© 2016 IDERA, Inc. All rights reserved.
Proprietary and confidential.
© 2017 IDERA, Inc. All rights reserved.
GETTING STARTED WITH GDPR COMPLIANCE
Kim Brushaber, IDERA, Senior Product Manager
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
MAY 25, 2018
The Day that GDPR goes into effect
213 Days from now
WHY DO WE NEED GDPR?
• Let’s Start with Some Data Facts
Over 5 million data records are lost or stolen every day
http://breachlevelindex.com/
The median number of days that attackers stay dormant within a network before detection is 200 days
https://swimlane.com/10-hard-hitting-cyber-security-statistics/
The average cost of a single data breach in 2020 will exceed $150 million, as more business infrastructure gets connected
https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
EQUIFAX DATA BREACH
• The breach affected 145.5 million customers
• Employees acknowledged a security issue with their web application (using Apache Struts) 2 months before the breach occurred
  ◦ The patch came out 4 months beforehand on Mar 8, 2017
• It took a full day to respond to the data breach which took the flawed web application offline (July 29 - 30, 2017)
• 6 weeks after the breach, the public was alerted (Sept 7, 2017)
• The communication to respond to the breach included a website that was not owned by Equifax (luckily it was not malicious)
• Equifax is not alone – there have been 25 Very High Profile Cyber Attacks in 2017 so far (http://www.wired.co.uk/article/hacks-data-breaches-2017)
INDIVIDUAL CONCERNS IN DATA SECURITY
• By 2020 over 30 Billion devices will be connected to the internet
• 49% of Americans feel that their personal information is less secure than it was five years ago
• Over 73% of consumers in America want companies to be transparent about personal data
• 78% of people claim to be aware of the risks of unknown links in emails, yet click on those links anyway
• 86% of internet users are actively trying to minimize, anonymize and hide the visibility of their digital footprints
Facts pulled from: Data Privacy Day | National Cyber Security Alliance and Zogby Consumer Poll | Pew Research Center | https://blog.barkly.com/cyber-security-statistics-2017
DATA SECURITY INDUSTRY FACTS
• 95% of breached data records in 2016 came from:
  ◦ Government
  ◦ Retail
  ◦ Technology
• 43% of cyber attacks targeted small businesses
• Over 75% of the health care industry was infected with malware in the past year
• 70% of US oil and gas companies were hacked last year
Facts pulled from: http://www.techrepublic.com/article/forrester-what-can-we-learn-from-a-disastrous-year-of-hacks-and-breaches/ | https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html | https://www.scmagazine.com/75-of-healthcare-industry-hit-with-malware-report/article/569614/ | http://www.businesswire.com/news/home/20170216005632/en/Study-Reveals-Cybersecurity-Readiness-Gaps-America%E2%80%99s-Oil
DATA SECURITY EXECUTIVE PERSPECTIVE
• 90% of CIOs admit to wasting millions on inadequate cybersecurity
• 90% of CIOs have already been attacked or expect to be attacked by bad guys hiding in their encryption
• 87% of CIOs believe their security controls are failing to protect their businesses
• 85% of CIOs expect criminal misuse of keys and certificates to get worse
https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf
DATA SECURITY PREPAREDNESS
• In 2014 70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies
• 52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017
• Only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack
• Only 37% of organizations have a cyber incident response plan
Facts pulled from: https://blog.barkly.com/cyber-security-statistics-2017 | https://swimlane.com/10-hard-hitting-cyber-security-statistics/ | PWC Economic Crime Survey | https://www.wired.com/insights/2014/09/millennials-mobile-security/
HOW DO WE START TO ADDRESS THIS?
• What does GDPR Cover?
PERSONAL DATA COVERED BY GDPR
Any information that can be classified as personal details – or that can be used to determine your identity:
• Name
• Identification number
• Email address
• Online user identifier
• Social media posts
• Physical, physiological or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
GDPR PRINCIPLES (ARTICLE 5)
Personal data shall be:
• Processed lawfully, fairly and in a transparent manner
  ◦ The public wants to know what you are doing with their data
• Collected for specified, explicit and legitimate purposes
  ◦ Bye-bye, Spam! (hopefully)
• Adequate, relevant and limited to what is necessary
  ◦ You can’t collect it and use it somewhere else
• Accurate and kept up to date
  ◦ Give your users ways to update their data
• Kept in a form which permits identification of data subjects for no longer than is necessary
  ◦ Tell people how long you’ll keep their information
• Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage
  ◦ Time to get really serious about stopping data breaches!
