
GDPR: Requirements for Cloud Providers


Published on

This webinar delivers an overview of:
- The GDPR and what it means for Cloud service providers
- The technical and organisational measures applicable to Cloud service providers
- The policies and procedures required by the GDPR
- The 'privacy by design' and 'privacy by default' requirements
- The rights of data subjects
- Breach notification obligations
- The impact of subcontracting on Cloud service providers
- ISO 27018 and implementing security controls for personally identifiable information in the Cloud.

A recording of this webinar is available here:
https://www.youtube.com/watch?v=8i7adBubDzw

Published in: Business


  1. GDPR: Requirements for Cloud Providers
     Alan Calder, Founder & Executive Chair, IT Governance Ltd
     February 2017
     www.itgovernance.co.uk
  2. Introduction
     • Alan Calder
     • Founder – IT Governance Ltd
     • The single source for everything to do with IT governance, cyber risk management and IT compliance
     • IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th Edition (Open University textbook)
     • www.itgovernance.co.uk
  3. IT Governance Ltd: GRC One-stop shop
     All verticals, all sectors, all organisational sizes
     (Slide footer, repeated on every following slide: TM www.itgovernance.co.uk – Copyright IT Governance Ltd 2017 – v1.0)
  4. We will cover:
     • The GDPR and what it means for Cloud service providers
     • The rights of data subjects
     • The policies and procedures required by the GDPR
     • The ‘privacy by design’ and ‘privacy by default’ requirements
     • Breach notification obligations
     • The impact of subcontracting on Cloud service providers
     • The technical and organisational measures applicable to Cloud service providers
     • ISO 27018 and implementing security controls for PII in the Cloud
     • Introducing: the Network and Information Security Directive
  5. GDPR: Top Ten Aspects of the Regulation
     • Increased fines – 4% of global turnover or €20,000,000
     • Opt-in/opt-out – Clear, pro-active, use data only as agreed, easy opt-out
     • Breach notification – 72 hours to regulators, users “without delay”
     • Territorial scope – Global: all organizations with data on EU individuals
     • Joint liability – Data controllers & processors
     • Data subject rights – The users are in charge
     • Level playing field – Regulation, 28 laws becoming one
     • Data transfer – Data keeps privacy rights as it moves globally
     • Common enforcement – Authorities will be strict
     • Collective redress – Class action lawsuits from individuals
     Administrative penalties to be “effective, proportionate and dissuasive.” Effective across the EU from 25 May 2018.
     (Source: Copyright Skyhigh Networks 2017 – v1.0)
  6. Data protection model under GDPR (diagram)
     Parties shown: Information Commissioner’s Office (ICO) (supervisory authority); Data controller (organisations); Data subject (individuals); Data processor; Third countries; Third parties; European Data Protection Board.
     Relationships shown between them: Duties; Rights; Disclosure?; Inform?; Security?; Guarantees?; Assessment; Enforcement; Complaints.
  7. GDPR: Controllers or processors outside the EU
     Article 27: Representatives of controllers or processors not established in the Union
     • Where the controller or the processor is not established in the Union:
       – They shall designate in writing a representative in the Union;
       – The representative shall be established where the data processing or profiling resides;
       – The representative shall be mandated to be addressed by supervisory authorities and data subjects for the purposes of the Regulation;
       – Designation of a representative does not absolve the controller or processor from legal liabilities.
  8. Rights of Data Subjects
     • The controller shall take appropriate measures to provide any information … relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 11-1)
     • The controller shall facilitate the exercise of data subject rights (Article 11-2)
       – Rights to:
         º Consent
         º Access
         º Rectification
         º Erasure
         º Restriction
         º Objection
       – The right to data portability;
       – The right to withdraw consent at any time;
       – The right to lodge a complaint with a supervisory authority;
       – The right to be informed of the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.
  9. Articles 5 & 6: Lawfulness
     • Processing must be lawful – which means, inter alia:
       – The data subject must give consent for specific purposes
       – Other specific circumstances exist where consent is not required
         º e.g. so that the controller can comply with legal obligations
     • One month to respond to Subject Access Requests – and no charges
     • Controllers and processors clearly distinguished
       – Clearly identified obligations
       – Controllers are responsible for ensuring processors comply with contractual terms for processing information
       – Processors must operate under a legally binding contract
         º And note issues around extra-territoriality
  10. Articles 7 - 9: Consent
     • Consent must be clear and affirmative
