GDPR Compliance: “Explain Like I’m Five” with Data Privacy Expert

hello everyone thank you again for joining this is David Politis I'm the founder and CEO here at better cloud and today we're here for our GDP our compliance webinar this is this is a webinar that's very timely you know GDP are is it's on the horizon it's it's gonna take effect May 25th 2018 and we have been getting so many questions from our customers and just the community in general over the last two three months about GDP our and we felt like it made sense to you know to take the time we usually do webinars about our product and about SAS in general and we felt like the this was such an important topic that we needed to dedicate a webinar just to this and so we brought a data privacy expert in in today to help with this webinar and I'll introduce her in one minute but we did the same webinar yesterday for for customers and it was a it was really this it was amazing I mean we had more people register for these two webinars than we've ever had for four for our webinars in the past so obviously this is a really important topic and this is something that's on top of a lot of people's mind so we're I hope that this is useful and and that you get something out of this and and you leave with some some ideas and tactics and overall strategy in terms of how to attack this going forward but given the date given its May 25th really work has to start now and you'll see this as we go through the slides you'll see that work really has to start now for this so with that I'm going to jump right into it for those of you who have joined webinars in the past you know that I like to start with a poll just to understand our audience and and before we go into the presentation so you're gonna see a poll pop up on your screen now if you can just quickly vote here in your organization which team is primarily responsible for defining gdpr compliance strategy so again we'll just for those you listening in the background if you just come up to the you should see the poll on your screen and I'll show the results by the way of this poll as soon as we're finished voting we're at about 70 percent voted so we're just looking for another 60 people or so okay great thank you very much so let me show you the the results here of the poll so so this is this is what we what we expect you know it's you the IT professional is going to be in many cases responsible for this but at the end of the day it's it's gonna be a group effort it has to be it's the only way with the complexity of GDP are this this is something that's going to be done as a team and you see that here with the number one answer being a combination of all the departments that we mentioned being the number one answer followed by IT now I'm going to ask you a second question as a follow up here so this one is if there is a violation who's going to be blamed so again we'll let everyone take a couple seconds here to vote and then I'll show you the results okay we're again about 70 percent so thank you for voting for for anyone who hasn't yet please please go ahead and vote okay great thank you so much so let me show you the results here so of course of course it's IT of course it's going to come down this is exactly what we heard yesterday same same answers yesterday people it is gonna be on IT it's if something goes wrong it's going to come back to IT at least primarily and so that's why we felt like our community needed this and and and we you know we're excited and hopefully again I hope that after this hour you come away with some ideas of what you can do inside of your organization to prepare for this so with that let me introduce our data privacy expert so Jodi Daniels is here with me today she's from red clover advisors Jodi has a pretty amazing background impressed the background when it comes to privacy data privacy compliance so before this she was at the Bank of America as the SP SVP of enterprise privacy compliance and and before that at Cox automotive as the director of privacy she spent a lot of time in this space and his is truly an expert it was it was amazing yesterday to see all the questions that came in from from the audience and and the answers and and that that Jodi had and really it's it's complicated and and Jodi specializes in this this has been her focus now helping companies get ready for gdpr and so really we're excited and honored to have Jodi with us today and with that I'm going to hand this off to Jodi well thank you David for very kind introduction it's great to be here so let's dive in so the first is you know who does gdpr apply to you and and what what is gdpr so it's the general data protection regulation it comes out of Europe out of the European Union and really very simply it is a new set of regulations that's designed to give you citizens more control over their data so there's something that exists today called the Data Protection Directive it hasn't been updated since 1995 so times have changed we collect data we move data we transfer data we target with data we do a lot with data and so the time had come to really create a more sweeping regulation and so then the question is well who does gdpr apply to so there's a lot of people who think if I have a physical location only in the US that and I don't have one in Europe that it doesn't apply to me and the way this works is it goes with the resident it goes with the EU citizen and so if you collect data from an EU resident regardless of where you have a physical location gdpr applies to you so for example if you are a SAS provider or some type of provider of an online service or you are a processor of data on behalf of another customer and that customer gets data from EU residents then it applies to you and so you'll hear me talk about this idea of a data controller and a data processor so and I'll talk about it a lot and continue to try and give some different examples so at the beginning a data controller it's kind of what it sounds like you're a company that controls the data that you receive you make the decisions about what's going to happen with that data you are the ones who are originally collecting it and determining how it's going to be used a processor is you process data and you're processing data at the direction of a data controller so really quickly most companies not all but most companies a data controller will would be in effect or they would be considered a data controller for things like HR data so if you have any EU employees finance so if you're paying any vendors potentially AR so right if you have European customers and IT so sort of those back-office operations are often the controller side you could have the whole company be a data controller the processor you could be a a processor of somebody else's data but still parts