Download Privacy, Security, IT and the New European

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
Document related concepts
no text concepts found
Transcript 
PANELISTS:
SESSION ID: PRV-T11
Bridging Privacy, Security, IT and
Information Governance to prepare
for new European General Protection
Regulation
MODERATOR:
#RSAC
Dana Louise Simberkoff, JD, CIPP/US
Chief Compliance and Risk Officer
AvePoint Inc.
@danalouise
Bojana Bellamy
President
Centre for Information Policy Leadership
@the_cipl
JoAnn Stonier
EVP, Chief Information Governance &
Privacy Officer
Mastercard
@privacydesign
Michelle Dennedy
Chief Privacy Officer
Cisco
@mdennedy
The new EU Data Protection Regulation requires that you rethink
privacy, security and information governance strategy.
#RSAC
Understand and articulate the “new” (and not new) obligations the EU
GDPR will create for the CISO, IT and the CIO
Privacy and Security by Design and Default
Privacy Impact Assessments
Inventory and Data Maps for all Systems that hold PII
Mandatory Breach Notification
Etc….
Securely Manage and Share Information utilizing a “Risk Based”
approach
Ensure IT, Security and Privacy Work Better Together
EU Data Protection Regulation at a Glance
Harmonisation and some
progress
•Harmonised rules, but
not fully (e.g. employee
data, children data)
•One Stop Shop: Lead
DPA for pan-European
matters, in cooperation
with other DPAs; Local
DPA for local matters
and redress for
individuals
•Risk-based approach
•Some reduction of
administrative burden
(no national registration
of processing. or prior
authorisation)
•BCR, seals and
certifications
Wider scope
•Controller and processor
•Extraterritorial
application to foreign
controller and processor
•Wider definition of
personal data and
sensitive data;
anonymous data and
pseudonymisation
•Processing children data
under 16 require
parental consent
Increased obligations
Strengthened rights of
individuals
•DP principles tightened
(consent,
transparency/notices)
•Right to erasure
•Profiling rules
•Right not to be subject
to automated profiling /
right to object
•Privacy Impact
Assessment
•Privacy by Design
•Breach notification - to
DPAs and individuals
•Direct obligations and
liability for processor
•Accountability - privacy
program
•Internal record of
processing
•DP Officer
•Data portability
Increased enforcement,
fines, liability
•Regulatory fines up to
4% of annual worldwide
turnover
•Individual action
•Class action
•Criminal sanctions (in
national laws)
•Larger role for European
Data Protection Board
(EDPB)
Panel Questions…
How do we reconcile the idea that “more is better”
when it comes to data or is that even a conflict?
What do the CIO, CISO and “The Business” Need to
know about the GDPR?
What do you see as the role of automation?
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
Resources
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
•
•
•
•
•
•
Developed by AvePoint
Distributed exclusively by IAPP
Global Support provided by
AvePoint
Educational Resource ***Cost
Free***! (AvePoint Global
Research and Development
Team)
Extended by the Privacy
Community!
https://www.privacyassociation.org/resource_center/av
epoint_privacy_impact_assessment_system
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a retrieval system, or transmitted in any form or by any means,
without the prior written consent of AvePoint, Inc.
#RSAC
Resources
• IAPP web page:
https://www.privacyassociation.org/resource_center/avepoint_privacy_impact_assessment_system
• APIA website (on avepoint.com):
http://www.avepoint.com/privacy-impact-assessment/
• Centre for Information Policy Leadership
https://www.informationpolicycentre.com/
• Privacy and Information Security Law Blog
http://www.huntonprivacyblog.com
• EU GDPR Readiness Benchmark- CIPL-AvePoint (coming in 2016)
#RSAC
Our Contact Information…
Dana Simberkoff, JD, CIPP/US , Chief Compliance and Risk Officer,
AvePoint Inc., [email protected] @danalouise
Bojana Bellamy, President, Centre for Information Policy Leadership
[email protected] @THE_CIPL
JoAnn Stonier, EVP, Chief Information Governance & Privacy Officer,
Mastercard [email protected] @privacydesign
Michelle Dennedy, Chief Privacy Officer, Cisco @mdennedy
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
GDPR Background
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
EU Data Protection Regulation at a Glance
Harmonisation and
some progress
• Harmonised rules, but
not fully (e.g.
employee data,
children data)
• One Stop Shop: Lead
DPA for pan-European
matters, in
cooperation with other
DPAs; Local DPA for
local matters and
redress for individuals
• Risk-based approach
• Some reduction of
administrative burden
(no national
registration of
processing. or prior
authorisation)
• BCR, seals and
certifications
Wider scope
• Controller and
processor
• Extraterritorial
application to foreign
controller and
processor
• Wider definition of
personal data and
sensitive data;
anonymous data and
pseudonymisation
• Processing children
data under 16 require
parental consent
Increased obligations
Strengthened rights
of individuals
• DP principles
tightened (consent,
transparency/notices)
• Right to erasure
• Profiling rules
• Right not to be subject
to automated profiling
/ right to object
• Privacy Impact
Assessment
• Privacy by Design
• Breach notification - to
DPAs and individuals
• Direct obligations and
liability for processor
• Data portability
Increased
enforcement, fines,
liability
• Regulatory fines up to
4% of annual
worldwide turnover
• Individual action
• Class action
• Criminal sanctions (in
national laws)
• Larger role for
European Data
Protection Board
(EDPB)
• Accountability privacy program
• Internal record of
processing
• DP Officer
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
Privacy Impact
Assessments,
based on risk
to individuals
Privacy by
Design and
Privacy by
Default
Third party
providers
(software and
services)
Internal
inventory of
processing
Wide
regulated
personal
data
Security
breach
notification
Coordin
ated
action
DPO,
CIO,
CISO
Tension
privacy v.
security
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
• Two sides of
the same
coin
• There is no
privacy
without
security
Converg
ence
Privacy =
Security
Governa
nce
Conflict
• Privacy can
be breached
without a
breach of
security
• Protecting
assets and
information
creates privacy
©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. No part of this may berisks
reproduced, stored in a
• Enabling
business
growth and
innovation
retrieval system, or transmitted in any form or by any means, without the prior written consent of AvePoint, Inc.
Related documents
Merenje koncentracije i trzisne moci privrednih
Merenje koncentracije i trzisne moci privrednih
Brian O - Omega Dental Group
Brian O - Omega Dental Group
Computer Science 9616a, Fall 2011 Project Description Your project
Computer Science 9616a, Fall 2011 Project Description Your project
Misc. Privacy Topics (concluding)
Misc. Privacy Topics (concluding)
Computer Science 9616b, Fall 2016 Project Description Your project
Computer Science 9616b, Fall 2016 Project Description Your project
Lecture for Chapter 2.3 (Fall 09)
Lecture for Chapter 2.3 (Fall 09)
Privacy Statement - Handprints and Footsteps
Privacy Statement - Handprints and Footsteps
HIPPA Compliance Form
HIPPA Compliance Form
Donor Privacy Policy
Donor Privacy Policy
Innovative Applications of Artificial Intelligence Techniques in
Innovative Applications of Artificial Intelligence Techniques in