1. The Rise of Privacy: Complying with GDPR in the United States
Gene Geiger President of A-LIGN

2. Presenter Leads A-LIGN’s service delivery
Areas of concentration include PCI DSS, ISO 27001, FedRAMP, FISMA, HIPAA/HITECH and HITRUST
Holds the following designations:
CPA
QSA
CCSK
ISO LA
CISSP
HITRUST Practitioner
PCIP
Gene Geiger
President of A-LIGN
| ©2018

3. Agenda Privacy Landscape Overview of GDPR Impact of GDPR
Steps to Prepare
Appendices
| ©2018

4. Privacy & Data Protection Environment
Source: International Association of Privacy Professionals
| ©2018

5. General Data Protection Regulation
Adopted April 27, 2016, replaces the Data Protection Directive
Protects personal data of EU citizens
Expands citizen control over personal data
Unifies existing privacy regulations
Full implementation by May 25, 2018
| ©2018

6. Why Is GDPR Important? Penalties of noncompliance
Fines up to 4% of global revenue or $20 million
EU Commission-directed data protection audits
Individual lawsuits
Restricted access to data
Loss of organizational certifications
Damaged reputation
| ©2018

7. Why is GDPR Challenging?
Source: CIPL and AvePoint Release Global GDPR Readiness Report
| ©2018

8. 6 Main Principles Lawfulness, fairness, and transparency
Purpose limitation
Data minimization
Accuracy
Storage limitation
Integrity and confidentiality
| ©2018

9. What is Personal Data? Identifies a real person by: Name
Photos
Banking Info
Social Media
Medical Info
IP Address
Indirect & Direct Identifiers
Biometric & Genetic Data
Identifies a real person by:
Name
Identification number
Location data
Online identifier
One or more factors specific to the … identity of that person
Difference between personal data in US and EU
PII is a term that is used by US – Coined by NIST
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Non PII information according to US: Device IDs, IP addresses, Cookies
Personal Data is a term used by EU
‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity;
An “identification number” does include an IP address or cookie string
Personal Data according to the GDPR Regulation and its actual definition:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
| ©2018

10. Comprehensive Requirements
Breach Notification
Consent
Privacy Notice
Accountability
Territorial Scope
Security Obligations
Pseudonymisation
Data Protection Officer
Privacy by Design
Penalties
Breach Notification - 72 hours to notify data subjects and supervisory authority
Consent – to justify processing personal data, and consent can be withdrawable
Privacy notice - this is a letter that contains information telling people what you are doing with their data
Accountability –how you comply with the regulation by deploying and demonstrating both of policies and principles regarding the regulation
Territorial Scope – any entity that processes personal information of EU citizens ( in the EU ) is applicable to the Regulation
Security Obligations – to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Pseudonymisation –encrypting personal data and keeping it secured
Data Protection Officer – to monitor the compliance with the GDPR
Privacy by design – to manage and minimize access to confidential data
Penalties
| ©2018

11. Expanded Privacy Rights
Right to be informed when data is collected
Right to object to data collection
Right to access collected data
Right to challenge and change data
Right to transfer data easily between any processors
Right to be forgotten (erase data)
| ©2018

12. Required Consent Unambiguous Consent For non-sensitive information
Social media, business telephone numbers, etc.
Explicit Consent
For sensitive information
Medical records, social security numbers, etc.
Different levels of sensitivity – According to regulation
"Sensitive Personal Data" are personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data. Data relating to criminal offences and convictions are addressed separately (as criminal law lies outside the EU's legislative competence).
Non-sensitive information is all other personal data.
| ©2018

13. Does GDPR Impact You?
GDPR applies to any organization in and outside the EU that collects/processes EU citizens’ personal data
Organizations that collect EU residents’ data
Controllers
Organizations that process data on behalf of controllers
Processors
| ©2018

14. How Will GDPR Affect U.S. Organizations?
Changing operational policies for a comprehensive privacy management program
Contracting third-party processors and controllers
Strategizing data security and breach notification
Appropriately using personal data
| ©2018

15. GDPR Implementation Challenges
Privacy program implementation and management
Data identification and location
Relationship with data processors (service providers)
Breach notification requirements
Data security
Resources
| ©2018

16. GDPR Misconceptions 4% or $20,000,000 fine
GDPR applies equality to all types of data
GDPR certification is required
Every company must have a Data Protection Officer
Encryption of data removes GDPR requirements
Privacy Shield compliance is enough for GDPR
| ©2018

17. Steps for Compliance Data mapping exercise
Gap assessment against GDPR requirements
Engage outside resources as needed
Develop privacy management system
| ©2018

18. Steps for Compliance Discover risk areas within the business
Identify risk mitigation recommendations for improved security
Implement solutions within the business 
Start by asking yourself these questions:
Does my organization implement safeguards to ensure the confidentiality, integrity and availability of data?
Are safeguards periodically reviewed to ensure they are working as expected?
Is data processing sufficiently monitored to detect and alert malicious activity?
Should a data breach occur, are procedures in place to limit unauthorized disclosure of data?
Are employees properly trained to protect data according to their roles and responsibilities?
| ©2018

19. Best Practices
Implement protection solutions for processing activities
Apply encryption keys to all data
Limited access to data
Regularly audit of protection solutions
Train personnel on requirements and mechanisms
| ©2018

20. GDPR Recap Mandated adoption May 25, 2018 10 key GDPR requirements
Non-compliant fines up to 4% of global revenue
Enhances individual rights
Demonstrates responsibility and accountability
Improves organization through trust and effectiveness
| ©2018

21. Appendices Information Commissioners Office GDPR Questionnaires
Controller
Processor
Guide to the GDPR
GDPR Guide
| ©2018

22. Appendices ISACA – Data Protection Impact Assessment
Data Protection Impact Assessment Template
| ©2018

23. Questions? 888.702.5446 | www.A-LIGN.com | info@a-lign.com