of your company like your finance marketing and HR parts that could be a controller so important to understand those differences and we'll talk more about it and the final really important piece to know is that here in the US we are think about data from sort of the end customers perspective and there's different rules for employees and business customers or our vendors or sort of put yet in a whole different bucket so gdpr treats all people the same so your employees your customers your vendors your partners anyone who you're collecting personal data to is sort of treated equally in this regard there are some extra elevated controls for HR data but I the base level gdpr applies to all of them so now that we know a little bit about who it applies to why should we care so well there's a variety of reasons the first is if you've been reading the headlines you've probably seen that there's some massive fines that can come from just a single violation it can be up to 20 million euros or two to four percent of global turnover whichever is greater so obviously from a financial perspective that can be a really big hit to any sized company beyond just the financial piece there's some other reasons why we all should care so first is that customers EU customers are going to start expecting this so since it's a regulation and a requirement companies are going to need to adhere to it and so there's going to be that level of of expectation you're going to have if you're a processor for example there's probably companies coming to you asking our ugdp are compliant and you're going to a want to do that to maintain that business do that because there's the expectation that you do and finally if you do it more quickly and you recognize the benefit it can really be a competitive advantage so I hope all of you recognize that you can be kind of first out of the gate to be the gdpr compliant or you're moving towards that and that really can be a leg up on your competition and additionally you know if you think about all the efforts that you're going to go through and we'll talk about kind of the data collection and some the requirements but at the end of the day you're going to have this amazing treasure trove an understanding of where all the data is in your company and how you're using it that will help you be more effective and efficient in your business decisions and you'll have everything in a centralized place so that's actually a really good thing because if anyone's ever asked you a question about XYZ data we might be wondering well I think it's in this system over here I'm not totally sure and now we'll have the ability to really know where it is so you know some of the reasons why does GDP are even exist so we've talked about what it is who it applies to why we need to care so why does this regulation exist while I mentioned first it's an update to an existing regulation and in Europe privacy is really a fundamental right it is just a baseline we look at privacy and protecting the data first and foremost gdpr is about ensuring that the rights and freedoms of an EU resident is not put at a higher risk it's not violated it's about protecting that data so we have the concepts of privacy and security in GDP our so it is the data protection regulation and often when people think about data protection they think about security right so we've had a variety of different breaches here's just a selection right the Equifax breach is potentially the worst leak of personal information ever in effect in half of the US residents we have uber which announced a data breach sort of a year afterwards and a variety of others we could keep going on so that's the security piece and there's also a privacy component and so I like to describe privacy and security and the difference between them by using a house example so if I was to have a house and I've closed all the curtains and I'm inside you wouldn't be able to see me so I have my privacy right but that doesn't mean you can't break through the window so I didn't have very good security conversely if I the most amazing alarm system and really grates external barriers where you can't break through my window or my doors and get in my house but I left all the curtains open no one's saying you can't just stand right outside and see everything that's happening inside I have no privacy so privacy is around the use and the collection security is the is the physical technical administrative safeguards to actually protect and you'll see why that's important as we go through so we talked a little bit about the consequences and costs of non-compliance so if you don't comply there's some really significant fines that can come your way we could also lose customers so if someone asks us are we gdpr compliant and our answer is no we don't know we're working on it slowly we might not make them a deadline they might go and find somebody who is and so we might lose customers we also might lose trust you know if if this is all about being able to protect someone's data then you know anytime there's a violation and/or there's a piece that we're not quite meeting we could easily lose someone's trust with all those different data breaches it's really hard to try and regain a customer right so think about how much does it cost to get a new customer and think about all the different data breaches that have been out there you know it's it's hard to have to pull them back in and I always like to tell my clients I really prefer all the PR to be about the amazing things that you're doing as opposed to trying to protect and resurrect the brand that you've spent so long trying to build and then we'd have to also deal if there is a non-compliance or a breach or an incident or violation with auditors and regulators so each member state has its own local Data Protection Authority and those are the ones who are what's the right word they'll be the ones made managing any of the incidents so they could come knock on your door if there's a reported violation they might just not find your door because they feel like it but you'd have to contend with those local data protection authorities and in the member state where either a you do business or a resident an ee resident reported an incident to one of those local authorities so we I've been talking a lot about data so let's get into what kind of data are we talking about so gdpr uses the phrase personal data so if you here in the US we often talk about personally identifiable information and even for awhile people have been talking about PII but the way gdpr is written and the way we should refer to it as personal data and personal data means kind of the basics of what you would expect name email address phone date of birth a national identifier things like that but it's broader than just that