The General Data Protection Regulation (GDPR) tidal wave has hit. Are you ready? Is your organization prepared for the extensive privacy requirements GDPR puts forth for any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a DPIA against it. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess compliance with this ambiguous regulation at any time.
Many aspects of GDPR define the distinction between a data collector and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will have an effect on the contracts you negotiate with third parties, the way in which you evaluate the risks involved with establishing a business relationship and the policies you develop to maintain compliance to the regulations.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the FTC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
1. GDPR Enforcement Is Here. Are you ready?
June 28th, 2018
Fouad Khalil, Head of Compliance, SecurityScorecard
Ken Dickey, AVP Business Development, Cadre Information Security
2. About the Speakers
Fouad Khalil
Head of Compliance, SecurityScorecard
Fouad Khalil is the Head of Compliance at SecurityScorecard and is responsible for internal and external compliance programs, auditor education, alignment with industry best practices and global sales support. He has more than 25 years of experience in the technology space, spanning software development, IT support, program and project management and, most recently, IT security and compliance management. Khalil's career path in technology has provided him with keen insights in the areas of network, system and DB administration, software programming, system design, project and product development, and much more.
Ken Dickey
AVP – Business Development, Cadre Information Security
Ken Dickey heads the Business Development department at Cadre. With over 29 years of experience in information technology, Mr. Dickey has established himself as a leading expert on IT security architecture design and deployment in both commercial and government environments.
3. Agenda
• More information about GDPR and what the industry is experiencing to date
• What minimum requirements you should have had in place by May 25, 2018
• What you should plan to do for the next 12-18 months if you are not completely ready
• What the FTC Privacy Shield program is and why you should self-certify
• Key GDPR implementation takeaways
4. Why Enact GDPR?
• The Data Protection Directive (DPD) has been around for 20 years
• The DPD set minimum standards for data protection
• Over time, it became difficult for EU citizens to know how their data is protected
• Over time, it became difficult for organizations to determine which laws to comply with
• The EU Commission decided to issue a unified law that:
  • Protects the rights and privacy of EU citizens
  • Reduces barriers to business by facilitating data movement
• The regulation supersedes all laws passed by member states
5. %&#@%!*!! GDPR :(
“The only way to avoid complying with GDPR is to avoid doing business with the EU completely.”
GDPR specifically requires that controllers "take into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood for the rights of natural persons, [...] implement appropriate technical and organizational measures to ensure and be able to demonstrate compliance..."
All this says is that organizations should put in place a privacy compliance framework to ensure data processing is in compliance with GDPR.
If your organization does not have a compliance framework in place, simply use a recognizable one: ISO/IEC 27001:2013 or BS 10012:2017.
6. GDPR's Unprecedented Impact
Unprecedented Fines – 4% of annual worldwide turnover, or €20 million, whichever is higher.
Global Impact – GDPR is not just an EU-specific regulation – every EU citizen's private data, regardless of where it is stored, must be protected.
May 25, 2018 Deadline is here – The majority of companies still have a lot of work left to achieve compliance.