       – Must be able to demonstrate that consent was given
       – Silence or inactivity does not constitute consent
       – Written consent must be clear, intelligible and easily accessible, else it is not binding
       – Consent can be withdrawn at any time, and it must be as easy to withdraw consent as to give it
     • Special conditions apply for a child (under 16) to give consent
     • Explicit consent must be given for processing sensitive personal data
       – Race, ethnic origin, gender, etc.
       – Specific circumstances allow non-consensual processing, e.g. to protect the vital interests of the data subject
     • Secure against accidental loss, destruction or damage (Article 5)
  11. GDPR: Cloud processor obligations – policy and procedure requirements
     Article 28: Processor
     A legal contract must ensure that the processor:
     • processes the personal data only on documented instructions from the controller;
     • ensures that persons authorised to process the personal data observe confidentiality;
     • takes appropriate security measures;
     • respects the conditions for engaging another processor;
     • assists the controller by appropriate technical and organisational measures;
     • assists the controller in ensuring compliance with the obligations to security of processing;
     • deletes or returns all the personal data to the controller after the end of the provision of services;
     • makes available to the controller all information necessary to demonstrate compliance with the Regulation.
  12. NIS: Network & Information Security Directive
     • In place from May 2018
     • Improve national cyber security capabilities, improve EU co-operation
     • Operators of essential services:
       – Energy (electricity, oil and gas)
       – Transport (air, rail, water and road)
       – Banking (credit institutions)
       – Financial market infrastructures (trading venues and central counterparties)
       – Health (healthcare providers)
       – Water (drinking water suppliers and distributors)
     • Digital service providers:
       – Search engines
       – Online marketplaces
       – Cloud computing services
     • Take appropriate security measures and notify the relevant national authorities of serious incidents
     • Non-EU entities:
       – Designate a representative in one of the member states in which they offer their services,
       – Fall under the jurisdiction of that member state.
     • Administrative penalties to be “effective, proportionate and dissuasive.”
  13. NIS: Key Requirements
     • Must notify serious incidents to the relevant national authority;
     • Take appropriate security measures, such as:
       – Technical and organisational measures that are appropriate and proportionate to identified risks.
       – Measures that ensure a level of network and information systems security appropriate to identified risks.
       – Measures that prevent and minimise the impact of incidents on the IT systems used to provide the services, with a view to ensuring the continuity of those services.
       – Must also have the “information necessary to assess the security of the network and information systems”, including
         º documented security policies,
         º evidence of effective implementation – e.g. the results of a security audit carried out by the competent authority or a qualified auditor.
  14. What Apps & Cloud Services are we using? (image slide; source: Copyright Skyhigh Networks 2017 – v1.0)
  15. Article 44: International Transfers
     • Any transfer of personal data by a controller or processor shall take place only if certain conditions are complied with:
       – Transfers on the basis of adequacy;
       – Transfers subject to the appropriate safeguards;
       – Binding corporate rules apply.
     • All provisions shall be applied to ensure the protection of natural persons is not undermined.
     • To countries with similar data protection regulations
       – Cloud providers are a key risk area
       – Highest penalties apply to breaches of these provisions
     • Cloud providers need to ensure they are able to differentiate their EU and non-EU provision and provide clarity to data subjects and controllers
  16. Article 33: Data Breaches
     • Mandatory data breach reporting – within 72 hours
       – Describe actions being taken to
         º Address the breach
         º Mitigate the consequences
       – Data subjects contacted ‘without undue delay’
         º Unnecessary if appropriate protection is already in place
         º Consider encryption for all mobile devices, for all databases, and for email
       – Penetration testing to identify potential attack vectors should be standard
     • Failure to report within 72 hours must be explained
  17. Privacy Compliance Framework (diagram)
     • A framework for maintaining and improving compliance with data protection requirements and good practice
     • Roles & responsibilities
     • Monitoring, testing and audits
     • Organizational & administrative measures
  18. Developing policies and procedures that comply with the Regulation
     • “implement appropriate technical and organisational measures”
     Documents shown:
     – Data protection policy
     – Information security policy
     – Public trust charter
     – Document and record control policy
