GDPR is Coming!
TRANSCRIPT
![Page 1: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/1.jpg)
ANITIAN (intelligent information security)
![Page 2: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/2.jpg)
MEET THE SPEAKER – ADAM GAYDOSH
• Director of Security Intelligence at Anitian
• 17 years experience in IT Security
• Principal consultant for governance, risk and compliance practices
• PCI QSA since 2008
• Co-author of workbook on PCI compliance in AWS
• Co-developer of RiskNowTM Rapid Risk Assessment Methodology
![Page 3: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/3.jpg)
WHO
HOW
• Build great security…
o Programs
o Controls
o Practices
o Leaders
WHY
• We believe security is essential to growth, innovation, and prosperity
![Page 4: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/4.jpg)
WHAT
![Page 5: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/5.jpg)
OVERVIEW
My Intent
• Provide a basic overview on GDPR
• Describe strategies for complying with GDPR
Presentation Outline
1. GDPR Basics
2. Significant Requirements
3. Compliance Strategies
4. Final Thoughts
![Page 6: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/6.jpg)
WHAT IS GDPR?
• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• A privacy regulation that generally applies to the personal data of EU citizens (data subjects)
• Goes into effect May 25th 2018
• Focus is on the responsibilities of companies to protect citizens’ data, and citizens’ rights concerning how their data is protected and used
![Page 7: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/7.jpg)
AFFECTED ORGANIZATIONS
• Applies to EU companies and those with EU citizens’ data
• Categorizes companies as either Controllers or Processors
• Controllers are responsible for how data is processed, and are generally the collectors of the personal data, and therefore ultimately responsible for it
• Processors are entities that handle personal data in some manner on behalf of the controllers
![Page 8: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/8.jpg)
REGULATED DATA TYPES
• Personal data: Any information relating to an identified or identifiable natural person (‘data subject’)
o Common personally identifiable information such as name, address, DOB
o Less common data types including photos, email addresses, posts on social networking websites and IP addresses
• Sensitive personal data: Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms
o Private information that includes one’s health, race, sexual orientation and religion
![Page 9: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/9.jpg)
CERTIFICATION AND ENFORCEMENT
• Penalties are defined in Article 83
• Fines can reach up to €20 million, or 4% of the total worldwide annual turnover (revenue) of the preceding financial year, whichever is higher.
• A tiered approach to penalties is defined based on specific conditions of non-compliance and organization type
• Certification is defined in Article 42
o Still in progress at the member state level
o Article 43 refers to ISO in a discussion on certification bodies, and seems a likely model
![Page 10: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/10.jpg)
OTHER IMPORTANT GDPR CONCEPTS
• Article – The 99 sections of the GDPR that define the specific guidance, organized by chapters
• Recitals – Officially documented guidance, interpretation and implementation information supporting the GDPR
• Supervisory Authority – Member states’ public authority responsible for overseeing GDPR
• Pseudonymization – Sanitized personal data that can no longer be attributed to a specific data subject without the use of additional information
![Page 11: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/11.jpg)
NOTABLE REQUIREMENTS
• Article 25 – Data Protection by Design and Default
• Article 37 – Designation of the Data Protection Officer
• Article 17 – Right to erasure (‘right to be forgotten’)
• Articles 33 & 34 – Breach Notification
• Article 30 – Records of processing activities
![Page 12: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/12.jpg)
ARTICLE 25 – DATA PROTECTION BY DESIGN
• Requirement to inventory and classify all personal data
• Likely to be the highest effort task
• Start with business process inventory and analysis, then map data flow
• Don’t forget to identify vendors and other 3rd parties with whom personal data is shared
![Page 13: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/13.jpg)
ARTICLE 37 - DATA PROTECTION OFFICER (DPO)
• The DPO is responsible for overseeing GDPR compliance
• The DPO must report to the highest level of management
o For this reason it is often outsourced
• Primary tasks defined in Article 38:
o Advising the organization on data privacy obligations
o Monitoring compliance with data privacy obligations
o Overseeing the Data Privacy Impact Assessment (DPIA)
o Coordinating with supervisory authorities as appropriate
![Page 14: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/14.jpg)
ARTICLE 17 - RIGHT TO ERASURE
• Also referred to as the “right to be forgotten”
• At the request of a data subject, all instances of their personal data must be deleted within 72 hours
• Includes provisions to allow data subjects to stop further sharing and processing of data
• Controllers are required to assess whether there is an overriding reason to deny the request
