GDPR Breach Notification: Demystifying What the Regulators Want
Ilias Chantzos
Senior Director EMEA & APJ Government Affairs
What’s So Important Now That the Deadline Has Passed?
• Not a finish line, just the start!
• A marathon, not a sprint
• Security vs Privacy at the strategic level
Cybersecurity is a Basic Principle in GDPR
Article 32 of the GDPR (Security of processing) reads:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
“State of the Art”: Finding the ‘Goldilocks’ Technologies
Need to balance innovation with the degree of confidence that the technology will be robust enough to deliver on its promises.
! “State of the Art” is a term used, but not defined, in GDPR…
(Diagram: a maturity spectrum running from Mature, through the “Goldilocks” zone, to Bleeding Edge)
Appropriate to the risk
• How to define risk?
• Assessment of risk – change over time
  • Likelihood
  • Consequence
• What is the likely threat – evolution of the landscape
  • Criminal
  • State
  • Political
  • Internal/External
• What type of data
• What type of processing
• Where is the data?
• Accept/Transfer/Mitigate?
The Regulatory Terms Of Reference
Article 4 Paragraph 12: THE BREACH
What can happen to data?
“… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Recital 75: THE IMPACT
What can happen to the data subject?
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate
GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy
GDPR and “Internal” Tensions: The Role of Realistic Guidance
Security
• Cannot rely on consent
• Monitoring of the environment
• Detection of a breach
• Adequate assessment of risk
• Adequate conclusions allowing notification
• Timely deployment of countermeasures/patches
• Encryption
Privacy of Employees
• Transparency of security measures/monitoring
• Minimizing invasiveness of monitoring
• Incident response and access to information
• Retention duration of records/log files
• Consultation/notification of employees
• Encryption
I. Principles of Breach Notification
Related Articles: 4(12), 33(1, 5), 34(1)
Types of personal data breaches:
• “Confidentiality breach”
• “Integrity breach”
• “Availability breach”
Consequence: The controller will be unable to ensure compliance
II. Notification to the Supervisory Authority
Breach detection:
• Identify: When does a controller become “aware”?
• Speed is of the essence to reduce the risk
• Assess: (High or Very-High Risk) → Implications
• Notify: Who and within which deadlines (e.g. 72h)
• Time to establish if personal data have been compromised is crucial.
Key DPO role:
• Providing data protection advice and information to the controller or processor
• Monitoring compliance with the GDPR
• Providing advice in relation to DPIAs
• Communicating with the DPA
II. What Should Be in the Notification to the DPA?
The notification must:
a) Describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.
III. Communication to Data Subjects
• Clear and plain language
• Nature of the personal data breach
• Measures to mitigate its possible adverse effects
Communication not required if the breach is unlikely to result in a high risk:
• Deployed technical and organisational measures
  • E.g. personal data rendered unintelligible
• If a controller decides not to communicate a breach, or does so with delay:
  • This should be demonstrably well founded
  • Failure to do so might cause sanctions (€10M or 2% of global turnover)
  • The DPA can still require a communication to be issued
• Accountability
Some Technical Considerations
• Notification of the controller by the processor without assessing risk
• Partial notification is possible…
• Immediate detection of a breach (Recital 87) and its technical/organizational consequences
• A planned system outage is not a breach
• Take into account the interest of a law enforcement investigation in cases of disclosure to data subjects (Recital 88) – relevant for non-EU LEA
• No retention requirements in GDPR – it is incumbent upon the controller to keep data about the incident
• Joint controllership arrangements should also provide for one controller taking the lead for notification purposes
“The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement”
What is the Difference Between On-premise & Cloud?
None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
What About BREXIT?
Brexit: UK Government Positions
• UK law
• Data transfer impact
• Subcontractor clause
• Direct application of EU law by doing business in Europe
• A “UK Privacy Shield” necessitated by the Investigatory Powers Act?
• Human Rights convention and adequacy
Any company that works with information relating to individuals in the EU will have to comply with the requirements of the GDPR.
Breaches Across Multiple Locations or Jurisdictions
Different scenarios:
• Data concerning different nationals within the EU
• Data within different locations
• Data held by different processors / cloud operators
Who to notify?
• Lead DPA?
• National DPA?
• Who is your regulator?
How is the investigation likely to happen? What is the likely risk?
Use Cases: Supporting GDPR Across Data Privacy & Security
How Can Technology Help?
(Product-map diagram arranged across Prepare / Protect / Detect / Respond, with four pillars: Advanced Breach Detection, Remediation, & Notification; Personal Data Protection Everywhere; Technology Risk Management (Understand Data Risk; Understand, Report, and Remediate Compliance); Unparalleled Threat Intelligence. Products named: ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services, DLP, CASB, Web, CDP, Encryption, VIP, Data Insight, Audit, CCS, EPM.)
Unparalleled Threat Intelligence:
• Endpoint: 175M endpoints protected
• Email: 2Bn emails scanned/day
• Web: 1.2Bn web requests secured/day
• Physical & Virtual Workloads: 64K datacenters protected
• Cloud Security: 12,000 cloud applications secured
Use Case 3: Minimising Risk in Case of a Breach
o General Risk Assessment
o Risk of Breach of Sensitive Data, Professional Secrecy
o Risk of Identity Theft or Fraud
Relevant GDPR Articles:
o Article 5(2)
o Article 24
o Recitals 74, 77, 78, 82
o Article 32(1)(d)
(The same “How Can Technology Help?” product map as on the previous slide.)
Legislative and Standards Landscape
Regulatory Level:
• General Data Protection Regulation (GDPR): all industries holding personal data
• Network Information Security Directive (NISD), a.k.a. Cyber Directive: critical national infrastructure (Financial Services; Energy; Water; Food; Transport; Health; Government; and Emergency Services)
National Level: DPA; 10 Steps; Cyber Essentials; FTSE 350 Cyber; CREST
Industry Level:
• Financial Services: CBEST / FCA / PRA; PCI / PSD; MAS / Swiss / Lux
• Energy / Utilities
• Health and Safety
• CPNI
• PCI / DSS
Technical Standards: ISO 27001; ISO 27005; ISO 27018; COBIT
It’s Not Just About Technology
• Train people
• Establish protocols
• Exercise
• Look at your contracts
• Look at who you are doing business with
• Manage your risk lifecycle properly (threats, risks, technology, organization)
• Then consider how your technology investments can already help you, and where you need to invest/develop further
• GDPR does not start or end with tech, but tech can help you start with GDPR
Key Takeaways
• Plan wisely: implementation may take longer than you think
• Engage with your board; report on progress in addressing data privacy via your security program
• Identify skill & knowledge gaps to determine when to bring in external partners, and which ones
• Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk
• Define a well-documented breach notification process first, and then identify technology that can help with breach detection, resolution, and notification
THANK YOU

Weitere ähnliche Inhalte

Was ist angesagt?

Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013
Federation for Identity and Cross-Credentialing Systems (FiXs)
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
Bill Despo
 

Was ist angesagt? (20)

GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
A guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber Security
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
CISSP-WEB
CISSP-WEBCISSP-WEB
CISSP-WEB
 
New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management
 
New Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS ManagementNew Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS Management
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
Data Security For Compliance 2
Data Security For Compliance 2Data Security For Compliance 2
Data Security For Compliance 2
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
7 Key GDPR Requirements & the Role of Data Governance
7 Key GDPR Requirements & the Role of Data Governance7 Key GDPR Requirements & the Role of Data Governance
7 Key GDPR Requirements & the Role of Data Governance
 
Cloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best PracticesCloud Computing Legal Risks And Best Practices
Cloud Computing Legal Risks And Best Practices
 
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive securityCisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
Cisco Connect 2018 Malaysia - Risk less, achieve more with proactive security
 
Data Privacy & Security
Data Privacy & SecurityData Privacy & Security
Data Privacy & Security
 
Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013Widepoint orc thales webinar 111313d - nov 2013
Widepoint orc thales webinar 111313d - nov 2013
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
Impact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A SecurityImpact of GDPR on Third Party and M&A Security
Impact of GDPR on Third Party and M&A Security
 
Presentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 ConferencePresentation for FPANJ Spring 2015 Conference
Presentation for FPANJ Spring 2015 Conference
 
Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018Six Degrees: Securing your business data - Nov 29 2018
Six Degrees: Securing your business data - Nov 29 2018
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
Cross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive dataCross border - off-shoring and outsourcing privacy sensitive data
Cross border - off-shoring and outsourcing privacy sensitive data
 

Ähnlich wie GDPR Breach Notification Demystifying What the Regulators Want

Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
Stephanie Vasey
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
Shadi A. Razak
 

Ähnlich wie GDPR Breach Notification Demystifying What the Regulators Want (20)

General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...Business impact of new EU General Data Protection Regulation (GDPR) on organi...
Business impact of new EU General Data Protection Regulation (GDPR) on organi...
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better Cybersecurity
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPR
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
Data Protection Post-Brexit: Can the UK Craft a Credible New Approach?
 
GDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to KnowGDPR & Your Cloud Provider - What You Need to Know
GDPR & Your Cloud Provider - What You Need to Know
 
Symantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year OnSymantec Webinar: GDPR 1 Year On
Symantec Webinar: GDPR 1 Year On
 
Getting Ready for GDPR
Getting Ready for GDPRGetting Ready for GDPR
Getting Ready for GDPR
 
GDPR 11/1/2017
GDPR 11/1/2017GDPR 11/1/2017
GDPR 11/1/2017
 
Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
How MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR complianceHow MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR compliance
 
nerfslides.pptx
nerfslides.pptxnerfslides.pptx
nerfslides.pptx
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
 

Mehr von Symantec

Mehr von Symantec (20)

Symantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of BroadcomSymantec Enterprise Security Products are now part of Broadcom
Symantec Enterprise Security Products are now part of Broadcom
 
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
Symantec Webinar | National Cyber Security Awareness Month: Fostering a Secur...
 
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect ITSymantec Webinar | National Cyber Security Awareness Month: Protect IT
Symantec Webinar | National Cyber Security Awareness Month: Protect IT
 
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure ITSymantec Webinar | National Cyber Security Awareness Month: Secure IT
Symantec Webinar | National Cyber Security Awareness Month: Secure IT
 
Symantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own ITSymantec Webinar | National Cyber Security Awareness Month - Own IT
Symantec Webinar | National Cyber Security Awareness Month - Own IT
 
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
Symantec Webinar: Preparing for the California Consumer Privacy Act (CCPA)
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
Symantec Mobile Security Webinar
Symantec Mobile Security WebinarSymantec Mobile Security Webinar
Symantec Mobile Security Webinar
 
Symantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat ReportSymantec Webinar Cloud Security Threat Report
Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 
Symantec Internet Security Threat Report (ISTR) 23 Webinar
Symantec Internet Security Threat Report (ISTR) 23 WebinarSymantec Internet Security Threat Report (ISTR) 23 Webinar
Symantec Internet Security Threat Report (ISTR) 23 Webinar
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

GDPR Breach Notification Demystifying What the Regulators Want

  • 1. Ilias Chantzos, Senior Director EMEA & APJ Government Affairs
    GDPR Breach Notification: Demystifying What the Regulators Want
  • 2. What’s So Important Now That the Deadline Has Passed?
    • Not a finish line, just the start!
    • A marathon, not a sprint
    • Security vs Privacy at the strategic level
  • 3. Cybersecurity is a Basic Principle in GDPR
    Article 32 in GDPR reads (Security of processing):
    “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    (a) the pseudonymisation and encryption of personal data;
    (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
  • 4. “State of the Art”: Finding the ‘Goldilocks’ Technologies
    “State of the Art”: a term used, but not defined, in GDPR…
    Need to balance innovation with the degree of confidence that the technology will be robust enough to deliver on its promises.
    Mature → “Goldilocks” zone → Bleeding Edge
  • 5. Appropriate to the Risk
    • How to define risk?
    • Assessment of risk: changes over time
      • Likelihood
      • Consequence
    • What is the likely threat: evolution of the landscape
      • Criminal
      • State
      • Political
      • Internal/External
    • What type of data?
    • What type of processing?
    • Where is the data?
    • Accept/Transfer/Mitigate?
  • 6. The Regulatory Terms of Reference
    Article 4 Paragraph 12: THE BREACH (what can happen to data?)
    “… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
    Recital 75: THE IMPACT (what can happen to the data subject?)
    “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”
    GDPR / DPA expectation: Anticipate, Avoid, Mitigate, Compensate
    GDPR / DPA requirement: Prevent, Detect, Log, Report, Remedy
  • 7. GDPR and “Internal” Tensions: The Role of Realistic Guidance
    Security:
      • Cannot rely on consent
      • Monitoring of the environment
      • Detection of a breach
      • Adequate assessment of risk
      • Adequate conclusions allowing notification
      • Timely deployment of countermeasures/patches
      • Encryption
    Privacy of employees:
      • Transparency of security measures/monitoring
      • Minimising invasiveness of monitoring
      • Incident response and access to information
      • Retention duration of records/log files
      • Consultation/notification of employees
      • Encryption
  • 8. I. Principles of Breach Notification
    Related Articles: 4(12), 33(1, 5), 34(1)
    Types of personal data breaches:
      • “Confidentiality breach”
      • “Integrity breach”
      • “Availability breach”
    Consequence: the controller will be unable to ensure compliance
  • 9. II. Notification to the Supervisory Authority
    Breach detection:
      • Identify: when does a controller become “aware”?
      • Speed is of the essence to reduce the risk
      • Assess: (High or Very-High Risk) → Implications
      • Notify: who, and within which deadlines (e.g. 72h)
      • Time to establish whether personal data have been compromised is crucial
    Key DPO role:
      • Providing data protection advice and information to the controller or processor
      • Monitoring compliance with the GDPR
      • Providing advice in relation to DPIAs
      • Communicating with the DPA
  • 10. II. What Should Be in the Notification to the DPA?
    The notification must:
    a) Describe the nature of the personal data breach, including the categories and number of data subjects concerned and the categories and number of data records concerned;
    b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
    c) Describe the consequences of the personal data breach;
    d) Describe the measures proposed or taken by the controller to address the personal data breach.
  • 11. III. Communication to Data Subjects
    • Clear and plain language
    • Nature of the personal data breach
    • Measures to mitigate its possible adverse effects
    Communication is not required if a high risk is unlikely:
      • Deployed technical and organisational measures, e.g. personal data rendered unintelligible
    If a controller decides not to communicate a breach, or does so with delay:
      • The decision should be demonstrably well founded
      • Failure to do so might cause sanctions (€10M or 2% of global turnover)
      • The DPA can still require a communication to be issued
      • Accountability
  • 12. Some Technical Considerations
    • Notification of the controller by the processor without assessing risk
    • Partial notification is possible
    • Immediate detection of a breach (Recital 87) and its technical/organisational consequences
    • A planned system outage is not a breach
    • Take into account the interest of a law enforcement investigation in cases of disclosure to data subjects (Recital 88): relevant for non-EU LEA
    • No retention requirements in GDPR: it is incumbent upon the controller to keep data about the incident
    • Joint controllership should also foresee one controller taking the lead for notification purposes
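The notification workflow of slides 9 to 12 (awareness, risk assessment, the 72-hour DPA deadline, data-subject communication, the unintelligible-data exemption, partial notification, planned outages) as a runnable triage helper. This is an added example, not code from the presentation or from any vendor; the risk thresholds and the data categories treated as high-impact are assumptions.

```python
# Added example (not from the presentation): models the workflow the slides describe,
# awareness -> risk assessment -> DPA notification within 72h -> data-subject
# communication if high risk. Thresholds and category names are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DPA_DEADLINE = timedelta(hours=72)                  # Art. 33(1): "not later than 72 hours"
SENSITIVE = {"health", "financial", "credentials"}  # assumed high-impact categories

@dataclass
class Breach:
    kind: str                     # "confidentiality", "integrity" or "availability"
    aware_at: datetime            # moment the controller became "aware"
    categories: list              # categories of personal data concerned
    subjects: Optional[int]       # None while the count is still being established
    records: Optional[int]
    unintelligible: bool = False  # e.g. encrypted and the key was not compromised
    planned_outage: bool = False  # a planned system outage is not a breach

def assess_risk(b: Breach) -> str:
    """Return 'none', 'risk' or 'high' (risk to the rights and freedoms of data subjects)."""
    if b.planned_outage:
        return "none"
    # Unintelligible data removes the confidentiality risk, but not the
    # consequences of data that was lost (availability) or altered (integrity).
    if b.kind == "confidentiality" and b.unintelligible:
        return "none"
    if SENSITIVE & set(b.categories) or (b.subjects or 0) >= 10_000:
        return "high"
    return "risk"

def triage(b: Breach, now: datetime) -> dict:
    """Decide who must be notified and draft the mandatory notification sections."""
    level = assess_risk(b)
    deadline = b.aware_at + DPA_DEADLINE
    out = {"risk": level,
           "notify_dpa": level != "none",               # Art. 33: unless unlikely to result in a risk
           "dpa_deadline": deadline,
           "overdue": level != "none" and now > deadline,
           "communicate_subjects": level == "high",     # Art. 34: high risk only
           "partial": b.subjects is None or b.records is None}  # phased notification allowed
    if out["notify_dpa"]:
        out["notification"] = {   # the four sections the notification must contain
            "nature": f"{b.kind} breach; categories: {', '.join(b.categories)}; "
                      f"subjects: {b.subjects if b.subjects is not None else 'TBD'}; "
                      f"records: {b.records if b.records is not None else 'TBD'}",
            "consequences": None,       # to be described by the controller
            "measures_taken": None,     # measures proposed or taken to address the breach
            "mitigation_advice": None,  # measures recommended to mitigate adverse effects
        }
    return out
```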
  • 13. “The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement”
  • 14. What is the Difference Between On-premise & Cloud?
    None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
  • 15. What About BREXIT?
    Any company that works with information relating to individuals in the EU will have to comply with the requirements of the GDPR.
    Brexit: UK Government positions
      • UK law
      • Data transfer impact
      • Subcontractor clause
      • Direct application of EU law by doing business in Europe
      • A “UK Privacy Shield” necessitated by the Investigatory Powers Act?
      • Human Rights convention and adequacy
  • 16. Breaches Across Multiple Locations or Jurisdictions
    Different scenarios:
      • Data concerning different nationals within the EU
      • Data within different locations
      • Data held by different processors / cloud operators
      • Lead DPA? National DPA? Who is your regulator?
    Who to notify? How is the investigation likely to happen? What is the likely risk?
  • 17. How Can Technology Help? Use Cases Supporting GDPR Across Data Privacy & Security
    Prepare / Protect / Detect / Respond
      • Advanced Breach Detection, Remediation & Notification: ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services
      • Personal Data Protection Everywhere: DLP, CASB, Web, CDP, Encryption, VIP
      • Technology Risk Management (Understand Data Risk): DLP, Data Insight, CASB Audit
      • Understand, Report, and Remediate Compliance: CCS, EPM
    Unparalleled Threat Intelligence: Endpoint (175M endpoints protected); Email (2Bn emails scanned/day); Web (1.2Bn web requests secured/day); Physical & Virtual Workloads (64K datacenters protected); Cloud Security (12,000 cloud applications secured)
  • 18. Use Case 3: Minimising Risk in Case of a Breach
      o General Risk Assessment
      o Risk of Breach of Sensitive Data, Professional Secrecy
      o Risk of Identity Theft or Fraud
    Relevant GDPR Articles:
      o Article 5(2)
      o Article 24
      o Recitals 74, 77, 78, 82
      o Article 32(1d)
    (Same “How Can Technology Help?” overview as slide 17.)
  • 19. Legislative and Standards Landscape
    Regulatory Level:
      • General Data Protection Regulation (GDPR): all industries holding personal data
      • Network Information Security Directive (NISD), a.k.a. Cyber Directive: Critical National Infrastructure (Financial Services; Energy; Water; Food; Transport; Health; Government; Emergency Services)
    National Level: DPA; 10 Steps; Cyber Essentials; FTSE 350 Cyber; CREST
    Industry Level:
      • Financial Services: CBEST / FCA / PRA; PCI / PSD; MAS / Swiss / Lux
      • Energy / Utilities: Health and Safety; CPNI
      • PCI / DSS
    Technical Standards: ISO 27001; ISO 27005; ISO 27018; COBIT
  • 20. It’s Not Just About Technology
    • Train people
    • Establish protocols
    • Exercise
    • Look at your contracts
    • Look at who you are doing business with
    • Manage your risk lifecycle properly (threats, risks, technology, organisation)
    • Then consider how your technology investments can help you already and where you need to invest/develop further
    • GDPR does not start or end with tech, but tech can help you start with GDPR
  • 21. Key Takeaways
    • Plan wisely; implementation may take longer than you think
    • Engage with your board; report on progress in addressing data privacy via your security program
    • Identify skill and knowledge gaps to determine when to bring in external partners, and which ones
    • Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk
    • Define a well-documented breach notification process first, and then identify technology that can help with breach detection, resolution, and notification
  • 22. THANK YOU