RIGHTS OF INDIVIDUALS VIA GDPR (ARTICLES 12 - 23)
• Right to access their personal data
• Right to rectification
  ◦ Users should be able to correct inaccurate info
• Right to erasure
  ◦ Users can request to be “forgotten”
• Right to restriction of processing
  ◦ Users can limit the way their information is processed
• Right to data portability
  ◦ Users should be able to obtain a copy of their data
• Right to object
  ◦ Users can object to the processing of their data
• Right to not be subjected to a decision based solely on automated processing or profiling
  ◦ This has significant impact on B2B Marketing
WHO IS RESPONSIBLE (CHAPTER 4, ARTICLES 24 - 43)
• Data Controller – Any organization that collects data from EU residents
• Data Processor – Organization that processes data on behalf of the controller (e.g. cloud service providers)
• Data Protection Officer – An individual within the organization that is an expert in Data Protection Law
GDPR PENALTIES/SANCTIONS (ARTICLE 83)
Depending on the nature of the infraction:
• A warning in writing in cases of first and non-intentional non-compliance
• Regular periodic data protection audits
• A fine of up to 10M Euro or 2% of annual worldwide turnover from the previous year
• A fine of up to 20M Euro or 4% of annual worldwide turnover from the previous year
WHAT ELSE IS IN GDPR?
ADDITIONAL ARTICLES TO CONSIDER
• Article 15 – Control Exposure to Personal Data
• Article 30 – Record Processing Activities
• Article 32 – Security of Processing (encryption)
• Article 33 – Notification of Personal Data Breach to Supervisory Authority
• Article 35 – Data Protection Impact Assessment (handling risks)
ADDITIONAL GDPR CONSIDERATIONS
• GDPR is explicit that you cannot store data “just in case”
  ◦ You should have very clear processes that indicate why you are storing the data
• GDPR is explicit that users can object to data profiling
  ◦ How will you limit data profiling and how do users opt out of profiling?
• GDPR states that you must have processes documented to outline:
  ◦ How and what data is collected?
  ◦ Where is data stored?
  ◦ Who has access to the data? And who should be able to access it?
  ◦ How do you remove the data when the time comes?
  ◦ How do you alert supervising authorities to a data breach?
HOW AND WHAT DATA IS COLLECTED?
* Business Process Diagram created using ER/Studio Business Architect
WHERE IS DATA STORED?
* Business Process Diagram created using ER/Studio Business Architect
WHO HAS ACCESS TO THE DATA?
* Business Process Diagram created using ER/Studio Business Architect
HOW DO YOU REMOVE THE DATA?
* Business Process Diagram created using ER/Studio Business Architect
WHAT HAPPENS WITH A DATA BREACH?
* Business Process Diagram created using ER/Studio Business Architect
GDPR COMPLIANCE PREPARATION
• How do I get started?
• Clearly-defined Business Processes are ESSENTIAL
GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM
* Business Process Diagram created using ER/Studio Business Architect
FOR MORE DETAILS ON GDPR PREPARATION
• Read the Blog via:
  ◦ http://community.idera.com/blog/b/community_blog/posts/getting-prepared-for-gdpr
  ◦ Or navigate to community.IDERA.com > Blog > “Getting Prepared for GDPR”
• Download the Whitepaper via:
  ◦ IDERA.com > Resources > Resource Center > “Whitepaper: Governing GDPR Challenges with Enterprise Data Architecture”
HOW ER/STUDIO BUSINESS ARCHITECT CAN HELP
• GDPR is going to require you to have your processes documented – ER/Studio Business Architect allows you to create Business Process Models to document those processes, complete with External Data Objects
• The act of creating Business Process Models allows all employees across the organization to identify where they are impacting personal data
• Checking these models into the Repository and publishing them to Team Server allows you to post these processes for the whole organization to have visibility
IMPORTANT POINTS TO REMEMBER
• Privacy Notices Must Be Transparent
  ◦ You must communicate in clear and plain language how you intend to use the personal information that you collect
• Customer’s Rights Must Be Upheld and Published Publicly
  ◦ You must communicate how you intend to uphold rights identified within the GDPR regulations
• Data Breaches Must Be Communicated Within 72 hours
  ◦ In order to respond quickly, everyone in your organization should know what their responsibilities are in the case of a breach
IN CONCLUSION
• GDPR is going to change the way we handle sensitive personal data in the future (and that’s not a bad thing)
• Companies need to review all of the personal data in their systems and understand how they will:
  ◦ Process it
  ◦ Encrypt it
  ◦ Secure it
• Large fines can be assessed if you collect data on EU members and do not comply with these regulations
• Companies will need to be transparent in their processes and have that information clearly documented for both internal employees as well as the customers they are collecting data on
THANKS!