![Page 15: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/15.jpg)
ARTICLES 33 & 34 – BREACH NOTIFICATION
• Breaches must be disclosed to the supervisory authority within 72 hours of discovery
• Under certain conditions, breaches must also be disclosed to data subjects without “undue delay”; Processors must likewise notify Controllers
• Personal data breaches are broadly defined:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
![Page 16: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/16.jpg)
ARTICLE 30 - RECORDS OF PROCESSING ACTIVITIES
• The following information must be documented for all data processing:
o Record type
o DPO contact information
o Purpose for processing
o Data categories
o Recipients
o Cross-border transfers
o Retention period
o Security controls
![Page 17: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/17.jpg)
GDPR COMPLIANCE STRATEGIES
• GDPR Compliance Program Roadmap
• GDPR Compliance Program Priorities and Pain Points
• GDPR and ISO 27001
![Page 18: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/18.jpg)
COMPLIANCE PROGRAM ROADMAP
• Formalize Program and Responsibilities
o Assign a DPO
• Assess Risk
o Inventory and classify data
o Conduct a risk assessment
• Mitigate Risk
o Reduce scope
o Design and implement control framework
• Evaluate and Optimize
o Conduct DPIA
o Enhance controls
o Document and certify
![Page 19: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/19.jpg)
PRIORITIES AND PAIN POINTS
• Priorities
o Data Inventory and Classification
o Risk Assessment and DPIAs
• Pain Points
o Consent
o Cross-border transfers
o Profiling
![Page 20: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/20.jpg)
DATA INVENTORY AND CLASSIFICATION
• Start with identifying data in expected locations by mapping the data flow of business processes
• Classifying data should not only designate data as personal or one of the special categories, but also potentially identify the member state of the data subject
• After the initial inventory, implement processes for discovering data that is located where it shouldn’t be, and deciding what to do with it
![Page 21: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/21.jpg)
RISK ASSESSMENTS
• There are many aspects of GDPR that require a risk-based determination of applicability
• Performing a risk assessment to determine appropriate controls is a critical aspect of establishing a GDPR compliance program
• Risk-based approaches are critical when having to demonstrate due diligence for a decision based on uncertainty
![Page 22: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/22.jpg)
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
• The purpose is to help validate that the organization is taking the correct actions to ensure compliance with GDPR on an ongoing basis.
o Focus on determining if processing risk is high
• Required for Controllers
• Often used by Processors to demonstrate sufficiency of GDPR compliance to Controllers
• Should be performed after an initial risk assessment and implementation of baseline controls
![Page 23: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/23.jpg)
PAIN POINTS - CONSENT
• “Consent” is an agreement with the data subject to allow the processing of their personal data
• Can no longer be implicit, or opt-out
• How personal data and consent are captured must be tracked
• Consent must be revoked at the request of data subjects at any time
• Parental consent is required for children, which will impact many services, such as social media
![Page 24: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/24.jpg)
PAIN POINTS - CROSS-BORDER TRANSFERS
• Data transfers are allowed amongst member states and outside of the EU
• There is a cascading series of requirements depending on the level of data protection the receiving entity provides
• The easiest condition is if the country has been deemed adequate by the European Commission
o The US has not!
o Cost and complexity of demonstrating adequacy increase from there
![Page 25: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/25.jpg)
PAIN POINTS - PROFILING
• Automated processing of data for making decisions about the data subjects
o Most of the focus is on the decision itself, such as an automatic rejection of a credit request
• When data is collected that will be profiled (and on request), you have to notify the subject of this, along with the logic and consequences behind this data profiling
• Subjects have the right to object to profiling
![Page 26: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/26.jpg)
GDPR AND ISO 27001
• Components of an ISO 27001 compliant Information Security Management System (ISMS) can be leveraged to meet aspects of GDPR, including:
o Data Inventory
o Risk-based approach
o Vendor management
o Breach notification
o Continuous Improvement
o Certification
• Companies doing business internationally already widely use ISO 27001
![Page 27: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/27.jpg)
FINAL THOUGHTS & PRIORITIES
• Appoint a DPO and formalize your program
• Inventory your data, including vendors
• Adopt a risk-based approach
• Publish and iterate
![Page 28: GDPR is Coming!](https://reader033.vdocuments.net/reader033/viewer/2022051504/5a648a3e7f8b9a27568b6023/html5/thumbnails/28.jpg)
EMAIL: [email protected]
TWITTER: @adam_gaydosh
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN