

SLIDE 1

Privacy is no longer something to keep quiet about

GDPR Compliance Concerns and Its Impacts on Investigations

SLIDE 2

Page 2 When is privacy not something to keep quiet about?

Statistics from EY Surveys

SLIDE 3

Data protection and data privacy compliance can create challenges for companies

Q: Which statement best describes your company’s status, with respect to complying with GDPR in 2018?

Base: all respondents (745)

SLIDE 4

Increased concern about data protection and data privacy compliance

Q: Over the past two years, how has the level of concern about these risk areas changed in your organization?

Base: all respondents (745) The “Don’t know” percentages have been omitted to allow better comparisons among the responses given.

SLIDE 5

What has specifically changed within organizations?

SLIDE 6

What is happening after May 25th?

SLIDE 7

Compliance by May 25th?

SLIDE 8

Can we expect investigations?

SLIDE 9

Data subject rights

SLIDE 10

Overview of EU residents’ privacy rights:

Rights in relation to automated decision-making and profiling
Right to restrict processing
Right to be informed
Right of access
Right to correct errors
Right to be forgotten / Right to erasure
Consent
Right to data portability
Right to object

SLIDE 11

After May 25, 2018, customers and employees will exercise their new rights on a large scale

Examples of requests data subjects may send:

“Please provide me with a copy of, or access to, my personal data that you have or are processing....”

“Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store....”

“Please provide a list of all third parties with whom you have (or may have) shared my personal data. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data....”

SLIDE 12

Data subject rights

Key changes

The right to be forgotten — the right to ask data controllers to erase all personal data without undue delay in certain circumstances

The right to data portability — where individuals have provided personal data to a service provider, they can require the provider to ‘port’ the data to another provider, provided this is technically feasible

The right to object to profiling — the right not to be subject to a decision based solely on automated processing

Impact

Support the rights of data subjects, i.e., to access, modify and erase their PII, to transfer PII to another organization (data portability) and to object to the processing.

Ensure professional management of such inquiries and timely handling of such demands (information must be provided without delay and at the latest within one month of receipt).

Provide copies of relevant data free of charge, unless a request is manifestly unfounded or excessive, particularly if it is repetitive.

Challenges

Implement robust procedures and functionalities for data subjects to submit requests, and provide transparency on data subjects’ rights.

Large-quantity requests (GDPR does not introduce an exemption for large requests, but it permits you to ask the individual to specify the information the request relates to).

Scoping of, and tooling for, transferring data to another organization (as part of data portability) is still subject to many questions and ambiguities.

What do we see in the market:

Many of our clients prepare for a more sophisticated approach to handling data subject access requests, as they consider it an opportunity to show sincerity and professionalism in times in which customers’ levels of trust can be decisive for the success of new business models.

Additionally, many companies consider mishandled data subject requests a likely source of problems with their regulator, to whom they expect any disgruntled customer will quickly turn.

SLIDE 13

Technology to Handle SARs

SLIDE 14

Financial Times Reports Google Received 2.4m Requests to be Forgotten

SLIDE 15

Time to get personal on data

Global Fraud Survey 2018

One in four of our respondents are likely to assert their right to have personal data erased. Even if only half of this percentage of respondents assert their right to be forgotten, the technology and administrative burden on companies will be immense.

The under-35 age group is significantly more likely (30%) to assert their right to have personal data erased.

SLIDE 16

Where should I start?

Inventory: In order to fully assess privacy and compliance risks, organizations will need to understand how (customer and employee) data are used.

Dataflow: The second step consists of identifying and categorizing the systems used and the specific data flows by their associated risks (high/medium/low risk).

Prioritize dataflows: Based on both the defined risk appetite of the organization and the established risk(s) per dataflow, it will be established in which order tasks will be carried out.

Assess impact: Assess the impact of the dataflows on the natural persons involved.

Define actions: Actions will be defined to mitigate the risks to the natural persons identified. Subsequently, this list of actions will be divided based on the risk appetite of the organization, mitigating the highest risks first.

Defining risk appetite: Using the gathered insights on the dataflows, the risk appetite will be defined to support expected GDPR changes, prioritize dataflows and define actions.

Personal Data Lifecycle Management: Appropriate collection of data; Relevant use of data; Managed disclosure; Appropriate retention and disposal; Review privacy expectations.