Any questions?
You can find me on Twitter at:
Kim Brushaber
@Brushaber_IDERA
ADDITIONAL DETAILS ON GDPR ARTICLES
ARTICLE 15 – CONTROL EXPOSURE TO PERSONAL DATA
• Control accessibility - who is accessing data and how
• Minimize data being processed in terms of:
  ◦ Amount of data collected
  ◦ Extent of data processed
  ◦ Storage period
  ◦ Accessibility
• Produce safeguards for control management
ARTICLE 30 – RECORDS OF PROCESSING ACTIVITIES
• Log and monitor your operations
• Maintain an audit record of processing activities on personal data
• Monitor access to processing systems
ARTICLE 32 – SECURITY OF PROCESSING
Security mechanisms to protect personal data:
• Employ pseudonymization and encryption
• Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Restore availability and access in the event of an incident
• Provide a process for regularly testing and assessing effectiveness of security measures
ARTICLE 33 – NOTIFICATION OF PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY
• Detect breaches
• Assess the impact on personal data records
• Assess whether the personal data is identifiable
• Describe the nature of the breach
• Describe your measures to remedy it
ARTICLE 35 – DATA PROTECTION IMPACT ASSESSMENT
• Describe processing operations, including why you need them and how big they are
• Assess risks that are associated with processing personal data
• Apply measures to address risks and protect personal data
• Demonstrate (and document) your compliance with GDPR
GDPR COMPLIANCE PREPARATION
GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM
* Business Process Diagram created using ER/Studio Business Architect
SET UP DATA PROTECTION OFFICER(S)
• Data Protection Officers have expert knowledge on Data Protection Law
• They are like Compliance Officers but are experts on:
  ◦ IT processes
  ◦ Data security
  ◦ Continuity issues regarding holding and processing personal info
• They are responsible for cooperating with the supervising authority
CREATE ORGANIZATIONAL AWARENESS AND PRODUCE GUIDELINES
• Your organization should be aware of the GDPR regulations and how they impact data
• You should produce guidelines or procedures that identify what to do with personal information across your systems
• Processes and procedures regarding GDPR regulations and personal information should be available throughout the organization
• Engage your employees to help to create your processes if you have not already done so
ANALYZE DATA ACROSS ALL APPLICATIONS, DATA MODELS AND DATABASES
• Which servers and/or databases contain personal data?
• Which columns or rows can be marked as containing personal data?
• Which systems are involved in storing or moving sensitive data?
• Who has access to what elements of data in the database system?
• What elements and features of the database systems can be accessed and potentially exploited to gain access to those systems?
• Where does the data go when it leaves your systems?
REVIEW EXISTING PROCEDURES THAT PERTAIN TO GDPR
• How can I be more transparent in what activities are taken in regards to personal data?
• How do I create evidence that I am in compliance?
• How do I ensure that all of my processes and procedures are kept up to date?
• How do I ensure that all of my processes and procedures are being followed?
REVIEW DATA PRIVILEGES AND ACCOUNTABILITIES
• How can I ensure that the right people are accessing the information?
• What do I need to do to limit who can access the sensitive data?
• Who is accountable for the different aspects of personal information?
• How can I keep track of who has accessed sensitive data?
