Homeדף בית Service Privacy shield & GDPR (General Data Protection Regulation)

Privacy shield & GDPR (General Data Protection Regulation)

GDRP (General Data Protection Regulation) Compliance Roadmap for new EU Privacy Law to be enforced from 25.05.2018

8 step roadmap to demonstrate GDPR compliance

  1. GDPR Compliance Scope Application
  2. GDPR Compliance Forum Role Players
  3. Personal Data Protection legal rights
  4. Personal data processing types
  5. Personal data processing location mapping
  6. Data Protection Impact Assessment (DPIA)
  7. Personal Data Protection Policy (outcome of DPIA)
  8. Personal Data Protection Procedures

GDPR Europe

1. GDPR Compliance Scope Application

GDPR (personal data protection law) will apply to all of the following personal data processing

  • EU Citizen data processing located outside the EU
  • Global Citizen data processing located inside the EU
  • PII (Personally Identifiable Information) of all living data subjects (customers, employees, suppliers)

2. GDPR Compliance Forum Role Players

  1. Compliance (requirements, monitor, report)
  2. Legal (privacy & cookie policies, T&C, supplier contracts)
  3. Customer Services (privacy policy support)
  4. CISO (personal data security policy, awareness)
  5. IT (technology solution delivery)

3. Personal data protection legal rights

Privacy Policy should clearly explain all personal data processing rights and provide
accessible website links to enable the affirmative exercise of such legal rights:

  1. Specified Valid Purposes (for personal data processing)
  2. Explicit consent (unambiguous, informed, logged)
  3. Withdraw consent (unambiguous, informed, logged)
  4. Submit a complaint of personal data misuse
  5. Request personal data update
  6. Request personal data erasure (subject to retention for legal,
    regulatory and other specified valid purposes)
  7. ePrivacy Regulation (ePR) is estimated to be enforced from 25.05.18
    (same EU enforcement fines as GDPR). ePR (Cookie Law) will require
    Cookie Policy that clearly explains all cookie types in use and how
    data subjects can exercise all their cookie data processing rights.

4. Personal data processing types

Map all personal data processing types (part of DPIA Procedure):

  1. PII – name, street address, ID #, email, mobile, online identifier
  2. KYC – ID document, utility bill, credit history, financial information
  3. Billing – cardholder PAN and expiry, deposits, withdrawals
  4. Trading – open positions, transactions, profit & loss

5. Personal data processing location mapping

Map all global locations of all the personal data processing
(part of DPIA Procedure):

  1. on-premise – primary and secondary data center sites
  2. cloud servicesSaaS (software), IaaS (VM server
    infrastructure), PaaS (database platform)

6. Data Protection Impact Assessment (DPIA)

Perform a DPIA for new projects, technologies and current personal data processing activities that
may result in a high risk to the rights and freedoms of data subjects (identifiable living persons):

  1. Map all the personal data processing types (step 4 – PII, KYC, Billing, Trading, Other).
  2. Map the personal data processing on-premise locations and cloud services (step 5).
  3. Map the collection, storage and replication data flows of all personal data processing types.
  4. Assess the user access rights management, activity auditing and monitoring processes.
  5. Identify the risks of unauthorized access to and disclosure of PII (+ other personal data).
  6. Assess the technical and organizational controls in place, vulnerabilities and potential risks.
  7. Identify the risk-appropriate technical and organizational security measures.
  8. Obtain CRO signoff to implement security measures that mitigate high risks to data subjects.


WP29 proposes DPIA guidelines, shedding light on high risk processing

Privacy Impact Survey

7. Personal Data Protection Policy (outcome of the DPIA)

Implement risk-appropriate ‘technical and organizational measures” to demonstrate compliance with
GDPR personal data protection requirements – Personal Data Security Policy:

  1. Ensure a level of security appropriate to the risk of personal data breach (identified in DPIA).
  2. Encrypt PII data to prevent personal identification of and serious harm to all living persons.
  3. Manage user access rights in accordance with role-based access control and SOD principles.
  4. Review privileged/other user access rights on a regular and annual basis.
  5. Implement appropriate MFA (multi-factor authentication) for all authorized users.
  6. Implement user activity event audit logs, monitoring and alert notification (timely detect breaches).
  7. Implement timely incident response to mitigate the impact of any personal data breach events.
  8. Restore data access and availability timely in response to any personal data breach events.
  9. Regularly review and improve the effectiveness of personal data security controls in place.

8. Personal Data Protection Procedures

Establish and Implement the required GDPR Privacy Procedures:

  1. Data Privacy by Design (build data security upfront)
  2. Data Privacy By Default (retain minimum required data)
  3. Data Protection Impact Assessment (DPIA)
  4. Data Breach Notification to Impacted Data Subjects
  5. Data Breach Notification to Lead Data Protection Supervisor
  6. Appoint Data Protection Officer (DPO) to monitor and advise on compliance.


4% of annual global

turnover or 20M €

+ Personal Damages


Israel Privacy Regulation to be enforced from 31.05.2018

The Protection of Privacy Regulation (passed by the Knesset on 21.03.17) applies to anyone who
owns, manages or maintains a database containing personal data in Israel. Data Security Protocol
and Breach Notification Requirements (“high” data security classification) will apply to anyone who
owns, manages or maintains a “personal database” hosted in Israel that processes “financial
information” (financial obligations, solvency & status) of more than 100,000 data subjects

  1. Database Specification Document (data collection and processing activities, purposes, data
    types, DB Manager, Data Security Officer, Processors, data security risks, mitigating actions).
  2. Physical Security, Data Security Officer (reports to DB Owner/Manager, establish data security
    protocols, ongoing compliance review, present findings from the review to DB Manager), Data
    Security Protocols
    (physical security, portable devices, access credentials, safeguard measures,
    risks, incident response plan according to severity), Mapping the Database Computer Systems
    (hardware and software components, system architecture), Access Credentials, Authentication
    and User Admin
    (appropriate clearance level, role-based access), Data Breach Register,
    Automated Logging Tools, Portable Devices, Segregation from other Systems, Internet
    Security (access control and malware safeguard measures, encrypt personal data transmitted
    over the Internet, remote access authentication).
  3. Additional stringent requirements )such as breach notification to ILITA( apply to high
    security classified “personal databases”.

Information Source: Adv. Haim Ravia, Privacy Law Partner, Pearl Cohen Law Firm 26.03.2017

IT Regulatory Compliance Framework

Risk Assessment > Policies & Procedures > Compliance Review > Legal rights protection > Personal Data protection

ITGC + CYBERSECURITY Baseline Controls

Some data was provided according to the Privacy shield framework.
for more information please call us: +972-52-6898650 (Call 052-6898650 from Israel)