
GDPR security services - Are you ready?


GDPR will replace the national data protection laws of all 28 EU member states in May 2018 and applies to any organization that processes data of EU data subjects.

Published in: Law


  1. General Data Protection Regulation (GDPR): IBM Approach Description. IBM Security Services, 19 September 2016
  2. GDPR = General Data Protection Regulation
     • GDPR will replace the national data protection laws of all 28 EU member states in May 2018.
     • GDPR also has international reach, applying to any organization that processes data of EU data subjects.
     • Fines for non-compliance will increase substantially, up to a maximum fine of €20 million or 4% of global annual sales, whichever is higher.
     • GDPR will fundamentally change the way companies must manage personal data.
     IBM is getting ready: as a large data processor, IBM understands its responsibilities and has set up an Advanced Data Protection Program that will also help its customers address the GDPR.
  3. Terms: the most important terms you need to know when talking about data privacy.
     Supervisory Authority:
     • Data protection regulators.
     • One-stop shop: companies active in multiple EU countries can choose a first point of contact, e.g. a central supervisory authority for all their business in the EU. This lead supervisory authority then supervises all processing activities throughout the EU.
     • The EU will create a European Data Protection Board (EDPB) to arbitrate in disputes arising from supervisory authority decisions.
     Data Protection Officer (DPO):
     • Advises on and monitors GDPR/privacy law/policy compliance, conducts awareness trainings, advises with regard to privacy impact assessments (PIA) / audits, and is the contact for supervisory authorities.
     • A DPO can be a member of staff or a hired contractor. Group companies can share a DPO.
     • The DPO's contact details must be published.
     • Required for: public authorities (with some minor exceptions); any organisation that processes personal data on a "large scale" or that monitors personal data; companies in e.g. Germany (national law).
     Processor:
     • Person (legal entity or individual) that processes personal data on behalf of the controller.
     • Example: typically IBM in the context of providing services to a client (e.g. client payroll).
     Controller:
     • Person (legal entity or individual) that determines the purpose and the means of the processing of personal data.
     • The controller has the responsibility to determine and implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure or access.
     • Example: if IBM runs the payroll service for a client, the client has to fulfil the role of controller and ensure that the payroll service receives only the information necessary for processing.
     Processing:
     • Operations performed on personal data.
     • The EU Directive gives examples: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
     Sensitive Personal Data (subcategory of Personal Data):
     • Gets extra protection under the law: information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life (again not a closed list; it can be extended by national legislation).
     Personal Data:
     • Information that can identify a person (an individual), not a legal person (e.g. a company). There is no closed list of what personal data is.
     • Examples: name, email address, telephone number, address, license plate, an IP address, a photo, or a combination of information that could lead to identifying a person.
     • In other parts of the world (e.g. in the US, and thus also IBM internally) the term "Personally Identifiable Information" (PII) is often used: a rather similar term (ignoring legal subtleties).
  4. Ready for GDPR? Questions to ask yourself
     • Do you collect personal data? Do you collect sensitive personal data? Where do you process personal data? Where do you store personal data? Do you move personal data outside the EU?
     • Do you deploy privacy by design techniques? Have you set up organizational and technical measures to prevent uncontrolled collection, unauthorized access and retrieval of personal data?
     • Do you have a data classification program? Are you able to produce a copy on record of personal data on request?
     • Do you have a response process to address requests by individuals? Are you able to provide evidence that you deleted personal data as requested?
     • Do you have a data governance program in place? Have you set up organizational measures (access limitation, processes, governance, collection minimization)? Do you have a designated person responsible for privacy in your organization?
     • Do you actively monitor external news on data breaches? Do you have a remediation process to address data breaches? Do you have an established ERS (emergency response service)?
  5. Why IBM? IBM covers the full program across three phases (Legal Getting Ready; Program Setup; Program Execution and Implementation) and four service types (Readiness Assessments (Legal), Consulting Services, Security Software, Implementation Guidance), with:
     • Legally-trained consultants for the readiness phase
     • Data protection experts for consulting services for business
     • Industry-leading security tools
     • Implementation specialists
  6. IBM helps address protection of personal data in all phases of a Personal Data Protection Program:
     • IDENTIFY personal data: Security Intelligence, Awareness, Gap Analysis, Identification of Personal Data
     • PREVENT privacy violations: Identity & Access Management, Database Security, Privacy by Design, Data Masking & Encryption
     • MANAGE personal data: Third-Party Management, Data Governance, Privacy Officer, Information Requests
     • DETECT & RESPOND (data breach handling): Emergency Response Services, Monitoring & Detection, Remediation, Resilient Systems, Access Rights Mapping
  7. Roadmap GDPR Program (Example 1): manufacturer with existing SIEM/SOC (8x5) capabilities; IT environment managed by a third party. Delivery team: Data Privacy Experts and SOC/SIEM consultants. Timeline Q2 2016 to Q4 2018, with GDPR enforcement in May 2018.
     • Work Stream 1 (IDENTIFY): Project Mobilization & Identification of Personal Data
     • Work Stream 2 (MANAGE): Set up Data Protection Governance
     • Work Stream 3 (PREVENT): Embedding Privacy by Design
     • Work Stream 4 (DETECT & RESPOND): Establishing Data Breach Protection & Monitoring
     • Continuous Data Protection capabilities delivery: Applied PbD, Compliance Model, New Trends & Technologies
  8. Thank you. Follow us on: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
     © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
     Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