DOCUMENT AND MANAGE INDIVIDUAL RIGHTS
• Step through the Individuals’ Rights (Articles 12-23) and identify how you plan to address them
  ◦ Right to access their personal data
  ◦ Right to rectification
  ◦ Right to erasure
  ◦ Right to restriction of processing
  ◦ Right to data portability
  ◦ Right to object
  ◦ Right to not be subjected to a decision based solely on automated processing or profiling
• Keep records of what customers have consented to and when they consented to it
DEFINE DATA BREACH PROCESS
• Which security controls are in place to protect the data?
• What levels of encryption are in place?
  ◦ While in transit between systems
  ◦ While at rest in my system
  ◦ While in use by my system
• When do I need to make my data available?
• What mechanisms are in place to prevent data loss?
• How do I detect a breach with my data?
• How can I respond to a breach that has occurred?
DEVELOP DATA IMPACT ASSESSMENT
• What are the impacts of unintended data changes?
• What are the risks associated with unintended data changes?
• Where are data elements used across applications and databases?
• How will you ensure that compliance with these procedures continues?
• What are the risks of falling behind on compliance?
THANKS!
Any questions?
You can find me on Twitter at:
Kim Brushaber
@Brushaber_IDERA

Getting Started with GDPR Compliance

  • 1.
    © 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. © 2017 IDERA, Inc. All rights reserved. GETTING STARTED WITH GDPR COMPLIANCE Kim Brushaber, IDERA, Senior Product Manager
  • 2.
    2© 2017 IDERA,Inc. All rights reserved. WHAT IS GDPR?
  • 3.
    “ 3© 2017 IDERA,Inc. All rights reserved. The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).
  • 4.
    © 2017 IDERA,Inc. All rights reserved. MAY 25, 2018 The Day that GDPR goes into effect 213 Days from now
  • 5.
    5© 2017 IDERA,Inc. All rights reserved. WHY DO WE NEED GDPR?  Let’s Start with Some Data Facts
  • 6.
    “ 6© 2017 IDERA,Inc. All rights reserved. Over 5 million data records are lost or stolen every day http://breachlevelindex.com/
  • 7.
    “ 7© 2017 IDERA,Inc. All rights reserved. The median number of days that attackers stay dormant within a network before detection is 200 days https://swimlane.com/10-hard-hitting-cyber-security-statistics/
  • 8.
    “ 8© 2017 IDERA,Inc. All rights reserved. The average cost of a single data breach in 2020 will exceed $150 million, as more business infrastructure gets connected https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
  • 9.
    9© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 9© 2017 IDERA, Inc. All rights reserved. EQUIFAX DATA BREACH  The breach affected 145.5 million customers  Employees acknowledged a security issue with their web application (using Apache Struts) 2 months before the breach occurred • The patch came out 4 months beforehand on Mar 8, 2017  It took a full day to respond to the data breach which took the flawed web application offline (July 29 - 30, 2017)  6 weeks after the breach, the public was alerted (Sept 7, 2017)  The communication to respond to the breach included a website that was not owned by Equifax (luckily it was not malicious)  Equifax is not alone – there have been 25 Very High Profile Cyber Attacks in 2017 so far (http://www.wired.co.uk/article/hacks-data-breaches-2017)
  • 10.
    10© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 10© 2017 IDERA, Inc. All rights reserved. INDIVIDUAL CONCERNS IN DATA SECURITY  By 2020 over 30 Billion devices will be connected to the internet  49% of Americans feel that their personal information is less secure than it was five years ago  Over 73% of consumers in America want companies to be transparent about personal data  78% of people claim to be aware of the risks of unknown links in emails, yet click on those links anyway  86% of internet users are actively trying to minimize, anonymize and hide the visibility of their digital footprints Facts pulled from: Data Privacy Day | National Cyber Security Alliance and Zogby Consumer Poll | Pew Research Center | https://blog.barkly.com/cyber-security-statistics-2017
  • 11.
