Learn if you’ve got the right security strategy, and investment plan, to protect your organization and ensure regulatory compliance with the General Data Protection Regulation (GDPR). Watch now here: https://symc.ly/2VMNHIm
1. The GDPR – One Year On
Ilias Chantzos - Sr Director, Government Affairs
Ramses Gallego – Strategist & Evangelist, Office of the CTO
2. Are organisations truly ready?
What has improved:
• New data governance mindset and structures
• New policies, plans, procedures, documentation
• New internal structures, roles, reporting lines, collaboration
• New investments in services, training, technology
• New attention to accountability, compliance, documentation, demonstrability
• New consideration for data subject rights
Persisting challenges:
• Acknowledgement that emphasis is on outcomes
• Translating legislative needs into technology decisions
• GDPR interpretation and some conflicting DPA guidance
• Concurrent compliance needs (sectorial or national)
Information Lifecycle (diagram): Collect, Process, Manage, Retain & Secure
3. Is enforcement happening?
• Supervisory Authorities (SAs) enhanced their capabilities (structure, headcount, processes, technology)
• Tens of thousands of notifications and complaints received
• Over-notifications are an issue (with conflicting indications by SAs)
• Investigations have been carried out (including backlog from the pre-GDPR era) and WILL continue
• Fines have been handed out, some hefty (e.g. to Google by CNIL)
• Security breaches appear to be, anecdotally, a major source of notifications
4. POLL QUESTION 1
• Have notifications been filed against your organization?
1. YES
2. NO
3. Don’t know
5. Managing complexity (What data do you really process?)
Some of the key unchartered GDPR complexities:
• Realization of the sheer scale of data involved
• Managing data flows vs. business needs – Across infrastructures
• Managing the information cycle
• Managing Privacy vs. Security (e.g. employee endpoint)
• Protecting customer, employee and supply chain data
• Ensuring the supply chain is compliant - Accountability
• Data Subject requests – Number vs. quality
• New data sets to consider: metadata, cloud data, office applications, shadow data/shadow apps, ‘concealed’ personal data (“indirectly identifying”)
6. Difference Between On-premise & Cloud?
None in terms of the GDPR security & compliance requirements.
Shadow IT: 1500+ cloud apps in use by the average enterprise
Shadow Data: 1 in 3 orgs have more data in the cloud than on-premises
Account Takeover: 81% of data breaches involve leveraging weak or stolen passwords
Cloud Chaos: 13% of cloud docs are broadly shared*
*2018 Shadow Data Report
7. Shadow IT - The Impact on GDPR Compliance
• Purpose Limitation, Storage Limitation, Confidentiality and Integrity (Article 5)
• Transparency and Information to Data Subjects (Articles 12-14)
• Exercise of Data Subject Rights (Articles 15-22)
• Privacy by Design and by Default (Article 25)
• Risk of Joint Controllership (Article 26)
• Processor Obligations and Sub-Processing (Article 28)
• Controller-Processor Relationship (Article 29)
• Documentation of Processing Operations (Article 30)
• Security of Processing (Article 32)
• Data Breach Detection and Notification (Articles 33 and 34)
• Risk Assessment, DPIA Accuracy, Prior Consultation (Articles 35-36)
• International Transfers (Chapter V)
• Compensation and Liability (Article 82)
• Overall Accountability (Articles 5 & 24)
• Sanctions (Article 83)
8. POLL QUESTION 2
• Have you identified Shadow IT in your organization?
1. YES
2. NO
3. NOT SURE
9. What are the GDPR pain-points for technologists?
• Identifying data location - Ambiguous boundaries
• The risk of a security breach:
o Increasing attack surface and growing number of vulnerabilities
o Increasing level of sophistication of attacks
o Insider threat – Whether malicious or not
• Managing the cloud
o Multiple suppliers
o Data sets being uploaded & downloaded
o Shadow data a severe compliance risk factor
• Loss of availability (e.g. through ransomware)
10. And How Security Technical Controls Fit
Key GDPR Compliance Considerations
Questions to ask:
Can you determine what your risk profile is?
What broad areas do I need to focus on for GDPR?
How do I manage and report on my information risk management practices?
What personal data is out there and where is it?
Can we control what personal data is accessible and who can access it?
Can we control where data resides?
Can we encrypt / obfuscate personal data?
Can we detect unauthorised access or breaches of personal data?
Can we quickly and thoroughly notify in the event of a breach?
Can we continuously evaluate the effectiveness of our security?
Matching security technical controls:
Risk Management
Compliance Assessments
Information Centric Security
DLP / CASB
Authentication
Encryption
Tokenisation
Breach Response
Managed Security and Incident Response Services
Security Analytics
11. Is there enough GDPR guidance?
• Like any legislation the GDPR is prone to interpretation
• Guidance published by Regulators both at EU and MS level
• European Data Protection Board (EDPB)
guidance/consultation material
• But guidance is never enough
• Complex internal contradictions of the GDPR
• E.g. the level of monitoring of employees’ endpoints (national labour legislation) or the Controller/Processor relationship
12. POLL QUESTION 3
• What other areas do you see as major pain points for GDPR compliance?
1. Complaint handling
2. Shadow IT
3. Record Management
4. Breach notification
5. Employee privacy rights
13. Summary
The GDPR One Year Later
• Major improvements in data governance across organisations
• Enforcement is happening and there will be no complacency
• Full GDPR compliance doesn’t exist; the posture of the data needs to be constantly re-evaluated and monitored
• Digital transformation adds additional pressure on technologists
• GDPR is the model for other similar regulations worldwide