Regulation
• Any company worldwide that collects and processes personal data of an individual in the EU is subject to the regulation
• Fines for data breach or non-compliance: 4% of worldwide revenue or 20 million Euro
• Must provide breach notification within 72 hours
• Encompasses a wide variety of personal data
• Took effect on May 25, 2018
• Russia: Federal Law of July 27th 2006
• Switzerland: Federal Act on Data Protection
• South Africa: The Protection of Personal Information Act 2013
• Mexico: Federal Law on the Protection of Personal Data
• Argentina: Data Protection Act of 2000
• Chile: Law for the Protection of Private Life
• Jamaica: Data Protection Act (Pending)
• Other Countries: Dubai, South Africa, India, Philippines, Australia, Singapore, Japan, South Korea, China
Category of personal data | Examples | Where it is found
… | last name | Application forms & reports
2. Geographic location | Physical address, Longitude/Latitude | Mobile Apps / Pictures
3. Internet location | IP Address | Websites, VPN/network connectivity
4. Biographical information / current living situation | Physical address, Date of birth, Social Security, phone number, email address | Application/Registration forms
5. Look, appearance / behavior | Eye color, weight, character traits | Medical Records, Identification Records
6. Workplace information / educational info | Salary, tax information, student numbers | Financial Information, Student info/cards
7. Private and subjective data | Religion, political opinions and geo-tracking data | Websites, News (Local laws raised concern among Journalists *)
8. Health / sickness / and genetics | Medical History, genetic data, sick leave info | Medical Records, and Biometric applications
• Identify compliance gaps in how it is stored or processed
• Plan the next steps
Recommend hiring an expert:
• Reduces the time to become compliant
• They will have learnt from other implementations
Look for the following expertise:
• Risk and compliance: due to government regulations
• Information Technology: impacts how systems operate
• Information Security: for incident handling and other information security controls
• Legal: to ensure third-party agreements and other contracts are appropriately drafted
rendered completely unreadable
• In a security breach, this information cannot be abused by an attacker
• Customer data privacy is enforced
• IT systems may be impacted
  • Either change vendor, or modify existing systems
  • Performance may be impacted
• Business processes may change:
  • Redesign to add extra steps in accessing encrypted data
  • Lower ease of use (customers/staff)
Pseudonymization
• Masks parts of the data
• Replaces identifying information with artificial identifiers
• Cannot identify persons if used outside of the defined context
• Limits the risk associated with a data breach
• Data analysis will now be required to use this "masked" information
  • Profiling and data analysis can still be performed
• Software development and UAT must use pseudonyms instead of production data
• Changes the way we work
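The pseudonymization described above, as an added illustration that is not part of the original slides: identifying fields are replaced by a random artificial identifier, the pseudonym-to-identity table is kept apart from the masked records (that table is the "defined context"), and profiling still works because one person always receives one pseudonym. The record layout and field names are assumptions for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample records (fictitious people, not real data). name, email and
# ssn identify the person; age_band and purchase are what analysis needs.
RECORDS = [
    {"name": "Ana Example", "email": "ana@example.com", "ssn": "000-11-2222",
     "age_band": "30-39", "purchase": 40.0},
    {"name": "Ana Example", "email": "ana@example.com", "ssn": "000-11-2222",
     "age_band": "30-39", "purchase": 15.5},
    {"name": "Ben Sample", "email": "ben@example.org", "ssn": "000-33-4444",
     "age_band": "40-49", "purchase": 99.0},
]
IDENTIFYING_FIELDS = ("name", "email", "ssn")  # assumed set of direct identifiers


def pseudonymize(records):
    """Replace identifying fields with an artificial identifier.

    Returns (masked_records, lookup_table). The lookup table (pseudonym ->
    identifying fields) must be stored and access-controlled separately from
    the masked records; the masked records alone cannot identify anyone.
    """
    by_person = {}   # ssn -> pseudonym, so one person always gets one token
    lookup = {}      # pseudonym -> identifying fields (the "defined context")
    masked = []
    for rec in records:
        pid = by_person.get(rec["ssn"])
        if pid is None:
            pid = "P-" + secrets.token_hex(8)  # random, not derived from the data
            by_person[rec["ssn"]] = pid
            lookup[pid] = {f: rec[f] for f in IDENTIFYING_FIELDS}
        masked.append({"pid": pid,
                       **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}})
    return masked, lookup


def total_purchases_per_person(masked):
    """Profiling on masked data: one person -> one pseudonym, so totals still work."""
    totals = defaultdict(float)
    for rec in masked:
        totals[rec["pid"]] += rec["purchase"]
    return dict(totals)


def reidentify(pid, lookup):
    """Only a holder of the separately kept lookup table can reverse a pseudonym."""
    return lookup.get(pid)
```

Development and UAT environments would receive only the masked records, never the lookup table.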
principles of Least Privilege and Need-to-Know Access
• Implement authentication and authorization
• IT systems may be impacted
  • Either change vendor, or modify existing systems
  • Performance may be impacted
• Business processes may change:
  • Redesign to add extra steps in accessing encrypted data
  • Lower ease of use (customers/staff)
Protect your systems and network
• Align with an appropriate information security framework
  • ISO27000
  • PCI
  • COBIT
• Provides guidance to effectively protect personal data and the systems in which it resides
• IT may already have selected a framework
  • If not, significant investment may be required
has designated a Data Protection Officer
• Responsibilities outlined in the GDPR requirements
Breach notification follows the guidelines outlined
• Reporting to the Data Protection Authority
• Report to affected individuals
its processing
• Categories of personal data collected
• Recipients of this data
• Update website, contract, and application forms
  • Display cookie usage and policy
  • Disclose data collection and processing
Consent
• Individuals must consent to the collection and processing of their personal information
• May already exist
• May require professional review
Inaccurate or Incomplete data
• Individuals have the right to request rectification
• Must correct data upon notification by the individual
• Must notify third parties that received incorrect data*
• Provide a mechanism for collecting customer requests
• Verify the individual making the request
data must be available to the individual
• Data must be available in a portable form
• Data portability allows for its reuse at other service providers *
• Provide a mechanism for collecting customer requests
• Verify the individual making the request
• Require further review, based on existing business processes
Objection to Data Processing
• Individuals have the right to object to data processing
• Must stop, unless there are "compelling legitimate grounds" that override their rights (legal advice)
• Provide a mechanism for collecting customer requests
• Verify the individual making the request
Right to be forgotten
• Erase all personal data, upon request, within one (1) month, if (at discretion) *
  • Data not required for initial purpose
  • Data subject withdraws consent
  • Data subject objects to processing
  • Data is unlawfully processed
• Must notify all third parties to stop processing and erase the data
• Must make a similar public advisory if the data was made publicly available
cookies/tracking
• Customer registration information
• Third party contractors/vendors information
Empower customers to control the use of their data:
• Obtain customer permission
• Provide customers access to, and control of, their data
• Implement protection of customer data and related systems
• Get professional support