it also includes things like online identifiers such as a cookie a tag a pixel an IP address GPS location data it includes a whole category of special categories or sensitive data like religious ethnic political genetic biometric um sexual orientation health financial data and if you collect any children's information generally speaking gdpr treats children under the age of 16 but there are some member states that might treat children that are actually under the age of 13 so when we think about this personal data we really have to understand what we're collecting and how we're using it so as an example if you're collecting HR benefit information and you offer domestic partner coverage and you ask what is the gender of that domestic partner you may know if it's the sexual orientation of that person if you're asking for dietary needs and perhaps someone marks kosher you might know the religious preference of that per as Jewish so not a hundred percent but that's the way people are starting to think about and interpret GD P R so it's and those are just two examples so it's incredibly important to really understand what data you collect where it is and how it's being used so GD P R introduces a variety of different data rights and we'll talk about some of them here so one of the big ones is the right to be forgotten this concept is sort of I can delete my data some of you might remember the google case that happened several years ago and this is where people can request for their data to be deleted so to be able to be deleted you have to know as a company where is that data so if Jodi sends you a note to say hey delete all of Jodi Daniels data are you aware of where I am what data do you have on me where do I sit and then what's the process internally to be able to meet that so you might be able to technically do it so perhaps today while you're listening you say I'm good I know how we can delete the data that's great do you have a process in place because that request might come through your contact us button online a customer call center it might come through a complaint line it might come through a variety of different places and you need to know okay how to educate your team members and be who's gonna be the final person determining that request sometimes the data can't be deleted you might have to keep some or all of that data for legal reasons for tax reasons for other regulatory purposes perhaps in the interests of Public Health there's a couple different exceptions so when data can't be deleted so again that process of being able to circulate the requests should the right group of people internally to be able to determine yes we can fulfill this no we can't is really important the other piece is it has to be met with what they call undue delay so we can't sit on this and take three months to figure it out and there's a symbiotic relationship that you'll start to see between the data controllers and the data processors so I mentioned before a processor takes the direction from a data controller so if someone wants to request their data to be deleted it really needs to start with the data controller that data controller makes the decision yes we should delete it no we shouldn't which parts where it is and then the data controller let's say said yes we need to delete this data it has to communicate that to a data processor so if you're a data processor you also have to have a process in place to be able to receive that request and know where all the data is for your customers to be able to manage to that request so you have to ensure you have the technical capabilities as well as the business process so the next piece is data portability and the requirements of the technical capability and the business process are just what I described for the data deletion part the right to be forgotten so we have to make sure we understand well first let me make sure we're all clear on what data portability is so this is around being able to port to move my data from your system to potentially a competitor's now it only applies to automated data so if you have a stack of paper it doesn't apply to that but think like I'm a media list or I'm an order history or I'm transactional information so the idea is I could go and I can see all the information that you have about me and I want to be able to move it to it to something else and a machine-readable format could be a CSV file as an example so you basically can't give me like gobbly gook that I don't know anything what to do you have to put it in a format that I can then move to another company and so like I was saying it's important to have the balance of the technical capability so can you do that today as well as the business process and often the business process and the Tecla capability aren't always necessarily the same groups so it's important to make sure that your employees will be trained and to consider how you'll actually be able to execute on those parts when it comes to data breaches a data breach requires under gdpr to notify authorities within 72 hours authorities are the local data protection authority those in the member states where you do business as I was mentioning before and keep in mind right now all incidents will qualify as a data breach but if it meets the definition of data breaches 72 hours is your time frame and that's really a tight timeframe and so the notion of our controllers and processors come back in this 72 hour time frame so often I think up to now people have thought well I outsourced it to XYZ company I don't I don't have to really worry about it as much I'm not as liable for it and that idea goes away under gdpr they've purposefully designed the requirements for controllers and processors to really be responsible for the data from end to end and what I mean by that is first off 72 hours is not 72 business hours so holidays and weekends are included and the clock starts ticking for a controller even if it's the processor that has the data breach so again you can see how strong communication is going to be required between the data controller and the data processor so if your processor you need to make sure that you have a clear communication line to who in a data controller if your data controller you need to make sure that your data processors have a really strong security program and are able to identify data breaches quickly timely and communicate them to you often this will be articulated via an agreement in a written manner so it will require you to go back through your agreements retro Act and then look for all agreements going forward and think about okay what is it that I need to get from each party and document that document those requirements so that it's extremely clear I also encourage you to ensure that you've reviewed and updated your