    11© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 11© 2017 IDERA, Inc. All rights reserved. DATA SECURITY INDUSTRY FACTS  95% of breached data records in 2016 came from: • Government • Retail • Technology  43% of cyber attacks targeted small businesses  Over 75% of the health care industry was infected in malware in the past year  70% of US oil and gas companies were hacked last year Facts pulled from: http://www.techrepublic.com/article/forrester-what-can-we-learn-from-a-disastrous-year-of-hacks-and-breaches/ | https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html | https://www.scmagazine.com/75-of-healthcare-industry-hit-with-malware- report/article/569614/ | http://www.businesswire.com/news/home/20170216005632/en/Study-Reveals-Cybersecurity-Readiness-Gaps-America%E2%80%99s-Oil
  • 12.
    12© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 12© 2017 IDERA, Inc. All rights reserved. DATA SECURITY EXECUTIVE PERSPECTIVE  90% of CIOs admit to wasting millions on inadequate cybersecurity  90% of CIOs have already been attacked or expect to be attacked by bad guys hiding in their encryption  87% of CIOs believe their security controls are failing to protect their businesses  85% of CIOs expect criminal misuse of keys and certificates to get worse https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf
  • 13.
    13© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 13© 2017 IDERA, Inc. All rights reserved. DATA SECURITY PREPAREDNESS  In 2014 70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies  52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017  Only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack  Only 37% of organizations have a cyber incident response plan Facts pulled from: https://blog.barkly.com/cyber-security-statistics-2017 | https://swimlane.com/10-hard-hitting-cyber-security-statistics/ | PWC Economic Crime Survey | https://www.wired.com/insights/2014/09/millennials-mobile-security/
  • 14.
    14© 2017 IDERA,Inc. All rights reserved. HOW DO WE START TO ADDRESS THIS?  What does GDPR Cover?
  • 15.
    15© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 15© 2017 IDERA, Inc. All rights reserved. PERSONAL DATA COVERED BY GDPR Any information that can be classified as personal details – or that can be used to determine your identity  Name  Identification number  Email address  Online user identifier  Social media posts  Physical, physiological or genetic information  Medical information  Location  Bank details  IP address  Cookies
  • 16.
    16© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 16© 2017 IDERA, Inc. All rights reserved. GDPR PRINCIPLES (ARTICLE 5) Personal data shall be:  Processed lawfully, fairly and in a transparent manner • The public wants to know what you are doing with their data  Collected for specified, explicit and legitimate purposes • Bye-bye, Spam! (hopefully)  Adequate, relevant and limited to what is necessary • You can’t collect it and use it somewhere else  Accurate and kept up to date • Give your users ways to update their data  Kept in a form which permits identification of data subjects for no longer than is necessary • Tell people how long you’ll keep their information  Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage • Time to get really serious about stopping data breaches!
  • 17.
    17© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 17© 2017 IDERA, Inc. All rights reserved. RIGHTS OF INDIVIDUALS VIA GDPR (ARTICLES 12 - 23)  Right to access their personal data  Right to rectification • Users should be able to correct inaccurate info  Right to erasure • Users can request to be “forgotten”  Right to restriction of processing • Users can limit the way their information is processed  Right to data portability • Users should be able to obtain a copy of their data  Right to object • Users can object to the processing of their data  Right to not be subjected to a decision based solely on automated processing or profiling • This has significant impact on B2B Marketing
  • 18.
    18© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 18© 2017 IDERA, Inc. All rights reserved. WHO IS RESPONSIBLE (CHAPTER 4, ARTICLES 24 - 43)  Data Controller – Any organization that collects data from EU residents  Data Processor – Organization that processes data on behalf of the controller (i.e. cloud service providers)  Data Protection Officer – An individual within the organization that is an expert in Data Protection Law
  • 19.
    19© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 19© 2017 IDERA, Inc. All rights reserved. GDPR PENALTIES/SANCTIONS (ARTICLE 83) Depending on the nature of the infraction:  A warning in writing in cases of first and non-intentional non-compliance  Regular periodic data protection audits  A fine of up to 10M Euro or 2% of annual worldwide turnover from the previous year  A fine of up to 20M Euro or 4% of annual worldwide turnover from the previous year
  • 20.
    20© 2017 IDERA,Inc. All rights reserved. WHAT ELSE IS IN GDPR?
  • 21.
