The countdown has begun, not only towards the moment when the British Parliament invokes Article 50 and starts the official Brexit procedure, but also towards 25 May 2018, the day the EU General Data Protection Regulation (GDPR) takes effect. The good news: you have until that day to bring your organisation into compliance with the legislation. The bad news: although it sounds like a long time, there is a lot to be done.
GDPR Webinar - feb
1. Be Prepared for the GDPR Legislation
Vincent Vanbiervliet
Product Management, Data Protection
21 February 2018
2. Agenda
• What is the GDPR
• How companies lose data
• A risk-based approach to the GDPR
• Recommendations
• Resources
• Q&A
We are an IT security company, and not a legal firm. This means that the content of this presentation represents our views, and it does NOT constitute legal advice. If you wish to ensure your company is legally covered, consider consulting specialized legal counsel.
3. GDPR in less than two minutes…
What? The EU General Data Protection Regulation (GDPR) is a new law that strengthens privacy for EU individuals.
Who? All organizations that hold personally identifiable data on EU individuals. Even organizations based outside of the EU must comply.
When? Enforcement begins on 25 May 2018. Many countries are implementing it sooner.
4. GDPR in less than two minutes…
Tough penalties: fines of up to €20,000,000 or 4% of annual global revenue, whichever is higher…
…in addition to all other costs associated with a data breach.
The GDPR gives authorities greater powers to take action against businesses that breach the new laws.
5. Three months and counting…
What's your approach? Are you prepared?
Varied levels of readiness:
- By geography
- By company size
- By vertical industry
- By business type
- Etc.
Many approaches:
- PANIC!
- "Wait-and-see"
- "It doesn't apply to me"
- Risk-based approach
- Etc.
…and we see lots of different tactics!
8. How Companies Lose Data 2017
[Pie chart: 2017 data breaches by cause, source Privacy Rights Clearinghouse. Categories: Hacking or Malware, Unintended Disclosure, Portable Devices, Physical loss, Other. Slice labels as extracted: 58%, 27%, 2%, 12%, 1%.]
Includes mega-breaches totalling 1.7B records (Disc = unintended disclosure, Hack = hacking):
- 1,370M – River City Media (Disc)
- 198M – Deep Root Analytics (Disc)
- 145M – Equifax (Hack)
9. How far do you go to manage the risk to your data/IT assets?
Risk mitigation scale (IT security effort from lower to higher): Apathy at the low-effort end, then Basic, up to Lowest risk at the high-effort end.

Top causes for data loss*                   Common ways to lose data
Hacking, malware, or malicious code (57%)   Advanced malware; ransomware and exploits; unauthorized access and credential theft
Portable devices and physical loss (17%)    Lost or stolen laptops and storage devices; lost or stolen mobile devices, tablets, and IoT devices
Unintended disclosure (22%)                 Human error, loss via email, or loss via cloud storage
Other (4%)                                  Malicious insider

* Percentages based on number of incidents according to data from Privacy Rights Clearinghouse
10. Must-have Controls, Policies, and Actions
STATE OF THE ART: Define and document what you consider to be "State of the Art", and be prepared to defend it.
REDUCE WAYS TO LOSE DATA: 1. Stop the top causes of data loss. 2. Stop threats at the door. 3. Reduce human error.
DATA GOVERNANCE: What personal data do I have? Where is it? Why do I have it? Do I need it? Etc.
11. How to Prepare for the GDPR
1. Take ownership of your GDPR readiness
2. Evaluate your risk exposure
3. Determine your investment level
4. Get executive buy-in
5. Invest in "state of the art" best practices
12. How far do you go to manage the risk to your data/IT assets?
Risk mitigation scale (IT security effort from lower to higher): Apathy at the low-effort end, then Basic, up to Lowest risk at the high-effort end.

Top causes for data loss*                   Common ways to lose data
Hacking, malware, or malicious code (57%)   Advanced malware; ransomware and exploits; unauthorized access and credential theft
Portable devices and physical loss (17%)    Lost or stolen laptops and storage devices; lost or stolen mobile devices, tablets, and IoT devices
Unintended disclosure (22%)                 Human error, loss via email, or loss via cloud storage
Other (4%)                                  Malicious insider

Which Sophos tools could help: Endpoint Protection, Intercept X, Server Security, Device Encryption, Sophos Mobile, SafeGuard Encryption (available on premises or via Sophos Central).

* Percentages based on number of incidents according to data from Privacy Rights Clearinghouse
13. Summary and Suggestions
• The GDPR is coming 25 May 2018
• The GDPR is good practice, not just a lead weight
• The GDPR preparations are useful for most compliance laws
• The GDPR can provide unexpected competitive advantages
1. Learn more, become aware and accountable
2. Develop a plan, show positive action, and document it
3. Reduce the ways you can lose data
14. Useful Links
• Sophos GDPR landing page:
https://www.sophos.com/eu
• European Data Protection Supervisor:
https://edps.europa.eu/
• European Commission, new overview of GDPR reform:
https://europa.eu/dataprotection
• European Commission, Article 29 Working Party (“WP29”):
http://ec.europa.eu/justice/data-protection/article-29/index_en.htm
15. Full GDPR text on the go!
Search for "EU Data Protection" (by EDPS)