TRANSCRIPT
© Copyright 2016 Dell. All rights reserved.
EU General Data Protection Regulation: Are you ready?
Prof. Dr. Ingrid De Poorter, Gent University
Raymond Knook, Rune Mehlum, Dell EMC
CONTENT
I. BACKGROUND
II. LEGAL STRUCTURE
III. SCOPE
IV. KEY CHANGES AND PRINCIPLES
V. IMPACT: HOW TO PREPARE?
VI. GDPR AND ENTERPRISE CONTENT MANAGEMENT
VII. GDPR Essential Summary
I. BACKGROUND
II. LEGAL STRUCTURE
Current: Data Protection Directive 95/46/EC
– Directive = implementation by the EU Member States through national law
– Significant variation and fragmentation
Future: General Data Protection Regulation 2016/679
– Goal: harmonise the current legal framework
– Regulation = directly applicable
– Consistent effect
▪ Increase legal certainty, reduce administrative burden and cost of compliance for organisations, enhance consumer confidence
III. SCOPE
MATERIAL SCOPE (art. 2)
– “The processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system”
– What is personal data?
▪ Information relating to an identified or identifiable natural person (‘data subject’)
▪ E.g. name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
– What is processing?
▪ Any (set of) operation(s) which is performed on (sets of) personal data
▪ E.g. collection, recording, organisation, structuring, storage, adaptation, …
III. SCOPE
TERRITORIAL SCOPE (art. 3)
– ! Key change in GDPR: extra-territorial applicability
▪ Regardless of the company’s location
▪ All companies processing the personal data of data subjects in the EU/EEA
– Overview
▪ Controllers/processors established in the EU/EEA
▪ Controllers/processors not established in the EU/EEA
— when offering goods or services to data subjects in the EU/EEA, or
— when monitoring their behaviour
▪ Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law
IV. KEY CHANGES AND PRINCIPLES
DATA MINIMIZATION
– Adequate, relevant and limited to what is necessary for the purposes
– More restrictive obligation in GDPR
DATA RETENTION PERIODS
– Retention of data for no longer than is necessary for the purposes
– Two new factors in GDPR
▪ Longer retention period possible: historical, statistical or scientific purposes
▪ Shorter retention period possible: “right to be forgotten”
IV. KEY CHANGES AND PRINCIPLES
PRIVACY BY DESIGN
– Design data protection into the development of business processes and new systems
– Privacy settings are set at a high level by default
PRIVACY IMPACT ASSESSMENTS (“PIA”)
– Obligation to undertake a PIA when conducting risky or large-scale processing of personal data
IV. KEY CHANGES AND PRINCIPLES
CONSENT
– Freely given ‘consent’ or ‘explicit consent’ (for sensitive data)
– Specific and unambiguous
– Informed (right to withdraw or object)
IV. KEY CHANGES AND PRINCIPLES
DATA SUBJECT’S RIGHTS
– The right to be forgotten
▪ Google v. Spain case
▪ Effect on social networks
– The right to data portability
– The right to object to profiling
IV. KEY CHANGES AND PRINCIPLES
RESPONSIBILITIES
– Data Controller
▪ Data breach notification
– Data Processor
▪ New direct obligations – an officially regulated entity
– Data Protection Officer (“DPO”)
▪ Obligation to appoint in some circumstances:
— (i) Processing carried out by a public authority
— (ii) Conducts large-scale systematic monitoring, or
— (iii) Processes large amounts of sensitive personal data
FINES
– Up to 4 % of annual worldwide turnover or € 20,000,000!
V. IMPACT: HOW TO PREPARE?
VI. GDPR AND ENTERPRISE CONTENT MANAGEMENT
Where can Dell EMC help?
1. Data Minimization
2. Data Retention Periods
3. Privacy by Design
4. Privacy Impact Assessments
5. Consent
6. Data Subject’s Rights
7. Data Breach Notification
8. Data Protection Officer
9. Fines
Data Retention Periods
Requirement
• Retention of data for no longer than is necessary for purposes
Solution
• Manage Retention within a single archive, instead of implementing retention in all systems.
Privacy by Design
Requirement
• Organizations are required to implement appropriate technical and organizational measures, such as:
  • Encryption
  • Ensuring the confidentiality, integrity and availability of personal data
Recommendation
• Separation of the personal data from other information
Solution
• Move data to a centralized archive when the data is no longer changing (static)
• At one location, manage the encryption, access, and integrity of the data
• Additionally use masking to hide the access to personal data when it is not required
• Where possible, the personal data can be stored separately. If necessary a relation can be made between the personal data and the other data.
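The separation described in the solution bullets above (personal data kept in one place, business records holding only a reference, masking when full access is not required, and an integrity check managed at that one location) can be shown as a small vault. This is an added illustration, not Dell EMC or InfoArchive code; the class and field names, the role names and the integrity key are assumptions made for the example, and encryption at rest is taken to be provided by the archive itself.

```python
import hmac
import hashlib
import secrets

# Constructed key for the vault's integrity tags. A real deployment would
# obtain this from a key-management service, never from source code.
INTEGRITY_KEY = b"example-archive-integrity-key"

# Fields treated as personal data in this example (assumption).
PERSONAL_FIELDS = ("name", "email", "date_of_birth")


def mask(value: str) -> str:
    """Hide all but the last two characters of a personal-data value."""
    if len(value) <= 2:
        return "*" * len(value)
    return "*" * (len(value) - 2) + value[-2:]


class PersonalDataVault:
    """One location holding personal data, keyed by a random reference token.

    Business records keep only the token, so personal data is stored
    separately; the relation can still be re-established when needed.
    """

    def __init__(self, key: bytes = INTEGRITY_KEY):
        self._key = key
        self._records: dict[str, dict] = {}
        self._tags: dict[str, str] = {}

    def _tag(self, token: str, record: dict) -> str:
        # Canonical, order-independent serialisation so the tag is stable.
        canonical = "|".join(f"{k}={record[k]}" for k in sorted(record))
        msg = f"{token}:{canonical}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def store(self, record: dict) -> str:
        """Store personal data; return the opaque token to keep elsewhere."""
        token = secrets.token_hex(16)
        self._records[token] = dict(record)
        self._tags[token] = self._tag(token, record)
        return token

    def fetch(self, token: str, role: str) -> dict:
        """Return the record, masked unless the caller's role needs the clear values."""
        record = self._records[token]
        # Integrity: refuse to serve data whose tag no longer matches.
        if not hmac.compare_digest(self._tags[token], self._tag(token, record)):
            raise ValueError("integrity check failed for token " + token)
        if role == "privacy_officer":
            return dict(record)
        return {k: mask(v) for k, v in record.items()}

    def erase(self, token: str) -> None:
        """Remove the personal data; business records keep only a dangling token."""
        self._records.pop(token, None)
        self._tags.pop(token, None)


def split_record(raw: dict, vault: PersonalDataVault) -> dict:
    """Split a line-of-business record into business data plus a vault token."""
    personal = {k: raw[k] for k in PERSONAL_FIELDS if k in raw}
    business = {k: v for k, v in raw.items() if k not in PERSONAL_FIELDS}
    business["subject_ref"] = vault.store(personal)
    return business


if __name__ == "__main__":
    # Constructed sample record, not real data.
    vault = PersonalDataVault()
    order = split_record(
        {"order_id": "A-100", "amount": 42, "name": "Alice Example", "email": "alice@example.org"},
        vault,
    )
    print(order)                                   # only order_id, amount, subject_ref
    print(vault.fetch(order["subject_ref"], "support"))          # masked
    print(vault.fetch(order["subject_ref"], "privacy_officer"))  # clear
```

The masking and the integrity tag live in the vault only, so every system that holds the business record gets the same behaviour without implementing it itself, which is the point the "at one location" bullet makes.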
Consent
Requirement
• Consent must be requested for each process in which personal data is requested
• And must be stored in an auditable manner
• Consent may also be withdrawn
Solution
• Consent will be stored at a single location, to simplify the proof of compliance
• By storing the consent in relation to the data requested for the process, organizations can prove their compliance when audited, and when consent is withdrawn the related data can easily be discovered.
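The consent requirement and solution above (one record per process, stored in an auditable way, withdrawable, and linked to the data requested so the affected data can be found) can be modelled as an append-only, hash-chained ledger. This is an added example, not part of the original deck and not Dell EMC code; the class name, event names and the sample subjects, processes and timestamps are constructed for the illustration.

```python
import hashlib
import json


class ConsentLedger:
    """Append-only consent store: one event per (subject, process), each grant
    linked to the data items requested for that process. Entries are hash-chained
    so an auditor can check nothing was altered or dropped after the fact."""

    GENESIS = "0" * 64

    def __init__(self):
        self._entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        payload = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def _append(self, entry: dict) -> dict:
        entry["prev_hash"] = self._entries[-1]["hash"] if self._entries else self.GENESIS
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry

    def grant(self, subject: str, process: str, data_items, at: str) -> dict:
        """Record consent for one process, together with the data it covers."""
        return self._append({"event": "grant", "subject": subject, "process": process,
                             "data_items": sorted(data_items), "at": at})

    def withdraw(self, subject: str, process: str, at: str) -> dict:
        """Record withdrawal; the earlier grant stays in the ledger for audit."""
        return self._append({"event": "withdraw", "subject": subject, "process": process, "at": at})

    def _latest(self, subject: str) -> dict:
        # Last event per process wins.
        latest = {}
        for e in self._entries:
            if e["subject"] == subject:
                latest[e["process"]] = e["event"]
        return latest

    def status(self, subject: str, process: str) -> str:
        state = self._latest(subject).get(process)
        return {"grant": "granted", "withdraw": "withdrawn"}.get(state, "none")

    def linked_data(self, subject: str, process: str) -> list:
        """Data items ever requested under consent for this process."""
        items = set()
        for e in self._entries:
            if e["event"] == "grant" and e["subject"] == subject and e["process"] == process:
                items.update(e["data_items"])
        return sorted(items)

    def data_to_review(self, subject: str) -> list:
        """Data items whose only consent basis has been withdrawn.

        Items still covered by another active grant are excluded, so a
        withdrawal for one process does not flag data another process needs."""
        still_covered, orphaned = set(), set()
        for process, state in self._latest(subject).items():
            target = still_covered if state == "grant" else orphaned
            target.update(self.linked_data(subject, process))
        return sorted(orphaned - still_covered)

    def verify_chain(self) -> bool:
        """Audit check: every entry's hash and back-link must still match."""
        prev = self.GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample events, not real subjects.
    ledger = ConsentLedger()
    ledger.grant("subject-1", "newsletter", ["email", "name"], "2016-10-01T09:00:00Z")
    ledger.grant("subject-1", "billing", ["name", "address"], "2016-10-01T09:05:00Z")
    ledger.withdraw("subject-1", "newsletter", "2016-11-01T10:00:00Z")
    print(ledger.status("subject-1", "newsletter"))   # withdrawn
    print(ledger.data_to_review("subject-1"))         # ['email']
    print(ledger.verify_chain())                      # True
```

Keeping the withdrawn grant in the ledger rather than deleting it is what makes the store auditable: the organization can show both that consent existed when the data was processed and when it ended.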
Data Subject’s Rights
Requirement
• Data subjects have the right to request their data and
• Data subjects have the right to ask for erasure of that data
Solution
• Centralize the location of as much data as possible of a data subject, by storing all data directly in an archive when it becomes static.
• Apply retention in a single and consistent manner to avoid:
  • Implementing retention management in all your systems
  • Keeping data you're not allowed to keep
(Mitigate) Fines
Requirements
• All data containing personal data are subject to the GDPR
• Organizations are required to implement appropriate technical and organizational measures to comply
Solution
• Automate the analysis of the data within your organization
• Automate decisions and actions based on the analysis
• Have a solution to easily make manual decisions and actions
• Store the data in a compliant and auditable way
• Connect LoB applications to move static data to a compliant solution
How to become and stay compliant with GDPR
The Dell EMC GDPR solution components
• Analyze with Kazeon – eDiscovery and File Intelligence
• Enhance with Captiva – Capture and interpretation of scanned documents, pictures (jpg, tiff etc)
• Action with Documentum xCP – Case Management solution to moderate your data – Automate policy execution
• Store with InfoArchive – Compliant archiving of data governed by GDPR
VII. GDPR ESSENTIAL GUIDANCE
– Simplify and shorten the time for discovery and reaching compliance with the right tools and technologies
– This is a large-scale undertaking and time is of the essence: get going now
– Regulation is coming, and coming faster than you think – and it will be about YOU
Interested? Who to contact…
Reach out to your local DellEMC ECD Account Manager
Ask for the GDPR solution stack
BETTER TOGETHER
We take content seriously. Leave no application data behind.
Content apps for the digital era.
JOIN THE CONVERSATION! #MMTM16
Take the LEAP personality quiz and win!
Connect with us
ECD SERVICES
Genius Labs Garden Level
Foyer
MOMENTUM BARCELONA APP AND WIN!
http://bit.ly/mmtm16BCN
BEYOND SILOS Play the BEYOND Game and win a Raspberry Pi pre-loaded with InfoArchive
LET US KNOW WHAT YOU THOUGHT Take the Session Survey
1. Open the schedule with the Momentum App
2. Go to the session you attended
3. Open “Session Survey”
4. Answer the 4 questions and submit. Thank you!