     – Subject access procedures
     – Complaints procedures
     – Information notices procedures
     – Enforcement notices procedures
     – Risk management strategy
     – Security policies and procedures
     – Data quality procedures
     – Data retention and archive procedures
     – Information management policy
     – Data disposal procedures
     – System/data-specific procedures
     – Data collection procedures (fair/lawful/adequate)
     – Data use procedures
     – Third-party exchange agreements
     – Notification procedures
     – Training and awareness programme
     – Audit and compliance policy
     – Internal audit procedures
     – Due diligence and third-party audit procedures
     – Compliance standards
     – Data processor standards and agreements
  19. Technical measures
     • Review current data sets and services
       – Don’t forget employee data
     • Set minimum standards for clouds & app services
     • Implement contracts with approved services
     • Define approved cloud services
       – Migrate users to approved services
     • Implement policies to block/allow/warn users of risks
     • Implement monitoring, DLP, anomaly checking
     • Integrate with LDAP, AD, SSO services
     • Publish approved cloud services list
     • Review requests for new cloud services
     (Source: Copyright Skyhigh Networks 2017 – v1.0)
  20. Article 40 et seq: Certifications
     • The requirement is to apply appropriate organizational and administrative measures.
     • How can you demonstrate this?
       – Codes of conduct and certifications may be used to demonstrate compliance with the GDPR
       – Recognised international standards (e.g. ISO/IEC 27001/27018)
       – Recognised national management standards (e.g. BS 10012 – for a PIMS or Personal Information Management System)
       – Recognised national technical standards (e.g. Cyber Essentials in the UK, CCM)
       – Emergence of new standards, privacy seals etc. across the EU
     • Certification does not absolve the controller of the need to comply
  21. Cloud Controls Matrix
     • Application & Interface Security (controls AIS-01 to 03)
     • Audit Assurance & Compliance (AAC-01 to 03)
     • Business Continuity Management & Operational Resilience (BCR-01 to 12)
     • Change Control & Configuration Management (CCC-01 to 05)
     • Data Security & Information Lifecycle Management (DSI-01 to 08)
     • Datacentre Security (DCS-01 to 09)
     • Encryption & Key Management (EKM-01 to 04)
     • Governance and Risk Management (GRM-01 to 12)
     • Human Resources (HRS-01 to 12)
     • Identity & Access Management (IAM-01 to 13)
     • Infrastructure & Virtualization Security (IVS-01 to 12)
     • Interoperability & Portability (IPY-01 to 05)
     • Mobile Security (MOS-01 to 20)
     • Security Incident Management, E-Discovery & Cloud Forensics (SEF-01 to 05)
     • Supply Chain Management, Transparency and Accountability (STA-01 to 09)
     • Threat and Vulnerability Management (TVM-01 to 03)
  22. ISO 27001 Annex A: 14 Control Categories (114 controls) & ISO 27018
     5  Information security policies
     6  Organisation of information security
     7  Human resources security
     8  Asset management
     9  Access control
     10 Cryptography
     11 Physical & environmental security
     12 Operations security
     13 Communications security
     14 System acquisition, development & maintenance
     15 Supplier relationships
     16 Information security incident management
     17 Information security aspects of business continuity management
     18 Compliance
     19 ISO 27018 extension
  23. IT Governance: GDPR self-help
     • 1-Day accredited Foundation course (classroom, online, distance learning)
       – www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
     • 4-Day accredited Practitioner course (classroom, online, distance learning)
       – www.itgovernance.co.uk/shop/product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
     • Pocket guide
       – www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
     • Implementation Manual
       – www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
     • Documentation toolkit
       – www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
  24. IT Governance: GDPR Consultancy
     • Gap analysis
       – Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the DPA or the GDPR.
     • Data flow audit
       – Data mapping involves plotting out all of the organisation’s data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
     • Information Commissioner notification support (a legal requirement for DPA compliance)
       – Organisations that process personal data must complete a notification with the Information Commissioner under the DPA.
     • Implementing a personal information management system (PIMS)
       – Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
     • Implementing an ISMS compliant with ISO 27001
       – We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without the hassle, no matter where your business is located.
     • Cyber health check
       – The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
     www.itgovernance.co.uk/dpa-compliance-consultancy
  25. Questions?
     aross@itgovernance.co.uk
     0845 070 1750
     www.itgovernance.co.uk
