
TRANSCRIPT

Page 1: GDPR Compliance and Elasticsearch · GDPR Compliance and Elasticsearch Webinar - March 2018 Webinar Abstract The European Union’s (EU) General Data Protection Regulation (GDPR)


Mike Paquette, March 13, 2018

GDPR Compliance and Elasticsearch

GDPR Compliance and Elasticsearch Webinar - March 2018

Page 2

Webinar Housekeeping & Logistics

• Slides and recording will be available following the webinar

• Chat via IRC #elastic-webinar
  ‒ #elastic-webinar @ Freenode
  ‒ Click “Join the Chat” link, create an IRC account

• Please select high resolution in the YouTube video player

GDPR Compliance and Elasticsearch Webinar - March 2018

Page 3

Webinar Abstract

The European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect May 25, 2018. The Elastic Stack (formerly known as the ELK stack) — Elasticsearch, Kibana, Beats, and Logstash — can catalyze your GDPR-compliance preparedness and ensure data management processes for the long term.

Join Mike Paquette, Director of Product, Security Market, for a presentation on GDPR and live Q&A.

Highlights include:

• Handling GDPR Personal Data
• How to secure and get in compliance with your Elasticsearch data
• Using the Elastic Stack to Meet GDPR Requirements


Page 4

Mike joined Elastic in 2016 from Prelert, where he'd been VP of Products for Prelert's machine learning technology.

Mike's focus at Elastic is to help users and customers succeed with security-related applications of the Elastic Stack.

Starting his career as an ASIC designer, Mike has led the development of SIEM, network IPS, DDoS Defense, and network monitoring solutions.

Mike is a co-author of a patent on DDoS defense.

Mike also manages Elastic’s Internal GDPR Compliance Projects.


Page 5

Disclaimer

This webinar is provided for informational purposes only. It does not offer legal or audit advice. This webinar should not be relied on as a complete or accurate statement of the law. An organization’s compliance with GDPR may be dependent on many factors outside the scope of this webinar, ranging from its privacy policies and practices to its information security controls and organizational structures. For a complete and accurate statement of law, or for legal advice for a particular situation, the viewer should consult a competent attorney.

Do we have your “explicit consent” to continue?

[Yes] [Yes]

Are you sure?


Page 6

Scope of This Webinar

• Elastic the Company: “Is Elastic, the company, compliant with GDPR?”
• Elastic Cloud Services: “Are Elastic Cloud Services compliant with GDPR?”
• Using Elastic Products: “Can Elastic products help my organization meet GDPR requirements?”


Page 7

Page 8

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

TRUE or FALSE?

According to GDPR, processing of personal data should serve mankind.

TRUE

Page 9

Rights of Data Subjects

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• The right not to be subject to automated decision-making including profiling

Expanded from previous Directive


Page 10

(1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

CHAPTER 1 GENERAL PROVISIONS
Article 4 Definitions


Page 11

Handling GDPR Personal Data


Page 12

Simplified GDPR Logical Flow
Handling “Personal Data”


Page 13

Process for GDPR Compliance


Page 14

Example GDPR Compliance Initiative Process
Prepare, Protect, Privacy Processes


Page 15

Example GDPR Compliance Initiative Process
Prepare, Protect, Privacy Processes


Page 16

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

CHAPTER IV CONTROLLER AND PROCESSOR
Section 2 SECURITY OF PERSONAL DATA
Article 32 Security of processing


Page 17

Example GDPR Compliance Initiative Process
Prepare, Protect, Privacy Processes


Page 18

Example GDPR Compliance Initiative Process
Prepare, Protect, Privacy Processes


Page 19

Using the Elastic Stack to Meet GDPR Requirements


Page 20

Elastic Stack
Open source Products


Page 21

X-Pack
Extensions for the Elastic Stack

• Single install
• Subscription pricing
• New! Open code

Security

Alerting

Monitoring

Reporting

Graph

Machine Learning


Page 22

Elastic Cloud Enterprise

Provision and manage multiple Elastic Stack environments; expose logging as a service to your entire organization


Page 23

Elastic Features Help Meet GDPR Requirements


Page 24

Elastic Features Help Meet GDPR Requirements


Page 25

Elastic Features Help Meet GDPR Requirements


Page 26

Elastic Features Help Meet GDPR Requirements


Page 27

Questions?


Page 28

Thank You

● GDPR white paper:
  ○ https://www.elastic.co/gdpr
● GDPR blogs:
  ○ https://www.elastic.co/blog/a-quick-flight-over-gdpr-elasticsearch
  ○ https://www.elastic.co/blog/introduction-to-gdpr-with-elasticsearch
● Web: www.elastic.co
● Products: https://www.elastic.co/products
● Forums: https://discuss.elastic.co/
● Community: https://www.elastic.co/community/meetups
● Twitter: @elastic