    21© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 21© 2017 IDERA, Inc. All rights reserved. ADDITIONAL ARTICLES TO CONSIDER  Article 15 – Control Exposure to Personal Data  Article 30 – Record Processing Activities  Article 32 – Security of Processing (encryption)  Article 33 – Notification of Personal Data Breach to Supervisory Authority  Article 35 – Data Protection Impact Assessment (handling risks)
  • 22.
    22© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 22© 2017 IDERA, Inc. All rights reserved. ADDITIONAL GDPR CONSIDERATIONS  GDPR is explicit that you can not store data “just in case” • You should have very clear processes that indicate why you are storing the data  GDPR is explicit that users can object to data profiling • How will you limit data profiling and how do users opt out of profiling?  GDPR states that you must have processes documented to outline: • How and what data is collected? • Where is data stored? • Who has access to the data? And who should be able to access it? • How do you remove the data when the time comes? • How do you alert supervising authorities to a data breach?
  • 23.
    23© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 23© 2017 IDERA, Inc. All rights reserved. HOW AND WHAT DATA IS COLLECTED? * Business Process Diagram created using ER/Studio Business Architect
  • 24.
    24© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 24© 2017 IDERA, Inc. All rights reserved. WHERE IS DATA STORED? * Business Process Diagram created using ER/Studio Business Architect
  • 25.
    25© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 25© 2017 IDERA, Inc. All rights reserved. WHO HAS ACCESS TO THE DATA? * Business Process Diagram created using ER/Studio Business Architect
  • 26.
    26© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 26© 2017 IDERA, Inc. All rights reserved. HOW DO YOU REMOVE THE DATA? * Business Process Diagram created using ER/Studio Business Architect
  • 27.
    27© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 27© 2017 IDERA, Inc. All rights reserved. WHAT HAPPENS WITH A DATA BREACH? * Business Process Diagram created using ER/Studio Business Architect
  • 28.
    28© 2017 IDERA,Inc. All rights reserved. GDPR COMPLIANCE PREPARATION  How do I get started?  Clearly-defined Business Processes are ESSENTIAL
  • 29.
    29© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 29© 2017 IDERA, Inc. All rights reserved. GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM * Business Process Diagram created using ER/Studio Business Architect
  • 30.
    30© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 30© 2017 IDERA, Inc. All rights reserved. FOR MORE DETAILS ON GDPR PREPARATION  Read the Blog via: • http://community.idera.com/blog/b/community_blog/posts/gettin g-prepared-for-gdpr • Or navigate to community.IDERA.com >Blog > “Getting Prepared for GDPR”  Download the Whitepaper via: • IDERA.com > Resources > Resource Center> “Whitepaper: Governing GDPR Challenges with Enterprise Data Architecture”
  • 31.
    31© 2016 IDERA,Inc. All rights reserved. Proprietary and confidential. 31© 2017 IDERA, Inc. All rights reserved. HOW ER/STUDIO BUSINESS ARCHITECT CAN HELP  GDPR is going to require you to have your processes documented – ER/Studio Business Architect allows you to create Business Process Models to document those processes, complete with External Data Objects  The act of creating Business Process Models allows all employees across the organization to identify where they are impacting personal data  Checking these models into the Repository and publishing them to Team Server allows you to post these processes for the whole organization to have visibility
32. IMPORTANT POINTS TO REMEMBER
• Privacy Notices Must Be Transparent
  • You must communicate in clear and plain language how you intend to use the personal information that you collect
• Customers’ Rights Must Be Upheld and Published Publicly
  • You must communicate how you intend to uphold the rights identified within the GDPR regulations
• Data Breaches Must Be Communicated Within 72 Hours
  • In order to respond quickly, everyone in your organization should know what their responsibilities are in the case of a breach
33. IN CONCLUSION
• GDPR is going to change the way we handle sensitive personal data in the future (and that’s not a bad thing)
• Companies need to review all of the personal data in their systems and understand how they will:
  • Process it
  • Encrypt it
  • Secure it
• Large fines can be assessed if you collect data on EU members and do not comply with these regulations
• Companies will need to be transparent in their processes and have that information clearly documented for both internal employees as well as the customers they are collecting data on