7. Goals of GDPR
• Define privacy policies
• Protect personal data from breaches
• Establish a consistent level of data protection across Europe
• Improve trust between citizens and businesses
• Increase organizational accountability for data practices
• Restrict use of personal data
• Restore control of personal information to individuals
8. High Level Requirements of GDPR
• Clear, specific, freely given, and withdrawable consent for use of personal information
• Adequate mitigation in place to minimize risk of data breaches
• Full transparency regarding how, when, and where personal data is used or shared
• Disposal of personal data upon request or withdrawal of consent to process
9. A Quick Glance on GDPR
Chapter / Articles: Overview of Contents
I - General provisions (Articles 1-4): Subject matter and objectives, material scope, territorial scope, definitions
II - Principles (Articles 5-11): General principles, lawfulness, consent, child consent, special categories of personal data, processing for criminal convictions and offenses, processing without identification
III - Rights of the data subject (Articles 12-23): Transparency, access, rectification, right to be forgotten (erasure), restriction rights, data portability, objection rights, automated individual decision-making (profiling)
IV - Controller and processor (Articles 24-43): Definitions, responsibilities, data protection and privacy by design and by default, security, breaches, data protection impact assessment (DPIA), data protection officer, codes of conduct, certification
V - Transfer of personal data to third countries or international organizations (Articles 44-50): General principles, adequacy, safeguards, binding corporate rules, derogations, international cooperation
10. A Quick Glance on GDPR - Continued
Chapter / Articles: Overview of Contents
VI - Independent supervisory authorities (Articles 51-59): Definitions, independence, conditions, competence, tasks, powers, reporting
VII - Cooperation and consistency (Articles 60-76): One stop shopping, mutual assistance and joint operations, board
VIII - Remedies, liabilities and penalties (Articles 77-84): Complaints, judicial remedies, right to compensation and liability, fines, penalties
IX - Provisions relating to specific processing situations (Articles 85-91): Processing vs. freedom of information, processing vs. public access to official documents, processing vs. employment, processing vs. archiving, historical research, scientific research, professional secrecy, churches and religious associations
Chapters III through V are the main body of normative content that causes significant effort for organizations having to comply with GDPR.
11. Polling Question
What constitutes personal data under GDPR?
A. Tax ID / SSN
B. Bank Information
C. Online Identifiers
D. Credit card data
E. All the above
12. Personal Data
• Understand your environment
• What data? Is it personal?
• From Article 4 section 1: 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'
• Articles 17, 20, and 24 present three examples of why inventorying personal data is a good first step to understanding the ramifications of GDPR.
Understanding its Scope and How It Factors Into Your Environment
15. "When in Doubt - Protect!!"
All data is in scope of GDPR.
Organizations are restricted when it comes to de-identification (scoping out) of data.
Recommendation: treat all as "Protected Data!!"
16. Let's Highlight Some Key Requirements
• Article 5 – The six privacy principles
• Article 15 – Right of access
• Article 17 – Right to be forgotten and to data erasure
• Article 20 – Right to data portability
• Articles 25 & 32 – Require implementation of reasonable data protection measures
• Articles 33 & 34 – Reporting data breaches to supervisory authority and individuals
• Article 35 – Data Protection Impact Assessment
• Article 37 – Appoint data protection officers
• Article 50 – Extends data protection requirements internationally
• Article 83 – Outlines fines for non-compliance
17. Do You Need a Data Protection Officer (DPO)?
First ask: do we need to appoint a DPO? If any of the below apply to your organization, then yes:
• Processing is carried out by a public authority or body;
• Core activities consist of processing operations which require regular or systematic monitoring of data subjects on a large scale;
• Core activities consist of processing on a large scale of special categories of data (Article 9) and data relating to criminal convictions and offenses (Article 10)
18. Role of the DPO
• A DPO shall be designated on the basis of professional qualities, such as a law degree, data protection/security certifications, experience in implementing privacy frameworks, and experience with risk management standards, to name a few.
• The DPO is a protected and independent role as stated by GDPR.
• Primary tasks:
  a. Ensures everyone knows their GDPR obligations,
  b. Monitors compliance, including assignment of responsibilities, awareness-raising and staff training,
  c. Provides advice regarding the DPIA and monitors its performance,
  d. Cooperates with supervisory authorities – main contact point.
19. Data Mapping
• Data mapping is simply best practice. You cannot protect your information if you don't know:
  • That the information exists,
  • Where it is, and
  • The conditions under which it's kept.
• What you need to build your data map are the following:
  • Data items – the information itself.
  • Formats – the state in which data items are stored.
  • Transfer methods – the explicit methods by which data items move from one location to another.
  • Locations – the sites where data items are stored and where processing happens.
20. Data Protection Impact Assessment (DPIA)
• The DPIA is a key tool for the DPO and mandated by the GDPR.