incident response plan because planning is going to be your best medicine it might not go exactly as you plan it but you'll be in much better shape if you have the list of people internally that you're going to be calling and contacting will have on your shortlist forensic and attorneys if necessary if you have any templates that you can create for communication purposes out to your controllers or processors to your customers to the outside world if you have all of that created and there's an incident you'll be able to better spend your time defusing the incident I'm getting it managed as opposed to first trying to figure out what to do another big consideration when it comes to incident response plans in managing data breaches is do you know what should go in email and what should be you know done via phone calls and being able to determine all of those upfront so you know net net in the world of data breaches is you're not off the hook if you're the controller and you have everything in a processor and if you have a process and if you are a processor then you are your controller is is reliant on you and so you want to make sure that you can meet those obligations so in the world of gdpr there's also this really big notion of transparency so to say what you do and do what you say so we do that and accomplish it through a privacy notice and a privacy notice we're all familiar most likely with the privacy policy and GPR wants it to be concise yet complete and in plain language that anyone can understand so I kind of love this quote right before I write my name on the board I'll need to know how you're planning to use that data so it's important for a customer to know okay I'm going to give you all my data what are you going to do with it are you gonna share it are you gonna use it what's gonna happen with it so you'll want to review your privacy notice and ensure that all new products and any changes meet what you have in your privacy notice so if all you if everything that you're doing is outlined in that notice and it also needs to be a kind of a detailed level then you need to make sure that you're being able to manage to that notice so if you have a new process you want to think about okay so who in the company is responsible for my privacy notice and how can I update that if I need to in the idea of data protection there's a couple different pieces so you want to minimize your exposure the whole idea of gdpr is I want to minimize the risk of the rights and freedoms to my to the personal data that I'm collecting so there's a few points first is this idea of minimization only collect what you really need only share what you really need and only keep the data that you've collected for the period of time that you absolutely need it there's also this idea of a data protection officer and you might have read some in some places a data protection officer might not be needed if you have 250 employees or less and that's actually a misnomer it really has to go to the type of data that you're collecting and processing so if you're collecting large large amounts of data if you're collecting any type of data that ultimately if there was a breach or if anything was to happen to it or how I was using it could I violate the risks and freedoms of a of the person that I've collected that data from so if we kind of go back to why gdpr exists and we think about that whole privacy is a fundamental right that's really where this comes in because this whole concept is designed around the and customer and the whole idea is I want to ensure that I'm collecting data I'm communicating when I'm collecting I'm telling them what I'm doing I'm only gonna do what I told them I'm gonna do I'm gonna protect their data and I'm only gonna use their data either for the purposes that I've outlined because I'm delivering a product or service to them and that I am going to manage and minimize any risk to their rights and freedoms so you might have to appoint a Data Protection Officer if the kind of processing that you're doing fits those categories a data protection officer generally reports to the highest parts of the company and to the board and can be a contract person or can be a part-time person in the company their job is to help them figure out the best strategy for using data and ensuring the overall program so we've talked a lot about what is gdpr who it applies to the type of data a bit about transparency in the notice data rights and so now we want to walk through a ten step action plan that you can take so the very first thing is you need to assign someone in the company to focus on gdpr it doesn't have to be a full-time person but there needs to be someone whose role and and everyone knows you were focused on GPA next is you need to start listing all the systems that has the data so you know make a long laundry list one of the requirements of gdpr is to provide a regulator or an authority if requested a documentation of all the processing activities that you are doing so if your data controller if your data processor you need to list out the the processing activities so what do I mean by that I mean that you're going to know in system a you're collecting these three data elements you share it with these two companies and Sally and Jimmy have access to it we keep it for this long you need to be able to know all this and all the data that you have in it and for what purpose so it's not enough to only have your systems and and like what's in them because I think a lot of companies have that information today we have to take it a step farther and be able to know how we're using it and where it's getting shared that's the other element to sort of the privacy piece so you have to know if your data controller or a data processor so I hope you have a good sense now of kind of the concepts of controller or processor and these really make a big difference because if you're a controller you're the one required to provide that privacy notice to meet that transparency requirement you're also the one to have to get any consent and we'll talk about consent a little bit later but you're the one required to collect that consent so it's important to know if you are a controller or you are a processor and again if you're a processor you're taking the direction from a controller and it really is a very close-knit relationship between the two and you'll want to ensure that you identify which bucket you're in and for any of your processors so that you can start updating any agreements and determining what you need to do there so for number four that's a tie in really to what I've just said so you want to understand the transfer of data between you and a third party your third party might be processors they might be vendors they might be marketing companies so or you might be