
Page 1

Free GDPR Compliance Toolkit www.nymity.com/gdpr-toolkit.com

Preparing for the GDPR: Attaining and Demonstrating Compliance IAPP Privacy. Security. Risk.

September 16, 2016. San Jose (CA)

Copyright ©2016 by Nymity Inc. All rights reserved. This document is provided “as is” without any express or implied warranty. This document does not constitute legal advice and if you require legal advice you should consult with an attorney. Forwarding this document outside your organization is prohibited. Reproduction or use of this document for commercial purposes requires the prior written permission of Nymity Inc.

Page 2

Preparing for the GDPR: Attaining and Demonstrating Compliance

• The EU General Data Protection Regulation

• Understanding Accountability under the GDPR

• Operationalizing Accountability

• From Accountability to Compliance: Evidence

• Appropriate Technical and Organizational Measures

• How Nymity helps

• Compliance in Practice

Paul Breitbarth Nymity – The Hague (NL)

Joseph Alhadeff Oracle – Washington D.C. (US)

Andy Garner Nymity – London (UK)

Page 3

Introducing Nymity: A Data Privacy Research & Solutions Company

• Focus: Dedicated to global data privacy compliance research

• Established: 2002

• Offices:

  • Toronto, Canada (HQ)

  • London, UK

  • The Hague, the Netherlands

  • Bogota, Colombia

  • Boulder, Colorado, USA

• Research: Inventor of several compliance methodologies & frameworks

• Funding: Partially funded by government R&D grants

Software Solutions for the Privacy Office

Privacy Management Solutions:

• Nymity Attestor™

• Nymity Benchmarks™

• Nymity Templates™

• Nymity Planner™

Compliance Research Solutions:

• Nymity Research™

• Nymity LawTables™

• Nymity MofoNotes

• Nymity LatAm™

Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity’s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.

Page 4

EU General Data Protection Regulation

• Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data

• One main data protection law for all EU Member States (until further notice including UK)

• Fully applicable from 25 May 2018 to all organizations processing personal data in the EU or when offering goods and services to people in the EU

• New financial penalties in case of non-compliance

  • Maximum 20 million euro; or

  • 4% worldwide annual turnover (whichever is higher)

What is the GDPR and why is it relevant?

Page 5

EU General Data Protection Regulation

• Checklist-based guidance to GDPR implementation is ubiquitous

• Nymity has a different approach that has been made available for free, based on many years of own research

• Focus on accountability and demonstrating compliance

  • Not a one-off exercise

  • No ticking boxes

  • Going concern that requires attention on an ongoing basis

Nymity’s Approach to GDPR Compliance

Page 6

EU General Data Protection Regulation

• We envisage three types of organizations in 2018:

  1. Those who are non-compliant

  2. Those who are compliant

  3. Those who are able to demonstrate ongoing compliance

• Snapshot of a given moment in time (compliant) vs. readiness to deal with changing circumstances because the fundamentals of the policy are sound (ongoing compliance)

• Free tools available today at www.nymity.com/GDPR-Toolkit

• More advanced solutions at a subscription basis

GDPR Compliance

Page 7

Nymity GDPR Compliance Toolkit

Page 8

Article 24 Responsibility of the Controller

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

Article 5 Principles relating to personal data processing

The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”).

Understand Accountability under the GDPR

• Replacement of the obligation to register with DPA

• Understand your data processing operations on an ongoing basis: Both what and why

Page 9

Accountability

• Cornerstone of the GDPR – replaces notification obligation

• Accountability requires the need to show what you are doing (demonstrate compliance):

  • To the supervisory authority

  • To individuals

• Reduce risk of investigations and/or fines

• Quicker response to complaints and breaches - save time

Page 10

Operationalizing Accountability: Structured Privacy Management

Accountability Approach to Demonstrating Compliance

Structured Privacy Management is embedding ongoing privacy management activities throughout the organization, resulting in the ability to demonstrate accountability and compliance with evidence.

RESPONSIBILITY

Privacy management activities have been implemented and are maintained on an ongoing basis.

OWNERSHIP

Privacy management activities are embedded throughout the organization within each function or business unit that processes personal data.

EVIDENCE

Documentation is produced as a result of a privacy management activity that can be used as Evidence of accountability and compliance.

Page 11

Nymity Privacy Management Accountability Framework™

Privacy management activities are ongoing procedures, policies, measures, mechanisms, and other initiatives that impact the processing of personal data or that relate to compliance with privacy and data protection laws.

Accountability Approach to Demonstrating Compliance

Page 12

Evidence and Compliance

• Article 24 requires organizations to “…demonstrate that the processing of personal data is performed in compliance with this Regulation.”

• Demonstrating compliance is a dialogue; the privacy office uses evidence to tell the story

  • Not: Are we compliant right now?

  • Instead: How do we comply on an ongoing basis?

Page 13

Appropriate Technical and Organizational Measures

• Appropriate dependent on the specificities of an organization

• DPA Guidance can be expected in the coming years

• Don’t wait

  • Many measures are likely already part of your privacy program

  • Document what is currently undocumented

• Best practices available

• Make sure you are ready to tell the story behind your privacy policy and illustrate it with supporting documents

• Nymity research tools accessible via IAPP Resources

Page 14

Evidence and Compliance

• 39 of 99 Articles in the GDPR require Evidence to demonstrate compliance

• What about the others?

  • Definitions

  • Enforcement Actions

  • Legal Obligations

  • Codes of conduct

Page 15

Evidence and Compliance

• Evidence of ongoing privacy management activities, embedded throughout the organization

  • 55 mandatory privacy management activities

Page 16

Nymity GDPR Compliance Toolkit

Page 17

Nymity GDPR Compliance Toolkit

Privacy Management Accountability Annotations

Page 18

Nymity GDPR Compliance Toolkit

Readiness Assessment Questions

Page 19

Nymity GDPR Compliance Toolkit

Roadmap for Demonstrable GDPR Compliance

Page 20

Nymity Attestor

Andy Garner – Nymity

Page 21

Compliance in practice

Joseph Alhadeff – Oracle

Page 22

In Conclusion

Free GDPR Compliance Toolkit

• Privacy Management Accountability Annotations

• Accountability Roadmap for Demonstrable Compliance

• Readiness Assessment Questions

Subscription-based Solutions

How Nymity Helps

Page 23

Thank you [email protected] | @EuroPaulB | +31.6.2493.6643

www.nymity.com/GDPR-Toolkit
