Is your company based in the US and also operating in the EU? There are things you MUST learn about the General Data Protection Regulation (GDPR): this law, which goes into effect on May 25, 2018, will have an impact on your business. This expert webinar will help you prepare for what's ahead.
Sean Martin, CISSP, Editor-in-Chief, ITSPmagazine
Here are some topics we explored:
GDPR program ownership - Is a DPO necessary?
What a risk-based regulation means to the business.
How to manage risk and reduce exposure.
Policy definition and control implementation requirements.
When something goes wrong, who do you bow down to? The EU or the US?
Is a DPO necessary for your business?
What's the status of your GDPR budget?
FINAL THOUGHTS FROM THE PANELISTS
Laz: If you don’t have a plan, at a minimum - please share this webinar with your executive team and work on building and funding a plan to support GDPR. Reach out to your network of trusted advisors and ask what they are doing in this space.
If you have a program and funding in place, remember that GDPR doesn't 'go away' in May 2018. Please plan on building the plan to support the processes and/or controls needed for GDPR.
Webber: GDPR is principle based and risk based regulation. Not one size fits all. Even if ultimately you conclude it's not proportionate to expend considerable time today on EU compliance, you owe it to your business to take a little time to explore the potential impact on the business and the risks (and on the data subjects whose data you hold). Technically the law is not optional. Don't think about fines, think about why good data handling may benefit you as a business globally and why you have a duty to protect data you hold as a custodian. A lot of GDPR can be translated into good business practices and can deliver business benefit.
HERE ARE SOME ANSWERS TO QUESTIONS RAISED DURING THE WEBINAR THAT WE WERE UNABLE TO ADDRESS DURING THE LIVE SESSION
Question: What are the gaps between EU Privacy Shield and GDPR? What are the critical areas between the two?
Hagerman: This is a more complicated answer than space allows, as I can't line out each specific difference. Privacy Shield requires that US companies agree to abide by the specific Privacy Shield Principles agreed to by the US Dept. of Commerce and the EU Commission (see http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision-annex-2_en.pdf). These principles are substantially similar to the provisions of the GDPR and have been "blessed" as meeting the EU's adequacy requirements. However, just meeting Privacy Shield does not guarantee that you are meeting all of the relevant provisions of the GDPR, as it is focused solely on US companies receiving personal information from EU residents and does not cover all potential situations where an organization has business dealings in the EU. For this reason, I recommend conducting a separate GDPR assessment.
Question: What continuous monitoring tool would be beneficial to provide assurance to the regulators?
Laz: Great question. I would take a look at the Informatica Data Governance & Compliance for the Enterprise toolset for monitoring the GDPR environment. Please remember, though, that whatever toolset you choose, the business processes must ultimately be clearly defined and implemented in whatever solution you're using.
Question: To what extent do I have to be selling goods and services to EU citizens? If I just have a globally available website that sells services to anyone and an EU person happens to use this, where I'm not specifically targeting the EU, does GDPR apply? Is GDPR so binary?
Hagerman: If you collect personal information from any EU citizen, then you are subject to the GDPR. It doesn't matter if you are specifically targeting EU citizens or businesses.
Question: But if not in Europe, your example a California company without a footprint there... what jurisdiction does Europe have over an outside company? How would they enforce?
Webber: Correct, the EU regulators have no jurisdiction to enforce in California. However, they can find ways to enforce over any EU-based entities. Technically, if you are caught by GDPR but have no EU presence, you are supposed to register an EU-based representative under Article 27. Even if the Supervisory Authorities can't reach you, they can create publicity and reach out to local regulators if they choose to. Taking an "I'm not in the jurisdiction" approach is possible, but what if you then plan EU expansion or circumstances change? Avoidance and running this argument is not the greatest tactic long term.
Question: Budget depends on how many businesses are doing European business... no?
Webber: Yes, of course. As I mentioned during the webinar, there is no one-size-fits-all. You need to assess risk, the extent to which you are caught and whether this law is a priority. Budget issues are impacted by all kinds of factors. If you're not caught by the territorial tests of the GDPR, you're not subject to the GDPR.
Question: What is the difference between DPO and CISO? The same or interchangeable in this context? Or DPOs are more regulatory driven?
Hagerman: I believe Mark addressed this very well in his remarks during the webinar. A DPO has prescribed duties and responsibilities, including reporting requirements, and acts as a direct liaison between the organization and the various EU member data protection offices/officers.
Question: Ultimately the business needs to own on an ongoing basis perhaps by Chief Data Officer or head of EDM. Maybe legal or compliance should drive the need of the project, but an owner outside of compliance needs to own, no?
Laz: Well, it depends on your organization. Ultimately, the program must be driven from the top down, regardless of where the owner is located. The owner must be aligned with the Board of Directors and Executive Staff for this initiative.
Question: Why would legal own? They are a second line of defense and do not generally have the background to manage information or information technology. Is this the legal profession muscling in on an area of regulation where the US surplus of lawyers can work? I say this more humorously, but I would bet that in companies outside the US, this is not legally owned. Another choice might be the head of enterprise data management, which is a function fairly well established in the financial services industry?
Webber: While I never said legal should own, the panel recognised cross-functional involvement was key, including legal. The nature of the business and its governance strategy will determine who owns and controls this kind of compliance. Legal will inevitably have a role, and I'll say that in the majority of situations where Fieldfisher has been brought in (here in the US and in Europe), legal is the primary owner and driver. I'll accept that the larger the business, the less likely this is to be the case. Highly regulated businesses are more likely to have more sophisticated compliance functions already. As I said during the webinar, you need an owner with the time, inclination and internal clout to manage multiple stakeholders and effect actual business process change. In practice, this takes a number of business functions working together.