Welcome!

Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm and PCI QSA, providing assurance services to clients worldwide. The firm has over 13 years of experience in information assurance by performing assessments, audits, and tests that strengthen information security and compliance controls.

Services Overview
- Regulatory Compliance
- Information Security Consulting
- Policy and Procedure
- Risk Assessment
- Internal Audit Plan Development
- Readiness Audits
- Penetration Testing
Information Security Guidance and Audit Services: SOC 1, SOC 2, SOC for Cybersecurity, PCI DSS, HIPAA, HITRUST, GDPR, ISO 27001/27002, FISMA

Connect With Us
- Subscribe to our blog for regular industry updates, tips, and best practices
- Visit our library of recorded webinars
- Check out our free video resources and subscribe to our YouTube Channel
- Connect with us on LinkedIn, Twitter, and Facebook

Legal Disclaimer
This presentation is provided by KirkpatrickPrice for educational and/or informational purposes only and does not constitute legal advice. No attorney-client relationship is established by viewing this presentation. Should you need legal advice, please consult with your attorney.

GDPR: Which Requirements Apply to You?

Which Requirements Apply to You?
- GDPR roles and definitions
- Requirements:
  - Data processing principles
  - Contracts
  - Data subject rights
  - Data protection by design and default
  - Designated representative
  - Breach notification
  - Data Protection Officer
  - Record of processing
  - Data Protection Impact Assessments
  - International data transfers
- Questions (maybe answers)

GDPR Roles
- Controller: the natural or legal person which determines the purposes and means of the processing of personal data (Article 4(7))
- Processor: the natural or legal person which processes personal data on behalf of the controller (Article 4(8))
- Joint Controller: where two or more controllers jointly have authority and determine the purposes and means of processing (Article 26)
- Controller/Processor: where a person or organization is simultaneously a controller and a processor for different processing functions

Data Processing Principles

Controller:
- Transparency: privacy policies, TOS/TOU
- Legal basis for processing: consent, contract, law
- Purpose limitation
- Data minimization: least data necessary for the data processing purpose

Processor:
- Transparency: privacy policies, TOS
- Legal basis for processing: contract with controller
- Purpose limitation
- Data minimization: least data necessary for the data processing purpose

Data Processing Principles (continued)

Controller:
- Accuracy: reviewed, updated, and rectified
- Storage limitation: retained only as long as necessary
- Security: appropriate organizational and technical measures
- Accountability: data governance program, DPO, processor oversight, review and correction

Processor:
- Accuracy: reviewed, updated, and rectified
- Storage limitation: retained only as long as the controller requires and until the end of the agreement with the controller
- Security: appropriate organizational and technical measures; confidentiality agreements
- Accountability: data governance program, DPO, processor oversight, review and correction

Data Processing Agreements
Written agreement between controllers and processors. Includes these required elements:
- Descriptions of processing activities, data, and data subjects
- Duration
- Confidentiality
- Subprocessor engagement restrictions
- Security requirements
- Support of controller obligations (data rights, DPIA, breach)
- Cooperation with controller (information requests, audits, inspections)

Data Subject Rights
- Controller: receive, investigate, and respond to data subject requests
- Processor: facilitate the controller’s ability to respond to data subject rights

Data Protection by Design and Default

Controller:
- Consider: technology available; cost; nature, scope, context and purpose of processing; risks to rights and freedoms
- Implement: appropriate controls; pseudonymization; access limitations for each processing activity

Processor:
- Provide the controller sufficient guarantees of data protection by design and default

Breach
- Controller: notify supervisory authority; notify data subjects
- Processor: notify controller

Records of Processing

Controller (“conditional requirement”), content:
- Controller details
- Purposes of processing
- Data subjects
- Personal data
- International transfers
- Data retention
- Description of security measures

Processor (“conditional requirement”), content:
- Processor details
- Controller details
- Categories of processing
- International transfers

Data Protection Officer
Controller and Processor: required for both if core activities involve special categories of data or large-scale monitoring of data subjects on a regular and systematic basis. The DPO has the same tasks, qualifications, and position in either case.

Data Protection Impact Assessment

Controller:
- Perform a DPIA for processing likely to result in a high risk to individuals
- Include: description of purposes; assessment of necessity, proportionality, and compliance measures; risk assessment; risk mitigation

Processor:
- Support controllers in: identifying risk; processing documentation

Designated Representative in the EU
Same requirement for both controllers and processors. Factors:
- Volume
- Frequency
- Special categories of data
- Criminal data

International Transfers
Both controllers and processors need to:
- Keep personal data in the EU, or
- Transfer to a jurisdiction with adequate safeguards, or
  - Binding corporate rules
  - Standard data protection clauses
- Establish an exception:
  - Data subject consent
  - Contract with data subject (for occasional international transfers)
  - Public interest
  - Legal claim

In conclusion…
- Most of GDPR’s requirements apply in some way to both controllers and processors
- Biggest differences in responsibility: legal basis for processing; data subject rights requests; breach notification; Data Protection Impact Assessments
- Controllers and processors are jointly and severally liable

Questions?