
26 May 2018, from GDPR to sustainable GDP
This webinar provided insights on the upcoming General Data Protection Regulation (GDPR), which becomes enforceable in May 2018. It also covered the requirements that help you get GDPR compliant, and the methods and techniques that help you build sustainable data protection practices.

Main points covered:

• How to move from GDPR to a GDP way of thinking?
• How can we use the GDPR to build data protection into the company DNA?
• What is required, for all parties in the story, to make it work?
• How can we build sustainable data protection practices?

Presenter:

Peter Geelen is owner and managing consultant at Quest For Security, Belgium. His domain of expertise covers Enterprise Security, Identity & Access Management, Information Protection, Privacy, Cybersecurity, Cloud Security, Corporate Security Policies, Security Hardening and Disaster Recovery Planning. Mr. Geelen is an accredited and authorized trainer for Microsoft (MCT), ISC² and PECB. He has received the Microsoft MVP Enterprise Mobility (Identity and Access) award five times so far, between 2008 and 2018.

Link to the recorded webinar:

Additional links:

Enisa Report on GDPR Certification:
https://www.enisa.europa.eu/news/enisa-news/enisa-report-concepts-and-recommendations-on-european-data-protection-certification-mechanisms

Recommendations on European Data Protection Certification (Download):
https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification/at_download/fullReport


Slide transcript:

