Privacy is no longer something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations
Statistics from EY Surveys Page 2 When is privacy not something to keep quiet about?
Data protection and data privacy compliance can create challenges for companies Q: Which statement best describes your company’s status, with respect to complying with GDPR in 2018? Base: all respondents (745) Page 3 When is privacy not something to keep quiet about?
Increased concern about data protection and data privacy compliance Q: Over the past two years, how has the level of concern about these risk areas changed in your organization? Base: all respondents (745) The “Don’t know” percentages have been omitted to allow better comparisons among the responses given. Page 4 When is privacy not something to keep quiet about?
What has specifically changed within organizations? Page 5 When is privacy not something to keep quiet about?
What is happening after May 25 th ? Page 6 When is privacy not something to keep quiet about?
Compliance by May 25 th ? Page 7 When is privacy not something to keep quiet about?
Can we expect investigations? Page 8 When is privacy not something to keep quiet about?
Data subject rights Page 9 When is privacy not something to keep quiet about?
Overview of EU residents’ privacy rights: Rights in relation to automated decision-making and profiling Right to restrict processing Right to be informed Right of access Right to correct errors Right to be forgotten / Right to erasure Consent Right to data portability Right to object Page 10 When is privacy not something to keep quiet about?
After May 25, 2018, customers and employees will exercise their new rights on a large scale “ Please provide me with a copy of, or access to, my personal data that you have or are processing. ...” “ Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store. ...” “ Please provide a list of all third parties with whom you have (or may have) shared my personal data. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data. ...” 11 Page 11 When is privacy not something to keep quiet about?
Data subject rights Key changes Impact The right to be forgotten — the right to ask data Support rights of data subjects i.e., to access, modify and ► ► controllers to erase all personal data without undue delay erase their PII, transfer PII to another organization (data in certain circumstances portability) and object to the processing. The right to data portability — where individuals have Ensure professional management of such inquiries and ► ► provided personal data to a service provider, they can timely handling of such demands (information must be require the provider to ‘port’ the data to another provider, provided without delay and at the latest within one month provided this is technically feasible of receipt). The right to object to profiling — the right not to be Provide copies of relevant data free of charge, unless a ► ► subject to a decision based solely on automated request is manifestly unfounded or excessive, processing particularly if it is repetitive. Challenges What do we see in the market: Implement robust procedures/functionalities for data Many of our clients prepare for a more sophisticated ► ► subjects to submit requests and provide transparency on approach in regard to handling data subject access data subjects rights. requests, as they consider it an opportunity to show sincerity and professionalism in times, in which Large quantity requests (GDPR does not introduce an ► customers’ levels of trust can be decisive for the success exemption for large requests, but permits you to ask the of new business models. individual to specify the information the request relates to). Additionally, many companies consider mishandled data ► Scoping of and tooling for transferring data to another ► subject requests a likely vector for problems with their organizations (as a part of data portability) is still regulator, where they expect any disgruntled customer subject to many questions and ambiguities. will quickly turn to. Page 12 When is privacy not something to keep quiet about?
Technology to Handle SARs Page 13 When is privacy not something to keep quiet about?
Financial Times Reports Google Received 2.4m Requests to be Forgotten Page 14 When is privacy not something to keep quiet about?
Time to get personal on data Global Fraud Survey 2018 One in four of our respondents are likely to assert their right to have personal data erased. ► Even if only half of this percentage of respondents assert their right to be forgotten, the technology and administrative burden on companies will be immense. Under 35 age group are significantly more likely (30%) to assert their right to have personal ► data erased. Page 15 When is privacy not something to keep quiet about?
Where Should I start? Defining risk Prioritize Inventory Dataflow Assess Impact Define actions appetite dataflows In order to fully The second step Using the gathered Based on both the Assess the impact Actions will be assess privacy and consists of insights on the defined risk of the dataflows on defined to mitigate compliance risks, identifying and dataflows, the risk appetite of the the natural the risks on the organizations will categorizing the appetite will be organization and persons involved. natural persons need to systems used and defined to support the established identified. understand how specific data flows expected GDPR risk(s) per Subsequently, this (customer and by the associated changes, prioritize dataflow, it will be list of actions will employee) data risks dataflows and established in be divided based are used. (high/medium/low define actions. which order tasks on the risk appetite risk). will be carried out. of the organizations, mitigating the highest risks first. Personal Data Lifecycle Management Appropriate Review privacy Relevant use Appropriate retention and Managed disclosure expectations of data collection of data disposal Page 16 When is privacy not something to keep quiet about?
Most Start by Separating Client and Employee Data Workforce Ecosystem Customer Ecosystem USERS USERS Travel Vendors & Customer & Worldwide Operations Aeroplan BU Cargo Rouge Agents Loyalty Contacts BU Cargo Rouge Leisure Altitude Operations Workday Reservation Systems Travel Agent Includes Unstructured Platform Storage Extracts, Archives, Payment Systems WorkerDB and Backups Customer Profiles PeopleSoft Includes Unstructured Value Statement Storage Extracts, Archives, Loyalty Programs Taleo Illustrates a high-level view and Backups of enterprise footprint for impacted business units, applications, and data Time & Attendance stores Enables information owners, users, and managers to Marketing Data Customer Surveys understand their GDPR Oracle compliance scope for inventorying during Phase 2 of EY’s GDPR Execution Framework 17 Page 17 When is privacy not something to keep quiet about?
Know Where Your Data is Located Value Statement GDPR requires detailed mapping of the flow of EU PI Documents a preliminary view of the data exchanges that must be evaluated and inventoried during Phase 2 of EY’s Customers GDPR Execution Loyalty Framework Systems Forms the basis for Payment Reservation accountable, timely Processors Systems reporting; data subject rights fulfillment; and reliable event response Transaction Custome Managemen r t Support Systems Agents Travel Regulatory Agencies Agencies 18 Page 18 When is privacy not something to keep quiet about?
Internal Investigations Page 19 When is privacy not something to keep quiet about?
Handling Investigations and Litigation post GDPR (1/2) Update or develop your discovery protocols Consider working with privacy counsel to develop standard collection, processing and review protocols to have consistent procedures Whenever possible, collect, filter and review data in the local country and cull the data set to only the most responsive. Embed steps to identify and categorize personal data during data collection. The information will help you assess the impact of GDPR on the discovery effort. Assess the scope of personal data during early case assessment. The early understanding of the impact will help you to anticipate the challenges ahead and plan your production schedule accordingly. Develop a phased production scheduled by the data’s risk profile and relevance to the matter. Begin with the most relevant data and with the least risk, such as public data or data not subject to GDPR. Anonymize or pseudo-anonymize personal information that is subject to data transfer clauses of GDPR. Page 20 When is privacy not something to keep quiet about?
Recommend
More recommend
