Gdpr action plan
1. Do You Have a Roadmap for EU GDPR Compliance?
David Morris, Thought Leader and Pioneer in Cybersecurity, United States
Ian West, Specialist in GDPR, Data Governance, Data Privacy & Security, United Kingdom
Ulf Mattsson, CTO Security Solutions, Atlantic BT, United States
Khizar A. Sheikh, Chair, Privacy, Cybersecurity, and Data Law, Mandelbaum Salsburg, United States
12. The GDPR Institute
Helping you resolve YOUR GDPR Challenge
& Maximise the GDPR Opportunity
A Members Owned Not-for-Profit Organisation
www.gdpr.institute
13. General
• The EU General Data Protection Regulation (GDPR) was adopted on April 8, 2016 and will take effect on May 25, 2018.
• The GDPR will replace the current Data Protection Directive 95/46/EC and will be directly applicable in all Member States without the need for implementing national legislation.
• The Article 29 Working Party's (WP29) first guidelines on data protection officers, the one-stop-shop, and the new right to data portability were adopted on April 5, 2017.
• More guidelines are expected for 2017.
14. Expanded Territorial Reach
• The GDPR regulates data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behavior of, data subjects in the EU.
• “Offering goods or services” is more than mere access to a website or email address, but could be triggered by use of language or currency generally used in one or more Member States with the possibility of ordering goods/services there and/or mentioning customers or users who are in the EU.
• “Monitoring of behavior” will occur, e.g., where individuals are tracked on the internet by techniques which apply a profile to enable decisions to be made/predict personal preferences, etc.
• This means that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
15. Role of Data Processors
• Data processors have direct obligations for the first time. These include an obligation to:
  • maintain a written record of processing activities carried out on behalf of each controller;
  • designate a data protection officer where required;
  • appoint a representative (when not established in the EU) in certain circumstances; and
  • notify the controller on becoming aware of a personal data breach without undue delay.
• Provisions on cross-border transfers also apply to processors, and Binding Corporate Rules for processors are formally recognized.
• The new status of data processors will impact how data protection matters are addressed in supply and other commercial agreements.
16. Notice / Consent
• Data controllers must continue to provide transparent information to data subjects at the time personal data is obtained.
• Existing forms of fair processing notices and consents will have to be re-examined as GDPR requirements are more detailed.
• Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give.
• Consent is not freely given if the data subject has no genuine and free choice or is unable to withdraw or refuse consent without detriment.
• Consent must be “explicit” for sensitive data.
• The data controller is required to be able to demonstrate that consent was given.
17. Notice / Consent Issues
• Contracts:
  • Requests for consent should be separate from other terms, and be in clear and plain language.
  • Does consent provide a valid legal ground for processing where there is a significant imbalance between the data subject and data controller?
  • Whether consent has been freely given depends on, e.g., whether the performance of a contract is made conditional on consent to processing data that is not necessary to perform that contract (may affect e-commerce services, among others).
• Employment:
  • Member States may provide more specific rules for the use of consent in the employment context.
• Marketing:
  • Where personal data is processed for direct marketing, the data subject will have a right to object.
  • This right must be explicitly brought to their attention.
• Children / Parents:
  • Member States can lower the age from which a child's data can be collected on the basis of consent from 16 to 13 (lack of harmonization).
• Data Transformation:
  • When is data no longer the data subject's personal information?
18. Penalties
• The GDPR establishes a tiered approach to penalties.
• It enables the DPAs to impose fines for some breaches of the greater of 4% of annual worldwide revenues or 20 million euros (e.g., breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent).
• Other specified breaches would be subject to a fine of the greater of 2% of annual worldwide revenues or 10 million euros.
• A list of considerations when imposing fines (such as the nature, gravity and duration of the breach) is included.
19. Which Authority?
• The mechanism is complicated as it distinguishes between cross-border and domestic processing.
• There are complex cooperation and coordination procedures for DPAs.
• To have their cases dealt with locally, the GDPR contains a detailed regime with a Lead Authority and Concerned Supervisory Authorities working together.
• The WP29 has provided guidance on how to identify a Lead Supervisory Authority.
• It remains to be seen how it will work in practice and whether it can work without forum shopping.
22. GDPR Case Studies
Source: EU GDPR Report, Crowd Research Partners, 2017
1. US and Spain – customer data
2. Italy, Germany and more – financial data
3. Germany – outsourcing
4. Sweden – PII data
Welcome to my session and Thank you for inviting me
FinTech - Wikipedia
https://en.wikipedia.org/wiki/Financial_technology
Financial technology, also known as FinTech, is an industry composed of companies that use new technology and innovation to leverage available resources in .
Cyber Risk Management in 2017: Challenges & Recommendations
With cyber attacks on the rise, securing your data is more imperative than ever. In future, organizations will face severe penalties if their data isn’t robustly secured. This will have a far reaching impact for how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree these controls are in place and where to prioritize their cyber dollars and ensure they are not at risk for fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
Risk Assessment. We evaluate your digital footprint and infrastructure to find and resolve vulnerabilities in your network, databases, applications, storage, and other infrastructure.
Data Security. We map the flow of data across your digital footprint, applications environment, library framework, source code, and storage to pinpoint risks before they turn into attacks.
Secure Hosting. We create dynamic, cloud-based environments with inside-out security controls to protect your systems and storage from attacks and other service disruptions.
Application Security. We practice “secure by design” discipline in our software development. This protects your custom applications by automating secure coding standards and testing at every step.
Integrated Tools. We architect holistic security solutions that integrate traditionally siloed tools to give you a lean and flexible security stack—reducing the effects of tools sprawl and wasted level of effort.
Monitoring and Contingency Plans. We monitor your systems, applications, and digital interactions for threats and architect back-up capabilities to quickly restore service if a breach occurs.
https://www.atlanticbt.com/services/cybersecurity/
Examples of Services That Can Fill The Gap
Security Services
Audit & Assessment Services
Application Security Consulting
Managed Vulnerability Scanning
Security Tools Implementation
Virtual CISO
Application Services
Application Hosting & Cloud Migration
IT Consulting & Information Architecture
Software Development & User Experience Design