  1. Title slide
  2. Presenter Bio
     Peter Geelen, Managing Consultant - Quest For Security, http://ffwd2.me/pgeelen
     Identity & Access, Security, Privacy, CISO, Coach, Accredited Trainer, …
     ISO27001 Master – CIPP/E & CIPM
     * Certified for Enterprise and Cloud Security & Privacy
  3. Session objectives and takeaways: From GDPR to sustainable GDP
     • GDPR today
     • Y2K vs GDPR
     • Beyond the hype – the GDPR core
     • Why is it so difficult?
     • Moving to GDP
     • Making it sustainable, GDP in your DNA
     • Take-aways
  4. GDPR Today (section divider)
  5. Where are we today?
     Survey results (chart on the slide):
     • Ready: 4%
     • Well underway: 11%
     • Started: 23%
     • Not Ready - preliminary plan: 39%
     • Not Ready - plan in place: 18%
     • HUH??: …
     Source: TrustArc (7 Jun 2017)
  6. GDPR, a hype?
     Business / Marketing focus:
     • Fines
     • Direct marketing
     • Tools, tools, tools…
     • Focus on failure
     25 May 2018: pressure increasing exponentially
     Information overload causing GDPR fatigue
  7. Y2K vs GDPR (section divider)
  8. Y2K vs GDPR?
     Similarities
     • Last-minute response to deadline…
     • Technology focus
     • Platform design issues…
     Differences
     • Source of the issue (law vs technology)
     • Long-term effect: GDPR is here to stay…
     • Principles
  9. Some side notes
     As with Y2K, many companies think implementing “just the GDPR stuff” is enough…
     But data protection is a moving target: getting compliant vs keeping compliant.
     Not ‘compliant’ = violation of the law (you know what happens, right?)
  10. Some side notes
     Plus, there are some major flaws in the GDPR-only approach:
     • GDPR is law, not security best practice
     • Law is years behind reality
     • Protection is minimum minimorum
     • GDPR is about personal data, not your company data
     • Very few (or say: no) successful reference cases
     • There is no certification (yet)
  11. Why didn’t we move earlier?
     We could have started 2 (or 4) years ago, but:
     - No one got killed (yet)…
     - Responsibility doesn’t hurt
     - Accountability, … (not yet)*
     - The subject doesn’t/cannot exercise the power…
  12. What if…
     We could compare it with aviation…
     - Secure by default
     - Secure by design
     - Every detail matters (to the level of nuts & bolts)
     - Regulation is up to date with reality
     - Updated on the fly
  13. Beyond the hype – the GDPR core (section divider)
  14. Free give-away
     GDPR official text:
     • http://bit.do/GDPR_All (all languages)
     • http://bit.do/GDPR_EN (88 p., EN only)
     Did you take the time to read it, yet?
  15. GDPR Crash Course
     GDPR regulation, 88 pages with
     • 173 recitals
     • 99 articles (not mentioning the executive directive)
     Recitals are the reasons why GDPR exists. Articles formulate ‘the law’.
     Applies to any data sourced from EU people or EU-based company offices.
  16. GDPR Crash Course
     1995: Directive 95/46/EC is adopted
     2011: EDPS publication
     2012: EC proposal to strengthen online privacy rights and digital economy
     03/2014: EP adopts GDPR
     12/2015: EP, Council and EC reach an agreement on the GDPR
     24/5/2016: The Regulation enters into force
     25/5/2018: GDPR will apply
  17. What’s new then?
     The novelty of GDPR is the focus on…
     • Privacy by design/default
     • State-of-the-art techniques
     • People/Process/Technology
     • Purpose/data limitation
     … and more
  18. GDPR Crash Course: Articles
     Chapter     Topic                        Articles
     Chapter 1   General                      1-4
     Chapter 2   Principles                   5-11
     Chapter 3   Rights of the subject        12-23
     Chapter 4   Controller & processor       24-43
     Chapter 5   Data transfers               44-49
     Chapter 6   Supervisors                  51-59
     Chapter 7   Cooperation & consistency    60-76
     Chapter 8   Remedy & liability           77-84
     Chapter 9   Specific processing          85-91
     Chapter 10  Delegated acts               92-93
     Chapter 11  Final                        94-99
  19. GDPR Crash Course: Chapter 2
     Article 5   Principles relating to processing of personal data
     Article 6   Lawfulness of processing
     Article 7   Conditions for consent
     Article 8   Conditions applicable to child's consent in relation to information society services
     Article 9   Processing of special categories of personal data
     Article 10  Processing of personal data relating to criminal convictions and offences
     Article 11  Processing which does not require identification
  20. GDPR Crash Course: Article 5
     • lawfulness, fairness and transparency
     • purpose limitation
     • data minimization
     • accuracy
     • storage limitation
     • integrity and confidentiality
     • accountability
     Watch out: you can’t use prod data in dev
  21. GDPR Crash Course: Chapter 3
     Article 12  Transparent information, communication and modalities for the exercise of the rights of the data subject
     Article 13  Information to be provided where personal data are collected from the data subject
     Article 14  Information to be provided where personal data have not been obtained from the data subject
     Article 15  Right of access by the data subject
     Article 16  Right to rectification
     Article 17  Right to erasure (‘right to be forgotten’)
     Article 18  Right to restriction of processing
  22. GDPR Crash Course: Chapter 3
     Article 19  Notification obligation regarding rectification or erasure of personal data or restriction of processing
     Article 20  Right to data portability
     Article 21  Right to object
     Article 22  Automated individual decision-making, including profiling
     Article 23  Restrictions
  23. GDPR Crash Course: Chapter 4
     Article 25  Data protection by design and by default
  24. Why is it so difficult? (section divider)
  25. (Cartoon slide: the stakeholders and what they say to each other)
     Stakeholders: Management, Legal, IT, Business, Project Management, DPO, Customer/Prospect
     Speech bubbles on the slide:
     “Accountable?? Me in court?? Get that GDPR fixed. NOW!”
     “That’s an IT job.”
     “We don’t do projects. We need rules.”
     “Business, what first? Budget please.”