transferring data outside the EU and if you're transferring data outside of the EU there's a whole different set of requirements things like privacy shield standard clauses and a variety of other ones and I don't want to get too deep into that but know that if you're have data into you and it's leaving and going somewhere else so literally get it outside you have to meet this other set of requirements and under gdpr you have to know where the data is going between yourself and another party so that you have all the rights requirements in place in your contract and you're very clear on the data controller and data processor relationship so number five is document the personal data that's collected in each system so I mentioned this a little bit when I was talking about understanding all the systems that collect the data so you really need to be able to drill in and know all the data elements and if you think back to my example of dietary needs and HR benefits as just a couple examples that really won't be identified until you truly get to this level of detail and be able to start documenting it then you need to know you know what automated data might be deleted how can we meet the right to be forgotten requirements and the same for data portability so we want to determine where are we today on being able to meet the data portability requirements and can we meet them and for both the data rights and data portability I want to stress again it's you if you can meet them today that is awesome if you're gonna have a class forward to be able to meet them fabulous you also have to ensure you have a business process to meet the technical capability in the idea of consent can you document and provide evidence of that a users opted in to marketing programs so in GDP our world consent is flicked compared to what many people in the US are used to it is an opt-in model all of it is an opt-in model to be able to deliver marketing content you also have to be able to document the consent path so if today I opt in and tomorrow I changed my mind and I opt out and then the day after that I am really fickle and I opt back in again you have to be able to manage that opt-in opt-out path and provide evidence that showed yes I opted in what date in all of those types of things so the consent model is really important especially from a marketing program and so some people have asked me well what about all the people that I have to date and do I you know just email them and no it's not a prospective regulation all the people are included so you have to really really work with your marketing teams to understand what you need to be doing if you haven't already collected consent there's also a couple very specific requirements for consent for example it can't really be a checked inbox like a pre check box and it can't be a condition of service it truly has to be this complete separate opt-in requirement so we'll also want to review any security controls and determine what gaps exist so as you started starting to identify all the different data I encourage you while you're doing the data inventory and understand documentation and getting a sense of okay I have these five systems and all these data elements and each of them also ask well how is it protected who has access to it and at that moment you'll be able to start identifying where their security gaps and and begin a plan to remediate any of those and you know number 10 would be reviewed the data breach plan so again you have to be able to report what qualifies as a data breach in 72 hours and if you're a processor and a controller it's critical to know what your responsibilities are to to your you know partner controller or processor and so I hope that you find that these 10 ways you'll be able to take action today I'm so pick one get started on that and at this moment I'm gonna turn it back over to David for our next polling question thank you very much Jody um okay so let me go ahead and share our next poll here so so with all the information that Jody just shared and just and and whatever you were working with before this webinar we'd love to get a sense from you where do you need the most help when it comes to GDP our preparation again we're going to share this with everyone here that we're gonna share the results and so I think it's it's you'll find this you'll find the answers you're interesting so again if you're if you're in the background listening you can come back to answer this poll that would be great so and where do you need the most help with GDP our preparation we have no idea what we're doing identifying resources whether that be people or budget conducting a readiness assessment launching a data inventory project or in some cases you may feel like you're fully prepared to comply with GDP our so again we'll wait we've got we're at about sixty percent now voted so we'll wait for some more responses here another thirty seconds or so okay great thank you very much okay so here are the results of the survey and pretty pretty spread out of course except for the last answer that we're fully prepared to comply with GDP are this is exactly again how the results came out yesterday you know it's it's the six months is going to go by fast and that's what we've seen is that no one's really ready and set up to do this yet I think a lot of people are are delaying some of this work and and definitely with six months left to go it's you know there's a lot of work left to do so again hopefully this is this is interesting let me come back here to our slide so one of the things that we did with with Jody she helped us write this white paper around GDP are you can find the white paper at better slash GDP are – WP so this is a white paper that Jody helped us write this this talks a lot about better cloud and how better club specifically can help you with your GPR compliance so they're they're having many pieces to this there's gonna be people as we process there's gonna be there's a lot that goes into GDP our and just using better cloud is not going to make you GDP our compliant by any stretch of the imagination but we can help and from a product perspective especially when it has to do with your SAS applications and the sprawl and all the data that's that's across all of them we can help and and this white paper talks about how so if you're an existing customer and you you're interested in seeing the areas of the product that you may want to dig into you know please please go ahead and download this well we'll send the link out again later on with with the recording of this webinar and then if you're not a customer and you're interested in learning more about better cloud specifically about better cloud for gdpr or just in general about better cloud now is definitely a good time to reach out to us and were