Preparing for the GDPR: Attaining and Demonstrating Compliance

Transcription

1 Preparing for the GDPR: Attaining and Demonstrating Compliance IAPP Privacy. Security. Risk. September 16, San Jose (CA) Copyright 2016 by Nymity Inc. All rights reserved. This document is provided as is without any express or implied warranty. This document does not constitute legal advice and if you require legal advice you should consult with an attorney. Forwarding this document outside your organization is prohibited. Reproduction or use of this document for commercial purposes requires the prior written permission of Nymity Inc.

2 Preparing for the GDPR: Attaining and Demonstrating Compliance The EU General Data Protection Regulation Understanding Accountability under the GDPR Operationalizing Accountability From Accountability to Compliance: Evidence Appropriate Technical and Organization Measures How Nymity helps Compliance in Practice Paul Breitbarth Nymity The Hague (NL) Joseph Alhadeff Oracle Washington D.C. (US) Andy Garner Nymity London (UK)

3 Introducing Nymity A Data Privacy Research & Solutions Company Focus: Dedicated to global data privacy compliance research Established: 2002 Offices: Toronto, Canada (HQ) London, UK The Hague, the Netherlands Bogota, Colombia Boulder, Colorado, USA Research: Inventor of several compliance methodologies & frameworks Funding: Partially funded by government R&D grants Software Solutions for the Privacy Office Privacy Management Solutions: Nymity Attestor Nymity Benchmarks Nymity Templates Nymity Planner Compliance Research Solutions: Nymity Research Nymity LawTables Nymity MofoNotes Nymity LatAm Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.

4 EU General Data Protection Regulation What is the GDPR and why is it relevant? Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data One main data protection law for all EU Member States (until further notice including UK) Fully applicable from 25 May 2018 to all organizations processing personal data in the EU or when offering goods and services to people in the EU New financial penalties in case of non-compliance Maximum 20 million euro; or 4% worldwide annual turnover (whichever is higher)

5 EU General Data Protection Regulation Nymity s Approach to GDPR Compliance Checklist-based guidance to GDPR implementation is ubiquitous Nymity has a different approach that has been made available for free, based on many years of own research Focus on accountability and demonstrating compliance Not a one-off exercise No ticking boxes Going concern that requires attention on an ongoing basis

6 EU General Data Protection Regulation GDPR Compliance We envisage three types of organizations in 2018: 1. Those who are non-compliant 2. Those who are compliant 3. Those who are able to demonstrate ongoing compliance Snapshot of a given moment in time (compliant) vs. readiness to deal with changing circumstances because the fundamentals of the police are sound (ongoing compliance) Free tools available today at More advanced solutions at a subscription basis

7 Nymity GDPR Compliance Toolkit

8 Understand Accountability under the GDPR Replacement of the obligation to register with DPA Understand your data processing operations on an ongoing basis: Both what and why Article 24 Responsibility of the Controller Article 5 Principles relating to personal data processing Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 ( accountability ).

9 Accountability Cornerstone of the GDPR replaces notification obligation Accountability requires the need to show what you are doing (demonstrate compliance): To the supervisory authority To individuals Reduce risk of investigations and/or fines Quicker response to complaints and breaches - save time

10 Operationalizing Accountability: Structured Privacy Management Accountability Approach to Demonstrating Compliance Structured Privacy Management is embedding ongoing privacy management activities throughout the organization, resulting in the ability to demonstrate accountability and compliance with evidence. RESPONSIBILITY Privacy management activities have been implemented and are maintained on an ongoing basis. OWNERSHIP Privacy management activities are embedded throughout the organization within each function or business unit that processes personal data. EVIDENCE Documentation is produced as a result of a privacy management activity that can be used as Evidence of accountability and compliance.

11 Nymity Privacy Management Accountability Framework Accountability Approach to Demonstrating Compliance Privacy management activities are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data or that relate to compliance with privacy and data protection laws.

12 Evidence and Compliance Article 24 requires organizations to demonstrate that the processing of personal data is performed in compliance with this Regulation. Demonstrating compliance is a dialogue, the privacy office uses evidence to tell the story Not: Are we compliant right now? Instead: How do we comply on an ongoing basis?

13 Appropriate Technical and Organizational Measures Appropriate dependent on the specificities of an organization DPA Guidance can be expected in the coming years Don t wait Many measures are likely already part of your privacy program Document what is currently undocumented Best practices available Make sure you are ready to tell the story behind your privacy policy and illustrate it with supporting documents Nymity research tools accessible via IAPP Resources

14 Evidence and Compliance 39 of 99 Articles in the GDPR require Evidence to demonstrate compliance What about the others? Definitions Enforcement Actions Legal Obligations Codes of conduct

15 Evidence and Compliance Evidence of ongoing privacy management activities, embedded throughout the organization 55 mandatory privacy management activities

16 Nymity GDPR Compliance Toolkit

17 Nymity GDPR Compliance Toolkit Privacy Management Accountability Annotations

18 Nymity GDPR Compliance Toolkit Readiness Assessment Questions

19 Nymity GDPR Compliance Toolkit Roadmap for Demonstrable GDPR Compliance

20 Nymity Attestor Andy Garner Nymity

21 Compliance in practice Joseph Alhadeff Oracle

22 In Conclusion How Nymity Helps Free GDPR Compliance Toolkit Subscription-based Solutions Privacy Management Accountability Annotations Accountability Roadmap for Demonstrable Compliance Readiness Assessment Questions

23 Thank Copyright 2016 by Nymity Inc. All rights reserved. This document is provided as is without any express or implied warranty. This document does not constitute legal advice and if you require legal advice you should consult with an attorney. Forwarding this document outside your organization is prohibited. Reproduction or use of this document for commercial purposes requires the prior written permission of Nymity Inc.