (when not established
in the EU) in certain circumstances; and
• notify the controller on becoming aware of a
personal data breach without undue delay.
• Provisions on cross border transfers also apply to
processors, and Binding Corporate Rules for
processors are formally recognized.
• New status of data processors will impact how data
protection matters are addressed in supply and other
commercial agreements.

16. Notice /
Consent
• Data controllers must continue to provide
transparent information to data subjects at the
time personal data is obtained.
• Existing forms of fair processing notices and
consents will have to be re-examined as GDPR
requirements are more detailed.
• Consent must be freely given, specific,
informed, and unambiguous, and must be as
easy to withdraw as to give.
• Consent is not freely given if the data subject
has no genuine and free choice or is unable to
withdraw or refuse consent without detriment.
• Consent must be “explicit” for sensitive data.
• The data controller is required to be able to
demonstrate that consent was given.

17. Notice / Consent Issues
• Contracts:
• Requests for consent should be separate from other terms, and be in clear and plain language.
• Does consent provides a valid legal ground for processing where there is a significant imbalance between the data
subject and data controller?
• Whether consent has been freely given depends on, e.g., whether the performance of a contract is made conditional
on the consent to processing data that is not necessary to perform that contract (may affect e-commerce services,
among others).
• Employment:
• Member States may provide more specific rules for use of consent in employment context.
• Marketing:
• Where personal data is processed for direct marketing the data subject will have a right to object.
• This right must be explicitly brought to their attention.
• Children / Parents:
• Member States can lower the age from whom data can be collected from 16 to 13 (lack of harmonization).
• Data Transformation:
• When is data no longer the data subjects’ personal information?

18. Penalties
• The GDPR establishes a tiered approach to
penalties.
• Enables the DPAs to impose fines for some
breaches of the greater of 4% of annual
worldwide revenues or 20 million euros (e.g.,
breach of requirements relating to
international transfers or the basic principles
for processing, such as conditions for consent).
• Other specified breaches would be subject to a
fine of the greater of 2% of annual worldwide
revenues or 10 million euros .
• A list of considerations when imposing fines
(such as the nature, gravity and duration of the
breach) is included.

19. Which Authority?
• The mechanism is complicated as it
distinguishes between cross-border and
domestic processing.
• There are complex cooperation and
coordination procedures for DPAs.
• To have their cases dealt with locally, the GDPR
contains a detailed regime with a Lead
Authority and Concerned Supervisory
Authorities working together.
• The WP29 has provided guidance on how to
identify a Lead Supervisory Authority.
• It remains to be seen how it will work in
practice and whether it can work without forum
shopping.

20. GDPR Already a Reality
Source: Cordery Legal Compliance, UK, 2017 20

21. GDPR Rules Requires Data Protection Technology
Source: Imperva, 2017 21

22. GDPR Case Studies
Source: EU GDPR Report, Crowd Research Partners, 2017 22
1.US and Spain – customer
data
2.Italy, Germany and more –
financial data
3.Germany – outsourcing
4.Sweden – PII data
• US and Spain – customer data
• Italy, Germany and more – financial data
• Germany – outsourcing
• Sweden – PII data

23. Preparing for GDPR
23