were you know we the the new platform that we built and and launched earlier this year is has really been taking off and and there's a lot we can help with around policies in your environment now and automated policies so if you're interested please register for a demo better slash gdpr my email address is david better cloud if you're interested you can reach out to me and I can put you in touch with someone so before we're gonna go we're gonna go to questions here in one second so again if you're in the webinars channel you can start asking questions there and and we will I will be handing those questions over to Jodi since she's the expert I am NOT okay so let me just look here so one question which I can't answer will you share the presentation and webinar recording the answer is yes we will do that that'll go out tomorrow probably by the end of tomorrow so you will you will see the recording and that will have obviously all the slides there so you may want to share that with others on your team let me see here so next question it's going to be a challenging one showed you may not have an answer but how is the right to be forgotten compatible with blockchain yeah that is really complicated one that I will fully admit I don't III don't even want to attempt to guess at that answer blockchain is is a complicated one you'd have to start breaking down what is considered personal data within in that and you get into a whole conversation with well where is the personal data and blockchain that's part of why people like blockchain because there isn't a whole lot of personal data associated to it so that is a very fascinating question I think I'm gonna have to take that one offline and and I appreciate your understanding is there an exemption from GD P R for companies under a certain size for example very small micro businesses of fewer than ten people yeah that's a great question um no GD P R applies to all companies even what they call soul traders which could just be you know me as an independent so your extent of the requirements might be smaller because you might not be working with as many complex systems but it is all about the personal data that you hold and there's not a size requirement do you think GD P R will prevent banks from selling data into credit agencies like Experian so I think it goes into the type of data that is collected and the purpose for its it all goes back to the type of data that's collected and what is considered personal data and so when banks are selling that information some of that is financial data which is not tied to you the person so it will probably augment and and definitely affect the types of data that is shared but I'm not convinced it will necessarily eliminate all data transfers I don't think it's gonna put all data brokers out of business I think it's gonna change I think it's gonna significantly change the model here's a question this is an interesting one actually we had this internally do you need consent for transactional emails verse marketing yeah no that's a great question you do not need consent to be able to deliver transactional emails or service emails anything that is going to deliver the service or product that you've bought for marketing emails you absolutely consent so where is going to get grey is that transactional email that you think is kind of transactional but actually is more marketing which is not too dissimilar from the can-spam requirements in the US or castle in Canada but if I were to use kind of a retail example because I think that's just a really easy one so if you buy something the email that says thank you for your order and your order is being shipped tell us about your order those are transactional emails if you're now on the hey we're so glad you're here come check us out on the social media page and tell us all about why you love our products that's probably going to be more in the marketing hmm that was actually a question we had as well another interesting question is internal chat messages between people working in the same company are they subject to gdpr so yes and no it depends on what the topic is so company information so if I have my company email Jodie Daniels at company comm that information is included however if I'm using it for business company purposes only then it it's part of the company and it's not considered personal data it's considered company data if in my chat box I am telling my best friends at the company about all my personal information and then I come back to you and I say well you know I really don't want that in your database anymore and you didn't have a strong policy on no personal data in the chat box it gets kind of murky and each member some member states have really strict employee HR rules that might mean on the side of the employee as opposed to the company so it kind of depends on the type of data that is in that chat box and its purpose but if it was strictly company information and and that was it all company company company then it would be excluded from the definition of personal data but the company's the person's email address would be considered personal data for example externally to another vendor what are the biggest similarities and differences between PCI compliance and GDP are so PCI compliance you know definitely includes personal data and is all around the protection of that data but GDP our first expands the definition of personal data and is beyond just the scope of financial data so GDP R is much broader in scope and has many more requirements I feel like PCI compliance if you're there you're actually in a great place and you probably just need to expand a little bit more okay so this is a similar in the similar realm here one of the top the ten steps that we suggested was review security controls and determine what gaps exist are there specific security controls to be implemented implemented under GDP are like PCI similar yeah so GDP R doesn't specify too many specific ones because they want this regulation to stand the test of however many years it's gonna last till the next update so you know they will say to industry best practices industry standard there is a concept though of suited month as I can't even say the word because it's so hard but basically it's trying to break down what we often consider it's like a step beyond encryption and trying to truly break apart the data so that it lives in in a variety of separate places all by itself and anonymous individually if you you could put it all back together again but if you separate it all by itself you can't so it doesn't reduce that concept but otherwise it is more just whatever the latest industry standard is and so the person who asks the question of lime a small company so does that you know do I get special treatment they would say