2. Disclaimers
The opinions expressed in this presentation are my own and do not reflect
those of my current or past organizations.
I am from the Technical Team and NOT Legal/Compliance :)
3. What’s for today
GDPR is a business transformation, not an IT project
From the IT perspective the questions about customer data are:
- Who has access to it?
- Where is it stored?
- How is it shared?
- How is it protected?
- How could it leak?
So you hold customer data
4. Why?
• Businesses are built on the premise that data is the new oil
• API, app and IoT world emerging - data mashups
• Corporates too powerful
• GDPR regulates the industry with the customer at its heart
• Customers have been guinea pigs in marketing labs
• Need for digital identity sovereignty
Customer decides
5. GDPR Intro
• Trust and protect
• Asks business to change and protect the customer
• The customer owns his data
• Take it seriously
• Fines: up to €10m or 2% of group turnover (lower tier), up to €20m or 4% (upper tier), whichever is higher
Not just another regulation!
6. Why breach?
• Identity theft
• Financial gain
• Advertising and marketing
• Spying, stalking, bullying
Breach Impact
• Brand and reputation damage
• Loss of business
• Fines
Defensible Position
• Admit there will be a breach
• There is no hacker-proof system
• Be able to justify that you did your best to protect the data
11. Hackers
• Motivation: money
• GDPR may make ransomware and extortion more attractive
• Pay the ransom
• Or face the breach impacts
• Either way you still need to report the breach to the regulator (within 72 hours of becoming aware)
• Current targets
• Any profile data that enables identity theft or feeds the ads industry
• Financially attractive companies, rich in data volume
A breach is a breach!
14. Protect Your Customer
• Anti-virus
• Anti-malware
• Cookies encrypted
• TLS 1.2
• Know their behaviour
• List of trusted devices
• Trusted location/network
• 2nd factor authentication
Protect yourself from the customer
15. Baseline Safeguards
• No external drives
• Laptops encrypted
• Website access controlled
• No shared admin passwords
• No plaintext passwords in the DB
• Anti-virus and OS updates
• TLS for websites
• VPN from home or outside
• Legal contracts with third-party data processors
• Consent management software
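The "no plaintext passwords in the DB" item is usually done wrong rather than not at all (unsalted MD5, fast SHA-256). The following is an added example, not code from the presentation, showing how a password column should be stored: a per-user random salt, a deliberately slow PBKDF2-HMAC-SHA256 derivation, constant-time verification, and a check that lets you raise the work factor later without forcing every customer to reset. The `pbkdf2_sha256$iterations$salt$hash` record format and the sample user table are assumptions made for this example.

```python
"""Salted, slow password hashing for a customer table (added example)."""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256 (2023)
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$hash.

    A fresh random salt per password means two users with the same
    password get different records, defeating precomputed tables.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses fewer iterations than current policy.

    Call after a successful login and re-hash with the plaintext you just
    verified; this is how work factors get raised over time.
    """
    try:
        algo, iters, _, _ = stored.split("$")
        return algo != ALGO or int(iters) < iterations
    except ValueError:
        return True


# Constructed sample "users" table (hypothetical data, not real customers).
USERS = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("hunter2", iterations=100_000),  # legacy, weaker
}


def login(email: str, password: str) -> bool:
    """Verify a login and transparently upgrade weak records."""
    stored = USERS.get(email)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        USERS[email] = hash_password(password)
    return True
```

The same record for the same password differs between two calls to `hash_password` because of the random salt; that is the expected behaviour, not a bug. If `hashlib.scrypt` or Argon2 is available in your stack, prefer it with the same structure (self-describing record, constant-time compare, rehash on policy change).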
16. Intermediate Safeguards
• Protect your network: DMZ, internal and secure zones, firewalls
• Open only selected ports
• DB and backups encrypted
• 2nd factor authentication
• Vulnerability scanner software
• Anti-malware, e.g. Trusteer
• Unix desktops if possible (Mac OS X :) )
• Pseudonymisation whenever possible
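Pseudonymisation only counts under GDPR when the data can no longer be attributed to a person without additional information kept separately. A plain SHA-256 of the e-mail address does not meet that bar: anyone with a list of plausible addresses can rebuild the mapping. The following is an added example, not code from the presentation, contrasting the unkeyed hash with an HMAC under a secret key held apart from the data (in a KMS or the HSM the advanced slide mentions), and showing a dictionary re-identification attack succeeding against the former and failing against the latter. The customer records, the `purpose` label and the function names are assumptions made for the example.

```python
"""Pseudonymisation of customer identifiers: unkeyed hash vs keyed HMAC (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical, not real customers).
CUSTOMERS = [
    {"customer_id": 1001, "email": "alice@example.com", "plan": "gold", "spend_eur": 1200},
    {"customer_id": 1002, "email": "Bob@Example.com", "plan": "silver", "spend_eur": 310},
    {"customer_id": 1003, "email": "carol@example.org", "plan": "gold", "spend_eur": 980},
]


def normalise(identifier: str) -> bytes:
    # Canonicalise so "Bob@Example.com" and "bob@example.com" map to one pseudonym.
    return identifier.strip().lower().encode("utf-8")


def unkeyed_pseudonym(identifier: str) -> str:
    # Plain SHA-256: deterministic and secret-free. Anyone can rebuild the
    # mapping by hashing candidate identifiers, so this is NOT pseudonymisation
    # in the GDPR sense.
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, purpose: bytes = b"analytics") -> str:
    # HMAC-SHA256 under a secret key stored separately from the data set.
    # The purpose label is mixed in so one key yields unlinkable pseudonyms
    # for different processing purposes (analytics vs fraud, say).
    return hmac.new(key, purpose + b"\x00" + normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes, purpose: bytes = b"analytics"):
    # Replace direct identifiers with the pseudonym and keep only the
    # attributes the stated purpose needs (data minimisation).
    return [
        {"pseudonym": keyed_pseudonym(r["email"], key, purpose),
         "plan": r["plan"], "spend_eur": r["spend_eur"]}
        for r in records
    ]


def reidentify(pseudonym: str, candidates, pseudonym_fn):
    # Dictionary attack: enumerate plausible identifiers (a leaked marketing
    # list, a public directory) and compare. Returns the match or None.
    for cand in candidates:
        if hmac.compare_digest(pseudonym_fn(cand), pseudonym):
            return cand
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)  # in production: KMS/HSM, never beside the data
    leaked_candidates = [r["email"] for r in CUSTOMERS]  # attacker's guess list
    weak = unkeyed_pseudonym("alice@example.com")
    strong = keyed_pseudonym("alice@example.com", key)
    return {
        # Unkeyed hash: reversed immediately from the candidate list.
        "unkeyed_reversed": reidentify(weak, leaked_candidates, unkeyed_pseudonym),
        # Keyed pseudonym: attacker without the key gets nothing...
        "keyed_reversed_without_key": reidentify(strong, leaked_candidates, unkeyed_pseudonym),
        "keyed_reversed_wrong_key": reidentify(
            strong, leaked_candidates, lambda e: keyed_pseudonym(e, secrets.token_bytes(32))),
        # ...while the data controller holding the key can still link records.
        "keyed_reversed_with_key": reidentify(
            strong, leaked_candidates, lambda e: keyed_pseudonym(e, key)),
    }
```

The key is the "additional information" GDPR talks about: whoever holds it can re-link the data, so it must be access-controlled and stored apart from the pseudonymised set, and rotating it re-pseudonymises everything downstream.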
17. Advanced Safeguards
• Defence in depth: multiple ring fences
• Industry-standard IAM products
• Threat detection and prevention
• Cyber security software
• Web application firewalls
• Privileged access management (PAM)
• Secure restricted zone
• Penetration testing
• Hardware security module (HSM) based encryption
• Total pseudonymisation
18. Are you tracking online Customers?
• Cookies
• Online customer tracking on your websites?
• Google Analytics on your websites?
• Search engine indexing?
• Blog/comments on your websites
• Data feeding the ads industry
• Real-time bidding (RTB)
• Google, Facebook and Amazon are changing the way they operate
19. PSD2 Dimension
• Breach: Fintechs are responsible, and they are the DC (data controller)
• Debate: banks are still data controllers with respect to Fintechs
Diagram (roles as labelled on the slide):
Customers
Fintech Companies | Banks | Third Party
DP | DC | DC