IngramMicroCloud.eu
How to prepare your company for the GDPR

Contents
1. What is the General Data Protection Regulation (GDPR)?
   The purpose of GDPR
   The key concepts in the GDPR
2. Which companies are affected by GDPR?
3. What are the consequences for non-compliance?
4. How do you prepare your company for GDPR?
   1 Know which personal data you have
   2 Identify your role in using personal data
   3 Develop a strong security program
   4 Evaluate if you need a Data Protection Officer (DPO)
   5 Develop a data breach response policy
5. How do you make your customers GDPR-ready?
   1 Discover
   2 Manage
   3 Protect
   4 Report
6. Summary
1. What is the General Data Protection Regulation ("GDPR")?
The General Data Protection Regulation ("GDPR") is a new privacy regulation across the European Union. It provides EU residents with more control over their personal data, ensures transparency about the use of data, and requires certain technical and organizational controls to protect data. The GDPR takes effect on May 25, 2018, and replaces the EU Data Protection Directive ("Directive"). The GDPR was actually adopted in April 2016, but given the significant changes some organizations will need to make to align with the regulation, a two-year transition period was included.

What is personal data?
The GDPR is all about protecting and processing personal data. Personal data is a lot more than you might initially think. The European definition of personal data is any information about an identified or identifiable individual. This could be any piece of information about you such as your name, e-mail address, phone number, mailing address, order history, user name and passwords, credit card information and transactions. The identifier does not have to be a name: a customer number, an IP address or a device identifier that can be linked back to a person is personal data too.
The purpose of GDPR
Firstly, the EU wants to give people more control over how their personal data is used. The Directive was enacted in 1995, before cloud technology and today's internet created new ways of processing personal data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.

Secondly, the EU wants to give business a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective 2.3 billion euros a year).

The key concepts in the GDPR
The GDPR is structured around six principles:
1. Requiring transparency on the handling and use of personal data.
2. Limiting personal data processing to specified, legitimate purposes.
3. Limiting personal data collection and storage to what is needed for the intended purposes.
4. Enabling individuals to correct or request deletion of their personal data.
5. Limiting the storage of personal data to only as long as necessary for its intended purpose.
6. Ensuring personal data is protected using appropriate security practices.
2. Which companies are affected by GDPR?
The GDPR is going to impact every company that is doing business in Europe and collects personal data on European data subjects (EU residents). Previously the Directive only applied to organizations that had a physical presence in Europe and directly marketed to or collected data on European data subjects. Under the GDPR any organization that collects personal data on European data subjects, whether the company is based in Europe or located outside of Europe, will need to develop a GDPR compliance program. This applies to data processors as well as data controllers (see step 2 below); a processor that never deals with EU residents directly is still in scope when its customers' data is.

3. What are the consequences for non-compliance?
The GDPR gives Data Protection Authorities ("DPA"), the governmental supervisory entities that oversee compliance with the GDPR, the power to levy substantial fines in case of non-compliance. Article 58 of the GDPR provides the DPAs with the power to impose administrative fines under Article 83 based on several factors, including:
- the nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them);
- whether the infringement was intentional or negligent;
- the types of personal data involved.

There are two tiers of fines for non-compliance. The first tier is up to 10 million euros or 2 percent of an organization's worldwide annual turnover, whichever is higher. It applies to infringements of the obligations placed on controllers and processors, for example security of processing, breach notification, records of processing and the DPO requirement. The second tier is up to 20 million euros or 4 percent of worldwide annual turnover, whichever is higher, and applies to infringements of the basic processing principles, the conditions for consent, data subjects' rights and the rules on international transfers. Within each tier the DPA decides the amount, and previous infringements, negligence and the degree of cooperation with the authority all weigh on that decision.
4. How to prepare your company for GDPR?
With the GDPR around the corner, it's time to start planning for GDPR compliance. May 25, 2018 is not as far off as it seems. If your company is holding personal data on EU data subjects and has not started to prepare for the GDPR, you need to act now.

1 Know which personal data you have
The first step towards GDPR compliance is to determine whether the GDPR applies to your organization, and if so, to what extent. This analysis starts with understanding the personal data you have and how it is collected and processed. It's important to inventory your organization's data. This will help you to understand what data is personal, and to identify the systems where that personal data is collected and stored, understand why it was collected, how it is processed and shared, and how long it is retained.

2 Identify your role in using personal data
You also have to identify your role in using personal data. Are you a data controller or data processor? A data controller determines how and why personal data is processed, while a processor is an organization that processes personal data on behalf of, and under the instructions of, a data controller. The controller could be any organization, from a profit-seeking company to a charity or government. A processor could be an IT firm processing personal data on behalf of its customer, the data controller. Many organizations are both: a controller for their own employee and customer data, and a processor for data they handle for clients. Once you know your role you can determine your data protection obligations. Unlike the Directive, the GDPR places direct obligations on processors as well, such as keeping records of processing, securing the processing and notifying the controller of breaches.
3 Develop a strong security program
Preparing for GDPR is a great opportunity to review your security program. Data protection requires a strong security program, which includes both physical and information security. You have to know your internal controls, and the systems and technologies that you utilize to protect your organization from unauthorized access, use or misuse.

Process personal data according to the data subject's consent
GDPR also requires you to understand how you are collecting data, and the legal justification for collecting that data. One of the legal mechanisms for processing personal data available to an organization is the data subject's unambiguous consent. For example, you might have received your customers' personal data to facilitate the delivery of goods and services; this doesn't necessarily mean you also have consent to market to them about future products or promotional activities. You need to know you have consent for each activity that you do, and that consent needs to be specific for each activity. Keep in mind that consent can be withdrawn at any time, and withdrawing it must be as easy as giving it, so you need a record of what each person consented to, when, and how.

4 Evaluate if your company needs a Data Protection Officer (DPO)
Another important issue to evaluate under GDPR is whether you need to appoint a Data Protection Officer ("DPO"). To comply with the GDPR some organizations must designate a DPO. Data Protection Officers are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR. Companies need to have their DPOs in place before the Regulation goes into effect, so it's important to begin recruiting and hiring DPOs in time.

While it's recommended to have someone who is responsible for personal data protection and GDPR compliance, the DPO is only mandatory in three circumstances. Your company needs a DPO in the following cases:
- The processing is carried out by a public authority or public body, with an exception for courts acting in their judicial capacity.
- The core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
- The core activities consist of large-scale processing of the 'special' categories of personal data (such as health, biometric or genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership or sexual orientation), or of data relating to criminal convictions and offences.

The DPO's responsibilities include:
- Educating the company and employees on important compliance requirements.
- Training staff involved in data processing.
- Conducting audits to ensure compliance and address potential issues proactively.
- Serving as the point of contact between the company and the DPAs.
- Helping maintain comprehensive records of all data processing activities conducted by the company, including the purpose of each processing activity, which must be made available to the DPA on request.
- Interfacing with data subjects to inform them about how their data is being used, their rights to have their personal data erased, and what measures the company has put in place to protect their personal information.
5 Develop a data breach response policy
What is a data breach? A data breach is the release of secured personal information to an untrusted environment: personal information is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity's database containing personal information is hacked, or an entity mistakenly provides personal information to the wrong person. A breach does not require an outside attacker: accidental destruction or loss of personal data (for example ransomware encrypting the only copy) counts as well.

Previously Europe had no general requirement to provide notification to data subjects if their personal data was breached or used in an unauthorized way. The GDPR requires organizations to develop a data breach response policy. In case of a data breach your company has to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the affected individuals; a notification made after 72 hours must explain the delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well, without undue delay. A processor that discovers a breach must notify its controller without undue delay, so the policy has to cover both roles. Every breach, including those you decide not to notify, must be documented with its facts, its effects and the remedial action taken, so the response team should keep a breach register.

Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals. A data breach response policy will help you prepare for and manage a data breach. It's a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken in managing a breach if one occurs. This includes:
- The members of your data breach response team (response team);
- The actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team;
- The actions the response team is expected to take.
5. How to get your customers GDPR-ready?
Maybe you are already getting questions about the GDPR from your customers. You can help them to get GDPR-ready by focusing on four key steps:
1 Discover: Identify what personal data your customer has and where it resides.
2 Manage: Govern how personal data is used and accessed.
3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4 Report: Execute on data requests, report data breaches, and keep required documentation.
1 Discover
The first step is to inventory the data of your customer. This will help you to understand what data is personal and where the data is collected. Personal data is 'any information about an identified or identifiable individual'. This could be any piece of information such as someone's name, e-mail address, phone number, mailing address, order history, user name and passwords, credit card information and transactions. Unstructured locations such as file shares, mailboxes, spreadsheets exported from a CRM and application log files are where inventories most often have blind spots, so include them alongside the databases.

Cloud solutions
Enterprise Mobility + Security features identity-driven security technologies that help you discover, control, and safeguard personal data held by your customers' organization, as well as reveal potential blind spots and detect when data breaches occur.
Office 365 (Data Loss Prevention) can identify over 80 common sensitive data types including financial, medical, and personally identifiable information.
Microsoft Dynamics 365 provides several visibility and auditing capabilities that can be used through the Reporting & Analytics dashboards to identify personal data.
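One way to bootstrap the data inventory described in this Discover step, as an added example that is not part of this page and not code from Ingram Micro or any of the vendors named above: a small Python scanner that walks constructed sample records (the names, addresses and numbers are invented; 4111 1111 1111 1111 is a well-known test card number), flags fields containing e-mail addresses, phone numbers or payment card numbers, and validates card candidates with the Luhn checksum so that a 16-digit order reference is not misreported as a card. The regular expressions, field names and digit-count thresholds are illustrative assumptions; a real DLP engine covers far more data types and uses context and keywords to cut false positives further.

```python
"""Toy personal-data discovery scanner (added example, not the page's or any
vendor's code). It walks constructed sample records, flags fields that look
like personal data and checks payment-card candidates with the Luhn checksum.
"""
import re
from collections import defaultdict

# Constructed sample export from a CRM and an order system. Every value is
# invented for this example; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECORDS = [
    {"source": "crm.contacts", "id": 1,
     "email": "a.jansen@example.com", "phone": "+31 20 123 4567",
     "notes": "Prefers contact by phone"},
    {"source": "shop.orders", "id": 2,
     "order_ref": "4111111111111112",          # 16 digits, fails Luhn
     "payment": "card 4111-1111-1111-1111",    # valid test card number
     "email": "support@example.org"},
    {"source": "shop.orders", "id": 3,
     "order_ref": "ORD-2018-000123", "notes": "No personal data here"},
]

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A run of digits with common separators, not glued to a word or a hyphen
PHONE_RE = re.compile(r"(?<![\w-])\+?\d[\d\s().-]{6,}\d(?![\w-])")


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of personal-data kinds found in one field value."""
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    remaining = text
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group()):
            kinds.add("payment_card")
            # blank the card so the phone pattern does not see it again
            remaining = remaining.replace(m.group(), " ")
    for m in PHONE_RE.finditer(remaining):
        # E.164 numbers have at most 15 digits; longer runs are IDs, not phones
        if 7 <= sum(c.isdigit() for c in m.group()) <= 15:
            kinds.add("phone")
    return kinds


def inventory(records) -> dict:
    """Map (source, field) to the sorted personal-data kinds seen in it."""
    found = defaultdict(set)
    for rec in records:
        for field, value in rec.items():
            if field in ("source", "id") or not isinstance(value, str):
                continue
            found[(rec["source"], field)] |= classify(value)
    return {key: sorted(kinds) for key, kinds in found.items() if kinds}


if __name__ == "__main__":
    for (source, field), kinds in sorted(inventory(SAMPLE_RECORDS).items()):
        print(f"{source}.{field}: {', '.join(kinds)}")
```

Running it lists crm.contacts.email, crm.contacts.phone, shop.orders.email and shop.orders.payment as locations of personal data, while shop.orders.order_ref is left out because its 16-digit value fails the Luhn check and is too long for a phone number. The output is a starting point for the inventory, not the inventory itself: each flagged (source, field) pair still needs an owner, a purpose and a retention period recorded against it.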
2 Manage
Once that inventory is complete, the next important step is to develop and implement a data governance plan. This plan can help your customer to define policies, roles, and responsibilities for the access, management, and use of personal data.

Cloud solutions
Azure Active Directory is an identity and access management solution in the cloud. It manages identities and controls access to Azure, on-premises, and other cloud resources, data, and applications.
Enterprise Mobility + Security (Azure Information Protection) can help you classify and label your data at the time of creation or modification. Protection or visual markings can then be applied to sensitive data.
3 Protect
The GDPR requires that every company takes appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure. Data security is a complex area. There are many types of risk to identify and consider, ranging from physical intrusion or rogue employees to accidental loss or hackers. The regulation itself names pseudonymisation and encryption, the ability to restore availability and access after an incident, and regular testing of the measures as examples of what "appropriate" means, so endpoint protection alone does not cover the requirement. Cloud solutions can help protect your customers against those risks.

Cloud solutions
Symantec Endpoint Protection Cloud protects corporate and end user devices on various platforms against directed attacks and ransomware.
Kaspersky covers protection from malware, ransomware, and sophisticated online threats.
McAfee is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world.
4 Report
The GDPR sets new standards in transparency, accountability and recordkeeping. Your customers need to be more transparent about how they handle personal data, but also how they actively maintain documentation defining their processes and use of personal data. Your customers need to keep records about the purposes of processing, the categories of personal data processed and the identity of third parties with whom data is shared. Using the proper auditing tools can help ensure that processing of data is tracked and recorded.

Cloud solutions
Microsoft Azure contains security monitoring, reporting and alert tools. Microsoft Azure Monitor enables your end customer to easily view and manage all their data monitoring tasks from a central dashboard.
Enterprise Mobility + Security (Azure Information Protection) provides rich logging and reporting to analyze how sensitive data is distributed.
6. Summary
The General Data Protection Regulation (GDPR) is a new privacy regulation across the European Union. It provides EU data subjects with more control over their personal data, ensures transparency about the use of personal data, and requires security and controls to protect data. The GDPR takes effect on May 25, 2018.

The GDPR is structured around six principles:
1. Requiring transparency on the handling and use of personal data.
2. Limiting personal data processing to specified, legitimate purposes.
3. Limiting personal data collection and storage to what is needed for the intended purposes.
4. Enabling individuals to correct or request deletion of their personal data.
5. Limiting the storage of personal data to only as long as necessary for its intended purpose.
6. Ensuring personal data is protected using appropriate security practices.

The GDPR is going to impact every company that is doing business in Europe and collects personal data on European data subjects (EU residents). In case of non-compliance your company can be heavily fined (up to 20 million euros or 4 percent of global turnover, whichever is higher). The time to start planning for GDPR compliance is now. May 2018 is quickly approaching. You may think you have plenty of time, but big companies have been preparing for GDPR for a few years. It's necessary to keep the following in mind:
1 Know which personal data you have
2 Identify your role in using personal data
3 Develop a strong security program
4 Evaluate if you need a Data Protection Officer (DPO)
5 Develop a data breach response policy

Get your customers GDPR-ready by focusing on four key steps:
1 Discover: Identify what personal data your customer has and where it resides.
2 Manage: Govern how personal data is used and accessed.
3 Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
4 Report: Execute on data requests, report data breaches, and keep required documentation.

Every company knows their customers best and what their needs are. It's important to be transparent about your practices and supportive of your customers' obligations and requirements. This will allow you to differentiate yourself from competitors.

Leverage Ingram Micro's wealth of experience and allow us to be your trusted partner to guide you through the GDPR legislation. Contact your country specialist and find out more: www.IngramMicroCloud.eu