SLIDE 17

Most Start by Separating Client and Employee Data

[Diagram: two ecosystems. Customer Ecosystem: Marketing Data, Reservation Systems, Payment Systems, Travel Agent Platform, Customer Surveys, Customer & Contacts, Cargo, Operations, Vendors & Loyalty, Customer Profiles, Loyalty Programs, and business units (Travel Agents, Rouge, Aeroplan, Cargo, Altitude, Worldwide Operations, Leisure); includes unstructured storage extracts, archives, and backups. Workforce Ecosystem: PeopleSoft, Time & Attendance, WorkerDB, Taleo, Oracle, Workday; includes unstructured storage extracts, archives, and backups.]

Value Statement
 Illustrates a high-level view of the enterprise footprint for impacted business units, applications, and data stores
 Enables information owners, users, and managers to understand their GDPR compliance scope for inventorying during Phase 2 of EY’s GDPR Execution Framework
SLIDE 18

Know Where Your Data is Located

[Diagram: data flows between Travel Agencies, Customer Support Agents, Customers, Regulatory Agencies, Reservation Systems, Loyalty Systems, Payment Processors and Transaction Management Systems.]

Value Statement
 GDPR requires detailed mapping of the flow of EU PI
 Documents a preliminary view of the data exchanges that must be evaluated and inventoried during Phase 2 of EY’s GDPR Execution Framework
 Forms the basis for accountable, timely reporting; data subject rights fulfillment; and reliable event response
SLIDE 19

Internal Investigations

SLIDE 20

Handling Investigations and Litigation post GDPR (1/2)

Update or develop your discovery protocols: Consider working with privacy counsel to develop standard collection, processing and review protocols so that procedures are consistent.

Whenever possible, collect, filter and review data in the local country and cull the data set to only the most responsive material.

Embed steps to identify and categorize personal data during data collection. This information will help you assess the impact of GDPR on the discovery effort.

Assess the scope of personal data during early case assessment. An early understanding of the impact will help you to anticipate the challenges ahead and plan your production schedule accordingly.

Develop a phased production schedule based on the data’s risk profile and relevance to the matter. Begin with the most relevant data that carries the least risk, such as public data or data not subject to GDPR.

Anonymize or pseudonymize personal information that is subject to the data transfer clauses of GDPR.

SLIDE 21

Handling Investigations and Litigation post GDPR (2/2)

Greater responsibility on both controllers and processors of personal data.

Cross-border activities: a derogation for data transfers is now available under Article 49(e).

After 25 May 2018, a multi-step analysis is needed to fully consider compliance under the GDPR:

Step 1: Processing is limited to only that data which is adequate, relevant and limited to what is necessary. Controllers should first consider the use of anonymized or pseudonymized data, where the controller maintains the ability to reverse the anonymization if necessary. To the extent this is not sufficient, data should be filtered so that any personal data ultimately disclosed is adequate, relevant and not excessive. Adequate safeguards must be in place to ensure, among other things, the security and accuracy of the data.

Step 2: If available, Binding Corporate Rules, standard data protection clauses and Privacy Shield can be used to facilitate access to, and movement of data out of, the European Union prior to production to any third party. That much more limited set can then be produced, subject to appropriate safeguards and security, which can be provided through protective orders and technical means.

SLIDE 22

GDPR can be a strategic opportunity

Despite the compliance challenges, implementing the GDPR standards offers a host of strategic opportunities that may align with other existing initiatives, including:

Improving visibility of customer privacy data:
 Increases cyber protection effectiveness
 Reduces risk and compliance concerns

Disposing of redundant or unnecessary data:
 Reduces compliance data volume scope
 Improves operational efficiencies
 May realize an aggressive ROI

Adopting a global approach:
 Could simplify compliance efforts
 Lowers risk of potential lawsuits
 Strengthens privacy brand

New data maps could streamline:
 Insider threat focus and detection
 Breach response
 eDiscovery and legal hold
 Knowledge management

Improving cross-functional information flows and cross-system reporting could deliver new insights in:
 Post-marketing surveillance
 Supply chain efficiencies
 Return on sales and marketing spend

Creating PII inventories across the enterprise allows other critical information assets to be tracked, assisting with broader risk and compliance concerns.
SLIDE 23

The key takeaways

1. Understand the importance: GDPR is a “game changer” in the world of privacy and impacts our clients substantially.

2. Time for action: The regulation is effective by 25 May 2018. Compliance must be reached.

3. Beyond compliance: GDPR is not only a compliance exercise but also of strategic value.
