Are you GDPR Ready?  May 25 2018 is just around the corner and the efforts are really heating up.  Please come enjoy discussing this topic with other like-minded folks. This MeetUp brings together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

The next topic will be “GDPR and the Legal Basis for Processing: Is consent really required?”

This Meetup will cover the legal bases for processing under GDPR, including an analysis of the legitimate interests and other exceptions allowing for lawful processing, as well as the basic requirements for consent. Austin Chambers, CIPP/US, CIPP/C, CIPP/E, from Lewis Bess Williams and Weese will be presenting.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/.

This informative meeting will be held on Tuesday, March 27th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/

On an early April morning in 1953, Union Pacific 4005, known as “The Big Boy”, was hauling sixty-two cars westbound at nearly 70 miles per hour along the tracks in southern Wyoming. Weighing in at a whopping 1,200,000 pounds, Big Boy was the biggest steam locomotive ever built.

At about 9:55 AM, the massive locomotive barreled toward Red Desert where the switch operator had erroneously opened the siding switches due to a miscommunication in the morning’s track line-up message.

An eyewitness recounts the incredible event: “the head brakeman and the fireman were screaming at the top of their voices to the engineer, STOP, STOP, RED SWITCH AHEAD! But it was too late.”

The 4005 entered the open switch at 50 mph causing it to careen off the rails and skid along its left side tearing up rail and roadbed. The locomotive, tender, and first 18 cars derailed. The cab of the locomotive was destroyed as the tender tore into it twisting and smashing the metal. The first 12 cars were badly damaged and piled in a 70-foot high heap. The engineer and fireman aboard were killed instantly.

While the engineer had many controls in the main cab of the locomotive and made an emergency attempt to break, the train entered the siding rails at an unsafe speed nonetheless. The scattered load of dead hogs, tractors, typewriters, coal, sewing machines, and other goods was not the result of a single point of failure. Rather, it was the fault of a systemic breakdown in communication and culture.

What does this massive catastrophe teach us about privacy and responsible data stewardship? A massive breach of privacy data can feel just like the 4005 wreck. The collateral damages incurred due to a large-scale data breach are broad and not easily remedied. In order to prevent the loss of personal data, we must establish a culture of privacy by design and responsible data stewardship.

Realizing no single control can prevent a data disaster, we must retrofit existing process and design new systems employing these control planes:

• Visibility – “What assets are we protecting?”
• Audit-ability – “Are we compliant to applicable regulations?”
• Controllability – “Is the location and access to our data properly controlled?”
• Agility – “How quickly can we adapt to change?”
• Automation – “Are our processes repeatable?”
• Scale – “Are we scaling to meet the demands of our constituents?”

When we work these six control planes into our culture of design, we are better prepared to avoid a massive privacy train wreck. GDPR provides us with an opportunity to take a look at our existing maturity of data stewardship and the related risk levels. If we take advantage of the impending deadline to review our current posture, we can emerge with an improved opportunity for transformation and not just a “check-the-boxes” response.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

As businesses are being impacted by the European Union’s (EU) enactment of the General Data Protection Regulation (GDPR), many are asking themselves questions around the ownership of their privacy program. Do I need a Data Protection Officer (DPO)? Can I get by assigning this to my CISO, Director of Compliance, or my General Council?

The GDPR requirements for a DPO, their duties and reporting structure, are spelled out in Section 4 of the regulation, which encompasses Articles 37-39.

According to Article 37, you must assign a DPO if:

• You are a public authority processor
• You regularly and systematically monitor data subjects on a large scale
• You are processing on a large scale any special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10

This article goes on to state that public authorities are able to designate a single resource that can aggregate the responsibility across multiple organizations. This decision needs to take into account the bandwidth of the DPO and how scalable the policies and processes are across the organizations.

It is also important to note that the DPO can be an employee of the organization or a contracted resource. In either case, the controller must publish the contact details of the DPO and ensure the EU supervisory authorities have this information.

While there are parts of the GDPR that are considered unclear or grey, the requirements for a DPO are very clear. The DPO role is new for many U.S. based companies, but it should bring a strong sense of certainty around privacy to any company where EU citizen/resident data needs to be managed.

If you have questions about whether or not you need a DPO, please contact us at: https://www.americancsm.com/services/privacy-by-design/

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.

 

 

Do you understand how to measure your security and compliance program? – if not, check out this webinar with our own Janelle Hsia, Director of Privacy and Compliance.  Learn how good metrics can build the story you bring to management to help ensure your data stays protected and secure.

Click here for the Webinar hosted on Surveygizmo.

As the deadline for GDPR, May 25, 2018, nears, many companies are still struggling with their implementation and some are complete. This MeetUp brings together privacy practitioners, GRC leads, and others interested in and leading their GDPR transformations. The goal of this group is to discuss and share learnings, emerging best practices, technical solutions, and keep up to date on regulation changes.

You are welcome to join this group via MeetUp.com at https://www.meetup.com/meetup-group-coxjsIUF/ . Our next meeting will be focused on an overview of GDPR, allowing the group to determine future topics and the level of detail desired. Carlin Dornbusch from American Cyber Security Management will present the GDPR Overview and lead the group through Q&A.

This informative meeting will be held on Tuesday, February 27th, 2018, at the Trimble office in Westminster: 10368 Westmoor Dr, Westminster, CO 80021.

Details on GDPR specifics can be found on the EU’s official website: http://www.eugdpr.org/