EU General Data Protection Regulation: Are you ready?

Prof. Dr. Ingrid De Poorter, Gent University; Raymond Knook and Rune Mehlum, Dell EMC

© Copyright 2016 Dell. All rights reserved.


CONTENT

I. BACKGROUND

II. LEGAL STRUCTURE

III. SCOPE

IV. KEY CHANGES AND PRINCIPLES

V. IMPACT: HOW TO PREPARE?

VI. GDPR AND ENTERPRISE CONTENT MANAGEMENT

VII. GDPR Essential Summary


I. BACKGROUND


II. LEGAL STRUCTURE

Current: Data Protection Directive 95/46/EC

– Directive = implementation by the EU Member States through national law

– Significant variation and fragmentation

Future: General Data Protection Regulation 2016/679

– Goal: harmonise current legal framework

– Regulation = directly applicable

– Consistent effect

▪ Increase legal certainty, reduce administrative burden and cost of compliance for organisations, enhance consumer confidence


III. SCOPE

MATERIAL SCOPE (art. 2)

– “The processing of personal data wholly or partly by automated means and to manual processing if the personal data form part of a filing system or are intended to form part of a filing system”

– What is personal data?

▪ Information relating to an identified or identifiable natural person (‘data subject’)

▪ E.g. name, identification number, location data, online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

– What is processing?

▪ Any (set of) operation(s) which is performed on (sets of) personal data

▪ E.g. collection, recording, organisation, structuring, storage, adaptation, …


III. SCOPE

TERRITORIAL SCOPE (art. 3)

– ! Key change GDPR: extra-territorial applicability

▪ Regardless of the company’s location

▪ All companies processing the personal data of data subjects in the EU/EEA

– Overview

▪ Controllers/processors established in the EU/EEA

▪ Controllers/processors not established in the EU/EEA

— when offering goods or services to data subjects in the EU/EEA or

— when monitoring their behavior

▪ Non-EU/EEA controllers established in a place where EU/EEA law applies by virtue of public international law


IV. KEY CHANGES AND PRINCIPLES

DATA MINIMIZATION

– Adequate, relevant and limited to what is necessary for the purposes

– More restrictive obligation in GDPR

DATA RETENTION PERIODS

– Retention of data for no longer than is necessary for the purposes

– Two new factors in GDPR

▪ Longer retention period possible: historical, statistical or scientific purposes

▪ Shorter retention period possible: “right to be forgotten”


IV. KEY CHANGES AND PRINCIPLES

PRIVACY BY DESIGN

– Design data protection into development of business processes and new systems

– Privacy settings are set at a high level by default

PRIVACY IMPACT ASSESSMENTS (“PIA”)

– Obligation to undertake a PIA when conducting risky or large-scale processing of personal data


IV. KEY CHANGES AND PRINCIPLES

CONSENT

– Freely given ‘consent’ or ‘explicit consent’ (for sensitive data)

– Specific and unambiguous

– Informed (right to withdraw or object)


IV. KEY CHANGES AND PRINCIPLES

DATA SUBJECT’S RIGHTS

– The right to be forgotten

▪ Google v. Spain case

▪ Effect on social networks

– The right to data portability

– The right to object to profiling


IV. KEY CHANGES AND PRINCIPLES

RESPONSIBILITIES

– Data Controller

▪ Data breach notification

– Data Processor

▪ New direct obligations – an officially regulated entity

– Data Protection Officer (“DPO”)

▪ Obligation to appoint in some circumstances:

— (i) Processing carried out by a public authority

— (ii) Conducts large-scale systematic monitoring, or

— (iii) Processes large amounts of sensitive personal data

FINES

– Up to 4 % of annual worldwide turnover or € 20,000,000 !


V. IMPACT: HOW TO PREPARE?


GDPR AND ENTERPRISE CONTENT MANAGEMENT


Where can Dell EMC help?

1. Data Minimization
2. Data Retention Periods
3. Privacy by Design
4. Privacy Impact Assessments
5. Consent
6. Data Subject’s Rights
7. Data Breach Notification
8. Data Protection Officer
9. Fines


Data Retention Periods

Requirement

• Retention of data for no longer than is necessary for purposes

Solution

• Manage retention within a single archive, instead of implementing retention in every system.


Privacy by Design

Requirement

• Organizations are required to implement appropriate technical and organizational measures, such as:

  • Encryption

  • Ensuring the confidentiality, integrity and availability of personal data

Recommendation

• Separation of the personal data from other information

Solution

• Move data to a centralized archive once the data is no longer changing (static)

• At one location, manage the encryption, access control, and integrity of the data

• Additionally, use masking to hide personal data wherever access to it is not required

• Where possible, store the personal data separately. If necessary, a relation can be maintained between the personal data and the other data.


Consent

Requirement

• Consent must be requested for each process in which personal data is requested

• And must be stored in an auditable manner

• Consent may also be withdrawn

Solution

• Consent is stored at a single location, to simplify the proof of compliance

• By storing the consent in relation to the data requested for the process, organizations can prove their compliance when audited. When consent is withdrawn, the related data can easily be discovered.


Data Subject’s Rights

Requirement

• Data subjects have the right to request their data and

• Data subjects have the right to ask for erasure of that data

Solution

• Centralize the location of as much data as possible of a data subject, by storing all data directly in an archive when it becomes static.

• Apply retention in a single and consistent manner to avoid:

  • Implementing retention management in all your systems

  • Keeping data you are not allowed to keep


(Mitigate) Fines

Requirements

• All data containing personal data are subject to the GDPR

• Organizations are required to implement appropriate technical and organizational measures to comply

Solution

• Automate the analysis of the data within your organization

• Automate decisions and actions based on the analysis

• Have a solution to easily make manual decisions and actions

• Store the data in a compliant and auditable way

• Connect LoB applications to move static data to a compliant solution


How to become and stay compliant with GDPR


The Dell EMC GDPR solution components

• Analyze with Kazeon – eDiscovery and File Intelligence

• Enhance with Captiva – Capture and interpretation of scanned documents and pictures (jpg, tiff etc.)

• Action with Documentum xCP – Case Management solution to moderate your data; automate policy execution

• Store with InfoArchive – Compliant archiving of data governed by GDPR


GDPR Essential Guidance

Simplify and shorten time for discovery and reaching compliance with the right tools and technologies

This is a big-scale undertaking and time is of the essence, get going now

Regulation is coming, and coming faster than you think – and it will be about YOU


Interested? Who to contact…

Reach out to your local DellEMC ECD Account Manager

Ask for the GDPR solution stack


BETTER TOGETHER

We take content seriously. Leave no application data behind.


Content apps for the digital era.


JOIN THE CONVERSATION! #MMTM16

Take the LEAP personality quiz and win!

Connect with us

ECD SERVICES

Genius Labs, Garden Level Foyer


MOMENTUM BARCELONA APP AND WIN!


http://bit.ly/mmtm16BCN


BEYOND SILOS

Play the BEYOND Game and win a Raspberry Pi pre-loaded with InfoArchive


LET US KNOW WHAT YOU THOUGHT

Take the Session Survey

1. Open the schedule with the Momentum App
2. Go to the session you attended
3. Open “Session Survey”
4. Answer the 4 questions and submit.

Thank you!