34. THANKS! Any questions? You can find me on Twitter at: Kim Brushaber @Brushaber_IDERA
35. ADDITIONAL DETAILS ON GDPR ARTICLES
36. ARTICLE 15 – CONTROL EXPOSURE TO PERSONAL DATA
• Control accessibility - who is accessing data and how
• Minimize data being processed in terms of:
  • Amount of data collected
  • Extent of data processed
  • Storage period
  • Accessibility
• Produce safeguards for control management
37. ARTICLE 30 – RECORDS OF PROCESSING ACTIVITIES
• Log and monitor your operations
• Maintain an audit record of processing activities on personal data
• Monitor access to processing systems
38. ARTICLE 32 – SECURITY OF PROCESSING
Security mechanisms to protect personal data:
• Employ pseudonymization and encryption
• Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Restore availability and access in the event of an incident
• Provide a process for regularly testing and assessing the effectiveness of security measures
39. ARTICLE 33 – NOTIFICATION OF PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY
• Detect breaches
• Assess the impact on personal data records
• Assess whether the personal data is identifiable
• Describe the nature of the breach
• Describe your measures to remedy it
40. ARTICLE 35 – DATA PROTECTION IMPACT ASSESSMENT
• Describe processing operations, including why you need them and how big they are
• Assess risks that are associated with processing personal data
• Apply measures to address risks and protect personal data
• Demonstrate (and document) your compliance with GDPR
41. GDPR COMPLIANCE PREPARATION
42. GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM
* Business Process Diagram created using ER/Studio Business Architect
43. SET UP DATA PROTECTION OFFICER(S)
• Data Protection Officers have expert knowledge of Data Protection Law
• They are like Compliance Officers but are experts on:
  • IT processes
  • Data security
  • Continuity issues regarding holding and processing personal info
• They are responsible for cooperating with the supervising authority
44. CREATE ORGANIZATIONAL AWARENESS AND PRODUCE GUIDELINES
• Your organization should be aware of the GDPR regulations and how they impact data
• You should produce guidelines or procedures that identify what to do with personal information across your systems
• Processes and procedures regarding GDPR regulations and personal information should be available throughout the organization
• Engage your employees to help to create your processes if you have not already done so
45. ANALYZE DATA ACROSS ALL APPLICATIONS, DATA MODELS AND DATABASES
• Which servers and/or databases contain personal data?
• Which columns or rows can be marked as containing personal data?
• Which systems are involved in storing or moving sensitive data?
• Who has access to what elements of data in the database system?
• What elements and features of the database systems can be accessed and potentially exploited to gain access to those systems?
• Where does the data go when it leaves your systems?
46. REVIEW EXISTING PROCEDURES THAT PERTAIN TO GDPR
• How can I be more transparent in what activities are taken in regards to personal data?
• How do I create evidence that I am in compliance?
• How do I ensure that all of my processes and procedures are kept up to date?
• How do I ensure that all of my processes and procedures are being followed?
47. REVIEW DATA PRIVILEGES AND ACCOUNTABILITIES
• How can I ensure that the right people are accessing the information?
• What do I need to do to limit who can access the sensitive data?
• Who is accountable for the different aspects of personal information?
• How can I keep track of who has accessed sensitive data?
48. DOCUMENT AND MANAGE INDIVIDUAL RIGHTS
• Step through the Individuals’ Rights (Articles 12-23) and identify how you plan to address them
  • Right to access their personal data
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to not be subjected to a decision based solely on automated processing or profiling
• Keep records of what customers have consented to and when they consented to it
49. DEFINE DATA BREACH PROCESS
• Which security controls are in place to protect the data?
• What levels of encryption are in place?
  • While in transit between systems
  • While at rest in my system
  • While in use by my system
• When do I need to make my data available?
• What mechanisms are in place to prevent data loss?
• How do I detect a breach with my data?
• How can I respond to a breach that has occurred?
50. DEVELOP DATA IMPACT ASSESSMENT
• What are the impacts of unintended data changes?
• What are the risks associated with unintended data changes?
• Where are data elements used across applications and databases?
• How will you ensure that compliance with these procedures continues?
• What are the risks of falling behind on compliance?