GDPR Countdown: Targeting a Defensible Position by May 2018

Presentation to Legal.IT, Montreal, March 23, 2018

© 2018 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.




Introductions: With You Today

François Senécal, Manager, Information Management and eDiscovery

Sylvia Kingsmill, Partner, Data Protection & Privacy, Forensic Services, Risk Consulting


Discussion Topics

1. GDPR Overview
2. Key GDPR Impacts
3. Market Observations
4. Next Steps
5. Closing Thoughts


GDPR Overview


The Wait is Finally Over!

The GDPR at a glance: 88 pages, 99 articles, 11 chapters, 173 recitals.

Timeline (2012 to 2019):

• January 25, 2012: Initial proposal by the Council of the EU
• December 17, 2015: Agreement reached between all 3 parties
• April 8, 2016: Adoption by the Council of the EU
• April 14, 2016: Adoption by European Parliament
• May 4, 2016: Published in the Official Journal of the EU
• 2017: Guidelines published by the CNIL and the “Article 29” working party
• May 25, 2018: GDPR must be implemented!!

• The EU General Data Protection Regulation (GDPR) will reform, modernize and replace the 1995 EU Data Protection Directive

• The objective is to harmonize data protection rules across 28 EU member states by creating a single, comprehensive EU data protection framework for the processing of and free flow of data, with a one-stop shop mechanism for enforcement

• The reform aims to give control to EU citizens and strengthen consumer trust in the digital economy


Where does Canada stand?

Adequacy: Canadian private sector law has been granted partial adequacy status that allows international transfers.

Under EU law, one way to transfer personal data abroad is on the basis of an EU Commission “adequacy” decision confirming that the non-EU country provides a level of data protection “essentially equivalent” to that in the EU.


EU’s New Privacy Regime “Raises the Bar”

Parliamentary report released on February 28th 2018 identified 19 recommendations to update and modernize the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

Key Finding: PIPEDA is going to change

1. PIPEDA is not fit for purpose
2. Canada is at risk of losing adequacy standing
3. Calling for order-making powers, better consent rules and adoption of privacy by design

Privacy Commissioner Daniel Therrien says "It creates impetus, if not pressure, on other countries and economies of the world to at least consider whether the GDPR rules should be adopted in their own jurisdictions." The Globe and Mail, March 4 2018.


Why (s)care?

HUGE FINES
• The GDPR introduces fines of up to €20 million, or 4% of worldwide annual turnover, whichever is higher
• The GDPR allows individuals to seek monetary damages in court

REAL REPUTATIONAL RISK
• Enforcement activities by Data Protection Authorities (DPAs) will increase. Data protection breaches will make the headlines sooner.

OVERSIGHT/ENFORCEMENT
• Harmonized enforcement actions across the EU with “one-stop shop” cooperation
• New Data Protection Board will resolve disputes among DPAs


Objects in mirror are closer than they appear

The GDPR will apply to ALL organizations established in the EU that process EU data and ANY organization that processes data about EU residents or citizens within the EU that relate to: offering goods or services; or monitoring the behaviour of EU residents/citizens.

GDPR Applies to Canadian Businesses: a YES to any of the three questions below means the GDPR applies; NO to all three means GDPR DOES NOT APPLY.

• Do you have offices or employees in the EU?
• Do you offer goods or services to individuals in the EU through your website or mobile app and/or track them online?
• Do you process EU data on behalf of your business clients?


Key Roles and Responsibilities under the GDPR

Data Subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom the personal data is about.

Data Processor, in relation to personal data, means any person who processes the data on behalf of the data controller.

Data Controller is a person/organization who (either alone or jointly) determines what, how, why and for what purpose(s) any personal data is processed.


Lawful and Fair Processing

The General Rule: the Data Controller must have a legal basis for collecting Personal Data and must protect Personal Data throughout the information lifecycle (from acquisition to disposition).

Data Processors must provide sufficient guarantees that they comply with the GDPR and help protect Data Subject rights.

Legal Grounds for Processing:

1. Consent
2. Legal obligation
3. Performance of contract
4. Protect the interests of the Data Subject
5. Public interest or official authority
6. Legitimate interests


What is Personal Data?

• Medical records. Health information is sensitive data
• Financial information. Union membership is sensitive data
• Family and demographic information. Religious beliefs and race are sensitive data
• Home and work information. Sexual orientation is sensitive data
• Online behavioral patterns
• Fingerprints and genetic information
• Leisure activities and hobbies. Political opinions and group membership are sensitive data
• Employee data
• Travel history and location data


Key GDPR Impacts


What is Different?

The GDPR has both heightened and new requirements:

Data Protection by Design & DPIAs
Privacy must be built into the design of system architectures and processes from the start! A DPIA is required for any data processing posing a high risk or for all new data processing technologies being introduced, including profiling and predictions about Data Subjects.

Recordkeeping
Data Controllers will have to identify and inventory processes and systems handling personal information, and must be prepared to demonstrate compliance on demand.

Data Subject Rights
Data Controllers must be prepared to respond to requests for access, correction, deletion, transfers, or any objections to processing, which all depend on the legal basis for processing.

Third Party Risk Management
Vendors and suppliers must provide “sufficient guarantees” of appropriate technical and organizational measures, reflected in third-party vendor contracts.

Mandatory Data Breach Notification
Data Controllers have a 72-hour window by which they need to report breaches to the regulators and to Data Subjects where the breach is likely to affect their rights and freedoms. Data Processors must also report privacy breaches.

Accountability and Transparency
Heightened expectations for accountability and transparency for Data Controllers and Processors.

DPO (Data Protection Officer)


IT Enables Processes

Data Protection by Design
• Implies a “trilogy” of encompassing applications: IT systems (e.g., secure coding) / accountable business practices (e.g., regular testing of security controls) / physical design and networked infrastructure (e.g., privacy settings by default)

Record-Keeping/Reporting
• Tracking and recording of data processing, transfer, access, disclosure activities and objection requests (correction, portability and erasure)
• Inventory and catalogue of all GDPR events (remediation, breaches, notifications, processing, consents)

Data Minimization
• Pseudonymization, anonymization, tokenization or other data minimization tools


Legitimation

Consent
• Consent management: track and store consent metadata that shows the method and purposes of collection, allows consent to be withdrawn at any time, and ensures that processing is stopped

Cross-border Transfers
• Identification, cataloguing, and classification of unstructured data (e.g. data mapping & discovery); tracking of customer data exports/profiling and email archives stored on-premises or in the cloud
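An added illustration (not the presenters' or KPMG's own tooling) of the consent-management mechanism described above: an append-only ledger that stores the method, purposes and notice version behind each consent, lets the subject withdraw at any time, and gates processing so it stops once consent is withdrawn. The class and function names and the sample subject are assumptions.

```python
"""Consent ledger for the mechanism on the Legitimation/Consent slide.
Added example, not the presenters' tooling; every name here is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous customer id
    purpose: str           # what the data is used for, e.g. "marketing_email"
    granted: bool          # True = consent given, False = consent withdrawn
    method: str            # how it was captured: "web_form", "call_centre", ...
    notice_version: str    # privacy notice shown at capture ("" on withdrawal)
    at: datetime           # UTC timestamp of the event


class ConsentLedger:
    """Append-only record of grants and withdrawals. Nothing is overwritten:
    the full history is what lets a controller show on demand who consented,
    how, for which purposes, under which notice, and when it was withdrawn."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, granted: bool, method: str,
                notice_version: str, at: Optional[datetime]) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted, method, notice_version,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, method: str,
              notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        return self._append(subject_id, purpose, True, method, notice_version, at)

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        return self._append(subject_id, purpose, False, method, "", at)

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest appended event for the subject/purpose pair decides the state
        (the ledger is chronological, so last appended is the latest)."""
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        ev = self.current(subject_id, purpose)
        return ev is not None and ev.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return [ev for ev in self._events if ev.subject_id == subject_id]


def process_for_purpose(ledger: ConsentLedger, subject_id: str, purpose: str,
                        action: Callable[[str], str]) -> Tuple[bool, str]:
    """Processing gate: run `action` only while consent for `purpose` stands.
    Consent is the only legal basis modelled; a real gate would also accept the
    other grounds from the Lawful and Fair Processing slide (contract, etc.)."""
    if not ledger.has_consent(subject_id, purpose):
        return False, f"processing stopped: no valid consent for {subject_id}/{purpose}"
    return True, action(subject_id)


def demo() -> dict:
    """Constructed walk-through: grant, process, withdraw, processing stops."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 3, 23, 9, 0, tzinfo=timezone.utc)

    def send_newsletter(sid: str) -> str:
        return f"newsletter sent to {sid}"

    ledger.grant("subj-001", "marketing_email", "web_form", "notice-v3", at=t0)
    before = process_for_purpose(ledger, "subj-001", "marketing_email", send_newsletter)
    ledger.withdraw("subj-001", "marketing_email", "preference_centre", at=t0.replace(hour=10))
    after = process_for_purpose(ledger, "subj-001", "marketing_email", send_newsletter)
    return {"before": before, "after": after,
            "events": len(ledger.history("subj-001")),
            "never_asked": ledger.has_consent("subj-001", "analytics")}
```

Because withdrawals are appended rather than deleting the grant, the ledger still proves that consent once existed (and under which notice) after it has been withdrawn.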


Individual Rights

Data Portability
• Data extraction & export mechanism

Right to Object
• Tracking and recording of data subject rights:
  • Data access, correction, portability and erasure
  • Objection to and restriction of processing
  • Automated individual decision-making, including profiling

Right to be Forgotten
• Data extraction & purge (profile deletion tool) or algorithm in the system (including for backups)


Information Security

Security for Processing
• Encryption, pseudonymization and/or anonymization techniques (obscures the connection of data to an individual)
• Confidentiality, integrity, availability and resilience of processing systems and services in compliance with security standards, including identity and access management, perimeter and end-point security
• Privacy Enhancing Technologies for breach identification (e.g. penetration testing, threat detection, anti-malware, privileged user monitoring)
• Data Loss Prevention (DLP) tools

Secure Destruction
• Data redaction/hashing tools
• Review of backup methods

Breach Notification
• Get ready to be ready (72h is not that long)
• Audit logging, system monitoring of privileged access (alert triggers) and reporting
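An added illustration (not the deck's or KPMG's own tooling) of the pseudonymization and hashing items above: a keyed hash (HMAC-SHA-256) replaces the direct identifier so records can still be joined, while an unkeyed hash of the same field is shown to be confirmable by anyone holding a candidate value, which is why it does not by itself obscure the link to an individual. Function names and the sample records are constructed assumptions.

```python
"""Pseudonymizing direct identifiers with a keyed hash (HMAC-SHA-256).
Added example, not the presenters' tooling; names and records are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records with a direct identifier in the "email" field.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "Alice@Example.com", "country": "FR", "plan": "premium"},
    {"email": "bob@example.org", "country": "DE", "plan": "basic"},
    {"email": "alice@example.com", "country": "FR", "plan": "premium"},
]


def _canonical(identifier: str) -> bytes:
    # Normalise case/whitespace so the same person maps to the same pseudonym.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and public: anyone with a guess of the
    identifier can recompute it, so this hides the value but does not
    break the link to the person."""
    return hashlib.sha256(_canonical(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key. Without the key the value cannot be
    recomputed from a candidate identifier; the key is the additional
    information that must be kept separately from the pseudonymized data,
    so it belongs in a vault, not in the analytics dataset."""
    return hmac.new(key, _canonical(identifier), hashlib.sha256).hexdigest()


def pseudonymize(records: Iterable[Dict[str, str]], key: bytes,
                 fields: Iterable[str] = ("email",)) -> List[Dict[str, str]]:
    """Return copies of the records with the chosen identifier fields replaced.
    Records for the same person keep the same pseudonym, so joins and
    de-duplication across datasets still work."""
    out = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            if f in copy:
                copy[f] = keyed_pseudonym(copy[f], key)
        out.append(copy)
    return out


def matches(pseudonym: str, candidate: str, key: Optional[bytes] = None) -> bool:
    """Can someone holding a candidate identifier confirm it is the person
    behind `pseudonym`? For the unkeyed scheme the answer is always yes;
    for the keyed scheme only the key holder can check."""
    expected = (naive_pseudonym(candidate) if key is None
                else keyed_pseudonym(candidate, key))
    return hmac.compare_digest(pseudonym, expected)


def new_pseudonymization_key() -> bytes:
    # 32 random bytes from the OS CSPRNG; store separately from the data.
    return secrets.token_bytes(32)


if __name__ == "__main__":
    k = new_pseudonymization_key()
    for row in pseudonymize(SAMPLE_RECORDS, k):
        print(row)
```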


Market Observations


Where are You On Your GDPR Journey?

1a. Privacy Maturity Assessment: Perform a gap analysis of current privacy posture against the requirements of the GDPR.

1b. Data Process Inventory: Inventory and classify data assets.

2. Roadmap: Define a detailed plan to deliver the changes required for GDPR compliance.

3. Remediation: Close identified gaps and mobilise the program for GDPR compliance, focus on high risk areas and business units/regions.

4. Program Design & Delivery: Design/enhance and deliver the GDPR compliance program. Consider toolkits and technologies.

5. GDPR Managed Services: Sustain compliance activities and identify services that can be outsourced (e.g., DPO Managed Services).

6. Stress Testing & Internal Audit: Evaluate, test and monitor for ongoing risks and trends, conduct periodic reviews as EU regulatory guidance evolves.

Callouts on the slide: “Most are here” and “Many are still here!!”


GDPR Work Streams

Remediation Roadmap
• Program Management / Change Management
• Data Governance & Inventory
• Policies, Procedures & Guidelines
• Breach Management
• Lawfulness of processing (consent etc.)
• Third-party Risk Management
• Process and System Remediation
• Training and Awareness
• Metrics, Monitoring and Reporting
• Notices and Communication
• Data Subject Rights
• Data Retention
• Operational Processes (DPIAs)


Key Implementation Challenges

Program Ownership: The workload involved in attaining GDPR compliance is often underestimated. As a result, it will be necessary to communicate and build awareness at the outset of the project in order to help prepare the teams and organize for the implementation phase in terms of ownership, budget and ongoing program governance.

Training and Awareness: The GDPR project must have an integral learning dimension so that all stakeholders adhere to the principles of the GDPR (such as Accountability), understand its impact on current and future activities and get involved in the project, such that GDPR compliance is sustained over the long term.

Executive Sponsorship: Senior visibility and sponsorship is key. Tone from the top will drive the cultural shift and behaviours for privacy best practices, where privacy is treated as a business issue and a critical trust factor for the customer experience.

Implementation Approach: GDPR implementation is cross-functional and requires the contribution of many disciplines (privacy, security, data analytics, IT, business, legal). As a result, all stakeholders must be mobilized and brought in at the outset of the project and their involvement must be ensured throughout.


Critical Success Factors

Adopt a Risk-based Compliance Pathway (defensible position): Define and document a GDPR roadmap/action plan that describes short, medium and long-term measures to demonstrate that mitigating controls are being implemented that ultimately protect the rights and liberties of Data Subjects.

Standardize across the Enterprise: Build a strong foundation by leveraging existing privacy and security capabilities for core GDPR requirements. Identify opportunities to augment existing capabilities.

Pitch the Positive – Embrace Privacy by Design: Educate the enterprise on the benefits of a proactive privacy by design approach in terms of customer engagement. Engage and empower the business with tools to embed GDPR consistently.

Build and Sustain a Long-Term Privacy Target Operating Model: Define a target state that is measurable but adoptable. Leverage Privacy Champions to provide direction and oversight during the program implementation. Ensure your governance strategy includes privacy.


Closing Thoughts


Remember:

1. It’s business as usual… don’t panic!

2. Mitigate risk exposure rather than strive for full compliance

3. Think long term – it’s about customer trust


Thank you !

Sylvia Kingsmill, Partner, +1 [email protected]

François Senécal, [email protected]

kpmg.ca


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.