Privacy shield & GDPR (General Data Protection Regulation)
GDRP (General Data Protection Regulation) Compliance Roadmap for new EU Privacy Law to be enforced from 25.05.2018
8 step roadmap to demonstrate GDPR compliance
- GDPR Compliance Scope Application
- GDPR Compliance Forum Role Players
- Personal Data Protection legal rights
- Personal data processing types
- Personal data processing location mapping
- Data Protection Impact Assessment (DPIA)
- Personal Data Protection Policy (outcome of DPIA)
- Personal Data Protection Procedures
1. GDPR Compliance Scope Application
GDPR (personal data protection law) will apply to all of the following personal data processing
- EU Citizen data processing located outside the EU
- Global Citizen data processing located inside the EU
- PII (Personally Identifiable Information) of all living data subjects (customers, employees, suppliers)
2. GDPR Compliance Forum Role Players
- Compliance (requirements, monitor, report)
- Legal (privacy & cookie policies, T&C, supplier contracts)
- CISO (personal data security policy, awareness)
- IT (technology solution delivery)
3. Personal data protection legal rights
accessible website links to enable the affirmative exercise of such legal rights:
- Specified Valid Purposes (for personal data processing)
- Explicit consent (unambiguous, informed, logged)
- Withdraw consent (unambiguous, informed, logged)
- Submit a complaint of personal data misuse
- Request personal data update
- Request personal data erasure (subject to retention for legal,
regulatory and other specified valid purposes)
- ePrivacy Regulation (ePR) is estimated to be enforced from 25.05.18
(same EU enforcement fines as GDPR). ePR (Cookie Law) will require
data subjects can exercise all their cookie data processing rights.
4. Personal data processing types
Map all personal data processing types (part of DPIA Procedure):
- PII – name, street address, ID #, email, mobile, online identifier
- KYC – ID document, utility bill, credit history, financial information
- Billing – cardholder PAN and expiry, deposits, withdrawals
- Trading – open positions, transactions, profit & loss
5. Personal data processing location mapping
Map all global locations of all the personal data processing
types (part of DPIA Procedure):
- on-premise – primary and secondary data center sites
- cloud services – SaaS (software), IaaS (VM server
infrastructure), PaaS (database platform)
6. Data Protection Impact Assessment (DPIA)
Perform a DPIA for new projects, technologies and current personal data processing activities that
may result in a high risk to the rights and freedoms of data subjects (identifiable living persons):
- Map all the personal data processing types (step 4 – PII, KYC, Billing, Trading, Other).
- Map the personal data processing on-premise locations and cloud services (step 5).
- Map the collection, storage and replication data flows of all personal data processing types.
- Assess the user access rights management, activity auditing and monitoring processes.
- Identify the risks of unauthorized access to and disclosure of PII (+ other personal data).
- Assess the technical and organizational controls in place, vulnerabilities and potential risks.
- Identify the risk-appropriate technical and organizational security measures.
- Obtain CRO signoff to implement security measures that mitigate high risks to data subjects.
7. Personal Data Protection Policy (outcome of the DPIA)
Implement risk-appropriate ‘technical and organizational measures” to demonstrate compliance with
GDPR personal data protection requirements – Personal Data Security Policy:
- Ensure a level of security appropriate to the risk of personal data breach (identified in DPIA).
- Encrypt PII data to prevent personal identification of and serious harm to all living persons.
- Manage user access rights in accordance with role-based access control and SOD principles.
- Review privileged/other user access rights on a regular and annual basis.
- Implement appropriate MFA (multi-factor authentication) for all authorized users.
- Implement user activity event audit logs, monitoring and alert notification (timely detect breaches).
- Implement timely incident response to mitigate the impact of any personal data breach events.
- Restore data access and availability timely in response to any personal data breach events.
- Regularly review and improve the effectiveness of personal data security controls in place.
8. Personal Data Protection Procedures
Establish and Implement the required GDPR Privacy Procedures:
- Data Privacy by Design (build data security upfront)
- Data Privacy By Default (retain minimum required data)
- Data Protection Impact Assessment (DPIA)
- Data Breach Notification to Impacted Data Subjects
- Data Breach Notification to Lead Data Protection Supervisor
- Appoint Data Protection Officer (DPO) to monitor and advise on compliance.
PREPARE NOW.. RATHER THAN PAY LATER
4% of annual global
turnover or 20M €
+ Personal Damages
Israel Privacy Regulation to be enforced from 31.05.2018
Israel’s new Privacy Protection Regulations, which came into effect in May 2018, set into effect policy concerning holders of personal data in Israel. The wide-reaching legislation now include an obligation of data controllers to notify ILITA, Israel’s data protection agency, of any breaches in medium or high-level security risk databases. These databases comprise two of the four levels of a system that categorizes databases according to their security risk.
The two lower risk categories can be lumped together under one label: basic security risk. The first category comprises databases controlled by an individual, such as the singular owner of a corporation. The individual cannot grant database access to more than two other people (unless the number of data subjects exceeds 10,000). The number of data subjects may not exceed 100,000.
Under the medium level of security includes databases that are owned by public agencies or those possessing “special” categories of data, such as private information, medical records, genetic information, and biometric information. Medium level of security also applies to direct marketing companies, which require consumer data. The above information does not apply to Medium if the information is about the database owners or if the number of data controllers is fewer than ten people.
The highest level of security is for databases with more than 100,000 data subjects and over 100 individual data controllers.
The following regulations apply to all data managers, no matter the level of security of the database they control:
- Security Procedures– The physical and environmental security of the databases must be given top priority. A specification document must also outline contingency plans for data incidents. Data security breaches must be documented and reported to the Data Registrar and, if necessary, data subjects themselves.
- Security Access– Public agencies or companies with at least five separate databases must appoint data security officers. The aforementioned security document must also include a list of individuals with access rights to the database as well as authorization procedures, and protocols regarding the use of mobile devices.
- Database Mapping and Definitions– There must be a detailed explanation regarding what the data will be used for, what kind of data will be stored in the databases, and procedures of processing and transferring data. There must also be a list of the hardware and software components used in the computer systems that support, operate, and manage the database.
- Et Alia– The computer systems handling personal data must be segregated as much as possible from uninvolved systems. Computer systems connected to the internet must be protected against viruses and malware. D controllers must follow certain standards, such as reviewing the risks of outsourcing to another company. In addition, the contract with the outsourcer must include information about the data being processed, like security requirements and obligations, and the period of engagement.
IT Regulatory Compliance Framework
Risk Assessment > Policies & Procedures > Compliance Review > Legal rights protection > Personal Data protection
ITGC + CYBERSECURITY Baseline Controls
Some data was provided according to the Privacy shield framework.