you need to also have the latest industry standards it does when I was a small company here's a interesting one again actually this another question we had internally can a salesperson cold email a prospect without consent no unfortunately no that rule is actually very similar in Kassel which is a Canadian anti-spam legislation so I was a I was asked this question yep just yesterday by a client as well and so imagine you get a business card so you get that business card the business card is not a form of consent it's not documented I've handed you the business card I could say I didn't hand you the business card you got it I don't know how but so it's not a form of documented consent you can cold call so gdpr does not talk about you can't cold calls so um you can you know I think and the same is true actually with castles so I think what you'll see now I I would encourage you not to use an autodialer that's a whole different conversation you know I would I would encourage your sales teams to do old-fashioned relationship building and I think that could be a benefit so if we want to look at you know you can't do that what can I do that can encourage and facilitate really great relationships you know hey it was great to meet you at the trade show last week I wanted to reconnect right so it'll help build those types of relationships which could be a good thing mm-hmm okay this is a this is one that came up yesterday a number of times how curious how your clients Jodi might be dealing with employee data particularly with the right to be forgotten as it relates to HR data work emails etc yeah so it goes to the question that we someone asks just a few ago um so your HR data is HR data and it's company data and I might need to keep it for legal purposes for tax purposes I have to keep the date that data for as long as I need but for example is in my HR data I had my dietary preference I'm not sure I really would need that forever so but you probably would need my name my birthday at my address to be able to show yes I worked here for a period of time for legal and tax purposes around the world so the HR data is considered company data now at the same time there are member states that have even stricter HR data requirements so it's kind of based on each member state that you're in but generally speaking if I'm an employee I do have the right to be forgotten it also will go back to how specific your policies are and/or your policy like if it was email do you have a strict policy that says you cannot mix personal and company email or is it you can use your company email for anything so if you have strict policies that delineate it was only to be used for company email and then I come along and I say well I really want to get my personal email because I sent it well then you violated company policy and that could be a whole different scenario hmm so it exists but you have a little bit better protection from the employee side let me ask you another question in terms of who falls under this because there's a question of the micro businesses sub-10 employees do religious institutions with EU members or missionaries fall under this yeah I haven't seen any exceptions to people I haven't if someone finds one I'd love to see it but I I have not seen like people are exempt from gdpr because this goes to the fundamental right of each EU resident and however it's collected everyone still needs to play along you just may not have as it might not be as complicated it just might be simpler this is a this is a from from better IT one of the statements here the way I understand GDP our worst case scenario could come down to deleting all the employees emails because we really can't determine whether or not there is personal data in those emails and and no one's gonna go filter through all you know millions and billions of emails is that is that correct I'm I guess sure that would be a worst-case scenario but I'm not sure you necessarily have to have to do that um you probably I think it depends on the situation but I think it you might be able to to argue you might need to have those company emails for retention purposes for legal purposes for business purposes right so if I was to request to be forgotten there are some exemptions that a company can take when it comes to employee data and again it kind of depends on the member state like Germany has some really specific HR rules so I don't want to say that carte blanche you just would have to delete every single email from an employee because I don't think that's necessarily the intention I think I also think you'll probably find some tools I think you're gonna see a suite of gdpr tools come out to be able to help companies be able to go through all those emails and and identify okay these are the four that are the ones that are a problem and we need to be able to get rid of those and you can keep the other 96 thousand so I think you'll see a lot more gdpr tools just like you see security tools today I mean some of the ones you know that David you've talked about it better cloud you'll they'll be increased enhancements I'm happy to continue talking about that particular question with anyone great so one of the questions I see was for Jodi's email address so here you've got Jodi's email address Jodi at red clover advisors comm you need help with a strategy you need help talking through these questions I mean this is the most questions we've ever gotten we're never gonna get through all of these you know good questions these are actually the questions that we asked Jodi when we start talking to her a couple months ago same exact questions it's it's a it's a little bit daunting when you start when you first hear about this and if you read the book that Jodi showed me that has you know the official guide for gdpr it's it's it's it's it's this is gonna be challenging for everyone I think everyone's in the same boat here this is gonna be this is gonna be challenging it's gonna take a lot of work and so yeah if you need Jody is definitely a good person to reach out to email addresses here again you'll you'll have all this in the recording and if you're looking for a solution to help with a part of your your GPR compliance obviously we'd love to do that with you and like Jodi said we're going to be working more and within our product in order to to enable our customers to as much as we can comply with GDP argh and a lot of this is people processes you know regulations that we we are not going to be able to piece of the regulation when I can be able to help but so with that thank you very much for taking the time to join us today we hope that this was was interesting informative useful and again please please reach out to Jodi if you need a need help with your GE PR strategy thank you very much have a great day


