On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. Are you properly prepared? According to Gartner, not many will be: “By the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements”.
3. The latest research
• A majority of FTSE 350 and Fortune 500 companies are overestimating their capabilities when it comes to GDPR compliance.
• 92 per cent of European businesses are unprepared for GDPR.
According to research from law firm Paul Hastings.
Survey of 400 European businesses by RSM and the European Business Awards.
4. GDPR is Here! What now?
Are you compliant? Or in a state of readiness?
• Your company is in a constant state of change.
• Your processes are in a constant state of change.
What happens to your GDPR team going forward?
Legal | Marketing | Infosec | IT
5. What priorities should drive your readiness?
Tracking key GDPR readiness priorities:
• Analysis of data
• Retention
• Technical security
• Data deletion
• Communicating to the business
• Data flows
6. What personal information should you be concerned with?
“Any information relating to the identified or identifiable natural person”
Examples: shoe size, eye color, IP address, hair color, DNA, RNA, name, address, phone, weight, online identifier, income, cultural profile, GPS/localization, email, browser cookies, race, religion, image, fingerprint, height, biometrics.
7. Which Security Controls Should be in Place?
Logging | Access Control | Data Mapping | Authentication | Encryption | Anti-Malware
8. What about Shadow IT?
Are you able to track unsanctioned user activity?
We don’t know what we don’t know.
• Data ownership issues
• Data flows
• Data Protection Impact Assessment
9. CISO Challenges
• Best of Breed Security
• Privacy by Design
• 72 Hour Reporting
• Encryption Challenges
“Only 20% of GDPR is within my purview!”
10. How Zscaler can Help
• SSL interception at scale
• Application visibility: all ports, all protocols
• Payload data is not written to disk
• Logging data retained within the European Union
• Pseudonymisation and obfuscation where required
We need to frame the discussion around the areas we want to discuss.
A Royal Mail Data Services survey has found that three out of 10 UK companies are falling short of the data quality required for the EU’s General Data Protection Regulation
Almost one-third of UK organisations lack the data quality enforcement processes required for the EU’s General Data Protection Regulation (GDPR), according to research from Royal Mail Data Services.
FTSE 350 and F500 overstating readiness: https://ibsintelligence.com/ibs-journal/fortune-ftse-companies-declare-readiness-gdpr-half-actually-anything/
Market research business Forrester has identified that 80% of firms affected by the GDPR will not be compliant with the Regulation when it comes into force on 25 May 2018. https://www.lexology.com/library/detail.aspx?g=353b4336-657f-4db7-a13d-ba06e3881bdb
92 per cent of European businesses are unprepared for GDPR. Survey of 400 European businesses by RSM and the European Business Awards. https://www.institutionalassetmanager.co.uk/2017/12/08/259129/92-cent-european-businesses-are-unprepared-gdpr
Communicating to the organisation: we could expand this section into 1. educating internally on the GDPR and 2. ensuring consistent and effective communication between departments.
How do you ensure a joined up approach across departments?
Data protection from external sources. Website etc.
Chris – clearly, there are lots of things to do – what should an organisation focus on?
We’ve put on screen a number of data-centric points which I’ll come onto in a moment but, for me, the most important thing is to work on understanding the business architecture of your company.
What about shadow IT and apps held outside the organisation which the organisation doesn’t know about?
How will this impact Privacy by Design?
How will this impact DPIAs?
Chris, you write regularly about the challenges for the CISO – I see you’ve noted down a few in relation to GDPR.
Article 17 – Right to Erasure – how to make sure data is securely and appropriately removed from systems – tough when systems are relational databases.
Article 33 – 72-hour reporting window.
Could you talk us through them?
Seed questions:
You spoke about multiple data centres – how does that help us with GDPR requirements?
What about my mobile and roaming users?
Can I go anywhere to find further information about Zscaler and GDPR?