Are you confident you know how to respond to a breach in line with GDPR regulations? If you didn’t get a chance to hear Symantec expert Ilias Chantzos’ Strategy Talk at Infosec 2018, find out more here:
GDPR Breach Notification Demystifying What the Regulators Want
1. GDPR Breach Notification: Demystifying What the Regulators Want
Ilias Chantzos, Senior Director EMEA & APJ Government Affairs
2. What’s So Important Now That the Deadline Has Passed?
• Not a finish line, just the start!
• A marathon, not a sprint
• Security vs Privacy at the strategic level
3. Cybersecurity is a Basic Principle in GDPR
Article 32 in GDPR reads (Security of processing):
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
4. “State of the Art”: Finding the ‘Goldilocks’ Technologies
Need to balance innovation with the degree of confidence that the technology will be robust enough to deliver on its promises.
Note: “State of the Art” is a term used, but not defined, in GDPR…
(Diagram: a spectrum running from Mature, through the “Goldilocks” zone, to Bleeding Edge)
5. Appropriate to the Risk
• How to define risk?
• Assessment of risk: change over time
  o Likelihood
  o Consequence
• What is the likely threat? Evolution of the landscape
  o Criminal
  o State
  o Political
  o Internal/External
• What type of data
• What type of processing
• Where is the data?
• Accept/Transfer/Mitigate?
6. The Regulatory Terms of Reference
Article 4 Paragraph 12: THE BREACH. What can happen to data?
“… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Recital 75: THE IMPACT. What can happen to the data subject?
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate
GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy
7. GDPR and “Internal” Tensions: The Role of Realistic Guidance
Security:
• Cannot rely on consent
• Monitoring of the environment
• Detection of a breach
• Adequate assessment of risk
• Adequate conclusions allowing notification
• Timely deployment of countermeasures/patches
• Encryption
Privacy of Employees:
• Transparency of security measures/monitoring
• Minimizing invasiveness of monitoring
• Incident response and access to information
• Retention duration of records/log files
• Consultation/notification of employees
• Encryption
8. I. Principles of Breach Notification
Related Articles: 4(12), 33(1, 5), 34(1)
Types of personal data breaches:
• “Confidentiality breach”
• “Integrity breach”
• “Availability breach”
Consequence: the controller will be unable to ensure compliance
9. II. Notification to the Supervisory Authority
Breach detection:
• Identify: when does a controller become “aware”?
• Speed is of the essence to reduce the risk
• Assess: (High or Very-High Risk) implications
• Notify: who and within which deadlines (e.g. 72h)
• Time to establish if personal data have been compromised is crucial
Key DPO role:
• Providing data protection advice and information to the controller or processor
• Monitoring compliance with the GDPR
• Providing advice in relation to DPIAs
• Communicating with the DPA
10. II. What Should Be in the Notification to the DPA?
The notification must:
a) Describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.
11. III. Communication to Data Subjects
• Clear and plain language
• Nature of the personal data breach
• Measures to mitigate its possible adverse effects
• Communication not required if unlikely high-risk:
  o Deployed technical and organisational measures
  o E.g. personal data unintelligible
• If a controller decides not to communicate a breach, or does so with delay:
  o Should be demonstrably well founded
  o Failure to do so might cause sanctions (€10M or 2% of global turnover)
• The DPA can still require a communication to be issued
• Accountability
12. Some Technical Considerations
• Notification of controller by processor without assessing risk
• Partial notification is possible…
• Immediate detection of breach (Recital 87) and technical/organizational consequences
• Planned system outage is not a breach
• Take into account the interest of a law enforcement investigation in cases of disclosure to data subjects (Recital 88); relevant for non-EU LEA
• No retention requirements by GDPR; it is incumbent upon the controller to keep data about the incident
• Joint controllership should also provide for one controller taking the lead for notification purposes
13. “The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement” (Recital 150)
14. What is the Difference Between On-premise & Cloud?
None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
15. What About BREXIT?
Any company that works with information relating to individuals in the EU will have to comply with the requirements of the GDPR.
Brexit UK Government positions:
• UK law
• Data transfer impact
• Subcontractor clause
• Direct application of EU law by doing business in Europe
• A “UK Privacy Shield” necessitated by the Investigatory Powers Act?
• Human Rights convention and adequacy
16. Breaches Across Multiple Locations or Jurisdictions
Different scenarios:
• Data concerning different nationals within the EU
• Data within different locations
• Data held by different processors / cloud operators
Who to notify?
• Lead DPA?
• National DPA?
• Who is your regulator?
How is the investigation likely to happen? What is the likely risk?
17. Use Cases: Supporting GDPR Across Data Privacy & Security
How Can Technology Help?
• Advanced Breach Detection, Remediation, & Notification: ATP (Analytics, Endpoint, Email, Server, Web / CASB); Cyber Security Services
• Personal Data Protection Everywhere: DLP, CASB, Web, CDP, Encryption, VIP
• Technology Risk Management (understand data risk; understand, report, and remediate compliance): DLP, Data Insight, CASB, Audit, CCS, EPM
Lifecycle: Protect, Detect, Respond, Prepare
Unparalleled Threat Intelligence:
• Endpoint: 175M endpoints protected
• Email: 2Bn emails scanned/day
• Web: 1.2Bn web requests secured/day
• Physical & Virtual Workloads: 64K datacenters protected
• Cloud Security: 12,000 cloud applications secured
18. Use Case 3: Minimising Risk in Case of a Breach
o General Risk Assessment
o Risk of Breach of Sensitive Data, Professional Secrecy
o Risk of Identity Theft or Fraud
Relevant GDPR Articles:
o Article 5(2)
o Article 24
o Recitals 74, 77, 78, 82
o Article 32(1d)
19. Legislative and Standards Landscape
Regulatory Level:
• General Data Protection Regulation (GDPR): all industries holding personal data
• Network Information Security Directive (NISD), a.k.a. Cyber Directive: Critical National Infrastructure (Financial Services; Energy; Water; Food; Transport; Health; Government; and Emergency Services)
National Level: DPA; 10 Steps; Cyber Essentials; FTSE 350 Cyber; CREST
Industry Level:
• Financial Services: CBEST / FCA / PRA; PCI / PSD; MAS / Swiss / Lux
• Energy / Utilities: Health and Safety; CPNI
• PCI / DSS
Technical Standards: ISO 27001; ISO 27005; ISO 27018; COBIT
20. It’s Not Just About Technology
• Train people
• Establish protocols
• Exercise
• Look at your contracts
• Look at who you are doing business with
• Manage your risk lifecycle properly (threats, risks, technology, organization)
• Then consider how your technology investments can help you already and where you need to invest/develop further
• GDPR does not start or end with tech, but tech can help you start with GDPR
21. Key Takeaways
• Plan wisely; implementation may take longer than you think
• Engage with your board; report on progress in addressing data privacy via your security program
• Identify skill & knowledge gaps to determine when to bring in external partners, and which ones
• Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk
• Define a well-documented breach notification process first, and then identify technology that can help with breach detection, resolution, and notification