12/1/2016
Drawing a Map: Where Are You Now?
Where Do You Need to Go?
Dana Simberkoff, CIPP/US, Chief Compliance and Risk Officer, AvePoint
Christina Peters, CIPP/US, CPO, IBM
Practical Privacy Series 2016
9:30 a.m. – 10:15 a.m.
Presenter
Dana Louise Simberkoff, JD, CIPP, Chief Compliance and Risk Officer, AvePoint
Dana.Simberkoff@avepoint.com
Blog: www.DocAve.com
https://www.linkedin.com/in/danalouisesimberkoff
@danalouise
© 2016 IBM Corporation. IBM internal use only. Global Sales Leadership Academy
Christina Peters, IBM Chief Privacy Officer
cpeters@us.ibm.com
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc.
• Introductions (some questions to get us started)
• The IBM Perspective
• Benchmarking Global Readiness-AvePoint and CIPL Survey
• Questions
IBM at a glance
400,000+ employees | 170+ countries | Well-established privacy program
Key Business Segments: Services, Software, Hardware, Research, Financing, Cognitive, Cloud
Diverse businesses, diverse challenges
Business areas: Cloud, Analytics, Cognitive, Security, Education, Commerce, Digital Business, Watson, Mobile, Social, Watson Health, IT Infrastructure, IoT, Industry Solutions, GBS, GTS
Roles: Controllers and Processors; IBM data and Client data
Cross-Company GDPR Project . . . established a GDPR project to help business units take ownership of various challenges, provide and promote common approaches, and share solutions
GDPR Public Community | GDPR Implementation Project | Internal Community
IBM as a Controller . . . using the existing Global Privacy Assessment (GPA) to help internal business owners prepare for GDPR in the course of 2017
Partnership with Chief Data Office . . . privacy in sync with data strategy
Successful implementation of data strategy . . . depends upon a sophisticated approach to governance from beginning to end
EXISTING DATA ASSETS: Streams; Spark, SQL, DataStage; Search Indices
FEATURES
• Analysis across data sets
• Expanded access
• Ongoing integration of new data
• Improved data quality
• Timely access
Governance drives value from ingestion to access
• Data stewardship
• Metadata management
• Data curation
• Data catalog
• Rationalization of data purchases
• Scalable & secure role/access authorization
• Privacy and security
• Reporting
• Auditing
• Feedback & resolution process
Security, Provenance, Privacy/Policy Enforcement
Established framework for managing data end-to-end
CDO Data Strategy
Data Governance Disciplines --- each with detail
Data Governance processes
Data Management Components --- providing integrated management of DG practices
Data Strategy --- integrating DG Disciplines & Data Management Components
Framework elements:
• Policies, Audits & Controls
• Stewardship & Data Governance
• Organizational Support (BUDO, FUDO)
• Data Integration
• Data Acquisition
• Meta Data Management
• Data Quality
• Information Storage Management
• Data Security, Privacy and Regulatory Compliance
• Data Ingestion
• Data Access
Key goals for GDPR implementation . . . go beyond compliance
GDPR strategy: measurement, technical automation, education, policies . . .
Innovate with Confidence!
AvePoint & CIPL's first global survey to benchmark
organisations’ readiness for the GDPR
BRIDGING REGIONS | BRIDGING INDUSTRY & REGULATORS | BRIDGING PRIVACY & DATA DRIVEN INNOVATION
A GLOBAL PRIVACY AND SECURITY THINK TANK
• 45+ member companies
• 5+ active projects & initiatives
• 20+ conferences, workshops & events annually
• 15+ principals & advisors
• We INFORM through publications and events
• We NETWORK with global industry and government leaders
• We SHAPE privacy policy, law and practice
• We CREATE and implement best practices
ABOUT US
The Centre for Information Policy Leadership (CIPL) is a global privacy and security
think tank.
Based in Washington, DC, Brussels and London.
Founded in 2001 by leading companies and Hunton & Williams LLP.
CIPL works with industry leaders, regulators and policy makers to develop global
solutions and best practices for privacy and responsible use of data to enable the
modern information age.
twitter.com/the_cipl
linkedin.com/company/centre-for-information-policy-leadership
www.informationpolicycentre.com
Bojana Bellamy, President, bbellamy@hunton.com
Markus Heyder, Vice President & Senior Policy Counselor, mheyder@hunton.com
Michelle Marcoot, Director, Business Development, mmarcoot@hunton.com
2200 Pennsylvania Avenue, Washington, DC 20037
Park Atrium, Rue des Colonies 11, 1000 Brussels, Belgium
30 St Mary Axe, London EC3A 8EP
• Deloitte Technology Fast 500
• Inc. Magazine Hire Power Award
• Ernst & Young Entrepreneur of the Year
• Windows IT Pro Best SharePoint Product
Founded in 2001, AvePoint helps more than 15,000 organizations accelerate the migration, management, and protection of their data no matter where it lives – including IT systems on premises, in the cloud, and in hybrid environments.
