20 & 21
NOVEMBER TUESDAY & WEDNESDAY
EXCEL LONDON
ALL YOUR DATA PROTECTION NEEDS UNDER ONE ROOF
EVENT SHOWGUIDE
OPERATIONALIZE YOUR PRIVACY PROGRAM
AUTOMATE GDPR RECORD KEEPING

READINESS & ACCOUNTABILITY TOOL (GDPR Articles 5 & 24): Benchmark organisational readiness and provide executive-level visibility with detailed reports.
PIA, DPIA & PbD AUTOMATION (GDPR Articles 25, 35 & 36): Choose from pre-defined screening questionnaires to generate appropriate record keeping requirements.
DATA MAPPING AUTOMATION (GDPR Articles 6, 30 & 32): Populate the data flow inventory through questionnaires, scanning technologies or through bulk import.
COOKIE CONSENT & WEBSITE SCANNING (GDPR Articles 7 & 21; ePrivacy Directive / Draft Regulation): Conduct ongoing scans of websites and generate cookie banners and notices.
SUBJECT ACCESS RIGHTS PORTAL (GDPR Articles 12 - 21): Capture and fulfill data subject requests based on regulation-specific requirements.
UNIVERSAL CONSENT & PREFERENCE MANAGEMENT (GDPR Article 7): Embed consent management directly on the website with a standardised transaction workflow.
VENDOR RISK MANAGEMENT (GDPR Articles 28(1), 24(1), 29, 46(1)): Conduct vendor risk assessments, audit and manage data transfers to third parties.
INCIDENT & BREACH MANAGEMENT (GDPR Articles 33 & 34): Build a systematic process to document incidents and determine the necessity for notifications.
FREE GDPR WORKSHOP 4.5 CPE Credit Hours
Details and Registration Available at PrivacyConnect.com
For privacy professionals focussed on tools and best practices to operationalise compliance.
SHOW GUIDE CONTENTS

3. BigID
4. Welcome
5. Sponsors/Exhibitors
6. Partners
7. Acuity
8. Cognigo: How to Handle your First GDPR DSAR (Data Subject Access Request)
9. Cogniware: GDPR Explorer - Cognitive Approach to Compliance
10. Ardoq
11. Data Solver: 130 Days Later
12. DPOCentre: Data Protection Officers – the New Superheroes?
13. Echoworx: The World Turned Upside Down? Digital Trust, Paradox and Encryption
14. Equinix: Life after GDPR: where do we go from here?
15. EXL: The Journey to GDPR Compliance
16. Integris: Driving Data Innovation In The Wake Of Privacy Regulations
17. Interactive Services
18. Infinite Convergence Solutions: GDPR Compliant Secure Enterprise Messaging
19-20. PSKinetics - Appian: Operationalising GDPR Compliance
21. It Governance: Compliance Standards and their Role in Demonstrating GDPR Compliance
22. Keepabl: GDPR & Data Breaches: insecure or unsecure?
23. Nymity: An Accountability Approach to Data Subject Rights
24. Rare Technologies / Kalepso
25. SAI Global: Financial Services, Brand Resilience and the Data Protection Conundrum
26. Sytorus: GDPR and Managing the ‘Bang!’
27. Cybersecurity Hub / Global Banking & Finance
28. ZLTech: Which of Your Employees Are Most Likely to Expose Your Company to a Cyberattack?
29. Qualys
30. Elite Business Magazine
31. Capgemini Consulting
32. Capgemini: GDPR and Digital: beyond compliance, an opportunity
33. Deltanet: Processing Data in a Post-Brexit World
34. International Marketing Agency / DataRails
35. Dell: The Recovery Imperative - restarting your Business in the Aftermath of a Destructive Malware Attack
36. Ohalo: Implementing Information Security in a World
37. Protiviti: To Report or Not to Report, that is the Question
38. Iomart: 10 Frequently Asked Questions about GDPR
39-40. Trustarc
41. Trusthub: Opportunities Become Apparent when Business Becomes Transparent
42. DataGrail
43. Echoworx
44. Varonis: Data on the Loose: why it’s time to regain control
45. DPOware: Simplifying Compliance
46. Dataguise
47. Nymity
Schedule a demo bigid.com/demo
Redefining Personal Data Protection & Privacy Find, Inventory & Map User Data at Scale
Data-driven Compliance Advanced PII Discovery
GDPR Compliance
Automated Data Mapping
Data Subject Access & Erasure
Breach Identification & Notification
Lineage Analysis
Residency and Retention Analysis
Security & Privacy Risk Measurement
Track Data Access
Centralized Consent Management
3 bigid.com
@bigidsecure
info@bigid.com
welcome TO DATA PROTECTION WORLD FORUM
We are delighted to welcome you to Data Protection World Forum.

Implementation of the General Data Protection Regulation (GDPR) makes 2018 a pivotal year in data protection and privacy. Taking place six months after the introduction of GDPR, Data Protection World Forum arrives as high-profile data breaches clamour for headline space on websites and in newspapers around the world. These stories not only highlight the many challenges organisations face in their bid to comply with more stringent data laws, but they also demonstrate a global awakening to the concept of data privacy, which Apple boss Tim Cook recently labelled a “fundamental human right.”

Featuring 150 expert speakers and over 70 vendors, Data Protection World Forum will showcase more data protection and privacy solutions providers than any other European event of its kind. Attendees can look forward to talks from leaders in data privacy, protection and cyber security, along with advice on how organisations can keep up to speed with regulatory demands.

We trust the event will be a place for people to learn, network and gain the very latest insight on the data protection and privacy landscape. In addition to the event, we also publish www.gdpr.report and Data Protection Magazine to offer up-to-date news on all aspects of data protection.
Enjoy the show! 4
thanks to our sponsors & exhibitors
5
thanks to our partners
6
STREAM Integrated Risk Manager Fast, flexible, scalable and easy-to-use GRC platform for cyber and privacy risk management
Rated 5* by SC Magazine for four consecutive years GRC, Risk and Policy Management Review 2018
See quantitative risk management in action Visit stand 30 Contact us for a FREE 30-day STREAM Trial https://acuityrm.com/
Acuity Risk Management
@AcuityRM
7
STAND 7 How to handle your first GDPR DSAR (Data Subject Access Request)
Data Subject Access Requests (DSARs) are not new with GDPR, but the new legislation has introduced some updates and changes which need to be considered and which make the data discovery and labelling process more complex. Organisations that receive a DSAR need to comply at no cost (in most cases) and respond within one month. Personally Identifiable Information (PII) which has been collected over the span of the organisation’s lifetime must now be easily discoverable and securely accessible to fulfil GDPR compliance and to mitigate financial penalties. The collection of such data has proven to be quite complex, resource-consuming and expensive for organisations. Cognigo’s DataSense combines artificial intelligence and cognitive computing to discover, label and govern personally identifiable data and enforce data security policies automatically and continuously across the enterprise.
Request: The source of the data. Where did you get the data? It could be from a marketing activity that the user registered for, an event the user attended and got scanned at, a partnership, a deal you made or any other source for that matter. Knowing where the data is may give you an indication of where and why it was collected. Imagine how long it would take to locate the data for a specific user if you don’t know where it is.

Request: The purpose of processing. What was the purpose of processing the data? It could be almost anything, depending on what your business does. It could be patient data for health records, it could be for a sales opportunity, or just a user that got logged in the systems for other purposes.

Request: List the recipients to which the personal data was disclosed. In this case you have to figure out if this data was shared and, if so, who it was shared with. Again, this is a task that takes time and resources, and the information is hard to find within the wealth of data you manage on a daily basis.

Request: Your retention period for storing the personal data. Do you know how long the different pieces of data are stored and how long you intend to store them? Do you have a policy in place for the data storage period?

Request: Information regarding the transfer of personal data to a third country or other organisation. Provide the name of the country or the organisation, and affirm that safeguards are in place to ensure the data is held securely.

Request: Deletion and minimisation of data. Users can request the deletion of all saved data and receive confirmation. This, under regular circumstances, may require access to multiple systems, databases, cloud storage, CRM, emails etc. and could take weeks to figure out. This is a real challenge which requires a solution that can save time and human resources upon each DSAR submitted, to improve the lives of CISOs and Privacy Officers. For us at Cognigo, we had it quite simple: all our data is constantly under inspection and under data security policy controls. We only needed to type the customer’s email in the DataSense search bar and the full information was immediately available and generated as a report.

Request: List the categories of personal data concerned. This one is quite tricky, as GDPR has enhanced the range of what is considered personal data. With such a large range of potential data to be considered personal, context becomes very important: the context in which it was collected and the context in which it is stored. Context is tricky because understanding context is based on human logic.
about cognigo Cognigo is a single point of control to manage and protect critical data assets and PIIs. Gain deep and context-aware visibility into enterprise-wide data. Achieve data protection and GDPR compliance in days, not months.
8
Demo Pod e Cogniware GDPR Explorer - Cognitive Approach to Compliance
When GDPR came into effect on May 25th 2018, many companies were, and still are, rushing to put their new data processes in place. As such, acknowledging the value of data and rethinking data management has become the need of the hour for organisations to stay compliant with the new directive and assure their clients and partners of how carefully they handle data. However, the path to systematic and efficient use of data is often not easy to find and typically carries a high effort threshold. Cogniware has a rich history of delivering solutions focused on understanding unstructured data and offering complex security analysis for national security organisations. “We have been able to put this extensive experience to use today through Cogniware GDPR Explorer and help companies wade through their data protection setbacks,” says Jan Racko, co-founder and CEO of Cogniware. He further explains that the core of solving any organisation’s data protection challenge is simple: “It starts by finding and categorising sensitive data.” This data can include sensitive agreements protected by NDAs, manufacturing guidelines of a company, and design papers, “all containing sensitive information that should be kept under control,” Racko emphasizes. Unfortunately, most organisations, in their pursuit to resolve GDPR-related issues quickly, are seen making superfluous investments. Cogniware has taken its time to thoroughly understand the regulation by consulting with data protection officers, lawyers, and business owners to build a solution that is transparent and efficient. “Our value proposition lies in our ability to connect all the siloed data sources of an organisation and recognize sensitive information that needs to be protected,” states Racko. Once GDPR Explorer analyses all the records from the relevant systems (email servers, databases, enterprise systems, document stores and more), it creates a full catalogue of sensitive data including personal information.
Suddenly data protection with GDPR compliance becomes possible. Alongside, the solution’s alerting module continuously notifies of any sensitive information out of place or out of time. DPOs and security managers can constantly track the sensitive data and GDPR-related processes through GDPR Explorer’s 360-degree view dashboard and check if all the GDPR obligations are covered. At the end of each process responding to a request for data erasure, correction, portability, etc., the DPO generates a PDF statement, which serves as the final response to the data subject (customer). Coupled with that, GDPR Explorer is equipped to show detailed records of individuals and supports minimisation of the information stored. “With retention policies that trigger notifications, you can always keep the information stored for the right amount of time and in secured places only,” he explains. Cogniware’s growing footprint in the GDPR compliance management landscape is a fitting testament to its cost-effective and transparent data management approach. Citing a few examples, Racko mentions that Cogniware has efficiently helped companies like Prague Casting Services (a precision casting foundry), Houston Analytics (an IT company), a major government organisation in the Czech Republic and one of the largest Scandinavian food chains to overcome their GDPR challenges. Increasingly, the veracity of Cogniware’s GDPR solution is also making its way into countries outside the EU (like the U.S.). To seize such opportunities further, Cogniware is constantly enhancing its algorithms to further increase the accuracy of personal information recognition. “In a nutshell, we aim to redefine the approach to GDPR compliance and emerge as a major game-changer in the business landscape.”
About Cogniware Cogniware is one of the most experienced companies in Central and Eastern Europe in the areas of Unstructured Data Analysis (natural language processing, picture and voice analytics), Big Data Analytics, Cognitive and Enterprise Content Management solutions. We specialize in merging unstructured and structured data to exponentially increase the utilization of clients’ information. All of our experience is gathered in Cogniware GDPR Explorer, the latest of our SW products, letting companies identify sensitive information throughout the organization and act upon it.
9
Address GDPR compliance with Ardoq AI application
Risk and compliance architecture.
Rich graph analytics and auto-generated visualizations
Customizable templates for GDPR data mapping
Supports and integrates with existing security and quality solutions
Read our special GDPR magazine to learn more about how Ardoq helps enterprises understand GDPR as an integrated part of wider risk and compliance architecture.
ARDOQ.COM

Ardoq cited in Market Insight: Address GDPR Compliance With AI Application (March 2018).
10
STAND 74 130 Days Later
Data Solver is working with Barclays Law Tech Lab, sponsored by The Law Society, and a number of large-scale law firms and other regulated organisations. We know that the GDPR came into force on 25th May 2018, so after consulting our colleagues within these firms, let’s look at what has happened since and the main challenges and landscape shifts organisations are facing.

Data protection is getting democratised across organisations, which is great, but companies are struggling with how best to manage the implications for their non-legal departments and people. Expertise and technology are seen as the solution, but expertise is in short supply and tech solutions don’t always deliver what they promise.

It’s good to hear that the ICO is supporting and cooperating constructively with business in respect of increasingly complex cyber issues and the implementation of genuine privacy-by-design strategies. Now that Facebook and Cambridge Analytica have dropped off their to-do list, it is likely that enforcement and proactive management of adherence to the GDPR will be scaled up. Companies shouldn’t rest on their laurels, however, as ePrivacy will likely come into force in 2020 and will be as significant as GDPR, if not more so. Therefore, preparations should begin now.

Organisations are finding that, as a result of the GDPR, internal cross-departmental collaboration and the removal of silos is happening. Compliance is now better funded and is a boardroom priority; however, a bridge still remains to be crossed between legal and IT. We are hearing that marketing- and customer-facing teams are generating the most errors and that a knowledge gap exists here; there is also an attitude of “our competitors are doing that so we’re not going to stop”. The compliance culture will need to mature a little in some of these organisations.
In respect of breach management, we are seeing that the 72-hour deadline is often not met, companies want to find causes and solutions ahead of reporting, and breach protocols are being rigorously tested and in many cases failing, as organisations attempt to follow paper policies. The most problematic issues appear to be a deep lack of knowledge of the GDPR’s implications and of translating that into a company’s own practices and business-as-usual behaviour. Most people have undergone the readiness phase but are juggling ongoing management like a hot potato. The poor DPO is heading for spreadsheet saturation and playing the whack-a-mole game! They need all the support they can get: financially, technically and in the boardroom.

Beth Kendall-Hirons, Sales and Marketing Director at Data Solver.
About Data Solver and Founder Claire Banwell-Spencer Claire is a dual-qualified Barrister and Solicitor, with 15 years’ experience and an MBA from Cranfield School of Management. Claire was the Group Head of Compliance of the largest property services group in the UK, where she experienced first-hand the pain caused to organisations and their customers by breaches of privacy legislation. She understood that those challenges would only deepen in May 2018, when the introduction of the General Data Protection Regulation would cause a seismic shift in financial and reputational risk for organisations that didn’t comply. Driven by the desire to make the complex simple and create practical solutions for legal compliance, Claire, with the support of her co-founder, Vinay Nagaraju, created Data Solver. Data Solver’s Privacy Management Software automates compliance with the GDPR. Its products and tools provide case management processing, risk mapping and system-driven recommendations and audits, which provide practical, expert, cost-effective and automated privacy solutions via the concept of “Privacy by Design”, a key GDPR principle. Organisations will experience a simplification of the complexity of the GDPR and an acceleration of compliance with the GDPR on an ongoing basis. Claire is also a trustee and legal and compliance officer to a UK charity and a GDPR consultant to a number of other UK organisations. You can meet Claire at the Data Protection Forum in November.
11
Data Protection Officers – the new Superheroes? The DPO’s role is multi-faceted. It’s already changed greatly and will continue to evolve. Recognising this evolution and appointing DPOs with the best possible background and skills will help organisations put ePrivacy and personal data at the heart of their business and give them a real business advantage.

Where have Data Protection Officers typically come from? In the run-up to May 25th, companies appointed DPOs from all sorts of backgrounds, sometimes without really understanding what the role involved. Senior managers sometimes thought their time was better spent elsewhere and, in some cases, were conflicted. Site general managers often didn’t have the time. Functional middle management, like marketing or IT experts, didn’t always understand how other departments like finance and HR operated and often didn’t have the necessary authority or influencing skills to make things happen. Even in-house legal counsel potentially had a conflict of interests. It wasn’t uncommon for the appointed DPO to be the “last man (or woman) standing!!” Despite this, they already do a great job…
What makes a good DPO? DPOs need to wear many hats and have a wide range of skills. A legal or compliance-based background and a detailed knowledge of the GDPR and DPA are definitely important, as is strong IT knowledge. But it’s also the soft skills – putting together a compliance framework across a large organisation needs good project management skills, influencing skills, a thick skin and persistence. An ability to remain unperturbed by apathy also helps in some cases.
How has the DPO role changed with the GDPR? According to the GDPR, the DPO’s role is to inform and advise, monitor compliance, provide advice and work with the supervisory authority. In practice, at the coal face, the role is changing all the time. Before May 25th, the main focus was understanding what the GDPR was all about. DPOs first had to take the text and translate it. This isn’t easy – it’s a law written in “legalese” and by definition generically applicable – DPOs have to get to grips with the legal concepts, understand how they apply to each organisation’s specific situation and then explain them to management and staff who unfortunately often saw the whole thing as a box-ticking exercise. Once the translation is done, DPOs have to start policing what the company is doing. Many long-established working practices aren’t compliant, and DPOs advise that these have to stop or need changing. Again, not straightforward, particularly if they don’t have full support across the senior management team!! Currently, for many organisations, the policing is the role’s main focus, but I’m sure it will evolve further.
How will the role evolve? It’s all well and good saying “you can’t do this”, but DPOs then have to answer the question “well, what should I do instead?”. Often change is required to achieve compliance, and DPOs will be key to this. Change is tough: it requires influencing and leadership skills, persistence, a thick skin and a sound knowledge of the subject to be credible. Good DPOs with these skills will help facilitate this.
STAND 39
Looking further forward again, companies managing personal data and privacy particularly well will set themselves ahead of their competitors. Designing strategies, products and services incorporating privacy from the outset – Privacy by Design – will be at the heart of this. DPOs will have a key strategic role to play. They won’t just deliver change, they’ll help define the strategy.
Why the role is so important The data protection landscape is evolving all the time – it’s a change that isn’t going to go away, and there’s increasing pressure to put personal privacy at the heart of the agenda. New technology and AI require an increasing reliance on data, and new ePrivacy legislation will be with us at some point. Companies ignoring personal privacy will lose the trust of their customers and suffer both reputational and financial costs when held to account. The DPO’s role of representing the data subject is therefore vital.
What makes the perfect DPO? There’s no perfect template for the ideal DPO – but it is really difficult to fulfil all the roles we’ve discussed, to have the necessary soft skills and to keep up with changing legislation and practices. Having a primary outsourced DPO working part-time within an organisation, who is also a member of a team of multi-disciplined DPOs, can bring numerous benefits. Additional resources can be brought in when required, drawing from a far wider knowledge base. Procedures and policies can be validated across numerous organisations, and model documentation continuously updated and enhanced based on the experience of working in a range of industry sectors. By using this model, DPOs at the DPO Centre can perhaps provide far greater value in this key role than an independent contractor or internal employee. At the DPO Centre, we suggest to our team that it isn’t necessary to wear a cape to be a DPO Superhero, but nobody minds if you do.
About the author Rob Masson is founder of The DPO Centre, the leading DPO resource centre providing outsourced DPOs, EU Representation services, DPIAs, gap analysis, data processor agreements and policy writing, and staff training. With over 30 years of business experience, Robert is a veteran entrepreneur and thought leader who has been involved in delivering solutions and services to some of the world’s largest and most respected companies. He has advised a broad range of organisations on the most effective strategies to meet their goals and is an expert adviser on compliance with data protection regulations. Robert set up The DPO Centre to assist organisations of all sizes to identify how evolving Data Protection and ePrivacy legislation will affect them, the steps they need to take to comply, and how, when implemented well, compliance builds trust, confidence, loyalty and engagement.
12
STAND 28 The World Turned Upside Down? Digital Trust, Paradox and Encryption
Gaining a customer’s trust is a reward earned only after many years of careful branding, superb service and product quality. And a trusting customer is a loyal customer who you can count on to work with you every time – through thick and thin. Right? Not quite.

When it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry. Paradoxically, unlike the delicate offline relationships you nurture so carefully, gaining digital trust is a piece of cake – an ooey gooey cake – where users are more likely to share more personal details with you than they would with a person they are dating. In fact, according to Echoworx research, the average user takes just 30 seconds to assess the safety of an email before sending along their most personal data. Sounds sweet? It is. Maybe even too sweet – since the ease of getting customers to trust your brand online comes with a huge price tag of responsibility that is too much to chew for the digitally unprepared. And you are only one slip-up away from losing them forever – with 80 per cent of customers considering leaving your brand after a breach.

So, given that your organization invests so much money and time building your brand, why take the risk of not adequately protecting sensitive data and have it all come crashing down? This is suddenly where pre-emptive investments in cybersecurity infrastructure start making sense – in the organizational sense. In the past, cybersecurity was traditionally seen as a more internal issue. In layman’s terms, the mantra was: if you keep the bad guys out, the money stays in the bank. But, given today’s customer-centric view on providing digital services, and the real threats of ransomware attacks, this view has evolved into an organizational problem – a crisis of brand.
So how do you prevent losing your customers? Easy: you protect them. And protecting your customers is more than just building a bigger firewall. You also need to consider sensitive data which leaves your walled garden of information. While encryption is an effective way of securing your communications, clunky solutions make your messages look like spam – to the detriment of the end user or customer, and therefore defeating the point.

Secure encrypted messages should look authentic and be flexible enough to cater to the needs of your customer base. Branding, languages and any other organization-specific details should be customizable so as not to affect user experience. This not only eliminates confusion (something scammers thrive on) but is also just good customer service. You also need to consider offering multiple delivery methods to meet different customer needs. For example, sometimes you want to encrypt a document, not an entire message. You might look for a delivery method which allows for attachment-only encryption.

The more your encrypted messages mimic the look and feel of your regular communications, without sacrificing user experience, the more your customers trust digital interactions with you. And the more you protect them, the less likely you are to experience a devastating breach. This is how investing in data privacy is not only good for protecting your organizational infrastructure – it’s also good for your business, your brand, and is just good customer service.
Lorena Magee - echoworx Lorena Magee, the VP of Marketing at Echoworx, which specializes in protecting sensitive communications, describes how when it comes to gaining digital trust, traditional approaches can go topsy-turvy in a hurry.
13
STAND 97 Life after GDPR: where do we go from here? Peter Waters is Privacy Officer and Vice-President of Legal at global interconnection and data centre company, Equinix. It took so long for the General Data Protection Regulation (GDPR) to emerge from the seemingly endless cycle of rewriting and debate that when the time came for it to actually come into force, it took everyone a little by surprise. For about a year leading up to 25 May, there was a frantic period where companies across Europe scrambled to get a grip on their data and improve (or in some cases create) the protocols and systems they needed to ensure compliance with GDPR’s robust requirements. Yet get a grip they did, and three months on, with the fevered GDPR hype subsiding, some may be forgiven for wondering what all the fuss was about. In fact, GDPR’s long-awaited arrival was just the start. As the unstoppable progress of the digital economy meets an ever-growing focus on privacy and data sovereignty, it’s what comes next that businesses really need to start thinking about.
The immediate future Now that GDPR is in place, we’re seeing a period of alignment across Europe as the measures that businesses have put in place are road-tested against the requirements of the new regulations. There’s no doubt we’ll see some costly and in some cases high-profile penalties along the road. Organisations not complying may be liable for fines of 4% of annual turnover or up to €20m (whichever is higher). And even with stricter controls in place across many companies post-GDPR, compliance will still be a challenge. In the era of cloud computing and IoT, data is constantly flowing from one end user to another, making it that much harder for businesses to ensure the security of data with full confidence and transparency.

The data centre industry has assumed a key role and responsibility in helping enterprises wrestling with this issue. Equinix is a multi-billion-dollar company, but unlike most firms our size and most of our customer base, we obtain and manage very little personal data – we’re a major multinational with the personal data footprint of a virtual corner shop. But much of the personal data in the world passes through the servers in our data centres, making us well placed to understand how to interpret and navigate the nuances of regulations and data sovereignty issues. We set up the Equinix Privacy Office as part of our GDPR compliance program for this very reason. Our team of subject matter experts have helped customers understand their obligations as ‘controllers’ or ‘processors’ of personal data, advised on contract negotiations on data privacy assurance and ensured vendors are upholding and adhering to the same best practice standards that GDPR demands, as well as next steps.
Data privacy – a human right? Meeting the requirements of GDPR may still be the most immediate objective, but there are bigger things on the horizon. We’re witnessing a sea change in how the general public perceives, understands and engages with issues around personal data. People care deeply about their privacy in the online world, and this, along with the ever-growing proliferation of data, is fuelling the rapid rise in new privacy regulations all around the world. Many countries are now following Europe’s lead with legislation similar to GDPR. But is even this just the start? Some are asking whether we will see further convergence and a global standard emerge, as was the case with climate change at the end of the 2000s. In the years to come, will we see a global standard taking over from the various national and regional regulations that have emerged? Could an international body like the UN take control of such a global standard, or would a yet-to-be-formed government-industry body with worldwide jurisdiction be the one to oversee this process? This is some way in the future of course, and it’s certain that many countries wouldn’t want to play ball. But with public outcry over data privacy reaching unprecedented levels, there’s no doubt the idea is already being played with by various decision-makers – any business that wants to understand the GDPR end-game needs to be thinking about this eventuality too.
A fine balance
All companies need to understand their compliance obligations around managing personal data, and those requirements are only going to grow. The real challenge is how to make the trade-off between these increasing compliance demands and the need to adopt an ever more 'digital first' approach to day-to-day business operations. It will be the businesses that find a way to balance these two often competing pressures that survive and thrive in the digital economy.
STAND 48 The Journey to GDPR Compliance
With GDPR now in full effect, European residents are finally in a more privacy-friendly world. Organisations invested weeks and months reaching interim privacy maturity states in the run-up to the 25 May deadline, largely prioritising areas such as data processing inventories, privacy notices, consent, DPO appointment, contract addenda, rights request workflows, and basic training and awareness. However, the work is far from over. Businesses must lay out a clear plan to progress from their current privacy level to the desired compliance level, a task requiring immediate attention. They must also plan to implement forward-looking solutions that sustain compliance as new data and processing activities come into the regulated perimeter. These trends are pushing businesses to solve problems across three key areas.

Privacy Assessment Framework: demonstrating ongoing compliance
Organisations have invested significant effort to show their commitment to the principles of transparency, accuracy and data minimisation required by the regulation. With accountability as the new principle, regulators have made it clear that organisations (data controllers) need to demonstrate compliance on an ongoing basis. Myriad challenges complicate this task:
• Organisations do not have a robust privacy assessment framework they can use to assess and monitor privacy risks and controls on an ongoing basis.
• Current risk assessments do not provide adequate coverage of GDPR or data privacy.
• Organisations do not have a GDPR-specific risk and controls matrix, and there are no proven libraries they can leverage out of the box.
• Privacy risks vary with business function.
What organisations must do is map a proven internal control framework to the GDPR's privacy principles, then carry out an evaluation through the lens of key assessment areas.

Third-Party Risk Management: assessing the data privacy and security preparedness of third-party data processors
Data breaches are now common. The increasingly complex supply chain of today's technologically advanced business landscape and evolving cyber threats only increase the chance of an organisation suffering a third-party-related breach. Studies of recent breaches suggest that as many as 50% can be directly or indirectly attributed to supply chains. The GDPR, FCA rules and other regulatory norms make the repercussions of these breaches massive. However, many organisations have taken a myopic approach to data privacy and security, focusing largely on the perimeter and ignoring or deferring their supply chain. As organisations now look to enhance and optimise their third-party risk management processes, they face several challenges:
• There is no single authoritative repository of all third parties and their related details, including the services they provide and the data they process.
• Various departments hold and maintain their own records of suppliers in largely unstructured forms such as spreadsheets.
• Current processes for conducting third-party risk assessments are manual and time-consuming, resulting in a low proportion of risk-assessed third parties.
• Assessment questionnaires are subjective, so the quality of data gathered in responses is poor.
• Manual risk scoring methods mean that insights generated from assessments are basic at best.
• There is limited knowledge of the risks posed by organisations in the third party's own supply chain.
Manual processes alone will not enable organisations to accurately assess their third-party risk. Technology will be critical in augmenting overall risk assessment and reporting processes.

Sustainable Compliance: forward-looking processes and solutions
Organisations' compliance efforts thus far have been mainly tactical, aimed at getting over the line and minimising adverse privacy impact. Unsurprisingly, many of these measures were manual and hence less sustainable. Take, for example, data and processing inventories, DPIAs and the rights of data subjects. Organisations carried out structured data audits to understand how personal data is held and processed, resulting in spreadsheet-based data and processing inventories. Likewise, data protection impact assessment (DPIA) questionnaires were manually circulated to internal business functions for one-time risk assessments of their processing activities. Customer requests around portability and erasure are tracked manually or via a ticketing system with no workflow capability. Other areas have seen similar tactical fixes, mainly aimed at achieving partial compliance in the short term. Such measures create many challenges in the long run:
• Spreadsheets only provide a point-in-time snapshot and must be maintained as new data and processing operations come into the regulated perimeter.
• Unstructured data has largely been deferred until now; discovering and inventorying such data manually is not feasible.
• Manual processes for rights request management do not scale for spikes and surges in request volumes, given tight fulfilment timelines.
• Manually fulfilling complex requests such as data erasures may not work, especially as unstructured data comes into the mix.
• Access provisioning and permissions will require sophistication to account for staff movements.
Achieving sustainable compliance requires people, processes and technology working together.
Digitising spreadsheets will minimise errors, automating critical activities creates efficiencies, and robust underlying processes support business logic, while an effective governance structure provides strategic direction.

Conclusion
GDPR is profoundly reshaping the way organisations manage data, challenging their current system landscapes, internal processes, data management practices and governance structures. It is not surprising that current measures for complying with the regulation aren't yet sustainable. Organisations still require sizeable and well-deliberated investments to augment people, process and technology. GDPR compliance is a journey, and a solid compliance roadmap will ensure compliance and good data practices in the longer run.

Mohit Manchanda, Head of Consulting and F&A, UK/Europe, and Prakhar Agarwal, Practice Director – Data Privacy. Look further. For further information on how EXL can assist you on your compliance journey, come and visit us at booth 48 or book your one-to-one appointment with a specialist at http://info1.exlservice.com/data-protection-world-forum-registration
STAND 52 Driving Data Innovation In The Wake Of Privacy Regulations
by Nick Brandreth of Integris
In the Digital Era, which calls for analytics in every facet of the business, data has become the most valuable asset. Our ability to create, collect and store data has become much easier with the explosion of data innovation, cloud and distributed computing techniques. Data drives growth and business value and accelerates the creation of better services for the consumer. Yet many organizations are failing to fully leverage the data they have acquired because of ever-growing risks and the advent of privacy regulations. We are seeing a shift in consumers' mindset from "how are you protecting my data?" to "what data do you have about me?". This amplified scrutiny of data privacy is helping to drive increasing regulation worldwide.

Privacy and security are part of a continuum, with privacy telling you what data is important and why, and security telling you how to protect it. So far the emphasis has been on security, but organizations are beginning to understand that privacy, the "what" piece, is crucial. You can't have a coherent security program without an equally comprehensive and detailed privacy program. Put simply, privacy feeds security. To know what data exists, keep track of it and place policies on it, organizations have to automate their ability to understand exactly what data they have, what impact it has on the business and how effective their data controls are at understanding and protecting it. You can't have transparency without visibility.

Though data is constantly being streamed, analyzed, shared and combined, the most common method of data discovery is still manual and survey-driven. It is unsustainable and inaccurate for any organization to try manually to discover what data it has and how sensitive it is, and to map that back to the obligations of the business. New regulations like GDPR and the new California privacy law in the U.S. are triggering a knee-jerk reaction across all sectors out of fear of data misuse. Continuing down this path threatens the ability to use data at all, because the reflex is to lock it down. In contrast, an effective data privacy solution empowers organizations to utilize their most important asset: their data. A new approach is needed that can scale across all data sources, whether in the cloud or on-premises, and that continuously provides an accurate picture of an organization's data privacy landscape. Organizations should not have to compromise innovation for privacy compliance. By bringing together the latest in machine learning and a flexible microservices-based architecture, it's possible to solve this problem and allow organizations to both protect privacy and use their data without fear.
About the Author
Nick Brandreth is the vice president of sales at Integris Software, a fast-growing start-up and the pioneer of the emerging market of Data Privacy Automation. Nick is an evangelist of cutting-edge technologies. He holds bachelor's and master's degrees in English from Portland State University. Join Nick Brandreth and a panel of experts as they explore key privacy-related issues for emerging technology.
Emerging Technology in the Context of GDPR GDPR Refresh Theatre Day One (20 Nov) at 11:25 AM
FREE TRIAL
Get a free trial of our Compliance eLearning courses
www.interactiveservices.com/compliance
STAND 94 GDPR compliant secure enterprise messaging
With GDPR now in full effect, GDPR-compliant enterprise messaging is no longer a recommendation for enterprises doing business in Europe; it's a necessity. With these key changes in place, it is evident that enterprises doing business in the EU need to take appropriate measures to protect the data of their customers and stakeholders. With the proliferation of smartphones and more and more enterprises allowing BYOD (Bring Your Own Device), enterprises must be more vigilant about their communication, both internal and external. Several studies have shown that a large number of employees use consumer-grade messaging apps to communicate official information, which can be a huge risk for the enterprise. This has led large enterprises such as tyre giant Continental to ban consumer apps like WhatsApp and Snapchat on company devices. In addition to leakage of confidential company information and data and privacy breaches, the hefty penalties under GDPR are making enterprises look harder at their mobile messaging. It becomes inevitable for enterprises to look for an alternative: a GDPR-compliant secure enterprise messaging app.
How Secure Enterprise Messaging Solutions relate to GDPR
1. Right of Access: GDPR gives individuals the right to obtain the personal data a company holds about them. An enterprise messaging solution should provide an intuitive, searchable archive so that the data can be produced when requested. Consumer apps typically lack this.
2. Right of Erasure: Individuals have the right to have their data deleted. If customer data is being shared via WhatsApp or other consumer apps, how will it be deleted when requested?
3. Transfers outside the EU: Personal data may only leave the EU/EEA under the safeguards set out in Chapter V of GDPR (an adequacy decision, standard contractual clauses and the like). An enterprise messaging solution should allow the company to store all data on-premise or exclusively within the EU, so that no such transfer takes place.
4. Data protection by design and by default: Article 25 names pseudonymisation as an example of such a measure, and Article 32 lists pseudonymisation and encryption side by side as security measures. They are distinct: encryption protects message content in transit and at rest, while pseudonymisation replaces direct identifiers with tokens that can only be linked back to a person using information held separately. A solution should offer both.
5. Conditions for Consent: Individuals must give consent before the enterprise uses their data. Consumer apps typically upload an employee's entire phone book to the provider, transferring client data without consent and potentially outside the EU.

Choosing a GDPR Compliant Secure Messaging Solution
There are many factors to consider when choosing an enterprise messaging solution, such as:
• On-premise or cloud based
• Closed user group for internal use only, or also allowing external partners and clients
• Compliance beyond GDPR, such as ISO 27001, HIPAA, FINRA, etc.
• Archive availability of the solution
• Flexible retention period for data storage
Regardless of your requirements, it is key that at a minimum you have the core GDPR components covered to avoid an unforeseen compliance risk. With NetSfere we have developed a secure messaging solution that gives enterprises flexibility and usability in their messaging while letting them comply with the administrative, physical and technical safeguards of the HIPAA Security Rule as well as the data protection requirements mandated by GDPR.
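The "data protection by design and by default" item above treats encryption and pseudonymisation as one thing. They are distinct measures, and the following Python example (added here; not NetSfere's or Infinite Convergence Solutions' code) shows the difference that matters in practice: an unkeyed hash of a phone number is not a pseudonym, because the phone-number space is small enough to enumerate, whereas an HMAC under a key held apart from the dataset can only be reversed by whoever holds the key. The sample contacts are constructed, the phone numbers are fictitious, and the all-zero key is a placeholder.

```python
"""Pseudonymising contact identifiers with a keyed hash (added example).

The sample records are constructed and the phone numbers fictitious; the
HMAC key used at the bottom is a placeholder, not a real secret.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records; every number is fictitious.
CONTACTS = [
    {"name": "A. Example", "phone": "+44 7700 900123"},
    {"name": "B. Example", "phone": "+44 7700 900456"},
]


def normalise_phone(phone: str) -> str:
    """Canonicalise so '+44 7700 900123' and '+447700900123' yield one pseudonym."""
    return "".join(ch for ch in phone if ch.isdigit() or ch == "+")


def naive_pseudonym(phone: str) -> str:
    """Unkeyed SHA-256. Deterministic, but the phone-number space is small
    enough to enumerate, so anyone holding the output can recover the input."""
    return hashlib.sha256(normalise_phone(phone).encode()).hexdigest()


def keyed_pseudonym(phone: str, key: bytes) -> str:
    """HMAC-SHA256 under a key stored apart from the dataset. Without the key
    the enumeration attack below fails; with it, the controller can re-link."""
    return hmac.new(key, normalise_phone(phone).encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target: str, prefix: str, width: int,
                           digest: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: digest every number sharing a known prefix and
    compare. 10**width candidates here; a whole national numbering plan is
    only on the order of 10**9, which is cheap for an unkeyed hash."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if digest(candidate) == target:
            return candidate
    return None


def pseudonymise_dataset(records: List[Dict[str, str]],
                         key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (pseudonymised records, re-identification table). The table is
    the 'additional information' that GDPR Art. 4(5) says must be kept
    separately and under its own technical and organisational controls."""
    out, lookup = [], {}
    for rec in records:
        token = keyed_pseudonym(rec["phone"], key)
        out.append({"name": rec["name"], "phone_pseudonym": token})
        lookup[token] = normalise_phone(rec["phone"])
    return out, lookup


if __name__ == "__main__":
    key = bytes.fromhex("00" * 32)  # placeholder; use secrets.token_bytes(32) in practice
    pseudo, table = pseudonymise_dataset(CONTACTS, key)
    token = pseudo[0]["phone_pseudonym"]
    print("pseudonym", token[:16], "re-identifies to", table[token])
    naive = naive_pseudonym(CONTACTS[0]["phone"])
    print("unkeyed hash reversed:", reverse_by_enumeration(naive, "+447700900", 3, naive_pseudonym))
    print("keyed hash reversed:  ", reverse_by_enumeration(token, "+447700900", 3, naive_pseudonym))
```

The point for a messaging archive is that the re-identification table (or the HMAC key) is what turns tokens back into people, so it has to live outside the archive and outside the reach of whoever can read it; encrypting the archive at rest protects the archive, but does nothing to make the identifiers inside it pseudonymous.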
Scott Crowley, Sales Director, Infinite Convergence Solutions Infinite Convergence Solutions will be exhibiting on stand 94, come and visit the team to ask questions and find out more about their GDPR Secure Messaging Solutions.
STAND 41
Operationalising GDPR Compliance
psKINETIC in association with APPIAN. By Ingolv Urnes, Co-Founder and Director of psKINETIC.

Data and privacy legislation compliance has become a top strategic issue for organisations across the world. After the initial scramble up to the May 2018 introduction of the EU's General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018, the challenge is now: "How do we effectively operationalise ongoing GDPR compliance?"

The Challenges
Data capture and use is growing exponentially. Large organisations have a significant and growing data inventory (we use the term 'dataset'). While new and exciting ways of leveraging this data are emerging, GDPR now places significant demands on organisations to demonstrate appropriate and lawful use of such data. The consequences of a failure to comply are well known. GDPR breaches carry not only substantial reputational risk but also potentially very significant penalties of up to 4% of global turnover. News headlines about data protection and large-scale data breaches or theft of data (British Airways being a good example) have made the general public much more aware of the risks. The UK Information Commissioner, like regulators elsewhere in Europe, is reporting rapid growth in complaints: complaints filed with the Information Commissioner's Office between 25 May, when the new GDPR rules took effect, and 3 July were more than double the number received during the same period a year earlier. As the value of data is better understood and reports of record-breaking fines hit the media, individuals are likely to make increasing use of their new rights. At the same time, expect the phenomenon of the GDPR activist to continue. There is even an app that simplifies, for the consumer, the exercise of subject access rights.

The challenge of the explosive growth in data and its uses is compounded by data sitting in different systems (from large ERP systems to Excel); by different organisational units and regions holding and using data differently; and by much of this data sitting with various data processors, such as vendors of cloud software or other outsourcing arrangements.
360° Holistic Approach
GDPR compliance is a complex, multi-dimensional challenge. At its heart is your Dataset of Personal Data, which (i) drives various activities including Impact Assessment, Subject Access Requests, Incident Reporting and Vendor Management, and (ii) requires planning, execution and monitoring across complex organisational structures of Divisions, Regions and Functional areas. So how do you ensure compliance? How do you make sure that the expensive work on policies is actually put into practice? We think a 360° holistic approach is required to ensure all areas are covered and no effort is duplicated.
C-360° Compliance Platform
C-360° is a unique software solution designed to help you solve your privacy and GDPR compliance needs more effectively. It is delivered on Appian, a world-class case management and automation platform:
• Flexibility: C-360° is not an off-the-shelf product. Our job is to adapt it to work with your existing processes and organisational structure. C-360° can be tailored according to your key priorities.
• Start small: When we implement C-360° with you and your team, we begin with the most immediate priority, whether that is Impact Assessment or Subject Access Requests. Our approach and the underlying architecture allow C-360° to grow organically; for example, you may build out the Dataset as you respond to incoming SARs, or you may choose to first build the Dataset, including DPIA and policies, which can then drive more automated responses to SARs.
• Future proof: Since you are fully in control of C-360°'s configuration, you can expand it to cover new compliance-related requirements as these emerge. Our job is to help you operationalise compliance for today and the future.
C-360° is designed to automate as many activities as possible and ensure coordination across large organisations – key functionality includes: 1. Auto capture of requests from email, web form or print (using OCR); AI is helping us structure incoming requests to reduce manual work and errors. 2. Policy Engine: A sophisticated rules engine that links your dataset and the associated policies to increase automation when responding to Subject Access Requests (SAR). This reduces cost, but more importantly ensures that you are executing SARs consistently. 3. Case Management & Workflow: Enable coordination and collaboration across complex organisations, including delegation of tasks, measurement of SLAs, etc.
psKINETIC in association with APPIAN psKINETIC has nearly 10 years of experience helping customers leverage the Appian platform, working to ensure a successful outcome for clients’ digital transformation and process automation projects. For more information, www.pskinetic.com or telephone 0845 5050120.
STAND 27 Compliance standards and their role in demonstrating GDPR compliance
Author: Alan Calder, Founder and Executive Chairman
IT Governance Ltd is a single-source provider of books, tools, training and consultancy for IT governance, risk management and compliance. It is a leading authority on data security and IT governance for business and the public sector. IT Governance is 'non-geek', approaching IT issues from a non-technology background and talking to management in its own language. Its customer base spans Europe, the Americas, the Middle East and Asia. More information is available at www.itgovernance.co.uk.

Technology undoubtedly plays an important role in an organisation's overall cyber resilience strategy, but organisations must also address the people and process components of cyber security. A recent study suggests that 88% of UK data breaches are caused by human error rather than by cyber attacks, which shows how a lack of cyber security awareness and training can lead employees to undermine an organisation's defences. Alan Calder, founder and executive chairman of IT Governance, argues that, in order to tackle information security and data privacy in a structured and resilient manner, organisations should consider standards such as ISO 27001, the international standard for an information security management system (ISMS), and BS 10012, the British Standard that sets out the requirements for a personal information management system (PIMS). The two frameworks can help organisations not only meet information security and privacy requirements but also demonstrate, by achieving accredited certification, that they have implemented security measures and controls in line with the requirements of the General Data Protection Regulation (GDPR).
Article 32 of the GDPR states that "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", including the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. To address this, organisations are encouraged to certify to information security standards such as ISO 27001, which address the three pillars of cyber security (people, processes and technology) and help demonstrate compliance with the Regulation. Implementing an ISO 27001-compliant ISMS requires board-level commitment, which ensures the ISMS is embedded in the organisation's culture and strategy and is continually monitored, updated and reviewed. Through a process of continual improvement, the ISMS adapts to internal and external change so that risks are continually identified and reduced.

IT Governance has more than 15 years of practical experience working on management system standards and implementations, and is the first organisation in the world to achieve accredited certification to ISO 27001 that references BS 10012. BS 10012:2017 specifies the framework for implementing a personal information management system (PIMS) that supports compliance with the GDPR. The Standard was recently amended to incorporate changes introduced by the UK's Data Protection Act 2018. Any organisation looking to assure stakeholders, including the board and clients, of its commitment to security and the GDPR, and to demonstrate the efficacy of its data privacy practices, should consider integrating a BS 10012 PIMS with an ISO 27001-compliant ISMS and obtaining certification. For more information about IT Governance's information security and data protection solutions, please visit the website, email servicecentre@itgovernance.co.uk or call +44 (0)333 800 7000.
AUTHOR PROFILE Alan Calder is an internationally acknowledged cyber security guru and a leading author on information security and IT governance issues. He is also the founder and executive chairman of IT Governance Limited, a single-source provider of cyber risk and privacy management solutions. Alan co-wrote the definitive compliance guide IT Governance – An International Guide to Data Security and ISO27001/ ISO27002 (with Steve Watkins), which is the basis for the UK Open University’s postgraduate course on information security. This work draws on his experience of leading the world’s first successful implementation of BS 7799 (now ISO 27001). He also wrote the popular EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide, which provides a clear and comprehensive guide to the Regulation, and sets out the obligations of data processors and controllers. Alan is a frequent media commentator on information security, privacy and IT governance issues, and has contributed articles and expert comment to a wide range of trade, national and online news outlets.
STAND 35 GDPR & data breaches: insecure or unsecure?
GDPR imposed, for the first time, a breach-reporting obligation on all EU organisations. Robert Baugh, CEO of Keepabl, the GDPR-compliance platform, looks at recent statistics from three countries, with surprising results.

Organisations are, correctly, notifying many more personal data breaches to their national Data Protection Authorities (DPAs) since GDPR took effect on 25 May 2018. The UK has seen a fourfold and Ireland a near-threefold increase in notified breaches. GDPR requires you to notify the DPA of a breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons. There's a lot of uncertainty about how to judge that threshold, and it also seems a very low one. So it's understandable if those making the judgement err on the side of caution and notify when in doubt. Indeed, in September the UK DPA said that it feels businesses are over-reporting. (That may be the case for those contacting the UK DPA; my personal, empirical view is that a great number of breaches are not being notified, but that's for another article.)

You might expect the uncertainty over when to notify to be felt uniformly across the EU. However, recently published figures question that premise and suggest significant differences in practice. The UK DPA says it received just under 400 notified breaches in each of March and April 2018, compared to 1,792 in June (over four times the March and April figures). That June run-rate appears to have been maintained: in September 2018 the UK DPA said it had been receiving around 500 calls a week to its breach reporting line. While a third ended up not being seen as needing notification, that still leaves 333 calls a week (or about 1,400 a month) that did, and breaches can also be notified online. Compare that to Ireland. On 30 July, Ireland's DPA tweeted that it had logged 1,184 data breach notifications since 25 May, roughly 600 a month, compared to a 2017 average of 230 a month. And compare it to France, where the DPA stated on 28 September that it had received more than 600 breach notifications in those four months, about 7 a day, or 150 a month.

So, 150 notifications a month in France, at least 1,400 in the UK, and 600 in Ireland (although that's a July figure). The UK looks like either the most compliant country on earth or the least secure. But looked at per capita, these figures paint a different picture. The EU says France's population was 67.2m (January 2018), the UK 66.2m and Ireland 4.8m. That gives France 2.2 notifications per month per million of population, the UK 21 (still roughly 10 times more than France), and Ireland 124, or a whopping 56 times more than France. Suddenly the UK and Ireland have switched places. The picture is similar per business or per unit of GDP. Again using EU figures, France had 3.6m businesses in 2016, the UK 2.5m and Ireland 250k (a 2015 figure, the same as Ireland's own 2016 figure): 42 notifications per month per million businesses for France, 567 for the UK (13.5 times more) and 2,411 for Ireland (57 times more). On the EU's 2017 GDP figures, France had 0.06 notified breaches per month per billion of GDP, the UK 0.6 and Ireland 2.04 (31 times more than France).

Of course, there are lies, damned lies and statistics. Ireland may well have a disproportionate share of tech businesses that crunch more data, and we've tried to compare apples with apples on limited published data. But does that explain why a country with 14 times fewer businesses than France has 4 times the breach notifications per month? It will be interesting to see more statistics and analysis appear. In the meantime, my bet is for breach notifications to keep rising. Is your organisation ready?
About the author
Robert is CEO of Keepabl (www.keepabl.com), the GDPR-compliance platform where customers record breaches and decide whether to notify them, build their data map, see instant analysis and Article 30 Records, store policies and other privacy materials, and much more.
STAND 45 An Accountability Approach to Data Subject Rights
Understanding and Protecting the Rights of Individuals Under Multiple Laws
Although they have been around for almost four decades, data subject rights have recently gained attention with the advent of the EU's GDPR and California's upcoming CCPA. Both laws award extensive rights to data subjects.

What are data subject rights?
Data subject rights allow individuals:
1. to understand what an organisation knows about them; and
2. to restrict or change what an organisation knows about them.

This is a simple definition, and there are many different rights linked to the broader concept of data subject rights. On the one hand, there are the rights that require a data subject to make a request before an organisation has to act; on the other hand, there are the non-request rights that organisations have to fulfil at all times.

Which data subject rights are most common?
The Right of Access: This right allows an individual to understand which of their data are being processed. Requests can be submitted in virtually any way, and in many jurisdictions a copy of the individual's data can be obtained.
The Right to Rectification or Correction: Based on the principle of data quality, this right enables an individual to change data. Inaccurate or incomplete data can be rectified at the request of the individual, such as a change of address or marital status. Not all information is eligible for correction, including assessment data, personal analysis or other opinion-based data.
The Right to Deletion or Erasure: This right allows for the removal of personal information from a database at the request of a data subject. It is not an unlimited right. Most laws prescribe use cases, such as:
• the information is no longer necessary for the purpose;
• consent for processing is withdrawn;
• the information has been processed unlawfully.
When a deletion request is received, organisations must verify whether deletion is possible and allowed.
The Right to be Forgotten: A specific version of the right to deletion is the right to be forgotten. This includes the right to be delisted from a search engine. It is not absolute. It only applies if the information:
• cannot be removed from the original source;
• is no longer considered relevant;
• is context-specific.
This right applies in the EU and many Latin American countries based on case law, and in South Korea based on guidelines from the Korea Communications Commission.
The Right to Information: The rights discussed above require data subjects to make requests. The right to information is a right that always applies and, in many jurisdictions, is also known as the notice requirement. In the interest of transparency, organisations are required to disclose to data subjects what information is being processed, for which purpose, by whom, and which parties it is being shared with or sold to. Most organisations will include all of this information in a privacy statement or notice. In many jurisdictions, including the EU, the information provided needs to be specific to the data collected.

Other common data subject rights
The Right to Data Portability: Under the GDPR, individuals are entitled to take their data from one organisation to another if processing is based on consent or contract and is carried out by automated means. The CCPA stipulates that when an organisation provides information to an individual in an electronic format, it must be portable and readily transferable.
The Right to Restriction of Processing: A specific right under the GDPR is the right to restrict the processing of an individual's data if the data itself or the lawfulness of the processing is contested.
The Right to Complain: Several jurisdictions have included in their legislation the possibility to file complaints with an organisation about its data processing practices. If the complaint is found to be justified, changes to the organisation's policies and procedures will need to be made. In all jurisdictions but Brazil, the legislation contains provisions allowing individuals to file a complaint with a data protection authority.
The Right to Not be Subject to Automated Decision-Making: Strongly advocated in the EU, this right is closely linked to the transparency of processing and the need for individuals to have control over their own data. However, this right is not absolute. The GDPR, for example, also allows for some explicit exemptions, such as where the decision is necessary for entering into or performing a contract.

No right is absolute
Many privacy and data protection laws around the world contain specific provisions allowing exceptions to and limitations of the rights of individuals. It is important for organisations to understand that these exceptions and limitations exist, and how and when they can be applied.

How to embed data subject rights into your privacy program
An accountability approach to compliance means implementing and embedding relevant policies, procedures and other measures throughout the organisation, and assigning responsibility for these activities. Ideally, the activities will also be reviewed on a regular basis, such as annually or semi-annually. Such reviews will produce documentation, including meeting minutes and memos, in addition to the actual policies, procedures and log files, all of which can serve as evidence to demonstrate compliance to regulators and other stakeholders.

The best way to ensure compliance is embedded throughout your organisation is to develop a program based on a framework that maps to multiple laws, such as the Nymity Privacy Management Accountability Framework™. It will help you implement the right privacy management activities to deal with data subject rights under the GDPR, the CCPA and the other privacy laws around the globe.
23
STAND 6
Kalepso builds the first Never-Decrypt Cloud Database System, for sensitive data and regulated industries. KalepsoDB boosts compliance with privacy regulations, incl. GDPR, and, unlike other solutions, protects storage against any database attack. It easily integrates with existing applications, without any changes, with a MySQL and MariaDB integration already available and more coming up (incl. MongoDB). Kalepso’s patent-filed tech was co-invented at Harvard by Kalepso’s CTO. Visit www.kalepso.com
24
STAND 96
Financial Services, Brand Resilience and the Data Protection Conundrum

With the growing volume and complexity of data protection regulatory requirements, increased scrutiny and activity from regulators and an activist, social media-fuelled public, the financial services sector is having to find ways to toe the line in an increasingly fragmented landscape. Today’s financial services organisations operate in a more change-heavy, complex, and connected environment than we could ever have imagined ten years ago. In the past few years alone, the sector has seen a growing volume of sophisticated regulatory requirements, some triggered by the global financial crisis and others based on dynamic and fast-moving challenges, such as consumer data protection and cybersecurity.

Adding to the mounting regulatory pressure is a shift in the consciousness of consumers. Still reeling from the financial and economic crisis of the past ten years, consumers are now holding executives personally accountable and are making brand reputations vulnerable like never before. This has introduced a fresh set of fundamental truths every financial services business needs to bear in mind – transparency and accountability. Supervising authorities are demanding that more firms undergo greater scrutiny of their approaches to their use of, and controls over, personal data. While financial services firms might be old hands at following privacy and security protocol for financially sensitive data (and some personal information), recent data privacy regulations such as GDPR significantly up the ante.
From Compliance to Advantage
By approaching customers’ personal data in the context of all regulatory and legal obligations, as well as business processes and goals, an organisation has a better chance of making system and resource changes that are as suitable and sustainable as they are compliant. Tackling personal data protection at the information governance level is essential. It’s not enough to simply look at processes as they are and then change them to tick personal data protection (PDP) compliance boxes; financial services firms need to start thinking of PDP like the airbags of IT: not the most exciting feature of a new car, but an essential life-saving one. The key here lies in finding the interconnections between privacy issues and commercial questions of data collection and management. After all, good data privacy planning and implementation can reinforce customers’ trust, help personalise products and services, and also give new insights into habits and preferences. So, for a firm to thrive and ensure business resilience, it must not just adopt a robust information governance framework to protect personal data but also make it part of the fabric of the business.

To do this in a practical way that delivers oversight and control of key risks – and reduces the burden of compliance on the organisation – requires an integrated, coordinated approach, supported by technology. By introducing automation and removing the repetitive, time-consuming processes and tasks that drown employees, a firm can significantly free up time for the team to focus on initiatives that provide real value for the business. Moreover, sound risk management requires real-time updating of very large data sets. The growing amount of collected data, the complex applications utilising it and the potential third parties processing it require new innovations in the management of data sets and the workflows relating to processing. To convert this data into actionable information requires business intelligence and analytical tools to detect patterns and trends and draw conclusions.

Organisations should also look at data privacy awareness throughout their business. All employees need a fundamental understanding of data privacy regulations, and those in functions like HR, Marketing and IT require deeper knowledge. After all, employees making the right decisions is one of the most important risk mitigation strategies.
Setting the Standard
There’s no getting away from the reality that compliance standards will always be demanding and rigorous for the sector. And while financial services organisations might not like the breadth of strict compliance laws, they are beneficial to both customers and their bottom line, even providing a competitive advantage in some cases. This is why they should treat data privacy as a great opportunity to be seen as leading the charge in responsible data practices. By setting the standard in data privacy and protection, they can transform an important compliance goal into a stronger foundation for a more trusting relationship with customers. After all, data is the lifeblood of every business and protecting it at all costs should be an organisation’s greatest priority.
About the author Rob Van Straten is Executive Vice President, EMEA and APAC for SAI Global, a provider of integrated risk management solutions. He previously served as Nasdaq Inc’s Global Head of Sales and Professional Services responsible for the BWise business unit, from 2011 to 2017. Previously, Van Straten served in a number of executive roles at both private and public technology and services companies.
25
STAND 86
GDPR and Managing the ‘Bang!’
Author: Hugh Jones – Chief Privacy Officer at Sytorus

Much of the commentary in relation to the GDPR focuses on the Regulation’s emphasis on risk management – putting focus on an organisation’s ability to anticipate, evaluate and manage risk. The mind-set is not dissimilar to that of the security sector, which is challenged with anticipating and preventing terrorist and other disruptive incidents. Security analysts and trainers will speak about the ‘Bang’ event – the attack, intrusion or disruption of daily life which is the goal of such incidents. The work of these services to anticipate and prevent such incidents is categorised as ‘Left of Bang’ activity, since in chronological terms it takes place prior to such events occurring, and, if done well and in a timely manner, prevents the incident from happening in the first place. Naturally, the steps taken after an incident are then referred to as ‘Right of Bang’ actions – the recovery, the investigation, pursuit of perpetrators and, ultimately, a return to business as usual, older and wiser. I would like to split the various elements of the GDPR obligations in a similar way.
‘Left of Bang’ in the GDPR
The GDPR encourages organisations, with or without a DPO, to pro-actively take steps to understand their exposure to risk.
• Privacy by design or default – this innovative aspect of the GDPR is focused on risk assessment and prevention: where the organisation is considering a substantial modification of its processing activities, a pre-emptive evaluation of the proposal is done to anticipate any areas in which risks might arise, and, crucially, the adoption of practical and appropriate risk mitigation measures to deal with these effectively;
• Processing Activity Logs – these require a description of the various processing of personal and special category data within the organisation, by whom it is done, in what volumes, and relating to what Data Subjects. The log is immediately valuable when considering the range and scope of any risks to which the organisation is exposed;
• Vendor selection and engagement – the Data Processor Agreement is a study, in and of itself, of risk management: the clauses and conditions which the Controller imposes within the contract are a reflection of the risks which the organisation anticipates, and the parameters which they wish to enforce, in order to ensure that their data is safe while being processed by the third party;
• Policies, Governance and Staff Training – central to the obligations of Principle Seven is the requirement on the organisation to be able to present evidence of their efforts to act on their responsibilities as Data Controller: the roll-out of formal policies and procedures, training for staff, active monitoring of compliance, detection and resolution of noncompliant behaviours.
‘Right of Bang’ in the GDPR
As any security professional will attest, all the planning, preparatory and preventative work will not stop the incident from occurring – it may reduce the likelihood of an incident, and may limit the impact, but the organisation should be prepared for some level of ‘mopping up’ of the aftermath should an incident occur.
• Breach Notification – the mandatory reporting, in some circumstances, of the nature, range and impact of a breach incident recognises the obligation on the organisation to understand the events leading up to the ‘bang’, as well as accounting for the actions taken afterwards;
• Respect for Individual Rights – we have seen a substantial increase in requests from members of the public to organisations who have suffered some form of breach incident: requests for information on the use of their data, to opt out or restrict the manner in which their data is being used, and (the ‘nuclear option’) for complete erasure (the right to be ‘forgotten’);
• Incident Logging – where the circumstances of an incident might not meet the criteria for a formal notification to the Supervisory Authority, the GDPR encourages the logging of any such low-key security incident, and learning from the experience;
• Training and Procedures – here again, the experience from any incident should be an opportunity for the organisation to review its policies and procedures, to provide updated or refresher training to staff, as well as modifying any induction training.

Naturally, there are many other aspects to the GDPR which will not be so neatly accommodated with simple categorisation, but risk evaluation, assessment and mitigation remain core disciplines within the GDPR, and the language of risk management will continue to echo in the training, advice and ‘best practice’ guidance in relation to GDPR compliance in the coming years.
Mr Hugh Jones - As a certified Data Management consultant, Hugh is closely involved with the development and introduction of compliant Data Management policies and practices within a wide range of clients globally. Hugh provides professional advisory services and is a frequent speaker at local and international Data Management events. Through his experience as a business and IT Project Manager, Hugh supports organisations striving to maturity with the EU Data Protection legislation, as well as helping them to design their ‘adoption journey’ towards full compliance. Hugh has a BA (Hons) from NUI Maynooth (German and Anthropology, 1986), and is a qualified Project Manager and EU Data Protection Practitioner.
26
Global Banking & Finance Review is a leading Online and Print Magazine, which has evolved from the growing need to have a more balanced view, for informative and independent news within the financial community. Our experienced contributors provide this quality and in-depth insight in a clear and concise way, providing leading players and key figures with up-to-date information within the finance sector. Read in over 200 different countries and ranked below 15,000 globally by Alexa across billions of websites. Visit www.globalbankingandfinance.com
27
STAND 43
Which of Your Employees Are Most Likely to Expose Your Company to a Cyberattack?

Kon Leong, co-founder and CEO of ZL Technologies, Inc., a software and cloud vendor to large enterprises for information governance and analytics solutions, shares his insights around how employee behavior plays a large role in the state of an organization’s cybersecurity.

Cybersecurity has expanded beyond its traditional domain of external threats, typified by external hackers attacking network vulnerabilities. It now includes insider threats, which are much more complex and difficult to manage, as evidenced by some very serious insider breaches, such as those involving Edward Snowden and Chelsea Manning. Insider threats can be categorized as malicious, accidental, or negligent, and together they account for 39% of all data breaches according to recent research. With employee behavior playing a larger role in the state of your organization’s cybersecurity, here are some insights into the human side of cybersecurity that can help shape the right approach for your company:
Rethink employee training. Company-wide training on best practices for handling the latest security threat is a common approach; unfortunately, these guidelines are overlooked or disregarded entirely. The standard memo on security often fails to capture the nuances presented by more dynamic security threats, which are often internal. For instance:
• How does an employee differentiate a bona fide email conversation from phishing bait?
• When should an employee speak up about a coworker’s suspicious activity?
• What types of information can and cannot be shared, and with whom?
To make a lasting impact on employee behavior, organizations should consider interactive training sessions. Recent research by the Ponemon Institute indicates that employee training is tied as the third-most-effective method of decreasing the per capita cost of a breach, right after extensive use of encryption and assignment of an incident response team. For more resistant users, consider employing a variety of creative training techniques that involve employee interaction, feedback, and discussion. For instance, take the method of gamification: one could supplement a cybersecurity presentation with a game of spotting suspicious activity, which compels employees to develop responsive skills. Moreover, engaging employees in hands-on training encourages buy-in and accountability. In all cases of cybersecurity training, it’s a case of train, retrain, and repeat. Too often, organizations hold a single seminar and then expect that to suffice. Given the constant influx of new employees and the constant change in security threats, periodic training should be mandatory.
Identify high-risk users and intervene. Basic human behavior is hard to reprogram, so training should be augmented by constantly updating technology, which has now evolved to detect errant behavior. The advancement of technology has started to solve what seemed to be intractable issues in security and governance, and new capabilities such as predictive analytics and artificial intelligence are able to monitor and influence human behavior. By employing analytics that enable organizations to analyze documents for sensitive content, review user actions, and track the flow of data across the enterprise, cybersecurity stakeholders can now identify many common indicators of negligent or malicious activity, including:
• Accessing, moving, or deleting large volumes of sensitive content
• Inappropriately creating, storing, or sending sensitive content
• Extreme negative sentiment towards the organization in messages
Sending out mock-phishing emails to see who clicks can identify signs of risky behavior, allowing organizations to stage a strategic intervention with high-risk users, or potentially even catch the next “Snowden” in progress. In leveraging such technologies, organizations should consider the issue of privacy, which plays a complex role in today’s regulatory environment. Companies need to engage with the end-users to find out how far out of their way they’re realistically willing to go in their everyday activity to support cybersecurity efforts. In other words, avoid protocols that rely on them doing any more than they actually will.
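As an added example (not ZL Technologies’ code), the following Python flags the first two indicators above over a constructed audit log: a sliding-window count of sensitive-content access/move/delete per user, and sensitive content sent outside the corporate domain or stored in an unapproved location. The log format, field names, corporate domain, approved storage prefix and thresholds are all assumptions.

```python
"""Flag two of the insider-risk indicators listed above over a constructed audit log.
Added example, not ZL Technologies code: the log format, field names, corporate
domain, approved storage prefix and thresholds are all assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str   # ACCESS, MOVE, DELETE, SEND or STORE
    label: str    # SENSITIVE or PUBLIC, as assigned by content classification
    target: str   # file path, recipient address or storage location


# Constructed sample log (assumed format): timestamp user action label target
SAMPLE_LOG = """\
2018-11-20T09:01:00 alice ACCESS SENSITIVE /corp/finance/q3_forecast.xlsx
2018-11-20T09:02:10 alice ACCESS SENSITIVE /corp/hr/salaries.csv
2018-11-20T09:03:05 alice MOVE SENSITIVE /corp/hr/contracts.zip
2018-11-20T09:04:40 alice ACCESS SENSITIVE /corp/legal/merger_memo.docx
2018-11-20T09:06:15 alice DELETE SENSITIVE /corp/finance/audit_2017.pdf
2018-11-20T09:08:00 alice ACCESS SENSITIVE /corp/customers/export.csv
2018-11-20T09:05:00 bob ACCESS SENSITIVE /corp/hr/handbook.pdf
2018-11-20T09:30:00 bob ACCESS PUBLIC /corp/marketing/brochure.pdf
2018-11-20T09:31:00 bob ACCESS SENSITIVE /corp/hr/onboarding.xlsx
2018-11-20T10:45:00 bob MOVE SENSITIVE /corp/hr/leavers.csv
2018-11-20T11:00:00 carol SEND SENSITIVE carol.personal@personal-mail.example
2018-11-20T11:02:00 dave STORE SENSITIVE /media/usb0/customers.csv
2018-11-20T11:05:00 erin SEND SENSITIVE finance-team@example.com
2018-11-20T11:06:00 erin STORE PUBLIC /media/usb0/brochure.pdf
"""

CORP_DOMAIN = "example.com"        # assumed corporate mail domain
APPROVED_STORES = ("/corp/",)      # assumed approved storage locations
BULK_ACTIONS = {"ACCESS", "MOVE", "DELETE"}


def parse_log(text: str) -> List[Event]:
    """Parse the assumed space-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, label, target = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, action, label, target))
    return events


def bulk_sensitive_activity(events: List[Event], threshold: int = 5,
                            window_minutes: int = 10) -> Dict[str, int]:
    """Indicator 1: users who access, move or delete `threshold` or more
    sensitive items within any `window_minutes` period (sliding window).
    Returns {user: peak count in a window} for flagged users only."""
    window = timedelta(minutes=window_minutes)
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.action in BULK_ACTIONS and e.label == "SENSITIVE":
            per_user[e.user].append(e.ts)
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def inappropriate_handling(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Indicator 2: sensitive content sent outside the corporate domain or
    stored outside approved locations. Returns (user, reason, target) tuples."""
    findings = []
    for e in events:
        if e.label != "SENSITIVE":
            continue
        if e.action == "SEND" and not e.target.lower().endswith("@" + CORP_DOMAIN):
            findings.append((e.user, "external-send", e.target))
        elif e.action == "STORE" and not e.target.startswith(APPROVED_STORES):
            findings.append((e.user, "unapproved-store", e.target))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk sensitive activity:", bulk_sensitive_activity(evs))   # {'alice': 6}
    print("inappropriate handling:", inappropriate_handling(evs))     # carol, dave
```

The third indicator (negative sentiment in messages) needs a text classifier and is not attempted here.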
Constantly adapt to changing threats. As the threat focus shifts from external hackers and network vulnerabilities to internal staff and content repositories, the security picture becomes more complex. Fortunately, the rapid advancement in content technologies makes it easier to secure these data repositories and also apply advanced governance and analytics to enable detection and remediation of risky behavior. The advent of these technologies also happens to address other critical issues, such as applying discipline to what is currently unbridled data access by data analytics, and satisfying new privacy regulations such as the General Data Protection Regulation (GDPR). Increasingly, technology and improved practices can help you identify those employees who are most at risk of exposing your company to a cyberattack — before it becomes a major problem.
28
Talk to us at Stand 91 Visit qualys.com/gdpr
29
GET INSPIRED BY THE MANY FACES OF ENTREPRENEURSHIP Every issue covers up-to-the-minute content and presents a unique angle on the things enterprises need to know, from automation to alternative finance. We also gather the best and brightest voices in the community to share their experiences, whether it’s Sarah Wood explaining how she broke all of the rules with Unruly or Timo Boldt telling us how he is cooking up a storm with recipe-box startup Gousto.
EXCLUSIVE
OFFER Media partner for
FIRST PRINTED ISSUE + 12 MONTH ONLINE SUBSCRIPTION FREE: NO OBLIGATION TO CONTINUE Call us today on: 01245 673 700 or visit: elitebusinessmagazine.co.uk/subscription
*Limited to new subscribers at UK addresses only. Please allow 28 days for delivery. Overseas mail: Europe £60; rest of world £95. Offer closes 31.12.18
30
GDPR and digital: beyond compliance, an opportunity
31
With the advent of the digital revolution, data has emerged as the new treasure trove of the 21st century. Today, it is more than just knowledge; it is of strategic and economic importance for companies that are competing for the most innovative Big Data technologies to get ahead of their competitors.
1. Personal data is an integral part of the digital transformation
Given this context, personal data management represents a delicate and potentially tricky topic. GDPR, a new European regulation, is an opportunity to go beyond compliance and make the most of regulatory obligations by implementing a digital transformation strategy.
2. The EU is further strengthening the regulation
The GDPR, or General Data Protection Regulation, was created by the European Union to counter the misuse of data; it came into effect on 25 May 2018. It concerns all European companies as well as all non-European companies that handle the personal data of people living in the EU region. The regulation reinforces the concepts of consent, the right to be forgotten and free access, and introduces the right to data portability. Furthermore, the failure to adhere to these principles leads to substantial financial penalties. More importantly, the GDPR principles impact the entire data cycle, from data collection to data deletion.
3. GDPR should be seen as an opportunity
Can this constraint be seen as an opportunity? Although the regulation only concerns personal data (for now), it’s an opportunity for companies to better understand the data that they possess, know where it is, how it is used, and especially, for what purpose it is used. Consequently, the potential linked to GDPR becomes evident. Without making an exhaustive list, it is however interesting to look at the most relevant ideas: data quality (accuracy and freshness), prioritisation of useful data, deletion of unnecessary data records, simplified and faster processing, more refined targeting, better use of data, standardisation of practices, process optimisation, resource prioritisation, inbound marketing and intelligent content... And to realise that these transformation streams will be accompanied by the explosion and evolution of several services: digital vaults for personal data, blockchain enabling “Zero Knowledge Proof”, etc. Implementing GDPR is the best way to relaunch your digital transformation, to move from quantitative to qualitative data, a disruption of the Big Data model towards the Smart Data model.
4. How to define a GDPR strategy
Investing in GDPR for going beyond compliance requires that you establish a clear, complete and coherent strategy. The roadmap of this strategy should validate 3 key steps: assessing compliance and defining the level of ambition; implementing the main GDPR principles combined with an ambitious digital transformation; ensuring business sustainability. It’s an opportunity to draw a clearer course of action, with reliable and transparent data that will help build trust not only with consumers, but also with employees, partners and prospects. 25th May 2018 did not mark the “deadline” of meeting compliance, but rather the beginning of a new digital agenda.
32
STAND 11 Processing data in a post-Brexit world
By Darren Hockley, Managing Director, DeltaNet

The physical movement of goods and people across EU borders post-March 2019 is quite rightfully attracting much attention. Whilst these concerns are undoubtedly valid (British consumers are likely to face raised prices on imported goods and long queues at the borders, whilst exporters can expect tariff increases and more stringent customs controls leading to delays), in a world where data is the coin of the realm, it seems prudent to consider Brexit’s impact on the digital economy. More specifically, on the movement and processing of data in cyberspace, where geographical borders are less apparent.

Close to 80% of the UK economy is service-driven and reliant on the free flow of data. Additionally, many of these businesses operate in more than one territory, digitally speaking. It’s not uncommon, for example, for organisations in the UK to store vast amounts of personal data on servers located in the EU (many companies outsource their data storage to satellite locations to save on costs). It’s equally commonplace for organisations in the EU to do business with service providers based in other EU member states, or to have regional headquarters across many countries and to transfer data between them. It’s just par for the course in the modern global economy; something we all take for granted.

The rise of Cloud computing is also worth consideration as the UK edges closer and closer to Brexit, be it hard or soft. This is because The Cloud raises questions as to exactly where data is and what data protection laws govern its use and access. Remember, even in The Cloud, servers still have to be physically located somewhere – and not necessarily in the same country as your service provider.

Data Transfer: Deal or No-Deal
Regardless of a deal or no-deal Brexit, the EU’s recently-implemented data protection legislation – the GDPR – won’t automatically extend to the UK.
That’s because, post-Brexit, the UK will assume ‘third country’ status under the regulation and, as such, will be subject to restrictions on the transfer of data in and out of the EU. The UK will be required to prove its data protection ‘adequacy’ in order for UK-based organisations to move data in and out of the EU – part of the reason the Data Protection Act (DPA) 2018 was implemented in the UK alongside GDPR, to keep British data protection law on par with that of the EU. It’s inconceivable that a Brexit deal with the EU wouldn’t
grant data protection adequacy to the UK. However, in a no-deal scenario, the UK’s adequacy is more elusive. Whilst the DPA 2018 ensures that it’s highly likely the UK will eventually be deemed adequate for data transfer by the EU, the word from Brussels is that this won’t even be considered until the UK has already departed the Union. In other words, the UK will have to sweat it out without adequacy status until the EU scopes us out – a degradation of trust that could potentially devastate UK/EU business relations.

In order to bridge the gap (and hopefully deter EU businesses from finding partners closer to home) it’s likely that many UK organisations will turn to contract law for help. Negotiating contracts with specific data protection clauses that meet GDPR standards could help maintain data fluidity between the UK and EU in the aftermath of Brexit, but it’s not a perfect solution. Not only will drawing up new and more in-depth contracts raise the cost of business for UK organisations, but it’s likely that some EU businesses will look upon the UK (and our not-yet-adequate treatment of data) with an element of distrust. GDPR may have raised the stakes when it comes to protecting data, but Brexit threatens its free movement.

Advice for UK Organisations
At this stage, all UK businesses should fully align their practices with the Data Protection Act 2018. As the UK’s implementation of GDPR, this seems the best advice for any organisation looking to maintain business relations and partnerships across the EU (not to mention those who want to mitigate the risk of a data breach!). Doing so will include implementing data controller / data processor agreements or contracts with your clients, particularly if you work with or process data from EU citizens. Clauses like this, which align with GDPR, will ensure both parties are legally obliged to protect the rights of individuals whose data is being processed.
It also means UK businesses will be less vulnerable to distrust from our EU associates, whatever the outcome of Brexit negotiations.
DeltaNet will be exhibiting at Data Protection World Forum at Excel London November 20th-21st. Come and visit the team on stand 11 to learn more about processing data and GDPR compliance.
33
Are You Using Spreadsheets?
YOUR COMPLIANCE IS AT RISK Gain full control, trust and compliance with DataRails’ Spreadsheet Management Solution for financial users
Come see it in action at booth 84
34
STAND 24
The Recovery Imperative: restarting your business in the aftermath of a destructive malware attack
Nick Turner, Senior Director Data Protection Solutions, Dell Technologies United Kingdom & Ireland

Here at Dell Technologies we are in a privileged position of being a trusted partner to our clients, helping them to secure their data assets across the extended data protection continuum. This means in reality that we are providing solutions spanning from active-active replication, through traditional backup & recovery techniques, right through to long-term retention, and everything in between! Security has always been a vital component of a data protection strategy, and for good reason. Keeping the bad guys out has never been more important! However, I would argue that in the last 10 years or so the relationships and inter-working between the Security and IT teams that support other data protection functions within many of our customers have not been working in an optimal way. Security teams struggle with a wide brief: perimeter threat detection, network security, authentication and of course preventing aggressive destructive malware attacks. Data protection teams focus on data replication, security, backup, recovery and archiving. These teams do not always collaborate perfectly!

This world we have been living in for the last 10 years is changing and we need to help our customers create a more integrated approach to protecting their businesses and their data against today’s threats. The reason that the security and data protection worlds are converging at a faster rate than ever is down to the changing nature of the cyber threats we all face. We’ve seen the rise of destructive malware & insider-led cyber-crime; cyber-attacks such as ‘WannaCry’, ‘Petya’ and ‘notPetya’ have caused havoc in many companies and industries due to the destructive nature of their objectives. We can observe some stark learnings as a result of reviewing how companies were affected.
There have been many insightful articles written about how the affected companies & organizations dealt with incident response and business recovery in the direct aftermaths of these attacks. These observations include:
1. Breaches will happen. It is inevitable. In fact the greatest threat many organizations face today is from ‘insider’-led cyber-crime. As many security experts warn, ‘It’s not a question of if you will be breached, rather than when you will be breached…’
2. Once a destructive cyber-attack is underway, the attacks can proliferate across global networks in minutes. IT systems & services collapse quickly & all network-connected systems are exposed.
3. Once such an attack has occurred (assuming your organization’s defences have been breached) the focus quickly comes onto your recovery strategy. This is not like traditional IT system recovery; this is recovery 2.0. You may be working in the dark, with no access to networks, applications, recovery systems or communication tools. Recovery becomes your only imperative. If you cannot recover, the future of your organization/business is in doubt.
4. At this point, your ability to execute a successful IT services recovery is no longer an issue for the IT department, the Security Operations Centre etc. It has become a board-level issue and your customers and shareholders expect to see board-level ownership and communication.
So with this in mind, does your organization have a clear, unambiguous recovery strategy that is understood from the board level down, that integrates all the business functions under an integrated strategy, and that can be executed seamlessly should the worst-case scenario happen?
I will be discussing ‘The Recovery Imperative – restarting your business in the aftermath of a destructive malware attack’ at the ISF Risk Management and Cyber Security Theatre at the Data Protection World Forum on November 21st 2018.
35
STAND 16
Implementing Information Security in a World

From the GDPR to the Brazil General Data Protection Law to the California Consumer Privacy Act, new regulations emerging throughout the world require businesses to emphasize data protection as a new facet of security across their systems. At its simplest, this can mean just understanding where a company has data. At its more sophisticated, it requires implementing new technical systems and human-centered business processes around data management wherever it exists: across the cloud, on premise, shared drives, or in paper filing systems.

How are changes in data protection regulations affecting information security?
Information security is a wide-ranging practice covering everything from cyber risk management to application security to identity management to human business process improvement and culture. But there is a new risk in town, and that is the threat of data protection liabilities in the wake of new regulations that are sweeping the world, like GDPR. Organizations must now see data not only as an asset but also consider it as a liability. Put another way, as businesses are becoming increasingly digital, the intangible asset line item on the balance sheet is growing, but there has not been a concomitantly wide consideration of the “intangible liability” that data in general, and personal data in particular, presents. It is data protection regulation that will turn uncontrolled data into liabilities (whatever the accountants choose to call it!) and these liabilities should be subsumed alongside other impacts into the overall security risk models of an organization. Data protection regulation is an increasingly important risk that is crossing into the security sphere.
Data protection regulation and security threats GDPR and similar regulations essentially mandate best practices for data security and usage. Although they do not match precisely (GDPR compliance ≠ ISO27001 compliance), much of the contents of security standards like ISO27001 are subsumed within GDPR. The principal difference is that in the past if a business did not implement best security practices, they were open to threats like external hacks, data breaches, and more. The consequence was reputational damage and loss of customer confidence. In a post-GDPR world, these threats will also manifest in regulatory fines as well. Businesses need to plan for and assign responsibilities for data protection compliance and build technical and process measures to control these threats.
of staffing needs. At the most apparent, GDPR literally mandates a new position for some organisations in the form of a Data Protection Officer (DPO). However, the actual implementation of the processes and assignment of responsibility to implement those processes is more complicated. At clients Ohalo has worked with, the first port of call in many organizations in preparing for GDPR was the legal function of the business or their lawyer. This is normal since much of the process and technology improvement came down to how the regulation was interpreted in the context of a particular business. After this initial breakwater, the actual role of the implementation is somewhat diverse and there seems to be some confusion over where the role of the person that is in charge of implementing data protection measures should sit in a company. What is best practice? Should it be a legal issue? An IT issue? A security issue? Who is in charge? In some large companies, there are fairly clearly defined lines in the form of Chief Data Offices or newly created Chief Privacy/ Protection Offices. In medium sized companies we find that the task normally falls to a legal or security function. And, in smaller companies technology and legal functions seem to be taking the reins. However at the end of the day someone needs to get “close to the data” and put processes in place that determine how an organization is protecting data.
Helping troops on the front line The lesson is that security is a task for everyone. Roles that were not formerly data centric are increasingly so. Roles that were not formerly involved with enabling a sound regulatory environment are increasingly so. The lines between legal, IT, and security are increasingly blurred with new data protection regulation and all of these roles need to be
About Ohalo At Ohalo we build tools that help security and legal staff gain granular insight to how data is managed within their organizations. The Data X-Ray is a machine learning data classification, discovery, and entity scanning tool that identifies personal data throughout our clients’ estates so that they know exactly where the personal data that they hold is stored, how it is accessible, and where a particular data subject’s data sits.
Assigning responsibility for data protection threats and bringing together cross-functional teams Stronger data protection regulation is requiring a reworking
36
STAND 53 To report or not to report, that is the question
Philip Greaves, Director, Protiviti
Tom Lemon, Managing Director, Protiviti
How do organisations ensure that they are equipped to adequately report data breaches without going too far? Philip Greaves and Tom Lemon, from Protiviti, explore the balance between effective reporting and over reporting. The General Data Protection Regulation (GDPR) requires that, in the event of a personal data breach, the data controller – without undue delay and, where feasible, no later than 72 hours after becoming aware of it – notifies the appropriate supervisory authority. Organisations are clearly taking this requirement to heart. The Information Commissioner’s Office (ICO) received 1,750 breach reports in June 2018, compared with 400 breaches on average reported in April and May. The ICO has indicated that around a third of data breaches are being closed with no further action required, which suggests excessive reporting is taking place.
What constitutes a personal data breach?
A personal data breach is defined as a breach of security, leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. Notification to the supervisory authorities is required where the breach is likely to result in a “risk to the rights and freedoms of natural persons” and to the data subject where the risk is considered to be high. GDPR relies heavily on a risk-based approach to determine whether a breach triggers a personal data breach notification. What might appear to be a risk to the rights and freedoms of individuals may differ from case to case and so it will be important to have effective risk management decision making to support your breach reporting process.
So how do organisations develop a risk-based approach?
Effective assurance of your GDPR activities is critical. Data breach response plans must be effectively and regularly tested. Companies need to assess that the right people can make the right decisions with the right data in the required timelines. To avoid over reporting of data breaches, it is critical that you have a well-defined risk assessment methodology. If you have existing mechanisms as part of your company-wide enterprise risk management (ERM) framework, then this should be aligned to your existing methodology. However, where this does not exist, it is important that you have a defensible approach for assessing your criteria for risk to the rights and freedoms of natural persons, considering carefully the impact of the event. You do not want to over report to the supervisory authorities, but equally, if you don’t report, it is imperative that your decision is clearly justified and documented. Data breaches will commonly be a trigger for data subject complaints and may lead to investigations.
Are you equipped to handle the speed mandated by GDPR Article 33?
Considering the very short reporting window, an unplanned approach to breach notification may prove disastrous. To minimise the impact of a personal data breach, organisations must have a 72-hour incident-response plan in place and regularly tested. It should be based on a clear policy, have consistent processes around breach detection, and spell out the process to determine if and how personal data has been affected and how and when to respond. Many organisations are adapting their existing cyber breach response plans but it is critical that the risk assessment and reporting components are adequately incorporated into this process to effectively address the GDPR requirements. There are eight preparatory actions we recommend organisations undertake now in order to be ready to effectively respond to breaches in compliance with the GDPR:
1. Establish a formal incident-response policy and plan.
2. Include a process to determine if personal data is impacted and the risk to data subjects.
3. Form an incident-response team.
4. Develop a communication plan.
5. Maintain an up-to-date personal data inventory.
6. Regularly assess your organisation and supply chain for possible threats.
7. Be ready to contain, remediate and recover from incidents.
8. Train the incident-response team and regularly rehearse and update the plan.
Conclusion
It is critical that you get this process right. Do it well and your organisation can survive and thrive after a breach event. Do it badly and the potential fines and reputational damage could be catastrophic.
About Protiviti
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Our consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.
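The Protiviti piece above argues for a defensible, documented risk assessment behind every Article 33/34 decision and a plan that respects the 72-hour clock. The following Python is an added example written for this guide, not Protiviti's methodology or tooling: it encodes the two GDPR tests (notify the supervisory authority unless the breach is unlikely to result in a risk; notify data subjects when the risk is high, except where the data was rendered unintelligible) as a scoring function whose factors, weights and thresholds are assumptions made for the example, computes the Article 33 deadline from the moment of awareness, and emits the decision record that Article 33(5) requires for every breach, whether notified or not. The three incidents are constructed sample data.

```python
"""Illustrative risk assessment and Article 33/34 notification decision for the
breach-reporting process described above. The scoring factors, weights and
thresholds are assumptions made for this example, not Protiviti's methodology,
and the three incidents are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# GDPR Article 9 special categories: their exposure weighs most heavily
SPECIAL_CATEGORIES = {"health", "genetic", "biometric", "racial_or_ethnic_origin",
                      "political_opinions", "religious_beliefs", "sexual_orientation",
                      "trade_union_membership"}
FINANCIAL_CATEGORIES = {"bank_details", "payment_card"}
NOTIFY_SA_WITHIN = timedelta(hours=72)    # Article 33(1): 72 hours from becoming aware


@dataclass
class Breach:
    reference: str
    description: str
    became_aware: datetime          # the Article 33 clock starts here
    data_categories: Set[str]
    subjects_affected: int
    breach_type: str                # "confidentiality", "integrity" or "availability"
    unintelligible: bool            # e.g. encrypted, keys not compromised (Art. 34(3)(a))
    contained: bool                 # e.g. recipient confirmed deletion


def assess_risk(b: Breach) -> Tuple[str, List[str]]:
    """Score the likely impact on data subjects and keep the reasons for the record.
    Weights and thresholds below are assumptions for this example."""
    factors = [
        (bool(b.data_categories & SPECIAL_CATEGORIES), 3, "special category data exposed"),
        (bool(b.data_categories & FINANCIAL_CATEGORIES), 2, "financial data exposed (fraud risk)"),
        (b.subjects_affected >= 1000, 2, f"{b.subjects_affected} data subjects affected"),
        (100 <= b.subjects_affected < 1000, 1, f"{b.subjects_affected} data subjects affected"),
        (b.breach_type == "confidentiality", 1, "data disclosed to an unauthorised party"),
        (b.unintelligible, -3, "data unintelligible to the recipient (encryption intact)"),
        (b.contained, -1, "breach contained; onward disclosure unlikely"),
    ]
    score, reasons = 0, []
    for applies, weight, reason in factors:
        if applies:
            score += weight
            reasons.append(reason)
    score = max(score, 0)
    level = "high" if score >= 5 else "risk" if score >= 2 else "unlikely"
    return level, reasons


def notification_decision(b: Breach) -> Dict[str, object]:
    """Apply the Article 33/34 tests. Article 33(5) requires this record for every
    breach, whether or not a notification is sent, so it is produced in all cases."""
    level, reasons = assess_risk(b)
    return {
        "reference": b.reference,
        "risk_level": level,
        "notify_supervisory_authority": level in {"risk", "high"},          # Art. 33(1)
        "notify_data_subjects": level == "high" and not b.unintelligible,   # Art. 34(1), 34(3)(a)
        "sa_deadline": b.became_aware + NOTIFY_SA_WITHIN,
        "justification": reasons,
    }


def hours_remaining(b: Breach, now: datetime) -> float:
    """Hours left on the Article 33 clock (negative once the window has passed)."""
    return (b.became_aware + NOTIFY_SA_WITHIN - now).total_seconds() / 3600


# Constructed sample incidents (hypothetical references and facts)
BREACHES = [
    Breach("INC-2018-001", "Unencrypted laptop holding an HR export lost on a train",
           datetime(2018, 11, 20, 9, 30), {"name", "health", "bank_details"}, 2500,
           "confidentiality", unintelligible=False, contained=False),
    Breach("INC-2018-002", "Encrypted backup tape lost in transit, keys held separately",
           datetime(2018, 11, 20, 14, 0), {"name", "email"}, 50000,
           "confidentiality", unintelligible=True, contained=True),
    Breach("INC-2018-003", "Customer list emailed to the wrong external recipient",
           datetime(2018, 11, 21, 8, 15), {"name", "email"}, 120,
           "confidentiality", unintelligible=False, contained=False),
]

if __name__ == "__main__":
    for breach in BREACHES:
        print(notification_decision(breach))
```

Run as a script it prints one decision record per incident: the lost laptop is high risk (both notifications, deadline 23 November 09:30), the encrypted tape is assessed as unlikely to result in a risk and is only documented, and the mis-sent email is notified to the supervisory authority but not to the data subjects. The justification list is what an organisation would keep as evidence that a non-report was a reasoned decision rather than an omission.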
37
STAND 22 10 Frequently Asked Questions about GDPR
By Steve Flockhart, Compliance Manager, iomart
The UK’s Most Accredited Cloud Company
Despite the fact that it has now been 6 months since the enforcement date of GDPR in the UK, recent research by TrustArc highlights that only 20 percent of companies surveyed believe they are GDPR compliant. The official Regulation document is 88 pages long so, rather than making you read every clause, we have boiled it down to these 10 FAQs. They highlight some of the key points you should be aware of as you try to make your organisation GDPR compliant.
1. Who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they are dealing with data belonging to EU citizens. It is the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the UK Data Protection Act.
2. What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
3. In light of an uncertain ‘Brexit’, I work for a UK-based company and want to know if I should still continue with GDPR planning and preparation?
The short answer is ‘yes’. The UK is due to leave the EU in March 2019, almost a year after the GDPR has come into force. Post-Brexit, if you sell goods or services to people in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the regulation. The UK Government has indicated it will implement an equivalent legal mechanism, and the expectation is that any such legislation will largely follow the GDPR. So, it looks like Brexit will have minimal, if any, impact on the requirement for UK organisations to be GDPR compliant.
4. Who does the GDPR affect?
The GDPR will apply to businesses and organisations located within the EU but also to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
5. What constitutes personal data?
Any information related to a natural person or ‘data subject’, which can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
6. Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent - and what is the difference?
The conditions for consent have been strengthened, as organisations will no longer be able to utilise long illegible terms and conditions full of legalese. The request for consent must be given “in an intelligible and easily accessible form”, with the purpose for data processing attached to that consent - meaning it must be unambiguous. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data (such as data revealing racial or ethnic origin, health data or genetic data) - in which context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.
7. What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which was a directive.
8. Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities; (b) organisations that engage in large scale systematic monitoring; or (c) organisations that engage in large scale processing of sensitive personal data. If your organisation does not fall into one of these categories, then you do not need to appoint a DPO. For more detail see Article 37 of the GDPR.
9. How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a high risk to the rights and freedoms of individuals must be notified to the relevant Data Protection Authority within 72 hours and to affected individuals “without undue delay”.
10. What are the penalties for non-compliance?
Organisations could be fined up to 4% of annual global turnover or a maximum of €20 million, whichever is the greater, for the most serious infringements. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. Basically if you don’t follow the basic principles for processing data, such as consent; ignore individuals’ rights over their data; or transfer data to another country; you could incur significant financial penalties.
38
Privacy Compliance and Risk Management
TrustArc Privacy Solutions
20+ Years Experience
1,000+ Clients
Deep Privacy Expertise
Global Coverage
Privacy Platform
• Data Flow Manager
• Assessment Manager
• Cookie Consent Manager
• Direct Marketing Consent Manager
• Website Monitoring Manager
• Individual Rights Manager
• Ads Compliance Manager
Consulting & Training
• GDPR Maturity Assessment
• CCPA Priorities Assessment
• DPIA / PIA Program Development
• Breach Response Plans
• Policies and Procedures
• HIPAA Assessments
• Employee Training
Compliance Validation
• GDPR Validation
• Privacy Shield Verification
• APEC CBPR / PRP Certification
• Kids Privacy / COPPA Certification
• TRUSTe Enterprise Certification
• Dispute Resolution Service
39
US +1 888 878 7830 | UK +44 203 078 6495 | FR +33 420 102 065 | DE +49 221 569 4412 | www.trustarc.com | © 2018 TrustArc Inc
TrustArc Privacy Solutions
Privacy Platform
• Data Flow Manager – Build a data inventory, data flow maps, and GDPR Article 30 reports to identify and manage risk
• Assessment Manager – Conduct and manage DPIAs/PIAs and privacy risk assessments in compliance with GDPR Article 35
• Cookie Consent Manager – Manage user consent to address GDPR cookie usage requirements
• Direct Marketing Consent Manager – Ensure proper consent is obtained and managed for direct marketing programs
• Website Monitoring Manager – Identify and manage the use of trackers on your digital properties
• Individual Rights Manager – Analyze and respond to data subject access rights requests, in compliance with the GDPR Articles on data subject rights
• Ads Compliance Manager – Obtain and manage user ads preferences across all devices, in compliance with DAA, EDAA and DAAC guidelines
Consulting & Training
• GDPR Maturity Assessment – Assess GDPR maturity and develop an action plan
• CCPA Priorities Assessment – Assess your California Consumer Privacy Act readiness and develop an action plan
• DPIA / PIA Program Development – Develop the processes, templates and tools to conduct privacy risk assessments
• Breach Response Plans – Develop a working response program with the help of our privacy experts, along with optional training
• Policies and Procedures – Assess privacy policies and procedures against industry standards and best practices
• HIPAA Assessment – Assess compliance with HIPAA requirements and develop a remediation plan
• Employee Training – Train employees on privacy and data management best practices
Compliance Validations
• GDPR Validation – Validate privacy program practices meet GDPR standards
• Privacy Shield Verification – Verify customer and HR privacy practices meet Privacy Shield standards
• APEC CBPR / PRP Certification – Certify privacy practices meet the APEC CBPR or PRP standards
• Kids Privacy / COPPA Certification – Certify privacy practices meet the Kids Privacy / COPPA standards
• TRUSTe Enterprise Certification – Certify privacy practices meet industry standards, including FIPPs and OECD
• Dispute Resolution Manager – Manage privacy inquiries from consumers in compliance with Privacy Shield requirements
40
STAND 18 Opportunities become apparent when business becomes transparent
Simon Loopuit - Trusthub Thanks to the GDPR and the rise of increased data regulation, many companies have become paranoid about staying on the right side of regulatory authorities such as the ICO. Of course, you shouldn’t attract their attention with harmful breaches or poor data management practices that contravene the rules but, at the same time, it is important to remember that they’re not actually the people paying the bills and keeping a roof over your business’s head. Enterprises rarely embrace new rules when they first come along. They often fail to see the opportunities that always exist at the heart of regulatory driven change. But as they adapt to the new privacy-savvy culture that initiatives like GDPR have inspired, the concept of genuine operational transparency is gaining real traction. Simply doing what’s required to keep the regulator happy is no longer the goal for such enterprises. Their real objective is to embrace cultural change and ensure privacy management becomes a valuable business asset. At trust-hub, we call this process Personal Data Governance.
Personal Data Governance
The thrust of Personal Data Governance is that regulations define minimum standards to avoid an official sanction but they do not define success in business - that is about having a successful privacy strategy and executing against it. In privacy terms this means embracing the relationships we have with commercial stakeholders, such as data subjects or partners and collaborators in the wider data supply chain. Privacy has historically been low on the list of business priorities, and transparency virtually non-existent, so the new regulations, like the GDPR or California’s Consumer Privacy Act, can be seen as elevating the minimum standard and providing transparency but it is just a catalyst and not an end state. Put another way, markets adapt to changing information: witness the rapid demise of diesel vehicles, the rise of diversity in the workplace, the growing dominance of e-commerce over the High Street, and the winners are the agile organisations that integrate new concepts in their strategy and make virtues out of them.
So what can we learn from this? When devising a privacy policy for your organisation, don’t just wheel out the standard GDPR template. Look at your brand and how you want to be perceived. For example, the European staff of a global business have the legal right to see all their personal data and can formalise this by submitting a Subject Access Request, but what about the team members in Hong Kong or New York - will you treat them differently just because the Regulation allows you to? It is fine for the lawyers to get buried in the fog of the regulations, advising on the minutiae of what constitutes consent, or what form should an Article 30 report take, but now we have passed the May 25th deadline, privacy teams need to start moving the agenda towards helping their organisations define a winning privacy strategy and converting this into a set of policies that will achieve it. Behaviour ceases to be good long before it constitutes a crime.
About Simon Loopuit Simon Loopuit is a serial entrepreneur and experienced CEO with a successful track record in software and outsourced services. Skilled in Data Privacy, User Experience, Enterprise Software, Customer Relationship Management (CRM), and Go-to-market Strategy. Bachelor of Laws (LLB) and chartered accountant (ACA).
41
Data Protection Through Intelligent Connection
DataGrail helps companies operate efficiently and maintain compliance under data protection regulation, streamlines data subject access requests, and grants customers control over their communication preferences.
Visit us at Booth 93 for a product demo!
With our integrated product, clients are able to operate efficiently while supplying customers with requested information and complying with government regulation.
Request Manager
Privacy Portal
Preference Card
• Manage GDPR requests for access and deletion through legal, sales, and management
• Automate transfers and deletions of personal data in third-party systems
• Grant users control of communication settings across platforms
• Streamline requests from data subjects with advanced tracking
• Compatibility with numerous databases and applications
• Integrated with email for communication and file transfer
• Remove human error and manual data processing for access and deletion requests
• A single preference can map to multiple actions across any configured system, including Marketo, Pardot, Salesforce, Outreach, Salesloft, and more
• Maintain privacy by design to demonstrate compliance
• Advanced user interface for customer peace of mind
GDPR and Customer Challenges
GDPR applies to any entity that is established in the EU, processes data on persons of the EU of which you provide goods and services to, or monitors behavior of EU residents.
Rights given to data subjects:
• Request for personal data to be deleted
• Access to personal data
• Halt on personal data processing
• Correction of personal data
Consent is required for data processing or information collection. Most companies with personal data have it stored in multiple third party systems, without a process for retrieving or deleting it for a specified user.
DataGrail Highlights. Our Differentiators
• Rapid Implementation: 3-6 weeks
• Trusted by our clients
• 40+ Readily available integrations
• Minimize impact of conforming to data regulation for sales & legal teams
• Simple, user-friendly interface - Perfect for engineering, legal, and sales teams alike
• Easy processing of internal and external GDPR requests
• and many more...
datagrail.io
42
We can help you protect your important data.
You’ll find us at #S28.
Stop by and let’s chat. And don’t miss our session.
Encryption Is More Than a Button: It’s digital transformation security. GDPR Refresh Theatre, Tue. @13:35
A trusted path to secure communications
echoworx.com Email Encryption | Document Delivery | Secure Bulk Mail | Secure Webmail
43
STAND 40 Data on the loose: why it’s time to regain control
Security strategies tend to focus on keeping external threats out of the enterprise network, but many organisations are leaving themselves vulnerable to data breaches with poor internal practices. In particular, some of the most significant data breaches in recent years have been the result of bad practice around managing and securing data on the network. Varonis recently investigated the extent of this problem by analysing more than six billion files held by 130 organisations as part of its 2018 Global Data Risk Report. With the GDPR introducing strict new requirements on data security, it has never been more important to take control of data.
Open access
The most extensive issue we encountered was a lack of proper control over who could access sensitive data. 58 percent of the organisations we analysed had more than 100,000 folders open to all employees and, in total, 21 percent of all the folders in our investigation had no access controls at all. Worse yet, 41 percent of companies had at least 1,000 sensitive files open to all employees. Unsecured folders that are open to global access groups – those set to Everyone, Domain Users, or Authenticated Users – are also a major windfall for attackers that have breached the network, granting easy access to key data such as intellectual property and customer data. Poor access control also increases the threat of a malicious insider abusing their position.
Ghosts in the system
Not only are organisations struggling to keep track of what users can access, many also fail to track which accounts exist at all. Many enterprise networks are full of ghost users – accounts which are supposedly inactive but still retain their full capability to login to the network and access files. On average, we found 34 percent of all user accounts in an organisation were actually ghosts. These old accounts are another gift to external attackers, who can use them to move around the network with impunity and are largely unmonitored. Former employees could also log back in after leaving the organisation to access sensitive files – a favoured tactic used by some for gaining goodwill after joining a competing company. Compounding this issue, 46 percent of organisations also had more than 1,000 users with passwords that never expire. This means that many ghost accounts can be utilised by threat actors months or even years later.
The risk of stale data
Alongside old user accounts, most organisations also have a major problem with old, unused data that is no longer being used in daily operations. We found that on average, 54 percent of all data on the network was stale, and this commonly included sensitive data such as critical information about employees, customers, projects and clients. Stale data creates an unnecessary storage expense and complicates data management, but also poses a major security risk. The more data on the system, the more damage an intruder or malicious insider can do when they access the network. Additionally, much of this data is subject to regulations such as PCI DSS and the GDPR, exposing the organisation to added liability.
The least privilege approach
One of the best places to start for any organisation seeking to regain control of its data is to sort out file access. Firms need to run a full audit of all servers to identify any data containers such as folders, mailboxes and SharePoint sites, that have global access groups applied to their ACLs (access control lists). These global access groups need to be replaced with tightly managed security groups that ensure only appropriate users have access to sensitive and regulated data. Moving forwards, a least privilege approach should be used for all access permission, with users only accessing as much as they need to perform their roles. Companies should also work to exorcise their ghost users by ensuring stale accounts are disabled or outright deleted. Behavioural analysis can be used to understand what constitutes normal user behaviour and better spot inactive users and other behavioural anomalies. Finally, the way data is collected and stored should follow the principles of privacy by design. This includes minimising the amount of sensitive data that is collected and how long it is stored for and reducing the number of users that can see it, using a least privilege approach. Networks also need to be analysed for stale data and the findings should be either deleted or archived, particularly data that is sensitive or covered by a regulation. By going back to analyse their current data practices and laying new groundwork to ensure data is collected, stored and accessed securely moving forwards, organisations can gain control of their data and drastically reduce the risk of both internal and external threats.
By Matt Lock, director of sales engineers, UK, Varonis.
iomart offers a simple solution to this problem. We have all the components required to help a business transition to the cloud, from a team of expert consultants to our own data centre estate, and everything in between. We are totally vendor, platform and technology agnostic (we are a fully certified and accredited partner with all the major players), ensuring that the solutions we provide are tailored to suit your exact business requirements. Working with you at every stage of your cloud journey from discovery to delivery – we’ll help you navigate the complexities involved in building and operating cloud systems.
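The Varonis article above describes three audit findings (folders open to the global groups Everyone, Domain Users and Authenticated Users; ghost accounts that are still enabled; stale data) and one remediation (replace global groups on an ACL with a tightly managed security group). The Python below is an added example for this guide, not Varonis code or output from the Global Data Risk Report: it runs those checks over a constructed inventory of folders and accounts (the server name fs01, the group names, the account names and the 180-day stale and 90-day inactive thresholds are all assumptions) and produces the same style of headline percentages the report quotes.

```python
"""Audit a file-share inventory for the three problems the article describes:
folders open to global access groups, ghost (inactive) accounts and stale data.
All folders and accounts below are constructed sample data, not figures from
the Varonis report; thresholds (180 days stale, 90 days inactive) are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Global access groups that should never appear on the ACL of a sensitive folder
GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


@dataclass
class Folder:
    path: str
    acl: Set[str]            # principals granted access
    sensitive: bool          # holds personal or otherwise regulated data
    last_modified: date


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]   # None means the account has never logged on
    password_never_expires: bool


def is_globally_open(folder: Folder) -> bool:
    """True when any global access group is present on the folder's ACL."""
    return bool(folder.acl & GLOBAL_GROUPS)


def audit_folders(folders: List[Folder], today: date,
                  stale_after_days: int = 180) -> Dict[str, List[str]]:
    """Flag globally open folders, the sensitive subset of them, and stale folders."""
    findings: Dict[str, List[str]] = {"global_access": [],
                                      "sensitive_global_access": [], "stale": []}
    for f in folders:
        if is_globally_open(f):
            findings["global_access"].append(f.path)
            if f.sensitive:
                findings["sensitive_global_access"].append(f.path)
        if (today - f.last_modified).days > stale_after_days:
            findings["stale"].append(f.path)
    return findings


def ghost_accounts(accounts: List[Account], today: date,
                   inactive_days: int = 90) -> List[str]:
    """Enabled accounts that have not logged on within inactive_days (or ever)."""
    return [a.name for a in accounts
            if a.enabled and (a.last_logon is None
                              or (today - a.last_logon).days > inactive_days)]


def never_expiring_passwords(accounts: List[Account]) -> List[str]:
    """Enabled accounts whose password never expires: a ghost stays usable for years."""
    return [a.name for a in accounts if a.enabled and a.password_never_expires]


def least_privilege_acl(folder: Folder, owning_group: str) -> Set[str]:
    """Remediation: swap the global groups for one tightly managed security group."""
    return (folder.acl - GLOBAL_GROUPS) | {owning_group}


def summary(folders: List[Folder], accounts: List[Account], today: date) -> Dict[str, float]:
    """Headline percentages in the style of the report, for a management summary."""
    open_count = len(audit_folders(folders, today)["global_access"])
    ghost_count = len(ghost_accounts(accounts, today))
    return {
        "pct_folders_global_access": round(100.0 * open_count / len(folders), 1),
        "pct_accounts_ghost": round(100.0 * ghost_count / len(accounts), 1),
    }


# Constructed sample inventory (hypothetical server fs01 and hypothetical accounts)
TODAY = date(2018, 11, 20)
FOLDERS = [
    Folder(r"\\fs01\finance\payroll", {"Domain Users", "Finance-Admins"}, True, date(2018, 11, 1)),
    Folder(r"\\fs01\public\templates", {"Everyone"}, False, date(2016, 3, 14)),
    Folder(r"\\fs01\hr\contracts", {"HR-Staff"}, True, date(2017, 2, 2)),
    Folder(r"\\fs01\eng\src", {"Engineering", "Authenticated Users"}, False, date(2018, 11, 19)),
]
ACCOUNTS = [
    Account("alice", True, date(2018, 11, 19), False),
    Account("bob", True, date(2018, 5, 1), True),
    Account("carol.leaver", True, None, True),
    Account("dave", False, date(2017, 1, 1), False),
    Account("erin", True, date(2018, 9, 30), True),
]

if __name__ == "__main__":
    print(audit_folders(FOLDERS, TODAY))
    print("ghosts:", ghost_accounts(ACCOUNTS, TODAY))
    print("passwords never expire:", never_expiring_passwords(ACCOUNTS))
    print("payroll remediated ACL:", least_privilege_acl(FOLDERS[0], "Finance-Staff"))
    print(summary(FOLDERS, ACCOUNTS, TODAY))
```

On the sample inventory the payroll share is the one finding that matters most (sensitive and readable by Domain Users), bob and carol.leaver are ghosts, and three enabled accounts have non-expiring passwords. In a real estate the Folder and Account records would be populated from the file servers and the directory rather than typed in, and the disabled account dave is deliberately skipped by the ghost check because disabling is the remediation the article recommends.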
44
SIMPLIFYING COMPLIANCE
Many organisations are struggling with compliance and deploy significant resources designing processes and systems to support the implementation. DPOware is a proven solution that provides a full operating model out of the box, delivering the following benefits to our customers.
TRUST
• SECURITY – Clear picture of requirements, compliance degree (version controlled checklist – updated on an ongoing basis) and audit trail on assessments.
• COMPLIANCE – Real time overview of risk profiles, gaps and actions across compliance areas.
• PERFORMANCE – KPIs and dashboards to better assess and address performance.
FLEXIBILITY
• SCOPE – Multiple frameworks and flexibility to define internal scope.
• PACE – Module based solution supporting a phased approach.
• RESOURCES – Access to specialists and Black Belt teams to help fix ad-hoc and urgent matters as well as access to resource pool.
BEST PRACTICE
• DO THE RIGHT THINGS – Document solution to define and manage policies, procedures, instructions and control specifications.
• DO THINGS RIGHT – Automatically generated activity records, and template-based assessments.
• REPORTING & DOCUMENTATION – Standard and prebuilt reporting. Documentation always up to date.
CONVENIENCE
• CAPABILITIES – Build internal capabilities where it makes sense and request help to handle selected specialist domains.
• SUSTAINABILITY – Robust delivery model, reducing the risk of knowledge drain and one system to support all compliance areas.
• COST PREDICTABILITY – OPEX based Service Model, delivering a scalable and transparent cost model.
DPOware is a cloud solution supporting more than 25 frameworks, laws and standards. It is cost effective, delivers transparency, engages resources in activities only when needed and is easy to implement without the need for integration. Please visit www.dpoware.com and book a demonstration.
45
46
PRIVACY COMPLIANCE SOFTWARE Powered by Expert Research
#1 Research-Based Privacy Compliance Software for the GDPR, CCPA and the World’s Privacy Requirements
Legal Research Software
• The Definitive Source for Privacy Compliance
• Rules of Law On-Demand
• Summary Analysis of Privacy Laws
Privacy Office Support Software
• Tools to Plan, Build, and Manage Organizational Privacy
• Privacy Program Comparison Tool
• Comprehensive Resource to Build a Privacy Program
Privacy Management Software
• The Next Generation in Accountability-Based PIAs
• Solutions for Processing Data Inventory and Data Mapping
• Quantitative Analysis to Demonstrate Compliance
Visit Nymity Booth # 45 to pick up free Resources to help you comply with privacy laws around the world. FOR FREE TRIAL OR DEMO, EMAIL INFO@NYMITY.COM
47