
Page 1: GDPR: The Day After… - Oracle | Integrated Cloud ... · GDPR: The day after | March 21, 2017 We provide 12 « end to end services » to help our clients to comply with GDPR Capgemini

GDPR: The Day After…

Pierre-Luc REFALO

Page 2

2Copyright © 2017 Capgemini and Sogeti. All Rights Reserved

GDPR: The day after | March 21, 2017

The speaker: Pierre-Luc REFALO, Global Head of Strategic Cybersecurity Consulting

- 25+ years in Information & Cyber Security consultancy
- CISO for SFR & Vivendi Universal (1997 – 2002)
- Author
- Teacher
- Speaker

(Timeline from the slide graphic: 2002, 2012, 2013 Award)

Page 3

« Success consists of going from failure to failure without loss of enthusiasm! »

Sir Winston Churchill

Page 4

You’ve been breached: just a question of time …

- 201 days: average time to detect a cyber incident. (1)
- 70 days: average time to recover after a targeted attack. (1)
- 89% of breaches had a financial or espionage motive. (3)
- 90% of cyberespionage breaches capture trade secrets or proprietary information. (3)
- $445bn: estimated annual cost to the global economy from cyber crime. (2)

Sources: (1) Ponemon Institute - Research Report - 2016; (2) Hiscox - Cyber Readiness Report – 2017; (3) Verizon - DBIR - 2016; http://breachlevelindex.com/

“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

GDPR – Recital #4 – 27 April 2016

Page 5

What? You’ve been breached: impacts are real and maybe huge

- Economic impact: loss of revenue, fines, additional costs, etc.
- Reputation impact: the nightly news, market brand, etc.
- Operational impact: disrupted processes, stress, etc.
- Legal impact: contractual clauses, lawsuits, class actions, etc.

Page 6

You’ve been breached: you have to understand …

When? How?

Page 7

You’ve been breached: real life…

Target Corporation suffered one of the largest cyber breaches to date.

- 40 million financial data records stolen; 70 million personal data records stolen
- $252 million: loss of revenue (Q4 2013)
- $57 million: reduced taxes
- $90 million: insurance reimbursement
- Net loss = $105 million (0.1% of 2014 sales)

John Mulligan (Target CFO) had to face a Senate Judiciary Committee for almost 3 hours.
https://www.youtube.com/watch?v=ZgTtycPracY

Source: Columbia University, Benjamin Dean

Page 8

Extracts from GDPR: Section 2 – Security of Personal Data, Article 32

Page 9

Did you monitor your Systems and Crown Jewels?

Page 10

Did you protect your data and assets (enough)?

Page 11

Did you perform a Privacy Impact Assessment?

Page 12

Did you perform a Privacy Impact Assessment? Three different PIA approaches

1. PIA on organization – scope: privacy governance & policies
The organizational privacy impact assessment reviews basically all GDPR articles and gives insight to define the organization’s privacy governance and policy framework.

2. PIA on operations – scope: business processes, systems & people
The operational privacy impact assessment is very much related to the responsibility of the controller (art. 24, GDPR). It reviews the technical & organizational measures of the existing operations to be compliant with the GDPR.

3. PIA on new business initiatives – scope: new product & service development, marketing programs, campaigns, etc.
Data protection impact assessments (as described in art. 35, GDPR) are required where the usage of new technologies is likely to result in a high risk to the rights and freedoms of natural persons. Risk mitigating measures have to be designed into products by default (art. 25, GDPR).

It is not a one-off exercise; privacy is here to stay!

Page 13

Did you implement Data Discovery and Classification?

Page 14

Did you implement Data Discovery and Classification? The new Digital Landscape – IT & IoT

(Diagram labels: Connected Objects (IoT Products), Sensors, Hub of sensors, Data Acquisition, Object Gateway, App Gateway, Data aggregation, Internet, Public Cloud, Private Cloud, Big Data, Data Center, Data analysis, App.)

Page 15

Did you implement Data Discovery and Classification?

Collect
- Connect to all relevant DB and systems

Identify
- Profile data to get a structure and format overview
- Identify Personal Data in DB, tables and fields
- Start looking at deduplication
- Catalogue findings on field, table and DB level

Classify
According to risks:
- the nature
- the scope
- the volume
- the users
- the access
- the location
- the process itself
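The Collect / Identify / Classify sequence above, carried out end to end against a small database, as an added example that is not code from the slide deck or from Capgemini’s services. It assumes an in-memory SQLite database with constructed, fabricated sample tables; the column-name hints, value patterns, nature weights and risk thresholds are illustrative assumptions chosen for the demo, not a prescribed GDPR scheme. The deduplication step flags the same personal value held in more than one table, which widens the scope (and the breach blast radius) and therefore raises the classification.

```python
"""Personal-data discovery and risk classification over a SQLite database.

Added example, not code from the slide deck. The sample tables are
constructed for the demo; the column-name hints, value patterns, weights
and thresholds are illustrative assumptions, not a prescribed GDPR scheme.
"""
import re
import sqlite3
from collections import defaultdict

# Column-name hints mapped to a personal-data category (assumed list).
NAME_HINTS = {
    "email": "contact", "phone": "contact", "name": "identity",
    "address": "identity", "dob": "identity", "iban": "financial",
    "card": "financial", "diagnosis": "special_category", "health": "special_category",
}
# Fallback value patterns used when the column name gives nothing away.
VALUE_PATTERNS = {
    "contact": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+$"),        # e-mail address
    "financial": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),  # IBAN-shaped
}
# The nature of the data drives the score most (assumed weights).
NATURE_WEIGHT = {"special_category": 4, "financial": 3, "identity": 2, "contact": 1}


def build_sample_db():
    """Step 1 (Collect): connect to the systems in scope. Here an in-memory
    SQLite database with constructed, fabricated rows stands in for them."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers(id INTEGER, full_name TEXT, email TEXT, iban TEXT);
        CREATE TABLE patients(id INTEGER, email TEXT, diagnosis TEXT);
        CREATE TABLE products(sku TEXT, price REAL);
        INSERT INTO customers VALUES (1, 'Ann Example', 'ann@example.org', 'DE89370400440532013000');
        INSERT INTO customers VALUES (2, 'Bob Example', 'bob@example.org', 'FR7630006000011234567890189');
        INSERT INTO patients VALUES (1, 'ann@example.org', 'flu');
        INSERT INTO products VALUES ('sku-1', 9.99);
    """)
    return con


def identify(con):
    """Step 2 (Identify): profile every table and column, then flag the
    columns that hold personal data, by name first and by value second."""
    findings = []
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        rows = con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
        for _, col, ctype, *_ in con.execute(f'PRAGMA table_info("{table}")'):
            sample = [r[0] for r in con.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT 50')]
            category = next((c for hint, c in NAME_HINTS.items()
                             if hint in col.lower()), None)
            if category is None:
                category = next((c for c, pat in VALUE_PATTERNS.items()
                                 if sample and all(pat.match(str(v)) for v in sample)), None)
            if category:
                findings.append({"table": table, "column": col, "type": ctype,
                                 "category": category, "rows": rows})
    return findings


def find_duplicates(con, findings):
    """Deduplication check: the same personal value held in more than one
    place widens the scope and the blast radius of a breach."""
    seen = defaultdict(set)
    for f in findings:
        for (value,) in con.execute(f'SELECT "{f["column"]}" FROM "{f["table"]}"'):
            if value is not None:
                seen[(f["category"], value)].add(f'{f["table"]}.{f["column"]}')
    return {key: sorted(locs) for key, locs in seen.items() if len(locs) > 1}


def classify(findings, duplicates):
    """Step 3 (Classify): catalogue findings per table and rate the risk from
    the nature, scope (number of personal columns), volume and spread."""
    per_table = defaultdict(list)
    for f in findings:
        per_table[f["table"]].append(f)
    spread = {loc.split(".")[0] for locs in duplicates.values() for loc in locs}
    catalogue = {}
    for table, cols in per_table.items():
        nature = max(NATURE_WEIGHT[c["category"]] for c in cols)
        rows = cols[0]["rows"]
        volume = 1 if rows < 1000 else 2 if rows < 100000 else 3
        score = nature * 2 + len(cols) + volume + (1 if table in spread else 0)
        level = "high" if score >= 12 else "medium" if score >= 7 else "low"
        catalogue[table] = {"score": score, "level": level,
                            "categories": sorted({c["category"] for c in cols})}
    return catalogue


if __name__ == "__main__":
    con = build_sample_db()
    found = identify(con)
    dups = find_duplicates(con, found)
    for table, info in classify(found, dups).items():
        print(table, info)
    print("held in more than one place:", dups)
```

Run as-is, the scanner flags five personal-data columns, leaves the products table out of the catalogue, reports that ann@example.org is held in both customers.email and patients.email, and rates patients (special-category health data) high and customers medium. In a real engagement the three remaining risk factors from the slide (users, access, location) come from the IAM and hosting inventory rather than from the database itself, and would be joined into the same per-table catalogue.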

Page 16

Do you plan a Journey to the Cloud?

Cloud services provide better security than many on-premise infrastructures.

3 topics remain under data owner / controller accountability:
- Governance, Risk & Compliance
- Identity and Access Management
- Information & Data Protection

Two key challenges:
- Internet of Things and connected objects
- Geo-strategy & Sovereignty

Page 17

(Diagram: four columns – On-Premises, Infrastructure (as a Service), Platform (as a Service), Software (as a Service) – each showing the stack Applications, Data, Virtualization, Runtime, Middleware, O/S, Servers, Storage, Networking, with each layer marked as either “Customer Manages” or “Cloud Supplier Manages”. Across all four columns, Information and Data Protection, Identity & Access Management and Governance Risk & Compliance sit on the customer side.)

The type of cloud service drives how shared responsibility is assigned between the Cloud Service Provider and the organisation … while Governance, Risk and Compliance, Identity & Access Management and Information & Data Protection will always be the responsibility of the customer.

Page 18

Data Protection is a long-term challenge that Capgemini has handled globally since 2014

2014: 2 key Group Initiatives
- Binding Corporate Rules

Page 19

We release a new survey on “Cybersecurity & Privacy for Financial Institutions”: The Currency of Trust: Why Banks and Insurers Must Make Customer Data Safer and More Secure

(Chart: strength of data privacy policies vs. strength of security framework, Banking and Insurance. Axes: Strength of Data Privacy Policies (Low / High) and Strength of Security Framework (Low / High). Quadrants: Pace-setters, Privacy-passives, Security-sloths, Laggards; the segment shares shown are 31%, 20%, 29% and 20%.)

Source: Capgemini’s Digital Transformation Institute Cybersecurity and Privacy Survey

Page 20

We provide 12 « end to end services » to help our clients to comply with GDPR

Capgemini is a trusted partner from a strategic / tactical / operational perspective

(Diagram: the 12 services, numbered 1–12, are laid out by Organize / Protect / Monitor and by Strategic / Operational level.)

- Data Protection Maturity Assessment & Roadmap
- Privacy Impact Assessment
- Organization Transformation & Professionalization
- Awareness & Change Management
- Compliance Tracking
- Data Discovery
- Data Automatic Classification
- Data & Data Base Security (incl. Key Management System) + Anonymization
- IAM Fast Track
- IDaaS
- Data Leak Prevention
- SOC & SOCaaS

Page 21

Data Privacy & Protection is at the heart of our internal CySIP program

Be Secure
- Protect digital assets within Capgemini
- Protect the personal data of Capgemini employees and customers
- Secure our delivery to clients

Be Trusted
- Comply with the law
- Provide solid cyber security and data privacy solutions to our clients

Win More
- Become a leader in Cyber Security and Data Privacy by being exemplary within our organization
- Provide best-in-class cybersecurity, alongside technology solutions

The CySIP Program aims at leveraging the Capgemini Cybersecurity Unit to protect Capgemini’s digital assets and reputation; to secure delivery management; and to develop business (Business / Risk / Compliance).

Page 22

Takeaways: 2017-2018 Challenges

The last stretch: Data Privacy / Protection Transformation Program

- Make sure a proper Data Protection Governance is in place, including a Data Protection Officer when required, working with the CISO and DRO (1)
- Establish accountability (Controller and Processor) for Personal Data Processing
- Implement encryption and enhance IAM within databases
- Translate GDPR to make it understandable to …
  - IT Staff: developers, architects, project managers, etc.
  - Business Lines (Marketing, Sales, Supply chain, etc.) and central functions (HR, Purchasing, etc.)
  - Cloud services stakeholders
- On a case-by-case basis, prepare or develop a « DLP (2) » initiative
  - Shadow IT controls
  - Threat Hunting
  - Deep / Dark Web monitoring
- Implement a « security AND privacy by design » process
  - Set up or revise privacy impact assessment procedures and privacy-by-design methods
  - Handle increased requirements for security of processing, taking into account the risk profile of the data processed (pseudonymisation in particular)
  - Think about a specific « Design Authority » (decision-making body) for critical processes

(1) Digital Risk Officer – (2) Data Leak Prevention

Page 23

Takeaways: Data and People are structuring Digital Risk Management

Page 24

Takeaways: Privacy vs Security is still a challenge…

« Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety. »

Benjamin Franklin – 1705 - 1790