Understand how the GDPR affects the lives of millions of EU citizens by keeping in mind the 10 simple facts set out by Dr. Karsten Kinast.
The presentation gives a short glimpse into the motivation behind the GDPR, the key changes it brings, and the ongoing compliance across the information lifecycle that it presumes.
GDPR Part 1: Quick Facts
1. Meeting the EU General Data Protection Regulation (EU GDPR)
Adrian DUMITRESCU
Q-East Software
www.qeast.ro
2. EU GDPR QUICK FACTS
#1 Applies to all
#2 Widens the definition of personal data
#3 Tightens the rules for obtaining valid consent to using personal information
#4 Makes the appointment of a DPO mandatory for certain organizations
#5 Introduces mandatory PIAs
#6 Introduces a common data breach notification requirement
#7 Introduces the right to be forgotten
#8 Expands liability beyond data controllers
#9 Requires privacy by design
#10 Introduces the concept of a one-stop shop
By Dr. Karsten Kinast, https://www.kuppingercole.com/team/kinast
3. GDPR KEY CHANGES
• Increased Territorial Scope (extra-territorial applicability)
• Penalties: under the GDPR, organizations in breach can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
• Reduces Consent Related Ambiguities
• Enhances Data Subject Rights
4. WHY GDPR
Introduction
2018
• FedEx stored extremely sensitive customer data on an open Amazon S3 bucket – passports, driving licenses, security IDs, as well as home addresses, postal codes and phone numbers from 2009-2012 – essentially making all the information public
2017
• An open MongoDB-hosted database owned by Ai.Type exposed 577GB of customer data, potentially revealing the information of 31 million users
• On 22 November 2017 it was revealed that Uber had failed to disclose a cyberattack that exposed the data of 57 million drivers and passengers
• In October the final numbers of the last in a series of Yahoo data breaches were made public – the accounts of 3 billion users, from 2013 to 2016, were exposed. That breach caused the company to be sold to Virgin for a price 25% lower than initially negotiated
• In September 2017, Deloitte suffered an attack that exposed data of the firm’s ‘blue chip’ clients, including usernames, passwords, confidential emails and personal information. The attack went unnoticed for several months
• The Equifax attack affected 149 million consumers, revealing their SSNs, dates of birth and addresses, and included 200,000 credit card numbers, data that could be used to open bank accounts and apply for loans in the owner’s name
2016
• Tesco Bank was forced to freeze its operations after 20,000 customers had money stolen from their accounts, with 40,000 accounts compromised in total.
2013
• The Target Stores data breach put the credit-card numbers and personal information of millions of people into the hands of cybercriminals
2011
• The first big data breach that affected users all over the world, and the largest at the time: 77 million customer records, including a massive number of credit card numbers, were stolen from Sony/PSN. The attackers had access to just about every significant piece of data that subscribers store on the system, including passwords, logins, online IDs and even addresses, birth dates and purchase histories. The system was down for over 3 weeks.
5. WHY GDPR
Introduction
Huge financial losses for all the parties involved
• Some entities may never recover
• Fines for inadequate protection and detection of the breach
• Lawsuits and damage compensations that far exceed the initial loss
Long-term branding and personal effects
• A CIO in this situation will be in a very bad position
• The company is always affected in the long term
• People will be reluctant to put their data in this company’s systems, making online services impossible
The rollout effect
• People react – if enough people react, everybody else follows
• Markets react – it always affects entities providing similar services
• Suppliers react – you will not get the same sales benefits
6. FROM THE SECURITY PERSPECTIVE ALONE…
Introduction
In the first quarter of 2018 alone, the average Quest customer faced:
• 7,739 malware attacks, a year-over-year increase of 151%
• 335 of these attacks were hidden using SSL/TLS encryption
• More than 49,800 new attack variants were identified in the first quarter, with deep memory scanning technologies identifying 3,500 never-before-seen variants
Did you know?
8. PRIVACY AT THE HEART OF GDPR
A state in which one is not observed or disturbed by other people
The state of being free from public attention
The ability of an individual to control which information is collected, how it is used, by whom and for which purpose
9. GDPR MEANS ONGOING COMPLIANCE…
Who? What? When? How? Where? What for?