GDPR Survey
CIPL and AvePoint launched a global GDPR readiness survey to:
• Assess the current state of readiness for the GDPR
• Benchmark and evaluate readiness in relation to industry peers on an ongoing basis
• Understand key changes and compliance obligations under the GDPR
• Help determine the best implementation path forward and make appropriate resource and budgetary requests to meet their goals
The survey focuses on the key change areas in the GDPR, including:
• Consent and consent for children
• Legitimate interest
• Profiling
• Data portability
• Privacy impact assessments
• Data protection by design
• DPOs and resources
• Data breach reporting
• Transfers to third countries
• Accountability and privacy management programme
Survey Participants Snapshot – 232 responses
Job Titles
• Chief Privacy Officer/Data Protection Officer
• Senior Director Global Privacy
• Legal Counsel/Attorney
• Information Security Officer
• Manager
• Consultant
• Vice President
Company Revenues
Less than $1 Million to Greater than $100 Billion
Survey Participants Location
• 70% Europe
• 27% Americas
• 2% Asia
• 1% Africa
• 93% operate in Europe
• More than half operate in US
• Under half in Latin America
• Under half in Asia Pacific
[Chart: respondent distribution, bars from 21% down to 1%; category labels not recoverable from the extraction]
Key Insights
• Consent and Legitimate Interest
• DPIA and Privacy by Design
• Security Breach Notification
• Controller-Processor Agreement
• Data Transfers outside EU – HR, Customer and Data Transfers to Vendors
• Organisational Readiness and Resources for GDPR Implementation
GDPR: Organisational Readiness
Readiness
• Have committed additional headcount, budget or external counsel spend
• No additional resources
• Have started internal discussions
(Readiness figures for these categories are not recoverable from the extraction; the values visible include 31% and 1 in 5.)
SENIOR MANAGEMENT KEY CONCERNS (by level of impact)
• Enhanced sanctions
• Data breach reporting
• Stricter rules on consent & reuse
• Individual rights
• Changes to internal privacy program
GDPR Requirements: Where do you stand?
• Individual rights
• Data breach notification
• Privacy Management Programme
• Use/Contracting with processors
Legitimate interests, Privacy by Design, DPIA and risk are the areas requiring most clarification.
Equally, processors are not ready for the new obligations imposed by the GDPR.
Consent & Legitimate Interest
• 90% use consent for the majority or some of their data processing today
• 78% do not consistently obtain separate consent for different processing operations
• 83% are currently using legitimate interest or will be post-GDPR
• 33% will be relying more on the legitimate interest processing legal basis under the GDPR than they currently do
• Heavy reliance on consent today: over a third of organisations use it for the majority of their processing (38%) and over a half (53%) for limited processing
• Only a third or a quarter of organisations currently comply with the new GDPR consent requirements: only 22% gather consent for separate processing operations, 34% are able to demonstrate consent in all instances, and 3/4 require consent as a condition of product/service.
Privacy By Design? Impact Assessment Capabilities?
Data Protection Impact Assessments (DPIAs)
• 50%+ conduct DPIAs in circumstances required by the GDPR
• have a framework and procedures to identify & classify risk
• use an in-house or commercial automated system for DPIAs
• of current DPIAs are carried out in Word/Excel format
(The slide shows the fractions 1/3, 1/4 and 2/3 for the last three items; their assignment is not recoverable from the extraction.)
• 40% already incorporate Privacy by Design for all new projects
• 42% already incorporate Privacy by Design in some instances
Security Design Assessments
• 41% conduct Security Design Assessments on NEW IT systems
• 59% only conduct Security Design Assessments on EXISTING IT systems
• Run assessments manually (fraction not recoverable from the extraction)
Do you know what you have and how to treat it?
Data Classification & Lifecycle Management
• 1/3 of organisations currently tag sensitive content
• 40% do not know how data is treated or processed throughout its lifespan
Data Inventories
• have an internal data inventory/record of processing
• have no data inventory or internal records of processing with the information required by the GDPR
• have inventories of international data transfers
(Figures shown on the slide: 1/2 (appearing three times), 76% and 60%; their pairing with the items is not recoverable from the extraction.)
Breach Notification
What measures and procedures do you currently have in place to respond to data breaches?
• Internal reporting procedures / hotlines: 75.6%
• Incident response plan: 77.6%
• Incident response team: 63.5%
• Conduct dry-run/data breach scenarios: 33.3%
• Cyber insurance coverage: 31.4%
• PR and media consultant retained: 32.7%
• Forensic experts retained: 28.2%
• None: 7.1%
• Other: 10.9%
77% are subject to a data breach reporting obligation, or voluntary reporting, under US, E-Privacy, national EU or other law.
The great majority (64-78%) have breach notification reporting, a response plan and a team.
But just under a third have PR, media and forensic teams in place, conduct dry-runs and have cyber insurance.
Controller – Processor Relationship & Agreements
Are Controllers reviewing and negotiating current agreements?
• Are in progress
• Have not yet started
(Figures shown on the slide: 1/3, 40% and 1/2; their pairing with the items is not recoverable from the extraction.)
Only a half have contracts that address individual rights and require the processor to provide information.
76%: the majority of organisations' standard processing agreements already reflect some of the new GDPR requirements.
Controller Processor Agreement
Do your standard data processing terms include additional terms required by the GDPR?
• N/A: 12.7%
• Contract requires processor to make information about the processing it carries out available to the controller: 52.1%
• Contract requires the processor to provide assistance in respect of regulatory queries: 68.3%
• Contract requires processor to notify data breaches: 73.2%
• Contract addresses data subject rights: 56.3%
• Contract prevents sub-processing without consent: 70.4%
• Contract imposes duty of confidentiality on relevant staff: 76.8%
• A great majority of standard terms already include new requirements of the GDPR.
• Just over a half of organisations address individual rights in contracts and require the processor to provide information about processing.
Some Tools to Help Organisations
LEARN
• GDPR Benchmark Report: download the full report
• White Paper: The Operational Impact of the European Union General Data Protection Regulation (GDPR) on IT
• GDPR Blog Series: more ways to learn
• AvePoint's GDPR Solutions: tools for GDPR compliance
www.avepoint.com/GDPR
DO
• AvePoint Privacy Impact Assessment System: our free privacy impact assessment tool, exclusively distributed by the International Association of Privacy Professionals (IAPP)
https://iapp.org/resources/apia/