  1. We have a shorter video on Data Protection and GDPR which you might find interesting – select our logo to see all our videos

  2. Just one slight correction. The statement GDPR applies to EU residents is incorrect. In fact you cannot find the word Resident in the entire article or recitals. It applies simply to any nature persons (Data subjects) residing in the EU. The terms EU Resident would generally imply someone that working in the EU and paying taxes, even though he/she might be a non EU citizen. However GDPR covers an even larger group. You can be a temporary visitor to the EU and this will apply to you as well.

  3. If you don't know what sensitive data your applications have and would like automatic mapping and visibility into sensitive data, source of creation, what transforms it flows through and where it exits the application, check out

  4. Do you deal with GDPR and cookies? At Pixman we have developed the gdpr4free library for ourselves and our clients. It helps block third-party tracking services until a visitor to your site actively approves cookies within the consent panel and only then unlocks the tracking library. It's simple, spectacular, GDPR compliant and, most importantly, fair to the visitors of your site. We think it's such a great product that we have decided to distribute it for free. Download here:

  5. Very helpful thank you Jodi for taking the time to explain

  6. Explain like I am five my ass….

  7. How is this ELI5 ? Granted its well explained but i doubt any 5 year old understands any of what you are talking about.

  8. Do You Want To Know, How To Make Your WordPress Site GDPR Compliance Click Here:

  9. I really like this material and I want to share in my social media. So, could I share this material in Social Media?

  10. Hello, DP Fasttrack Training is holding workshops and training courses for people with the interest of changing their profession or excelling within the Data Protection/Information Security field, anyone who is interested in training for a DPO (data protection officer) position as well as ISO27001 Information Security Analyst; anyone who is interested in all disciplines in GDPR (Data Protection Analysis, Data Privacy Manager, Breach Analyst, Information Manager, Rights Officer, DPO (data protection officer) position as well as ISO27001 Information Security Analyst roles – this is your course.

    Right now it's a niche market as the GDPR regulations are coming into force May 25th 2018 and very soon the second phase of the regulation the e-Privacy regulation is on the horizon and the demand for jobs are high and lucrative. This is an Introductory course with CV help and Team material, homework etc. as well as one on one help from the PM Data Protection Officer and Information Security Analyst of a reputable international company;
    A team of Data Protection Specialist have put together a workshop and training course on GDPR, Data protection and Information Security, specifically how to implement the new regulations GDPR and the security certification standard of ISO27001 into the working environment.

    £350 per course over three consecutive weeks on the Saturdays (7hrs each day) London UK based. For more inquiries please contact Me via YouTube. Thanks

  11. Explain Like I’m Five ??? the kid would fall asleep as i almost did….

  12. Helpful, the 10 step action plan is at 29:45 mark in video for those interested.

  13. this will only benefit larger companies; regulation only affects chance for the small companies to grow and compete with the large fish; UE is closing more and more to a socialist empire

  14. very good very good, I can see this being a huge law case like the big companies dunno where they have all our data at this stage how can we be insured it all going to be deleted when we want it removed the big companies need to all encrypted the data so they have no access to peoples data and start using ids given by the companies to "Identify the person" while not having access to all your personal data…biggest comapnies only changing terms now theirs somthing weird about that its the big companies need to be took up for the whole worlds peronsal data the cunts are selling it its not all black hats….the big comapnies wont tell us shit

  15. African leaders should start taking tips:

  16. Good video thanks

  17. This is another example of people looking to the government to fix issues they should be proactive and responsible for! the fines make it an OBVIOUS money grab by the EU, nothing new here. I am responsible for my data and what I GIVE OUT. Too much government, too many stupid worthless obstacles for business also. Now if I am in the US and I get a complaint how they are going to enforce this? I will comply because I am a law abiding citizen. Too bad the NSA, and other government organization can do what they want to with data. Wake up people.

  18. like.. totally!

  19. I have showed this to my 5 year old and he is not speaking to me now. Please help.

  20. At you say that it cannot be a "tick" that says somebody "opts in" as consent but rather the "complete separate opt in requirement". And this means what? How do you show that somebody "ticked" what is likely only a box? Does it mean you have to grab the web-session, details about their machine, etc.

    And if you have mailing lists and want to know if people will consent to you marketing to them – whether pre 2018-05-25 or after, how do you get this sort of consent?

  21. Does the U.S. have anything similar and would that mean that Edward Snowden will be honoured (instead of threatened with treason or whatever ridiculous threat he has had) ? I guess my point is, whilst we are all being charged a filing fee with this regulation and threatened with fines, the governments continue to take whatever information they want and allow corporations to install smart meters etc. (to collect our information) I don't think UK citizens are safe from government breaches in collecting data either.

  22. These regulations are entirely overbearing and nonsensical in too many ways. It doesn't seem like much thought was given to the ramifications this will have on the entire internet. Worse, national sovereignty has literally gone out the window, as have the rights to put what you want on your website. Now, you'll have a big ugly banner on your pages whether you want one, or not.

    We are all like fish in a barrel waiting to be blasted by the new overlords who have regulated everyone into illegality.

    Perhaps the most ironic part of this travesty is that as January 24th, the vast majority of EU states appear unprepared for new EU-wide data protection and privacy rules set for launch end of May. That's cute. ( SRC: )

    Do as we say, not as we do.

  23. TL;DW

  24. GDPR Staff Awareness Course

  25. explain like I'm 5 but runs over 56 minutes?

  26. play it at 1.5 speed…

  27. Not a great seminar in my view – did not deal sufficiently with the very obvious problem of Payment Processors – widespread in use by businesses of all sizes to collect payments for purchases of goods/services. There's clearly NO WAY that a breach at one of those (eg Paypal or Stripe) could even be picked up by a micro business and communicated to customers within a 72 hour timeframe. For one thing the business is unlikely to know what data was collected other than perhaps a customer name and possibly a transaction ID/amount and date. Given that the payment processors may hold information for some time (keeping card details on file for future transactions being a common thing) the business where the Data Controller resides has no way of knowing any of that information, where it's kept or how. Therefore I would have expected some insight into how these Payment Processors are expected to handle this stuff. Personally I would expect them to be able to contact the customer direct – after all they have all the relevant information Name, Address and Financial Details.

  28. Great webinar

Leave a Reply

Your email address will not be published. Required fields are marked *