5. Concepts/Players
• Security ≠ Privacy
• DPIA (Data Protection Impact Assessment)
• Personally Identifiable Information (PII)
• DPO (Data Protection Officer) / GDPR Owner
• PIMS (Personal Information Management System)
• DPPS (Data Protection Policy Statement)
• DP (Data Processor)
• DC (Data Collector)
• Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience, Correctness
• ICO (Information Commissioner's Office, UK)
• EU (European Union, 28 countries, soon 27!)
• NIST (National Institute of Standards and Technology)
6. GDPR Main Characteristics
• Scope
• Consent
• Fines and Penalties
• Privacy by Design
• Data Protection Impact Analysis (DPIA or PIA)
• Data Portability
• Right to Access
• Right to be Forgotten
• Breach Notification
7. Where to Start: Roadmap
• Identify GDPR Data
• Map GDPR Data
• Mapping GDPR data to the risks
• Mapping safeguarding requirements to data classification
• Mapping safeguarding requirements to the IT governance framework
• Confidentiality, Integrity, Availability, Authenticity, Compliance, Resilience and Correctness
8. Roadmap (Cont.)
• Resilience is related to business continuity and disaster recovery (DR)
• Adequate incident management
• GDPR requires Authenticity and Corrective Action Management
9. Roadmap (Cont.)
• Minimisation: Least Privilege
• Pseudonymisation: the processing of personal data in a way that it can no longer be attributed to a specific data subject
• Encryption of all communication, file systems, storage, backups, …
• Documentation: all relevant matters are to be documented for the purpose of change management
• Risk Assessment: GDPR does not prescribe any specific security measures but requires a risk assessment (RA) to be performed. But which risk?
• Data Protection Impact Assessment (DPIA) or Privacy Impact Analysis (PIA): ISO 31000 or ISO/IEC 29134
• Implementation of SIEM, Security Analytics, MDM, …
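The pseudonymisation bullet above is the one measure on this slide that is easy to get wrong in practice: hashing an identifier with a plain, unkeyed hash still lets anyone who can guess the input (an email address, a customer number) re-attribute the record. The following Python script is an added illustration, not part of the original slide deck, and uses constructed sample records; the field names (`customer_id`, `email`, `order_total_pence`) and the `IDENTIFIER_FIELDS` classification are assumptions. It replaces direct identifiers with keyed HMAC-SHA256 pseudonyms so that the same data subject still links across records (analytics keep working), while re-identification requires the key, which the controller holds separately from the pseudonymised data set. A small dictionary check shows why the key matters.

```python
"""Keyed pseudonymisation of personal-data records (added example, not from the slides)."""
import hashlib
import hmac
import secrets

# Constructed sample records: the people and values are invented for this example.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "postcode": "AB1 2CD", "order_total_pence": 4250},
    {"customer_id": "C-1002", "email": "bob@example.com",   "postcode": "EF3 4GH", "order_total_pence": 1700},
    {"customer_id": "C-1001", "email": "alice@example.com", "postcode": "AB1 2CD", "order_total_pence": 999},
]

# Hypothetical data classification: fields that identify a data subject directly.
# Deciding this list is the "Identify GDPR data" step of the roadmap; it is an assumption here.
IDENTIFIER_FIELDS = ("customer_id", "email")

TOKEN_LEN = 24  # hex characters kept from the digest; 96 bits is enough to avoid collisions here


def new_pseudonymisation_key() -> bytes:
    """The controller generates this once and stores it apart from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input and same key always give the same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def unkeyed_token(value: str) -> str:
    """The weak alternative: a plain hash, shown only to contrast with the keyed version."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:TOKEN_LEN]


def pseudonymise(records, key: bytes, fields=IDENTIFIER_FIELDS):
    """Return copies of the records with every identifier field replaced by its pseudonym."""
    result = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            if field in copy:
                copy[field] = pseudonym(str(copy[field]), key)
        result.append(copy)
    return result


def totals_by_subject(pseudo_records):
    """Analytics still work on the pseudonymised set because linkability is preserved."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["customer_id"]] = totals.get(rec["customer_id"], 0) + rec["order_total_pence"]
    return totals


def dictionary_reversal(token: str, candidates, key: bytes = None):
    """Defender's check: can the token be mapped back to a value by trying plausible inputs?

    Without the key only the unkeyed scheme can be tested; with the key this is exactly
    the controller's legitimate re-identification step.
    """
    for candidate in candidates:
        guess = pseudonym(candidate, key) if key is not None else unkeyed_token(candidate)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    shared = pseudonymise(SAMPLE_RECORDS, key)      # this is what a processor would receive
    print("pseudonymised records:", shared)
    print("totals per subject:", totals_by_subject(shared))
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("unkeyed hash reversed to:", dictionary_reversal(unkeyed_token("alice@example.com"), guesses))
    print("keyed token reversed without key:", dictionary_reversal(shared[0]["email"], guesses))
    print("keyed token reversed by key holder:", dictionary_reversal(shared[0]["email"], guesses, key))
```

The design point is the separation of the key from the data: the pseudonymised set can be handed to a processor or an analytics team, and only the party holding the key (normally the controller) can turn a token back into a person. Rotating the key produces an entirely new set of tokens, which is what you want when a data set is shared with a new recipient.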
10. Data Protection Policy Statement (DPPS)
Organisations should answer the following questions in regards to the DPPS:
• What will be done?
• What resources will be required?
• Who will be responsible?
• When will it be completed?
• How will the results be evaluated?
11. Data Protection Policy Statement (DPPS) (Cont.)
• The DPPS describes the GDPR compliance that is relevant to other policies, such as the Information Security Policy
• The Board of Directors should approve and support the development, implementation, maintenance and continual improvement of a documented Personal Information Management System (PIMS). The BoD is responsible and accountable
• The establishment of objectives for data protection and privacy, which are recorded in the PIMS and the GDPR Objectives Record
12. Data Protection Policy Statement (DPPS) (Cont.)
• The Data Protection Officer (DPO)/GDPR owner is responsible for reviewing the register of processing annually in the light of any changes to the organisation's activities
• The DPPS applies to all employees/staff
• Partners and any third parties working with or for the organisation who have, or may have, access to personal data are expected to have read and understood the DPPS and to comply with it
13. Standards and Guidelines
• ISO 27000:2014
• ISO 27001:2013
• ISO/IEC 27017:2015
• ISO 27018:2014
• ISO/IEC 29151
• ISO/IEC 29100
• ISO/IEC 29134:2017
• ISO/IEC 29151:2017
• COBIT
• ISO 31000
• NIST
14. IT Must Ensure:
• Controls are implemented to reduce the risk of data being compromised, and those controls actually manage the identified risks
• Authentication and authorisation are provided to a single entity for GDPR data
• A single application is allocated to GDPR data
• All systems and services are monitored
• An incident management process is in place
15. GDPR Misunderstandings
• Fine obscurity
• It is not just about EU citizens
• GDPR is not simply DLP
• Purchasing a new solution doesn't cover everything
• Outsourcing doesn't free us from responsibility
16. Concluding Points
• Data classification and risk assessment are at the heart of GDPR; GDPR will therefore be tied to risk management and assurance objectives
• The maturity level of risk mitigation and IT governance defines the maturity of GDPR readiness
• GDPR will reinforce the IT security governance framework for organisations that have one; for those that don't, it will create a legal purpose to build one
• GDPR will help organisations build effective, more secure IT services and systems, and create an environment of trust and simplification of complex IT security measures
Editor's Notes
Obscurity – is GDPR about making us obscure/unknown?