TRANSCRIPT
Internal Audit, Risk, Business & Technology Consulting
Fast Track Your GDPR Compliance
with the Microsoft Cloud & Protiviti
• Location: Doubletree by Hilton | McLean, VA
• *Pricing: General: $399, Ass./Non/Edu/Gov: $349, Workshops: $299
• Audience: SharePoint & Office 365 Business & Technical Users
• Goal: 135-150 Attendees, 8 Sponsors
• Session Topics Include:
  • Office 365
  • Salesforce + SharePoint
  • SharePoint for GRC
  • GDPR
REGISTER BY FEB 16TH, GET AN AMAZON ECHO DOT!
ProCollabCon.com
ProCollabCon 2018 Full Agenda
Monday, April 30, 2018
10:00 am – 4:00 pm Office 365 Business User Workshop
10:00 am – 4:00 pm Nintex Workflow Workshop
Tuesday, May 1, 2018
8:00 am – 9:00 am Registration & Breakfast
8:00 am – 5:30 pm Sponsor Booths Open
9:00 am – 10:30 am Keynote Presentation
10:45 am – 12:00 pm Educational Breakout Sessions
12:00 pm – 1:00 pm Networking Lunch
1:15 pm – 2:30 pm Educational Breakout Sessions
2:45 pm – 4:00 pm Educational Breakout Sessions
4:15 pm – 5:30 pm Educational Breakout Sessions
5:30 pm – 7:30 pm Conference Happy Hour
Wednesday, May 2, 2018
10:00 am – 4:00 pm Office 365 Admin Workshop
10:00 am – 4:00 pm Nintex Forms, Hawkeye & Mobile Workshop
• Business Process Automation
• Usability & Accessibility
• Office 365 Security
• Public Facing Websites
4 Microsoft MVPs!
Keynote Speaker: Dux Raymond Sy
ONLY $399!!! Workshops ONLY $299!!
13 Sessions! Food, Parking & Wireless Included!
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
BEFORE WE START…
1. Today’s program is an open discussion. We encourage participation & questions.
2. Attendees will receive a workshop recap following today's session.
3. Please attempt to minimize disruptions, and remember to mute your cellphones.
AGENDA
Who We Are
What are the GDPR Regulations?
Personal Data
Compliance with the Microsoft Cloud
Microsoft’s Commitment to GDPR
Microsoft Cloud & Office 365 Solutions to support GDPR
GDPR Compliance Program
Resources
3,500 professionals
Over 20 countries in the Americas, Europe, the Middle East and Asia-Pacific
70+ offices
Our revenue*: $743 million in 2015
Protiviti (www.protiviti.com) is a global consulting firm that helps
companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60
percent of Fortune 1000® and 35 percent of Fortune Global 500®
companies. Protiviti and our independently owned Member Firms
serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including
those looking to go public, as well as with government agencies.
Ranked 57 on the 2016 Fortune 100 Best Companies to Work For®
list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI).
Founded in 1948, Robert Half is a member of the S&P 500 index.
WHO WE ARE
PROTIVITI’S SOLUTION OFFERINGS
Internal Audit, Risk, Business & Technology Consulting
WHAT ARE THE GDPR REGULATIONS?
WHAT ARE THE GDPR REGULATIONS?
The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
New data privacy regulation designed to bring clarity & strengthen privacy rights for EU residents
GDPR is a regulation, not a directive: it is directly applicable in every member state from May 25, 2018 (does not require EU member states to enact their own laws)
Replaces the existing Directive 95/46/EC, which resulted in a patchwork of national laws across the EU (e.g., the UK Data Protection Act); covers the European Economic Area (EEA): the 28 EU member states plus the 3 further EEA states
Applies to organizations globally who do business with, market products to & gather behavioral data on EU residents
Applies to both data processors and data controllers
KEY GDPR REQUIREMENTS
Data Breach Notification: Requirement to report personal data breaches to the supervisory authority (DPA) within 72 hours of becoming aware of them, and in high-risk cases to the data subjects as well
Privacy by Design & by Default: Firms must minimize the collection of personal data and ensure that the right security controls are in place. A Data Protection Impact Assessment (DPIA) is required for high-risk data processing; transfers of data outside the EU are a factor that raises the risk
Data Subject Rights: New rights include the right to access, correct and export (data portability) personal data, and the right to erasure
Consent: Requirement to gain unambiguous consent (explicit consent for special categories of data); opt-out is not permitted
Global Mandate: Applies to all organizations globally who collect, store and process personal data for EU residents
Data Protection Officer (DPO): DPO required for organizations that conduct regular and systematic monitoring of data subjects on a large scale or process Special Categories of data (e.g., healthcare/medical) on a large scale
Evidence of Risk Mitigation: Per GDPR rules, organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks
KEY GDPR REQUIREMENTS
Privacy by Design & by Default: Firms must minimize the collection of personal data and ensure that the right security controls are in place. A DPIA is required for high-risk data processing; transfers of data outside the EU are a factor that raises the risk
• Data privacy is protected by design, and by default
• Minimize the types of personal data collected from data subjects, and the storage of that data
• Be capable of legally justifying collection of specific types of personal data
• Controller must conduct a Data Protection Impact Assessment (DPIA) for high-risk processing (the DPIA also feeds many other GDPR requirements, including data security, privacy by design, breach notification, legitimate interest, purpose limitation and fair processing)
• Controller must keep records of data processing activities
KEY GDPR REQUIREMENTS
Consent: Requirement to gain unambiguous consent (explicit consent for special categories of data); opt-out is not permitted
• Presumption against valid consent if there is a clear imbalance of power between company and consumer
• “Opt out” consent is not permitted
• Consent must be freely given, specific, informed, unambiguous, and given through a clear affirmative action
• Explicit consent is required for sensitive (special category) data
• Data subjects must be able to withdraw consent, and withdrawing must be as easy as giving it
• Specific consent required for each new data processing operation (unless substantially similar to the previous operation)
• For online services offered directly to children, a child under 16 requires parental consent (member states may lower the age to 13)
KEY GDPR REQUIREMENTS
Data Subject Rights: New rights include the right to access, correct and export (data portability) personal data, and the right to erasure
• Data subjects may request a copy of their personal data
• Data subjects may request that their personal data be corrected
• Data subjects may request that their personal data be deleted (“right to be forgotten”)
• Controller may specify under which conditions personal data is shared, corrected and deleted in response to data subject requests
• Consider when a data subject’s data is co-mingled with another data subject’s personal data
• Consider when a data subject’s data is part of a record that must be retained for tax purposes (invoices, contracts, etc.)
• How data subject rights are dealt with is a legal question, not an information security question
KEY GDPR REQUIREMENTS
Data Breach Notification: Requirement to report personal data breaches to the supervisory authority (DPA) within 72 hours of becoming aware of them, and in high-risk cases to the data subjects as well
• The supervisory authority (Data Protection Authority, DPA) must be notified of a personal data breach within 72 hours of the controller becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals)
• Data subjects must also be notified, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms; the regulation sets no 72-hour figure for this notice
• Includes a duty for data processors to notify the controller (the company that collected and controls the data) without undue delay after becoming aware of a breach
KEY GDPR REQUIREMENTS
Global Mandate: Applies to all organizations globally who collect, store and process personal data for EU residents
• Affects organizations worldwide, no matter where in the world the personal data is collected, stored or processed
KEY GDPR REQUIREMENTS
Evidence of Risk Mitigation: Per GDPR rules, organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks
• Maintain, and potentially provide to regulators, documentation regarding the data protections implemented, test procedures and audit results
KEY GDPR REQUIREMENTS
Data Protection Officer (DPO): DPO required for organizations that conduct regular and systematic monitoring of data subjects on a large scale or process Special Categories of data (e.g., healthcare/medical) on a large scale
RISK BASED APPROACH & PENALTIES
A key objective of GDPR is to take a risk based approach to data privacy, to help organizations prioritize compliance while maximizing privacy and effective use of personal data.
• Effective method for ensuring a high level of protection of the rights and freedoms of individuals
• Ultimately, creates better outcomes and more effective protection for individuals
• Enables stakeholders to dedicate resources to the areas where risks and potential harms for individuals are most significant and to mitigate these risks
Penalties: up to €20M or 4% of the organization’s annual global turnover, whichever is higher (this is the upper tier; a lower tier of €10M or 2% applies to other infringements)
(data subjects can also claim compensation for damage suffered as a result of an infringement, including data breaches)
RISK BASED APPROACH TO DATA PRIVACY
Risk Definition (Recital 75): The risk to the rights and freedoms of individuals of “varying likelihood and severity” may result from personal data processing, which could lead to “physical, material, or non-material damage”.
Examples of “physical, material or non-material damage” (Recital 75):
• Identity theft/fraud, financial loss
• Discrimination, reputational damage, and any other significant economic or social disadvantage
• Unauthorized reversal of pseudonymization
• Preventing individuals from exercising control over their data
• Processing special categories of personal data (Article 9)
• Profiling individuals
• Processing children’s and vulnerable persons’ data
• Processing large amounts of personal data
• Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data
Internal Audit, Risk, Business & Technology Consulting
HOW DO WE DEFINE PERSONAL DATA?
IS THIS “PERSONAL DATA” UNDER GDPR?
Vehicle Identification Number (VIN)
Yes: “…the vehicle identification is directly related to the identity of the owner of the car who is in several cases identical with the driver”
- Opinion of the European Data Protection Supervisor (EDPS) on the proposal for a Regulation of the European Parliament and of the Council concerning type-approval requirements for the deployment of the eCall system and amending Directive 2007/46/EC
IS THIS “PERSONAL DATA” UNDER GDPR?
Employee ID Number
Yes: “…Accordingly, in the business context, a photo of someone on an identification badge or on a video monitor is “personal data,” as is a listing of employee salaries designated either by employee name or some identification number (company ID number, social security system/tax ID number)”
- Proskauer on Int’l Litigation and Arbitration
IS THIS “PERSONAL DATA” UNDER GDPR?
Meal Preference on Commercial Air Travel
No: Not listed as one of the 19 elements that make up PNR data in Annex I of DIRECTIVE (EU) 2016/681 (Directive of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime)
Caveat: Annex I lists the PNR data elements that carriers must transfer to authorities; it is not the GDPR definition of personal data. A meal preference recorded against a named passenger is still information relating to an identifiable person, and a religious or medical meal request can reveal Article 9 special-category data. Directive 2016/681 itself (Article 13) prohibits processing PNR data that reveals religion or health, so treat such fields as personal data rather than as exempt.
PNR DATA ELEMENTS LISTED IN ANNEX I OF DIRECTIVE (EU) 2016/681
• PNR record locator
• Date of reservation/issue of ticket
• Date(s) of travel
• Name(s)
• Address/Contact info
• All forms of payment info
• Complete itinerary
• Frequent flyer info
• Travel agent info
• Travel status of passenger
• Split/divided PNR info
• General remarks
• Ticketing field info
• Seat number
• Code share info
• All baggage info
• Number and other names of travellers on the PNR
• Advance Passenger Information (API) data collected
• All historical changes to the PNR listed in the above 18
IS THIS “PERSONAL DATA” UNDER GDPR?
Photo (assume no other information)
Yes
“The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.”
- Implied by Recital 51 of the GDPR
IS THIS “PERSONAL DATA” UNDER GDPR?
Opinions About Others (typically in an employment environment)
Yes: “The definition [of personal data] also specifically includes opinions about the individual, or what is intended for them.”
- U.K. Information Commissioner’s Office, Key definitions of the Data Protection Act
HOW DO WE DEFINE PERSONAL DATA?
Personal Data (Article 4): any information relating to an identified or identifiable natural person (“data subject”), i.e. one who is and/or can be identified, directly or indirectly, in particular by reference to one or more identifiers (“types of subject data”), such as:
• Online Identifiers (Recital 30)
• Special Category Personal Data (Article 9)
CATEGORIES OF PERSONAL DATA
IDENTIFIER (Art. 4) (Personal Data about the Data Subject)
• Name
• Address
• Email Address
• Passport Number
• Financial & Bank Info.
• Date of Birth
• Health Care Data
• Biometric Data
• Employee ID
• Phone Number
Online IDENTIFIER (Rec. 30) (“…online identifiers [Personal Data] provided by their [Data Subject’s] devices, applications, tools and protocols…”)
• IP Address (static, dynamic)
• MAC Address
• Cookies
• International Mobile Equipment Identity (IMEI)
• Advertising IDs
• GPS, other location data
• Log Files
• Browser Fingerprints
Special Category IDENTIFIER (Art. 9) (Special Categories of Personal Data about the Data Subject)
• Biometric Data (where processed to uniquely identify a person)
• Religious & Philosophical Beliefs
• Trade Union Membership
• Genetic Data
• Race
• Ethnic Origin
• Health/Medical
• Sex Life
• Sexual Orientation
GDPR COMPLIANCE WITH THE
MICROSOFT CLOUD
“MAKE NO MISTAKE, THE GDPR SETS A NEW AND HIGHER BAR FOR PRIVACY RIGHTS, FOR SECURITY, AND FOR COMPLIANCE. AND WHILE YOUR JOURNEY TO GDPR MAY SEEM CHALLENGING, MICROSOFT IS HERE TO HELP ALL OF OUR CUSTOMERS AROUND THE WORLD.”
BRAD SMITH
PRESIDENT & CHIEF LEGAL OFFICER, MICROSOFT CORPORATION
PROVIDING CLARITY AND CONSISTENCY FOR THE
PROTECTION OF PERSONAL DATA
Enhanced personal privacy rights
Increased duty for protecting data
Mandatory breach reporting
Significant penalties for non-compliance
The General Data Protection Regulation (GDPR) imposes new rules on organizations in the European Union (EU) and those that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents, no matter where they are located.
Microsoft believes the GDPR is an important step forward for clarifying and enabling individual privacy rights
WHAT ARE THE KEY CHANGES TO ADDRESS THE GDPR?
Personal privacy. Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal data
• Export personal data
Controls and notifications. Organizations will need to:
• Protect personal data using appropriate security
• Notify authorities of personal data breaches
• Obtain appropriate consents for processing data
• Keep records detailing data processing
Transparent policies. Organizations are required to:
• Provide clear notice of data collection
• Outline processing purposes and use cases
• Define data retention and deletion policies
IT and training. Organizations will need to:
• Train privacy personnel & employees
• Audit and update data policies
• Employ a Data Protection Officer (if required)
• Create & manage compliant vendor contracts
WHAT DOES THIS MEAN FOR MY DATA?
MICROSOFT’S COMMITMENT
To simplify your path to compliance, we are committing to
GDPR compliance across our cloud services when
enforcement begins on May 25, 2018.
We will share our experience in complying with complex
regulations such as the GDPR.
Together with our partners, we are prepared to help you
meet your policy, people, process, and technology goals on
your journey to GDPR.
SIMPLIFY YOUR PRIVACY JOURNEY
Centralize, Protect, Comply with the Cloud
Process all in one place: Centralize processing in a single system, simplifying data management, governance, classification, and oversight.
Maximize your protections: Protect data with industry leading encryption and security technology that’s always up-to-date and assessed by experts.
Streamline your compliance: Utilize services that already comply with complex, internationally-recognized standards to more easily meet new requirements, such as facilitating the requests of data subjects.
UNCOVER RISK AND TAKE ACTION
Discover data across systems
• Easily discover and catalog data sources
• Identify where personal info resides across devices, apps and platforms
• Increase visibility with auditing capabilities
Govern access and processing
• Enforce use policies and access controls across your systems
• Classify data for simplified compliance
• Easily respond to data requests and transparency requirements
Protect through the entire lifecycle
• Protect user credentials with risk-based conditional access
• Safeguard data with built-in encryption technologies
• Rapidly respond to intrusions with built-in controls to detect and respond to data breaches
DEMONSTRATION
MICROSOFT GUIDANCE ON CLOUD SOLUTIONS FOR GDPR: https://docs.microsoft.com/en-us/office365/enterprise/office-365-information-protection-for-gdpr
OFFICE 365 COMPLIANCE MANAGER: https://aka.ms/stp
GDPR COMPLIANCE PROGRAM
WHERE DO YOU START?
11 Chapters
99 Articles
173 Recitals
APPROACH TO GDPR COMPLIANCE
Requires a comprehensive effort and strong program management to implement legally-driven policies, processes, and practices to drive the formalization and efficiency of GDPR programs
• Compliance assessments, gap analysis, monitoring and remediation of GDPR data protection regimes
• Implementation of Data Discovery and Classification (DDC) programs
• Implementation of “Right to be Forgotten” and related programs in advance of GDPR
• Privacy impact assessments/data protection impact assessments
• Augmentation, training and deployment of GDPR cross-functional teams including legal, business and IT, to promote communication and collaboration
• Defining team member roles and responsibilities
• Developing and executing training and awareness programs
Phase 1: Discovery & Inventory (identify high risk areas to ensure a focused approach)
• Inventory of EU personal data, including classification level, data controller, processor and exchanges
• Formal inventory of processing activities
Phase 2: Risk Assessment / Gap Analysis (determine exposure and prioritize compliance activities)
• Assess data collection, processing, storage and protection measures, assignment of a DPO, transfers to 3rd parties, risk assessment practices and security policies
Phase 3: Data Protection & Compliance Remediation (implement changes to achieve compliance)
• Obtain executive management support and funding
• Establish compliance program structure and governance
• Identify compliance strategies
• Implement remediation plans
Phase 4: Report for Ongoing Compliance (provide evidence of accountability & compliance)
• Testing and validation
• Implementation of reporting and monitoring tools/processes
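The Discovery & Inventory phase above ("Inventory of EU personal data, including classification level") and the three categories on the earlier "Categories of Personal Data" slide (Art. 4 identifiers, Rec. 30 online identifiers, Art. 9 special categories) are what a data discovery scan has to produce. The following Python is an added example, not Protiviti's or Microsoft's tooling and not part of the original deck: it searches constructed sample sources for structured identifiers (email, international phone number, IPv4 address, MAC address, IMEI), tags each hit with the slide's category, validates IMEI candidates with the Luhn check digit so that arbitrary 15-digit numbers are not reported, and rolls the hits up per source. The regular expressions, the kind-to-category mapping, and the sample records are all assumptions made for this example; Art. 9 special-category data is intentionally left to manual review because it cannot be recognized by pattern alone.

```python
import re
from typing import Dict, List, Tuple

# Constructed mapping from detectable identifier kinds to the GDPR categories
# used on the "Categories of Personal Data" slide. Art. 9 special-category data
# (health, religion, ...) is deliberately not pattern-matched: it needs context
# or human review, so a scanner like this can only flag the sources to look at.
CATEGORY = {
    "email": "Art. 4 identifier",
    "phone": "Art. 4 identifier",
    "ipv4": "Rec. 30 online identifier",
    "mac": "Rec. 30 online identifier",
    "imei": "Rec. 30 online identifier",
}

# Assumed patterns for this example; tune them to the data you actually hold.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "imei": re.compile(r"\b\d{15}\b"),
    # International format only (+CC ...); national formats vary too much for one regex.
    "phone": re.compile(r"\+\d{1,3}[ -]?\d{2,4}(?:[ -]?\d{2,4}){2,3}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. IMEIs carry a Luhn check digit, so a 15-digit
    run that fails this test is not an IMEI and should not be reported."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Return (kind, gdpr_category, value) for every identifier found in text."""
    hits: List[Tuple[str, str, str]] = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "imei" and not luhn_valid(value):
                continue  # 15 digits with a bad check digit: a serial/order number, not an IMEI
            hits.append((kind, CATEGORY[kind], value))
    return hits


def inventory(sources: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Count hits per GDPR category for each data source: the first column of a
    Discovery & Inventory table (which sources hold which class of personal data)."""
    result: Dict[str, Dict[str, int]] = {}
    for name, content in sources.items():
        counts: Dict[str, int] = {}
        for _, category, _ in scan(content):
            counts[category] = counts.get(category, 0) + 1
        result[name] = counts
    return result


# Constructed sample sources: fictional person, documentation IP range (203.0.113.0/24),
# a well-known test IMEI, and the same digits with a broken check digit.
SAMPLE_SOURCES = {
    "crm_export.csv": "Anna Schmidt,anna.schmidt@example.com,+49 30 1234 5678",
    "web_access.log": '203.0.113.42 - - [01/May/2018:09:15:00 +0000] "GET /account HTTP/1.1" 200',
    "mdm_inventory.txt": "device 00:1A:2B:3C:4D:5E imei 490154203237518 serial 490154203237519",
}

if __name__ == "__main__":
    for source, counts in inventory(SAMPLE_SOURCES).items():
        print(f"{source}: {counts}")
    # The name "Anna Schmidt" is not detected: names and Art. 9 data need a
    # dictionary, NER or manual review; regexes only cover structured identifiers.
```

Run it directly to print the per-source category counts. In a real DDC program this output feeds the inventory of controllers, processors and exchanges rather than replacing it: a hit tells you that a source holds a class of personal data, not why it is processed or on what legal basis.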
KEY CONSIDERATIONS FOR RISK ASSESSMENT
What about the data transfer?
Special considerations? (Employee data, works councils, information security, etc.)
What’s the basis for processing?
With whom are you sharing the information?
Privacy policy vs. privacy notice
GDPR COMPLIANCE ROADMAP
1. Legal Basis for Processing: Help to evaluate and remediate the legal basis on which personal data is collected and processed.
2. Consent: Help to evaluate and remediate consent practices, when relying on the data subject’s consent for processing personal data.
3. Privacy Notice: Help to evaluate and remediate internal privacy policies and external privacy notifications and the process for training and communications.
4. Data Subject Rights: Implement processes that address the rights of data subjects (e.g., access, rectification, erasure, and portability of personal data).
5. Privacy by Design & Default: Implement controls to help ensure appropriate privacy safeguards are in place and are considered prior to new implementations.
6. Third Party Due Diligence: Help to evaluate and remediate third party contracts for vendors who process personal data on behalf of the client.
7. Records of Processing: Help to evaluate records of processing activities, establish data processing inventories, and the process to maintain such records.
8. Data Security: Help to evaluate and remediate data security and access controls employed to protect personal data.
9. Breach Notification: Implement newly established breach notification requirements and incorporate them into the client’s Incident Response plans.
10. Data Protection Impact Assessment: Evaluate processing activities and conduct a DPIA if processing is likely to result in high risk to data subjects’ rights and freedoms.
11. Data Protection Officer: Evaluate requirements and the need for a Data Protection Officer (DPO). If required, act as the DPO on behalf of the client.
12. Cross-Border Data Transfers: Help to evaluate and remediate legal methods in place for transferring personal data outside of the EU.
Required Capabilities: Legal, Business, IT, Information Security
GDPR COMPLIANCE WITH THE MICROSOFT CLOUD & PROTIVITI
• Protiviti has partnered with Microsoft to assist them with building some of the GDPR tools & guidance for their customers
• Protiviti has deep expertise with Microsoft Cloud solutions and in conducting GDPR assessments for F500 organizations
• Microsoft is the first major cloud services provider to pledge GDPR compliance by May 25, 2018
• Microsoft has been an industry leader on Model Clauses, HIPAA, ISO 27018, and is taking a similar lead on GDPR compliance
• Microsoft offers the most comprehensive set of compliance capabilities of any major cloud service provider
• Microsoft’s speed of solution innovation is high: continual innovation to enable partners and customers to meet their compliance needs
REFERENCES
• http://www.microsoft.com/GDPR
• GDPR Assessment Tools
• Microsoft GDPR Assessment (online version)
• Microsoft GDPR Detailed Assessment
• Microsoft 365 Trust Center
• Office 365 Secure Score (login to Office 365 required)
• Compliance Manager in Office 365 – PREVIEW