10. … ON INFORMATION LIFECYCLE
Information lifecycle: Collection, Retention, Security, Governance
Principles of data collection: fair and aligned with law; with consent; relevant; proportional; type of data
Retention: duration (how long?); type of data
Security: people; process; technology; loss of data
The allowance is related to: specific data; determined goal; notification of changes; process
Governance of: access; right to modify; destruction policy; data transfer; applicable laws/rights
11. PRIVACY AT THE CORE OF GDPR
Identity and/or passport number
Date of birth and age
Phone numbers (including mobile)
Email address(es)
Physical address
Gender, race and ethnic origin
Photos, voice recordings, video footage (also CCTV)
Marital/relationship status and family relations
Criminal record
Private correspondence
Financial information
Membership of organizations/unions
Physical and mental health, including medical history
PIA
12. GDPR MEANS ONGOING COMPLIANCE…
• Control
• Visibility
• Authentication
• Data Protection
• Adaptive Security
• Automation
13. GDPR GUIDING PRINCIPLES
• Understand what personal data you process
• Know where it is and how it flows in the organisation
• Consider privacy at every level
• Always think user first
• Review your information risk management
• Ensure you have appropriate mitigations in place
• Don’t forget detection and response planning
14. MAIN ACTIONS THAT SHOULD BE TAKEN IN ORDER TO COMPLY
• Prepare for data security breaches
• Establish a framework for accountability
• Embrace privacy by design
• Analyze the legal basis on which you use personal data
• Check your privacy notices and policies
• Bear in mind the rights of data subjects
• Be aware of cross-border data transfers
15. GDPR COMPLIANCE ROADMAP
Phases: Prepare, Authorization, Protect & Secure, Review, Manage
• Data Protection Impact Assessment
• Obtain prior authorization from the Supervisory Authority
• Data Protection Officer
• Protect all data
• Data Protection Compliance Review
• Define the way data is collected and managed
16. PROTECT PRIVACY DATA
Implement data security requirements
• Ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
• Take preventive, corrective and mitigating action in near real time against vulnerabilities
• Regularly test, assess and evaluate the effectiveness of security policies
Implement backup and data recovery policies
• Create a backup policy that clearly identifies roles, responsibilities, schedule, location and formats
• Define the differences between backups and archiving data
• Include archiving in addition to processes such as data rescue, data reformatting, data conversion and metadata
Designate a data protection officer
17. DATA PROTECTION IS ABOUT INFORMATION
#1 Backup and Continuous Data Protection
#2 Information Security
18. SIX AREAS OF INTEREST
#1 Collecting, Storing and Processing Personal Data
#2 Data Discovery, cataloguing and Classifying
#3 Data Protection from Loss or Theft
#4 Endpoint and Perimeter Security
#5 Identity and Access Management
#6 Security and Event Log Management
1. The GDPR applies to all
The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens. This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
2. The GDPR widens the definition of personal data
While the definition of personal data has always been fairly wide, the GDPR broadens it even further, bringing new kinds of personal data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
3. The GDPR tightens the rules for obtaining valid consent to using personal information
Having the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR. The GDPR requires all organizations collecting personal data to be able to prove clear and affirmative consent to process that data.
4. The GDPR makes the appointment of a DPO mandatory for certain organizations
According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs need to be appointed. Therefore, any business that depends on processing personal information will have to appoint a DPO, who will act as an extension of the data protection authority to ensure that personal data processes, activities and systems conform to the law by design.
5. The GDPR introduces mandatory PIAs
The inclusion of mandatory privacy impact assessments (PIAs) in the GDPR is mainly due to the influence of the UK’s Information Commissioner’s Office, which has extensive experience with PIAs. The GDPR requires data controllers to conduct PIAs where privacy breach risks are high, in order to minimize risks to data subjects. This means that before organizations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they remain in compliance as projects progress.
6. The GDPR introduces a common data breach notification requirement
The regulation requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organizations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach.
7. The GDPR introduces the right to be forgotten
One of the principles behind this right is the data minimization principle, which requires organizations not to hold data for any longer than absolutely necessary and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject. It also means organizations have to ensure they have the processes and technologies in place to delete data in response to requests from data subjects.
8. The GDPR expands liability beyond data controllers
In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organizations that touch personal data.
9. The GDPR requires privacy by design
This means that software, systems and processes must be designed to comply with the principles of data protection. However, the proper erasure of information, for example, is not something often seen in software. In the future, all software will be required to be capable of completely erasing data, which will be a challenge for a lot of software engineers.
10. The GDPR introduces the concept of a one-stop shop
In the past, Ireland has been popular with large US corporations, such as Google, because of the country’s relatively permissive data protection authority. However, that all disappears with the GDPR, which allows any European data protection authority to take action against organisations, regardless of where in the world the company is based.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Privacy Impact Assessment
Instead of 28 interpretations of the Data Protection Directive…
One harmonized data protection LAW for all EU member states
Data Protection covers two major areas:
#1 – Ensuring information exists and is always up to date within systems and applications, which is done via data backup and replication
In other words, data backup and replication technologies ensure that PEOPLE will always be able to use and exchange the most recent corporate INFORMATION in their day-to-day job activities
#2 - Ensuring information is safe and secure
In other words, access control technologies ensure that INFORMATION will be accessed, changed and shared only by the RIGHT people, at the RIGHT time and by using the RIGHT tools so that corporate intellectual property is safe from theft or loss, and the information management tools used are working without downtime