     “We don’t manage projects!”
     “Don’t care about the law. Make it run. Cheap. Fast. Reliable. Secure.”
     “Hey legal, cover mgmt @$$”
     “Focus on customer/prospect privacy protection. …”
     Customer/Prospect: “HEY!! You got my data, I’m talking to you!!”
     “We can’t write policies. Poke the DPO.”
  26. And, where to start?
     Re(tro)actively plugging the holes in your security? Which holes? (Security is not just technology…)
     PPT: rules, policies or infrastructure first?
     Proactively starting the new projects with the security-by-design approach? What about the existing platforms?
     Quick wins for maximum visibility (reputation)?
     Or using the 20/80 Pareto principle? (high impact with minimal effort)
  27. ISO27001 to the rescue
     Don’t think too hard, pick the data protection key points…
     The GDPR / data protection requirements map almost 1-on-1 to ISO27001
  28. Mapping GDPR to ISO27001
     GDPR                                          ISO 27001
     1…4 Intro, scope, reference, terms            <Business> 4. Context of the organization
     Policy, Accountability/Responsibility, Legal  5. Leadership
     <Project Mgmt>                                6. Planning
     Awareness                                     7. Support (Competence, Awareness, Communication)
     Security implementation, Data protection      8. Operations
     Monitoring                                    9. Performance evaluation
     <and keep improving>                          10. Improvement
  29. ISO27001 Measures
     ISO 27001 Annex A = ISO27002
     (A)5  IT security policies
     (A)6  Understanding your organization
     (A)7  Human resources
     (A)8  Asset management (incl. classification)
     (A)9  Access control
     (A)10 Cryptography
     (A)11 Physical & environment
  30. ISO27001 Measures
     ISO 27001 Annex A = ISO27002
     (A)12 Operations
     (A)13 Network
     (A)14 System acquisition
     (A)15 Suppliers
     (A)16 Incident management
     (A)17 BCM/DRP
     (A)18 Compliance
  31. ISO27001 Small steps
     (Diagram) Source: http://www.conceptdraw.com/
  32. Moving to GDP (section divider)
  33. Newsflash
     Source: https://twitter.com/Gartner_SYM/status/927802476572549121 (6 Nov 2017)
     “GDP, privacy and #security are not a one and done. It’s a conversation we are going to have a long time. @BradSmi #GartnerSYM”
  34. GDP Focus Shift
     GDPR demands that you build data protection
     • with primary focus on privacy
     • from the ground up
     But… there is no privacy without security.
     And there is more to protect than just privacy.
     To overcome the GDPR shortcomings, better adopt security by design – security by default.
  35. GDP is more …
     Getting data protection in place is not a one-off, it’s a long-term investment…
     And you need to get EVERYONE on board.
     GDP is an ecosystem.
  36. GDP is more …
     Management, Legal, IT, Business, Your Employees
  37. How to make GDP sustainable (section divider)
  38. GDP in your DNA
     People tend to forget and get sloppy.
     Security fades over time if you stop fueling it.
     The IT security fuel:
     • Awareness
     • Behaviour
     • Culture
  39. GDP in your DNA
     The goal of awareness is to change behavior.
     Changing habits and behavior takes time (90d+).
     Main components:
     1. Competence (knowledge & skills)
     2. Training
     3. Communication*
  40. Security & communication
     1. You cannot “not communicate”
        - Even when you say nothing, you say something
     2. Bad communication is worse than no communication
        - Don’t put an IT guy in front of the cameras, let MarCom handle it
     3. The human brain doesn’t handle NEGATION very well
        - Don’t think about the pink elephant
     4. Attention span
        - Max 3 concepts/ideas at a time
        - Focus 10 minutes
     5. KISSS (Keep it short, stupid … and sexy)
     https://www.isc2chapter-belux.com/wp-content/uploads/2017/10/01-ISC2-BELUX-Security-ABC-Intro.pdf
  41. Security & communication
     6. Repeat
     7. Repeat
     8. … Repeat
  42. Supporting Security ABC
     People will only change behavior if their company backs them up.
     Importance of company security reputation.
     Supporting:
     • Just (righteous) culture
     • Responsible disclosure
     • Constructive feedback
     • Transparent (do what you say, say what you do)
     • Continuous improvement
  43. Takeaways (section divider)
  44. Conclusions
     Take a bit of time to dive into GDPR yourself
     • It’s there and it will stay
     • Better get ready, even if you’re not a lawyer
     Get the best out of security best practices
     • Get into ISO27001, ISO27002 (implementation), ISO27005 (risk)
     • ISO27018 (PII in cloud)
     • ISO27032 (cybersecurity)
     • ISO29100 privacy framework
     Get GDP in your DNA, using the security ABC
     • Build layered security in People, Process & Technology
     • Be ready for any security threat in the future
  45. PECB
     GDPR white paper: https://pecb.com/whitepaper/general-data-protection-regulation-gdpr
     Turning GDPR into an opportunity: https://pecb.com/article/how-to-turn-gdpr-compliance-into-an-opportunity
  46. © 2017 Quest For Security. All rights reserved. PECB and other product names are or may be registered trademarks and/or trademarks of their respective owners in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of the respective owners as of the date of this presentation. Because vendors must respond to changing market conditions, it should not be interpreted to be a commitment on the part of the vendors or Quest For Security, and Quest For Security cannot guarantee the accuracy of any information provided after the date of this presentation. QUEST FOR SECURITY MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
     No Security without Identity, No Identity without Security
  47. General Data Protection Regulation (GDPR) Training Courses
     • GDPR Introduction: 1-day course
     • GDPR Foundation: 2-day course
     • Certified Data Protection Officer: 5-day course
     Exam and certification fees are included in the training price.
     https://pecb.com/en/education-and-certification-for-individuals/data-protection | www.pecb.com/events
  48. THANK YOU
     Peter@questforsecurity.be
     http://www.questforsecurity.be
     https://www.linkedin.com/in/pgeelen/
     @geelenp