• DPIA must contain at a minimum (naming a few):
• A description of the processing and purposes,
• An assessment of the necessity of the processing,
• An assessment of the risks to the rights and freedoms of data subjects,
• All safeguards and security measures to demonstrate compliance,
• An indication of data protection by design,
• List of recipients of personal data,
• Details whether data subjects have been consulted,
• And more…
• DPIAs are a tool to manage risk, but are only a part of the whole process.
21. Highlights of your Data Rights
• Core rules remain the same – comply with all 6 general principles,
• Consent – stricter requirements on obtaining consent to justify processing of personal data,
• Additional protection for children – child consent only valid if authorized by parent (under 16 years old)
• New data access rights:
  • Right to be forgotten,
  • Right to data portability.
• Profiling
  • Inform data subjects of any profiling (online tracking, behavior advertising, ...)
• More robust privacy notices.
23. Polling Question
Which is the most critical step of a GDPR program implementation?
A. Personal data management, data subjects, consent, etc.
B. Risk management and DPIA.
C. Personal data breaches, incident management reporting.
D. Management commitment and awareness training.
E. All the above!!
24. Federal Trade Commission's Privacy Shield Program
Article 44 – General principle of transfers
Prevent unauthorized data transfers outside member states or to unauthorized third parties.
• The Privacy Shield program, administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations.
• The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as providing adequate protection.
25. Why Self-Certify to the Privacy Shield Program?
• All Member States of the European Union are bound by the European Commission's finding of "adequacy," and Switzerland is bound by the Swiss Government's finding of "adequacy";
• Participating organizations are deemed to provide "adequate" privacy protection, a requirement (subject to limited derogations) for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection;
• EU Member State requirements for prior approval of data transfers either are waived or approval will be automatically granted.
• Compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises.
• Proper intent: give individuals more control over their personal data, mitigate the risk of harm due to a breach.
• Regulations are coming here soon
26. How to Self-Certify to the Privacy Shield Program?
• Plan to implement Privacy by Design
• Prepare a data-centric security model
• Perform eDiscovery and data classification exercises, everywhere
• Perform a DPIA, especially when 3rd parties are involved
• Implement compensating controls
Self Assessment | Outside Verification
Published Privacy Policy Must Be Accurate | Published Privacy Policy Must Be Accurate
Indicate the Privacy Policy Conforms to Privacy Shield Principles | Indicate the Privacy Policy Conforms to Privacy Shield Principles
Individuals are Informed on Complaint Process and Independent Mechanism | Individuals are Informed on Complaint Process and Independent Mechanism
Verify Procedures for Training Employees and How They're Disciplined | Methods of Review include auditing, random reviews, use of decoys or use of technology tools
Document Procedure for Periodic Reviews of Compliance | Firm is listed in the Self Certification form
Document Everything in the Journey to Compliance | Document Everything in the Journey to Compliance
Investigations Trigger Records Release | Investigations Trigger Records Release
27. How to Self-Certify to the Privacy Shield Program?
Start Here: https://www.privacyshield.gov/PrivacyShield/ApplyNow
Answer a few questions:
• Create an Account
• Contact Info – Org & Corp. Officer
• Which framework: Swiss and/or EU
• Org Characteristics – Size Matters
• Other Covered Entities/Divisions
• Choose Your Recourse Mechanism for Dispute Resolution
• Describe the purpose for collecting data
• Choose Statutory Body – DOT or FTC
• Select your Verification Provider
• Upload Privacy Policy & Submit URL
• Pay the bill
Wait for the verdict
28. Polling Question
Who is driving your organization towards GDPR compliance?
