EU General Data Protection Regulation (GDPR)
ISC2, January 24, 2017

Agenda
• GDPR overview
• GDPR's impact on the enterprise
• Top challenges to compliance
• Risks of non-compliance
• Operational readiness timeline
www.pwc.com/cybersecurity
The EU GDPR
• Official regulation formally adopted as EU law (Regulation (EU) 2016/679): adopted April 2016, applies and is enforceable from 25 May 2018
• Creates a single, consistent legal basis for data protection and enforcement across all EU Member States
• Applies to controllers and processors established in the EU, and to those outside the EU that offer goods or services to (or otherwise collect data on) individuals located in the EU
• Controllers and processors outside the EU that fall under the GDPR must designate a representative in a Member State unless an exemption applies (Article 27 of the adopted text; Article 25 in the 2012 proposal)
• This affects non-EU online services that process the data of their EU-based consumers, including online providers and advertisers that place cookies or tracking tokens on the equipment of EU data subjects in order to track online behavior
Data Controllers
The party responsible for the fair, transparent, and secure collection and use of personal information.
Example responsibilities include:
• May only collect data for explicit and legitimate purposes
• Must ensure accuracy and security
• Must provide means to rectify/purge data
• Must respect retention limits and secure deletion

Data Processors
Entities that process, manipulate, or otherwise "use" data on behalf of a data controller, but do not exercise responsibility or control over the data.
Example responsibilities include:
• Must only process data on strict instruction from the data controller
• Must maintain security to protect against unauthorized access, disclosure, or loss
• Must maintain records of processing activities (the GDPR replaced the old registration regime with Article 30 record-keeping)
General Data Protection Regulation timeline
• Jan 2012: European Commission publishes GDPR legislative proposal
• Dec 2015: GDPR approval reached
• Apr 2016: GDPR formally adopted by the EU
• 2016-2018: Two-year implementation phase
• May 2018: GDPR in effect; enforcement actions begin

Privacy Shield timeline
• 2000-2015: EU-U.S. Safe Harbor in effect
• Oct 2015: Safe Harbor invalidated (by the Court of Justice of the EU)
• Feb 2016: Privacy Shield proposed
• Jul 2016: Privacy Shield approved

Key readiness activities
• 2016-2017: Conduct capability assessment; conduct data inventory; identify EU privacy risks; mitigate gaps and risks
• Early 2018: Implement ongoing monitoring; develop audit response; optimize privacy program
• May 2018: Operational readiness for privacy program capabilities
GDPR's impact on the enterprise
The enterprise data inventory sits at the center; each function around it takes on GDPR responsibilities:

Privacy Office
• Appointing a Data Protection Officer (DPO)
• Enhanced consumer notice & transparency
• Implementing Privacy by Design
• Conducting Privacy Impact Assessments

Legal
• Enacting data transfer mechanisms
• Defining data controllers & processors
• Managing the model contract clauses process
• Driving data breach notification

Customer Service & Ops
• Ensuring rights of access & remediation
• Permitting the right to be forgotten
• Fielding questions, inquiries, and concerns

IT
• Enabling data portability
• Ensuring rights of access and authentication
• Enhancing the systems development lifecycle
• Managing consent indicators and logs

CISO
• Promoting security across the data lifecycle
• Assisting with data breach notification
• Driving incident response

Marketing & HR
• Respecting consent
• Ensuring employee privacy
• Governing automated decision-making processes
• Training employees on privacy
• Limiting data access
Top challenges of clients we've assessed
• 78% of organisations we assessed do not have policies or procedures in place to ensure that personal data is not used for purposes other than those for which it was originally collected.
• 61% of organisations we assessed do not have policies or procedures in place to ensure the proportionality of personal data collection for lawful purposes.
• 78% of organisations we assessed do not fully understand what is required to assess the lawful bases for processing personal data.
• 79% of organisations we assessed do not feel confident that the personal data they collect and process is kept accurate and, where necessary, up to date.
• 74% of organisations we assessed have not documented their personal data, processing operations, third-party recipients of data, and personal data flows.
What are the risks of non-compliance?

Regulator Risk
• Fines & penalties (up to 4% of global annual turnover or EUR 20 million, whichever is higher)
• Data protection audits by the DPA
• Data localization requirements

Reputational Risk
• Brand damage
• Loss of consumer trust
• Loss of employee trust
• Customer attrition

Financial Risk
• Loss of revenue
• Litigation costs
• Private right of action
• Remediation costs

Operational Risk
• Restricted EU operations
• Invalidated data transfer mechanisms
• Incident response burden
Operational readiness timeline (2016-2018)
• GDPR Workshop: A high-level overview of current data practices and future initiatives with an impact on personal data
• Privacy Governance Transformation: Assess and design data governance processes to help manage privacy risk and operations across the enterprise
• Data Inventory: Build a confident, defensible understanding of the data footprint, including data types, scale, and jurisdictions
• Risk Assessment: Evaluate your enterprise data risk across businesses and geographies to aid in decision making
• Capability Assessment: Understand current capabilities within the privacy program to mitigate known risks to the business
• Gap & Risk Mitigation: Based on results from the risk assessment, data inventory and/or capability maturity assessment, remediate known gaps
• Optimize Privacy Program: Manage compliance risk by developing sustainable privacy processes across the enterprise
• Audit Response: Develop an audit readiness toolkit in preparation for potential inquiry into privacy program operational readiness by various regulators
• Ongoing Monitoring: Build ongoing compliance monitoring strategies to facilitate continued compliance with privacy requirements and commitments
• Milestone: GDPR Ready (May 2018)
Questions?
Thank you!
Doris A. Patrick
Director, Cybersecurity and Privacy
PricewaterhouseCoopers LLP
Detroit, Michigan
doris.patrick@pwc.com
313-657-4917

© 2016 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.