General Data Protection Regulation (GDPR)
Dealing with 3rd Party Partners/Suppliers
Joe Orlando
The EU Not the Only One to Enact Privacy Law
Over 80 Countries Enacted Privacy Laws
CCPA
Significant Data Protection EU
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)…”:
• Name
• Location
• Identification Number
• OnLine ID / Cookies
• Gender
• Personal Preferences
• Ethnic
• Cultural
• Social Identity
• Memberships
• Biometric
• CCTV Video
• Event photos
• Insurance
• Visas
• Religion
• Insurance Claims
Data Has Different States
• At REST
• At WORK
• In MOTION
NOT “Just another IT Project!”
EVERYONE “owns” the Solution.
Data Controller (who NEEDS the data): Why Do You NEED the Data?
Data Processor (who uses the data to complete tasks): What Do You DO with the Data?
How is this Data Stored; Managed; Secured; Shared; Refreshed; Processed and Destroyed?
ICT only FACILITATES the Outcome: Store, Move, Protect.
ICT Cannot Do This Alone.
Identify Data Assets
What?
Where?
When?
Who?
Why?
How?
Permission?
Secure?
How Long?
Privacy by Design and by Default
GDPR requires businesses to implement “technical and organizational measures to provide appropriate protection to the personal data they hold.”
GDPR expressly states that such measures include:
1. The pseudonymization and encryption of personal data
2. Measures to ensure resilience of systems and services processing data
3. Measures that allow businesses to restore the availability and access to the data in the event of a breach
4. Frequent testing of the effectiveness of the security measures
“Show Your Work!”
DPIA
Records of Processing
Incident Response Plans
Breach Reporting
Vendor Assessments
Data Flow Mapping
SSP
Tests and Audits
An Individual’s Rights
• Right to Know
  • What PII You Have
  • Source of the PII You Have
  • To Where and to Whom Does My PII Go
• Right to Edit Inaccuracies
• Right to Be Forgotten (Delete)
• Right to Opt Out
  • Object to Processing
  • Object to Automatic Decision Making
• Right to Portability
• Limit Retention Period
OBJECTIVE: SECURE THE DATA
Secure the Personal Identifiable Information (PII) & Personal Health Information (PHI) to Prevent Unauthorized Access and, in the event of unauthorized access … the data they get is unintelligible.
Of the 261 pages of GDPR, “encryption” appears 4 times:
• "...implement measures to mitigate those risks, such as encryption." (P51 (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
Regulatory “PASS” if Using Encryption
“…in case of a data breach, the controller is not required to communicate to the data subject if he or she has implemented encryption as a technical and organisational protection measure” (Article 34 Par. 3 (a) GDPR).
OPTIONS (Easy to Hardest) vs. RISK to PII/PHI EXPOSURE (High to Low)
1. Subset Data Coming Out of Production
2. Access Management & Monitoring
3. Field Preserving Data Masking
4. Data Pseudonymization
5. Field/Row/Column Encryption
6. Full Disk Encryption
Race Against the Clock!
• Residents of EU
• Establish a Data Protection Officer (some require in Country)
• Register Processing and/or Records of Processing
• Cross Border Data Transfers
• Data Breach MUST Be Reported within 72 Hours of Becoming Aware of the Breach, with an Incident Response Plan
• Individuals Can Ask for Data and Controllers Must Be Responsive in 30 Days… for FREE (DSAR)
• Individuals MUST Provide CLEAR Permission to Hold Information & for How Long
• 3rd Party Processors Do NOT Eliminate YOUR Responsibility
• Data in Cloud – Cookies – Devices
GDPR Has Teeth!
Failure to Comply with the Regulation could mean a fine of Up to 4% of GLOBAL GROSS REVENUES or $20,000,000, whichever IS GREATER.
NEXT UP: GDPR and 3rd Party Considerations
Our 3rd Party Partners
3rd Party Partners
• Sales Channel Partners
• Distributors
• Resellers
• Marketing Campaign Providers
• 3rd Party Processors
• Off Prem Storage and Backup Vendors
• 3rd Party Administrators (ESOP; Benefits; Pension)
• Security Providers (Physical; Swipe cards; CCTV)
• 3rd Party Analytics Providers
Things to Consider…
The likelihood of data going OUT from INSIDE is greater than the likelihood of data being exfiltrated from OUTSIDE.
Amendments to the 3rd Party Provider Agreements
Data Privacy Amendments (GPO and Legal)
• Commitment to Compliance
• Commitment to Cooperation
• Commitment to Validation and Audit
• Commitment to Being Responsive to Our Organization and DSAR
• Commitment to Incident Response
• Commitment to Appropriate Record Keeping
The Controller OWNS the Outcome!
Just Because the 3rd Party Has it… Security is still YOUR Responsibility
Under GDPR – Vendor Assessment Questions
• Awareness and understanding of GDPR regulations and data protection principles
• Lawfulness of processing and further processing and legitimate interests
• Consent management
• Information notices
• Data Subject rights (access, rectification, portability, erasure, objection & restriction of processing) processes
• Record retention policies and processes
• Privacy By Design, including Impact Assessments
• Cross Border Transfers of Personal and Sensitive Data
• Data governance obligations
• Personal data breaches and notifications
• Sub-Contractor Agreements and Controls
• Codes of conduct and certifications
• Roles, Responsibilities and Competencies
• Co-operation and consistency between supervisory authorities, remedies and liabilities
• Derogations, special conditions and delegated acts, implementing acts and final provisions
• Subcontracted processes, processors and security controls
Consider YOUR Development Environment AND Your VENDOR’S
2/5/2018
Grading Your 3rd Party Partner
Scorecard columns: Section | Sub-section | Criteria - Checks | Score

1. Participating 3rd Party Vendor must ensure that they are fully compliant with the Our Organization Security Policy. Score: 0
2. The 3rd Party Provider Security Policy Baseline creates a general security and data protection baseline adapted to Our Organization needs. The 3rd Party Provider Security Policy Baseline addresses all elements of data flows into Our Organization, including national and cross-border data flows. Score: 0
3. The 3rd Party Provider shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation). Score: 0
4. 3rd Party Provider must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment. Score: 0
5. 3rd Party Vendor shall ensure that communication of identifiable personal data is subject to secure communication and end-to-end security measures. Score: 0
6. 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall: Score: 0
   a) allow authorised official bodies to duly inspect the established mechanisms of the 3rd Party Vendor for data collection, processing, translation and transmitting. Score: 0
   b) make logs available for legal purposes, e.g. if requested by an individual. Score: 0
7. The 3rd Party Vendor must ensure that we have clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation. Score: 0
Area status: Not Compliant
Area: Security Incident Management / Information Security Incidents
• Does the 3rd Party Provider have policies in place which set out how information security incidents, and breaches to the confidentiality of data, should be managed? Score: 0
• Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment? Does the 3rd Party Provider engage employees and third party users of information processing facilities to sign a confidentiality (non-disclosure) agreement? Score: 0
• Incidents affecting security MUST be reported to the designated (by each 3rd Party Vendor) point of contact through appropriate management channels as quickly as possible. Score: 0
• Are all staff trained in security procedures and the correct use of the information processing facilities to minimize possible security incidents and risks? Score: 0
• Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures. Score: 0
Average Area Score: 0
Area status: Not Compliant
Area: Cryptography / Cryptographic controls
• Does the 3rd Party Provider verify that CAs (Certificate Authorities) are registered as such in the EU Trusted Lists of Certification Service Providers? Is there a documented procedure defining this, and where? Score: 0
• Does the 3rd Party Provider have documented descriptions on service addresses and certificates compliant to the appropriate Regulators? Score: 0
Average Area Score: 0
Area status: Not Compliant
Area: Information security aspects of business continuity management
Information security continuity / Planning information security continuity
• Have the availability requirements been established for the 3rd Party network?
• Have the availability requirements between the 3rd Party Provider and its service providers been defined and established? Are these documented in the Service Level or similar Agreements? Score: 0
Redundancies / Availability of information processing facilities
• Does the 3rd Party Provider have a backup procedure for at least the critical assets?
• Does the 3rd Party Provider have defined backup times (Recovery Point Objective) in alignment with the business and (if applicable) in the multilateral or other agreements between the partners in the 3rd Score: 0
Average Area Score: 0
Area status: Not Compliant
Area: Physical and environmental security
Physical security measures should exist in the 3rd Party Vendor premises where authorized users have access to the e Information System and the respective information storing facilities (i.e. network, server rooms etc.) to ensure that only authorized personnel have physical access. Environmental Safeguard measures should protect premises and systems from hazards and destruction. Score: 0
Secure Areas / Physical security perimeter
• Are the physical areas where the processing facilities and staff operating the e system are located defined and documented (e.g. under Asset Management, Procedure or elsewhere)?
• Is the 3rd Party Vendor operations environment, including networks, adequately segregated from environments operated by external parties?
• Are the 3rd Party Vendor personnel offices segregated in order to protect security of operations and preclude access by unauthorised personnel? Score: 0
Physical entry controls
• Do the 3rd Party Vendor building premises where staff operate the system have controlled building entrances and exits?
• Are building entrances and exits equipped with intruder prevention and alarm systems? Are visitors logged in a visitors logbook and guided when visiting the 3rd Party Vendor premises?
• Do server/computer room facilities have a visitor log system used by the 3rd Party Vendor for logging entrances and exits to the systems room of the 3rd Party Vendor, either automatically or manually?
• Are Intruder Alarm Systems attached to a backup power supply system (battery, generator or UPS) to ensure that server rooms are adequately protected and accessible during a disruption to the main power supply system?
• Are the permission rights of personnel to those areas documented, reviewed and updated at specified intervals?
(Note: Retention period of access logs and any CCTV recordings must respect the nationally applicable legislation for private and personal data protection) Score: 0
A.11.1.3 Securing offices, rooms and facilities
• Are 3rd Party Vendor offices where staff operate the e information system protected by physical measures adequate for the level of sensitivity of the system? Score: 0
Equipment should be physically protected from security threats and environmental hazards. Protection of equipment is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also take into consideration equipment location and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure. Score: 0
Area: Information security policies
Management direction for information security / Policies for information security
• Does the 3rd Party Provider have documented policies that define how personally identified information is safeguarded? Score: 0
Review of the policies for information security
• Are the 3rd Party Vendor responsibilities defined for managing the lifecycle of the Security Policies, ensuring that they are always kept up to date? Score: 0
Average Area Score: 0
Area status: Not Compliant
Area: Organization of information security
Internal organization / Information security roles and responsibilities
• Are the responsibilities for the 3rd Party Vendor Processes (especially for information security) included in the security policies?
• Are the specific processes and assets of the 3rd Party Vendor identified and defined?
• Are the local responsibilities for the protection of assets for the 3rd Party Vendor documented and carried out?
• Is the process of information security risk management documented and suitable?
• Does the information security risk management process include the 3rd Party Vendor’s processes and assets? Score: 0
Segregation of duties
• Does the 3rd Party Provider have a person responsible for the security of information within the context of e? Score: 0
Average Area Score: 0
Area status: Not Compliant
Area: Operations Security
Integrity
• When information is sent from one country to another, it must be assured that the information has been properly received by the end user (source of country B). (Note: this requirement is applicable under the Information Security Domain in the area "Integrity") Score: 0
Confidentiality
• The 3rd Party Provider must ensure that Our Organization data is not transmitted to a 3rd Party Vendor not belonging or allowed into the Our Organization environment.
• The 3rd Party Provider must ensure the security (confidentiality, integrity, availability, non-repudiation, authenticity and auditability) of data processed on their territory.
Event logging, protection of log information
• Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
• Logging facilities and log information shall be protected against tampering and unauthorized access.
• System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
• 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall enable a review of the mechanisms in place to protect 3rd Party data.
Score: Not Scored
Under GDPR – We are All One Family
There are options… where to start
▪ Subsetting Data used in Test/QA and Dev
▪ Data Minimization
▪ Pseudonymisation / Masking
▪ Rigid Roles Based Access Controls and Management
▪ Reduce Unauthorized Access to PII/PHI
▪ Automatic Logging and Monitoring of User Activities (Regular Testing)
▪ Lock Down Download and Mobile Media Ability
▪ Make “Data in Motion” and “At Rest” Unintelligible
▪ Format Preserving Encryption
▪ Field; Column; Row Encryption
▪ Encrypt Workstations (& Laptops) or
▪ Full Disk Encryption with Individual Workstation Keys
▪ Provide end to end encryption (in motion and at rest)
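As an added example that is not part of the deck, the first three options above (subsetting for Test/QA, data minimization, pseudonymisation/masking) carried out together in Python on a constructed set of records. The field names, the HMAC-based keyed pseudonym, the separately held re-identification table and the leak check are my assumptions, not the author's.

```python
"""Added example (not from the original deck): build a Test/QA extract from
production records by subsetting, minimising, pseudonymising and masking PII.

Assumptions (mine, not the deck's): records are dicts with the field names below,
the pseudonymisation key is held outside the Test/QA environment, and the
re-identification table is kept separately by the controller (GDPR Art. 4(5):
the "additional information" needed to re-identify is stored apart from the data).
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Constructed sample of production records (fictitious people). Note that the
# same person (1001 and 1003) appears twice, as happens with event/login tables.
PRODUCTION = [
    {"customer_id": 1001, "name": "Anna Example", "email": "anna@example.org",
     "phone": "+44 20 7946 0958", "iban": "GB82WEST12345698765432",
     "religion": "undisclosed", "country": "GB", "plan": "gold", "last_login": "2018-01-30"},
    {"customer_id": 1002, "name": "Bram Voorbeeld", "email": "bram@example.nl",
     "phone": "+31 20 555 0101", "iban": "NL91ABNA0417164300",
     "religion": "undisclosed", "country": "NL", "plan": "silver", "last_login": "2017-12-02"},
    {"customer_id": 1003, "name": "Anna Example", "email": "anna@example.org",
     "phone": "+44 20 7946 0958", "iban": "GB82WEST12345698765432",
     "religion": "undisclosed", "country": "GB", "plan": "gold", "last_login": "2018-02-01"},
]

# Data minimisation: the test team only needs these fields. Everything else
# (name, bank details, special-category data such as religion) is dropped outright.
KEEP_FIELDS = ("customer_id", "email", "phone", "country", "plan")

# Key for keyed pseudonyms. Constructed for the example; in practice it lives in a
# secrets store outside Test/QA, so a tester holding the extract cannot recompute
# pseudonyms from a list of known e-mail addresses.
PSEUDONYM_KEY = b"example-key-rotate-me-not-for-production"


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: same input -> same token, so joins across
    tables still work in Test/QA, but the token reveals nothing without the key."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return "psn_" + digest.hexdigest()[:24]


def mask_phone(phone: str) -> str:
    """Format-preserving mask: keep spacing/punctuation and the last 4 digits, X out the rest."""
    digit_count = sum(c.isdigit() for c in phone)
    keep_from = max(digit_count - 4, 0)
    out, seen = [], 0
    for c in phone:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def build_test_extract(records: Iterable[Dict], subset_country: str) -> Tuple[List[Dict], Dict[str, str]]:
    """Subset (one country), minimise (KEEP_FIELDS), pseudonymise direct identifiers,
    mask quasi-identifiers. Returns the extract and the separate re-identification table."""
    extract: List[Dict] = []
    reid_table: Dict[str, str] = {}  # pseudonym -> original e-mail; the controller keeps this apart
    for rec in records:
        if rec["country"] != subset_country:
            continue  # subsetting: Test/QA does not receive the whole production table
        row = {k: rec[k] for k in KEEP_FIELDS}
        token = pseudonymise(row["email"])
        reid_table[token] = row["email"]
        row["email"] = token
        row["customer_id"] = pseudonymise(str(row["customer_id"]))
        row["phone"] = mask_phone(row["phone"])
        extract.append(row)
    return extract, reid_table


def extract_leaks_pii(extract: Iterable[Dict], originals: Iterable[Dict]) -> bool:
    """Check step (the deck's 'regular testing'): does any original direct identifier
    survive verbatim anywhere in the extract?"""
    blob = " ".join(str(v) for row in extract for v in row.values()).lower()
    for rec in originals:
        for field in ("name", "email", "iban"):
            if rec[field].lower() in blob:
                return True
    return False


if __name__ == "__main__":
    rows, reid = build_test_extract(PRODUCTION, "GB")
    for r in rows:
        print(r)
    print("leaks PII:", extract_leaks_pii(rows, PRODUCTION))
```

The re-identification table returned alongside the extract is the "additional information" GDPR expects to be held separately; handing it to the Test/QA team would turn the pseudonyms back into personal data.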
Some First Steps…
✓ Reduce the number of Access Points (Minimize User and Authorized Access)
✓ Segregate, As Much As Possible, the Production Users – Testers – Developers and QA Users
✓ Ensure Secure Data Transmission
✓ Rigidly Restrict Access by Well Defined Role/Authorization
✓ Prevent Data Download to Portable Media
✓ Ensure Comprehensive Training on Handling PII/PHI as Part of Employee Code of Ethics
✓ Reduce # of people who are “authorized to see” Sensitive Data (PII/PHI)
Some First Steps…
✓ Minimize; Pseudonymise; Mask Data as Much as Viable
✓ Ensure Data Secured “At Rest” and “In Motion”
✓ Rigidly Restrict Access by Well Defined Role/Authorization
✓ Implement End Point Security (DLP)
✓ Deliberately Reduce Potential Attack Surfaces (Vulnerabilities) that Potentially Expose PII/PHI
✓ Administer Regular Tests & Audits on Internal and 3rd Party “Data Privacy by Design and Default” Procedures, Policies and Protocols
OPTIONS (not mutually exclusive)
Data At Rest
• Pseudonymisation and Masking
• Rigid Roles Based Access Controls and Management
• Encrypt Workstations (& Laptops) to Prevent Download and Export
Data In Motion
• Safe or Encrypted Transfer (SFTP (connection); encrypt (the data))
• TLS Tunnel and/or ZIX for mail transport
Data In Use
• Data Minimization
• Data Subsetting
• Rigid Roles Based Access Controls and Management
• Pseudonymisation and Masking
• Format Preserving Encryption
• Field; Column; Row Encryption
Options: Specific Ideas
Data At Rest
• File Share
• BitLocker
• USB/Media Lock down
• DLP Policies
• Restricted Access to Db
Data In Motion
• CASB
• DLP
• Network Protocols
• ACLs
• VPN
• Firewall
Data In Use
• Rigid User Access Rules and Regular Reviews
• Proactive User Lifecycle Management
• Multi Factor Authentication
ThankYou!
Joe Orlando
+1352 409 5869
Joe@jgorlndo.com

Ignore customers at your own perilJoe Orlando
 
General Data Protection Regulation kick off
General Data Protection Regulation kick offGeneral Data Protection Regulation kick off
General Data Protection Regulation kick offJoe Orlando
 
Protecting pii and phi exec summary
Protecting pii and phi   exec summaryProtecting pii and phi   exec summary
Protecting pii and phi exec summaryJoe Orlando
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Joe Orlando
 
OUTSTANDING OUTSOURCING - Checklist
OUTSTANDING OUTSOURCING - ChecklistOUTSTANDING OUTSOURCING - Checklist
OUTSTANDING OUTSOURCING - ChecklistJoe Orlando
 
How can we innovate?
How can we innovate?How can we innovate?
How can we innovate?Joe Orlando
 
Creating value by getting rid of it
Creating value by getting rid of itCreating value by getting rid of it
Creating value by getting rid of itJoe Orlando
 
Creating Brand Advocates
Creating Brand AdvocatesCreating Brand Advocates
Creating Brand AdvocatesJoe Orlando
 

More from Joe Orlando (13)

Creating brand advocates
Creating brand advocatesCreating brand advocates
Creating brand advocates
 
Digital marketing strategy presentation [autosaved]
Digital marketing strategy presentation [autosaved]Digital marketing strategy presentation [autosaved]
Digital marketing strategy presentation [autosaved]
 
Digital marketing solutions summary
Digital marketing solutions summaryDigital marketing solutions summary
Digital marketing solutions summary
 
Cybersecurity regulation will be challenging
Cybersecurity regulation will be challengingCybersecurity regulation will be challenging
Cybersecurity regulation will be challenging
 
Products dont sell themselves excerpt
Products dont sell themselves excerptProducts dont sell themselves excerpt
Products dont sell themselves excerpt
 
Ignore customers at your own peril
Ignore customers at your own perilIgnore customers at your own peril
Ignore customers at your own peril
 
General Data Protection Regulation kick off
General Data Protection Regulation kick offGeneral Data Protection Regulation kick off
General Data Protection Regulation kick off
 
Protecting pii and phi exec summary
Protecting pii and phi   exec summaryProtecting pii and phi   exec summary
Protecting pii and phi exec summary
 
Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3Forecast cybersecurity regulation v3
Forecast cybersecurity regulation v3
 
OUTSTANDING OUTSOURCING - Checklist
OUTSTANDING OUTSOURCING - ChecklistOUTSTANDING OUTSOURCING - Checklist
OUTSTANDING OUTSOURCING - Checklist
 
How can we innovate?
How can we innovate?How can we innovate?
How can we innovate?
 
Creating value by getting rid of it
Creating value by getting rid of itCreating value by getting rid of it
Creating value by getting rid of it
 
Creating Brand Advocates
Creating Brand AdvocatesCreating Brand Advocates
Creating Brand Advocates
 

Recently uploaded

如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书Fir L
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书Fir L
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书SD DS
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书1k98h0e1
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementShubhiSharma858417
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfMilind Agarwal
 
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxConstitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxsrikarna235
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书Fir sss
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionNilamPadekar1
 
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书SD DS
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书Fir L
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一jr6r07mb
 
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptFINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptjudeplata
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书Fir L
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaNafiaNazim
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书FS LS
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSDr. Oliver Massmann
 

Recently uploaded (20)

如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书如何办理提赛德大学毕业证(本硕)Teesside学位证书
如何办理提赛德大学毕业证(本硕)Teesside学位证书
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
如何办理美国加州大学欧文分校毕业证(本硕)UCI学位证书
 
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
如何办理(uOttawa毕业证书)渥太华大学毕业证学位证书
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
昆士兰科技大学毕业证学位证成绩单-补办步骤澳洲毕业证书
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A History
 
Special Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreementSpecial Accounting Areas - Hire purchase agreement
Special Accounting Areas - Hire purchase agreement
 
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdfWhy Every Business Should Invest in a Social Media Fraud Analyst.pdf
Why Every Business Should Invest in a Social Media Fraud Analyst.pdf
 
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptxConstitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
Constitutional Values & Fundamental Principles of the ConstitutionPPT.pptx
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 sedition
 
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
如何办理(GWU毕业证书)乔治华盛顿大学毕业证学位证书
 
如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书如何办理美国波士顿大学(BU)毕业证学位证书
如何办理美国波士顿大学(BU)毕业证学位证书
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.pptFINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
FINALTRUEENFORCEMENT OF BARANGAY SETTLEMENT.ppt
 
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
如何办理新加坡南洋理工大学毕业证(本硕)NTU学位证书
 
Arbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in IndiaArbitration, mediation and conciliation in India
Arbitration, mediation and conciliation in India
 
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
如何办理密德萨斯大学毕业证(本硕)Middlesex学位证书
 
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTSVIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
VIETNAM – LATEST GUIDE TO CONTRACT MANUFACTURING AND TOLLING AGREEMENTS
 

3rd party considerations gdpr

  • 1. General Data Protection Regulation (GDPR): Dealing with 3rd Party Partners/Suppliers. Joe Orlando
  • 2. The EU Is Not the Only One to Enact Privacy Law
  • 4. Significant Data Protection (EU). Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)…”:
    • Name
    • Location
    • Identification Number
    • Online ID / Cookies
    • Gender
    • Personal Preferences
    • Ethnic
    • Cultural
    • Social Identity
    • Memberships
    • Biometric
    • CCTV Video
    • Event photos
    • Insurance
    • Visas
    • Religion
    • Insurance Claims
  • 6. NOT “Just another IT Project!” EVERYONE “owns” the Solution.
    • Data Controller (who NEEDS the data): Why do you NEED the data?
    • Data Processor (who uses the data to complete tasks): What do you DO with the data? How is this data stored, managed, secured, shared, refreshed, processed and destroyed?
    • ICT only FACILITATES the outcome: Store, Move, Protect. ICT cannot do this alone.
  • 9. GDPR requires businesses to implement “technical and organizational measures to provide appropriate protection to the personal data they hold.” GDPR expressly states that such measures include:
    1. The pseudonymization and encryption of personal data
    2. Measures to ensure resilience of systems and services processing data
    3. Measures that allow businesses to restore the availability and access to the data in the event of a breach
    4. Frequent testing of the effectiveness of the security measures
  • 10. “Show Your Work!”
    • DPIA
    • Records of Processing
    • Incident Response Plans
    • Breach Reporting
    • Vendor Assessments
    • Data Flow Mapping
    • SSP
    • Tests and Audits
  • 11. An Individual’s Rights
    • Right to Know
      • What PII you have
      • Source of the PII you have
      • To where and to whom does my PII go
    • Right to Edit Inaccuracies
    • Right to Be Forgotten (Delete)
    • Right to Opt Out
    • Object to Processing
    • Object to Automatic Decision Making
    • Right to Portability
    • Limit Retention Period
  • 12. OBJECTIVE: SECURE THE DATA. Secure the Personally Identifiable Information (PII) and Personal Health Information (PHI) to prevent unauthorized access and, in the event of unauthorized access, ensure that the data they get is unintelligible.
  • 13. Of the 261 pages of GDPR, “encryption” appears 4 times:
    • "...implement measures to mitigate those risks, such as encryption." (P51 (83))
    • "...appropriate safeguards, which may include encryption" (P121 (4.e))
    • "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
    • "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
  • 14. Regulatory “PASS” if Using Encryption: “…in case of a data breach, the controller is not required to communicate to the data subject if he or she has implemented encryption as a technical and organisational protection measure” (Article 34 Par. 3 (a) GDPR).
  • 15. OPTIONS (Easy to Hardest) / RISK to PII/PHI EXPOSURE (High to Low):
    • Subset Data Coming Out of Production
    • Access Management & Monitoring
    • Field Preserving Data Masking
    • Data Pseudonymization
    • Field/Row/Column Encryption
    • Full Disk Encryption
  • 16. Race Against the Clock!
    • Residents of EU
    • Establish a Data Protection Officer (some require in country)
    • Register Processing and/or Records of Processing
    • Cross Border Data Transfers
    • Data Breach MUST be reported within 72 hours of becoming aware of the breach, with an Incident Response Plan
    • Individuals can ask for their data and Controllers must be responsive within 30 days… for FREE (DSAR)
    • Individuals MUST provide CLEAR permission to hold information, and for how long?
    • 3rd Party Processors do NOT eliminate YOUR responsibility
    • Data in Cloud – Cookies – Devices
  • 17. GDPR Has Teeth! Failure to comply with the Regulation could mean a fine of up to 4% of GLOBAL GROSS REVENUES or $20,000,000, whichever IS GREATER.
  • 18. NEXT UP: GDPR and 3rd Party Considerations
  • 20. 3rd Party Partners
    • Sales Channel Partners
    • Distributors
    • Resellers
    • Marketing Campaign Providers
    • 3rd Party Processors
    • Off Prem Storage and Backup Vendors
    • 3rd Party Administrators (ESOP; Benefits; Pension)
    • Security Providers (Physical; Swipe cards; CCTV)
    • 3rd Party Analytics Providers
  • 21. Things to Consider… The likelihood of data going OUT from INSIDE is greater than the likelihood of data being exfiltrated from OUTSIDE.
  • 22. Amendments to the 3rd Party Provider Agreements: Data Privacy Amendments (GPO and Legal)
    • Commitment to Compliance
    • Commitment to Cooperation
    • Commitment to Validation and Audit
    • Commitment to Being Responsive to Our Organization and DSAR
    • Commitment to Incident Response
    • Commitment to Appropriate Record Keeping
  • 23. The Controller OWNS the Outcome! Just because the 3rd Party has it… Security is still YOUR responsibility.
  • 24. Under GDPR – Vendor Assessment Questions
    • Awareness and understanding of GDPR regulations and data protection principles
    • Lawfulness of processing and further processing and legitimate interests
    • Consent management
    • Information notices
    • Data Subject rights, access, rectification, portability, erasure, object & restriction of processing processes
    • Record retention policies and processes
    • Privacy By Design, including Impact Assessments
    • Cross Border Transfers of Personal and Sensitive Data
    • Data governance obligations
    • Personal data breaches and notifications
    • Sub-Contractor Agreements and Controls
    • Codes of conduct and certifications
    • Roles, Responsibilities and Competencies
    • Co-operation and consistency between supervisory authorities, remedies and liabilities
    • Derogations, special conditions and delegated acts, implementing acts and final provisions
    • Subcontracted processes, processors and security controls
  • 25. Consider YOUR Development Environment AND Your VENDOR’S (2/5/2018)
  • 27. Criteria – Checks (Score)
    • Participating 3rd Party Vendor must ensure that they are fully compliant with the Our Organization Security Policy. (0)
    • The 3rd Party Provider Security Policy Baseline creates a general security and data protection baseline adapted to Our Organization needs. The 3rd Party Provider Security Policy Baseline addresses all elements of data flows into Our Organization, including national and cross-border data flows. (0)
    • The 3rd Party Provider shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation). (0)
    • 3rd Party Provider must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment. (0)
    • 3rd Party Vendor shall ensure that communication of identifiable personal data is subject to secure communication and end-to-end security measures. (0)
    • 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall (0):
      a) allow authorised official bodies to duly inspect the established mechanisms of the 3rd Party Vendor for data collection, processing, translation and transmitting (0)
      b) make logs available for legal purposes, e.g. if requested by an individual. (0)
    • The 3rd Party Vendor must ensure that we have clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation. (0)
  • 28. Area: Security Incident Management (Not Compliant). Sub-section: Information Security Incidents
    • Does the 3rd Party Provider have policies in place which set out how information security incidents, and breaches to the confidentiality of data, should be managed? (0)
    • Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment? Does the 3rd Party Provider engage employees and third party users of information processing facilities to sign a confidentiality (non-disclosure) agreement? (0)
    • Incidents affecting security MUST be reported to the designated (by each 3rd Party Vendor) point of contact through appropriate management channels as quickly as possible. (0)
    • Are all staff trained in security procedures and the correct use of the information processing facilities to minimize possible security incidents and risks? (0)
    • Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures. (0)
    Average Area Score: 0
    Area: Cryptography (Not Compliant). Sub-section: Cryptographic controls
    • Does the 3rd Party Provider verify that CAs (Certificate Authorities) are registered as such in the EU Trusted Lists of Certification Service Providers? Is there a documented procedure defining this, and where? (0)
    • Does the 3rd Party Provider have documented descriptions of service addresses and certificates compliant with the appropriate Regulators? (0)
    Average Area Score: 0
    Area: Information security aspects of business continuity management (Not Compliant). Sub-section: Information security continuity
    Planning information security continuity:
    • Have the availability requirements been established for the 3rd Party network?
    • Have the availability requirements between the 3rd Party Provider and its service providers been defined and established? Are these documented in the Service Level or similar Agreements? (0)
    Redundancies – Availability of information processing facilities:
    • Does the 3rd Party Provider have a backup procedure for at least the critical assets?
    • Does the 3rd Party Provider have defined backup times (Recovery Point Objective) in alignment with the business and (if applicable) in the multilateral or other agreements between the partners in the 3rd (0)
  • 29. Average Area Score: 0
    Area: Physical and environmental security (Not Compliant). Physical security measures should exist in the 3rd Party Vendor premises where authorized users have access to the e Information System and the respective information storing facilities (i.e. network, server rooms, etc.) to ensure that only authorized personnel have physical access. Environmental safeguard measures should protect premises and systems from hazards and destruction. (0)
    Secure Areas – Physical security perimeter:
    • Are the physical areas where the processing facilities and staff operating the e system are located defined and documented (e.g. under Asset Management, Procedure or elsewhere)?
    • Is the 3rd Party Vendor operations environment, including networks, adequately segregated from environments operated by external parties?
    • Are the 3rd Party Vendor personnel offices segregated in order to protect security of operations and preclude access by unauthorised personnel? (0)
    Physical entry controls:
    • Do the 3rd Party Vendor building premises where staff operate the system have controlled building entrances and exits?
    • Are building entrances and exits equipped with intruder prevention and alarm systems? Are visitors logged in a visitors logbook and guided when visiting the 3rd Party Vendor premises?
    • Do server/computer room facilities have a visitor log system used by the 3rd Party Vendor for logging entrances and exits to the systems room of the 3rd Party Vendor, either automatically or manually?
    • Are Intruder Alarm Systems attached to a backup power supply system (battery, generator or UPS) to ensure that server rooms are adequately protected and accessible during a disruption to the main power supply system?
    • Are the permission rights of personnel to those areas documented, reviewed and updated at specified intervals? (Note: the retention period of access logs and any CCTV recordings must respect the nationally applicable legislation for private and personal data protection.) (0)
    A.11.1.3 Securing offices, rooms and facilities:
    • Are 3rd Party Vendor offices where staff operate the e information system protected by physical measures adequate for the level of sensitivity of the system? (0)
    Equipment should be physically protected from security threats and environmental hazards. Protection of equipment is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also take into consideration equipment location and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure. (0)
  • 30. Area: Information security policies. Management direction for information security
    Policies for information security:
    • Does the 3rd Party Provider have documented policies that define how personally identifiable information is safeguarded? (0)
    Review of the policies for information security:
    • Are the 3rd Party Vendor responsibilities defined for managing the lifecycle of the Security Policies, ensuring that they are always kept up to date? (0)
    Average Area Score: 0
    Area: Organization of information security (Not Compliant). Internal organization
    Information security roles and responsibilities:
    • Are the responsibilities for the 3rd Party Vendor processes (especially for information security) included in the security policies?
    • Are the specific processes and assets of the 3rd Party Vendor identified and defined?
    • Are the local responsibilities for the protection of assets for the 3rd Party Vendor documented and carried out?
    • Is the process of information security risk management documented and suitable?
    • Does the information security risk management process include the 3rd Party Vendor’s processes and assets? (0)
    Segregation of duties:
    • Does the 3rd Party Provider have someone responsible for the security of information within the context of e? (0)
    Average Area Score: 0
    Area: Operations Security (Not Compliant)
    Integrity: When information is sent from one country to another, it must be assured that the information has been properly received by the end user (source of country B). (Note: this requirement is applicable under the Information Security Domain in the area "Integrity".) (0)
    Confidentiality: The 3rd Party Provider must ensure that Our Organization data is not transmitted to a 3rd Party Vendor not belonging to or allowed into the Our Organization environment. The 3rd Party Provider must ensure the security (confidentiality, integrity, availability, non-repudiation, authenticity and auditability) of data processed on their territory.
    Event logging, protection of log information: Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. Logging facilities and log information shall be protected against tampering and unauthorized access. System administrator and system operator activities shall be logged and the logs protected and regularly reviewed. The 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall enable a review of the mechanisms in place to protect 3rd Party data. (Not Scored Area)
  • 32. There are options… where to start
    ▪ Subsetting Data used in Test/QA and Dev
    ▪ Data Minimization
    ▪ Pseudonymisation / Masking
    ▪ Rigid Roles Based Access Controls and Management
    ▪ Reduce Unauthorized Access to PII/PHI
    ▪ Automatic Logging and Monitoring of User Activities (Regular Testing)
    ▪ Lock Down Download and Mobile Media Ability
    ▪ Make “Data in Motion” and “At Rest” Unintelligible
    ▪ Format Preserving Encryption
    ▪ Field; Column; Row Encryption
    ▪ Encrypt Workstations (& Laptops) or Full Disk Encryption with Individual Workstation Keys
    ▪ Provide end to end encryption (in motion and at rest)
  • 33. Some First Steps…
    ✓ Reduce the number of Access Points (Minimize User and Authorized Access)
    ✓ Segregate, As Much As Possible, the Production Users – Testers – Developers and QA Users
    ✓ Ensure Secure Data Transmission
    ✓ Rigidly Restrict Access by Well Defined Role/Authorization
    ✓ Prevent Data Download to Portable Media
    ✓ Ensure Comprehensive Training on Handling PII/PHI as Part of Employee Code of Ethics
    ✓ Reduce # of people who are “authorized to see” Sensitive Data (PII/PHI)
  • 34. Some First Steps…
    ✓ Minimize; Pseudonymise; Mask Data as Much as Viable
    ✓ Ensure Data Secured “At Rest” and “In Motion”
    ✓ Rigidly Restrict Access by Well Defined Role/Authorization
    ✓ Implement End Point Security (DLP)
    ✓ Deliberately Reduce Potential Attack Surfaces (Vulnerabilities) that Potentially Expose PII/PHI
    ✓ Administer Regular Tests & Audits on Internal and 3rd Party “Data Privacy by Design and Default” Procedures, Policies and Protocols
  • 35. OPTIONS (not mutually exclusive)
    Data At Rest
    • Pseudonymisation and Masking
    • Rigid Roles Based Access Controls and Management
    • Encrypt Workstations (& Laptops) to Prevent Download and Export
    Data In Motion
    • Safe or Encrypted Transfer (SFTP (connection); encrypt (the data))
    • TLS Tunnel and/or ZIX for mail transport
    Data In Use
    • Data Minimization
    • Data Subsetting
    • Rigid Roles Based Access Controls and Management
    • Pseudonymisation and Masking
    • Format Preserving Encryption
    • Field; Column; Row Encryption
  • 36. Options: Specific Ideas
    Data At Rest
    • File Share
    • BitLocker
    • USB/Media Lock down
    • DLP Policies
    • Restricted Access to Db
    Data In Motion
    • CASB
    • DLP
    • Network Protocols
    • ACLs
    • VPN
    • Firewall
    Data In Use
    • Rigid User Access Rules and Regular Reviews
    • Proactive User Lifecycle Management
    • Multi Factor Authentication
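Slides 15, 32 and 35 list subsetting, data minimization, pseudonymisation and masking as the cheapest ways to keep PII/PHI out of test, QA and development environments (your own and your vendor's). The Python below is an added example written for this page, not code from the deck or from any product named on it; it builds a test subset from a constructed production extract, replaces each identity with a keyed pseudonym, masks the contact fields while keeping their shape, and runs a leak check before the subset is handed over. The sample records, the key, and the function names are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample records standing in for a production extract (not real people).
PRODUCTION_RECORDS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0123", "country": "GB", "claim_amount": 1250.00},
    {"id": 1002, "name": "Bob Sample", "email": "bob.sample@example.com",
     "phone": "+1 352 555 0199", "country": "US", "claim_amount": 300.50},
    {"id": 1003, "name": "Carla Muster", "email": "carla@example.de",
     "phone": "+49 30 1234567", "country": "DE", "claim_amount": 980.00},
]

# Fields that identify a data subject directly; none of them may leave production as-is.
DIRECT_IDENTIFIERS = ("id", "name", "email", "phone")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    The same input always yields the same token, so rows can still be joined,
    but the token cannot be reversed or re-created without the key.  While the
    key exists the output is still personal data under GDPR (it is
    pseudonymised, not anonymised), so the key stays with the controller.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Format-preserving mask: keep the first character and the domain."""
    local, _, domain = email.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Keep spacing, '+' and the last two digits; replace every other digit with X."""
    digit_positions = [i for i, c in enumerate(phone) if c.isdigit()]
    keep = set(digit_positions[-2:])
    return "".join("X" if (c.isdigit() and i not in keep) else c
                   for i, c in enumerate(phone))


def build_test_subset(records, key: bytes, allowed_countries, limit: int):
    """Subsetting, minimisation, pseudonymisation and masking in one pass.

    - subsetting:      only rows from allowed_countries, at most `limit` rows
    - minimisation:    id and name are not copied into the test set at all
    - pseudonymisation: a keyed token (from the lower-cased e-mail) replaces identity
    - masking:         e-mail and phone keep their shape for UI/validation tests
    """
    out = []
    for rec in records:
        if rec["country"] not in allowed_countries:
            continue
        if len(out) >= limit:
            break
        out.append({
            "subject_token": pseudonymise(rec["email"].lower(), key),
            "email": mask_email(rec["email"]),
            "phone": mask_phone(rec["phone"]),
            "country": rec["country"],
            "claim_amount": rec["claim_amount"],
        })
    return out


def leaks_direct_identifier(test_rows, production_rows) -> bool:
    """Gate run before the subset leaves production: True if any direct
    identifier value from production appears verbatim in the test rows."""
    prod_values = {str(r[f]) for r in production_rows for f in DIRECT_IDENTIFIERS}
    return any(str(v) in prod_values for row in test_rows for v in row.values())


if __name__ == "__main__":
    # A fresh random key per extract; in practice it lives in the controller's key store.
    key = secrets.token_bytes(32)
    subset = build_test_subset(PRODUCTION_RECORDS, key, {"GB", "DE"}, limit=10)
    for row in subset:
        print(row)
    print("leak check passed:", not leaks_direct_identifier(subset, PRODUCTION_RECORDS))
```

Two design points worth noting for the vendor discussion: the HMAC key is what turns the token back into a person, so it is held by the controller and never shipped with the test data, and the leak check is the kind of "regular test" slide 32 asks for, run on every extract rather than once at onboarding.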
  • 37. Thank You! Joe Orlando, +1 352 409 5869, Joe@jgorlndo.com