A. CEO/CIO
B. Compliance/Legal Team
C. Your Customers
D. Nobody, Just Curious
29. What We Know So Far
• Over the last year, 39% of businesses did not spend any time planning or preparing for the GDPR. (Data Compliance Doctor)
• 28% of businesses already had in-house talent to help them navigate GDPR while 26% hired new team members. (Data Compliance Doctor)
• 69% of companies contacted their customers around consent via e-mail. 43% contacted them via phone call, 38% via letter, 20% via text and 24% in person. (Data Compliance Doctor)
• 39% of organizations report spending less than €100,000, whilst 15% report spending more than €5 million. (Deloitte)
• 61% of respondents see further benefits of remediation activities beyond compliance. (Deloitte)
• Hubspot asked 363 C-level executives in the UK, Ireland, Germany, Austria, and Switzerland what kind of activities their companies were undertaking to prepare for GDPR coming into force. Many of them, 44 percent, were updating their contracts and data protection policies. However, 22 percent ticked the 'none of the above' box. (Statista)
• 44% updated their contracts and data protection policies (Statista)
• 32% liaised with vendors who process personal data to upgrade their contracts (Statista)
• 31% optimized their IT security in the process (Statista)
• 76% of C-level executives believe that Germany and the UK will be the EU countries with the strongest enforcement of GDPR.
30. Things Not Predicted or Expected
• Big company names claim that they will be fully compliant by the effective date. It has become apparent that companies cannot truly measure GDPR compliance without visibility into how supervisory authorities will evaluate their privacy posture.
• Many organizations have zoned in on executing the DPIAs without focus on the most critical step of a successful GDPR compliance campaign - mapping the data.
• GDPR comes with hefty fines for non-compliance. Industry reports reflect that companies are evaluating other options for non-compliance, such as obtaining insurance against these fines and costs associated with litigation, investigation, and compensation.
31. GDPR Next Steps
• Manage your GDPR program as an enterprise-wide process improvement initiative.
• Identify and classify personal data - enterprise-wide data mapping is critical.
• Manage and continuously evaluate your risk - mandatory data protection impact assessment
• Establish your governance - DPO, managing consent, policies and procedures, processing register.
• Implement internal controls in support of GDPR requirements - controls mapped to articles, compliance reviewed, tested and independently audited
32. GDPR Next Steps – Cont'd
• Data security is critical, as GDPR specifically addresses confidentiality, integrity and availability (CIA) and requires a risk-based approach to security and risk mitigation.
• Manage your GDPR compliance through the supply chain (data processed outside your boundaries)
• Clearly define your breach notification process to supervisory authorities and data subjects.
• Manage your awareness program through company-wide initiatives.
33. Final Words
• Ignoring or delaying GDPR compliance could have costly repercussions.
• GDPR has many obligations, but plenty of them can be resolved quickly and easily.
• Large organizations could face significant budgetary, IT, personnel, governance and communications implications.
• Senior management buy-in is CRITICAL!! Could face failure without it.
• Know what, where and how data is processed.
• Educate the masses – training and awareness is key!!
• Be ready to report a breach – stringent notification requirements.
35. Thank You
Fouad Khalil, Head of Compliance, SecurityScorecard
Ken Dickey, AVP – Business Development, Cadre Information Security
Editor's Notes
The purpose of this slide is to spend a VERY brief moment introducing and covering what everyone in the audience knows: GDPR has teeth. The "Majority" bullet is from an SC Magazine UK article by James Walker.
Article 17 (Right to erasure / 'right to be forgotten'): 'The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay'.
Article 20 (Right to data portability): 'The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format'.
Article 24 (Responsibility of the Controller): (1) 'The controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation'.
Yes. That is 9 billion records.
And many of these records were stolen or exposed because of lapses in basic security best practices.
Attackers are exploiting human fallibility. We make mistakes. We can be tricked.
Some of the breaches associated with these records were the result of:
a targeted phishing attack,
an end user mistake,
vulnerabilities and configuration errors.
Maintaining normal authorized access to data is challenging enough.
Add to the mix the threats we continually face.
How can we truly manage access? In my opinion, we must govern all normal or trusted access continuously to allow us the ability to minimize threats and risks to our environments.
Verification requirements of the Recourse, Enforcement and Liability Principle
Recourse Mechanism Providers:
BBB EU Privacy Shield Program
DMA Privacy Shield Program
ICDR/AAA Privacy Shield Program
JAMS Privacy Shield Program
VeraSafe Privacy Shield Program
Whistic
Verification providers are similar entities, most provide all GDPR and data privacy services
Statutory Bodies in the US are:
DOT
FTC