
3GRC approach to GDPR V 0.1


Topics covered: Cyber Security & Data Protection Considerations for GDPR; GDPR Overview; Data Centric Quick Wins; Streamlining with Technology; Monitor and Measure GDPR Risks.

Published in: Technology


  1. Cyber Security & Data Protection Considerations for GDPR
     Steve Smith, CEO, 3GRC

  2. Session Agenda
     01 GDPR Overview (2018 Looms): overview of the key aspects of GDPR and how it is going to impact SMEs on a foundational level.
     02 Ideal Approach (A Better Way): mechanisms for getting the business prepared and developing mature data centric methodologies.
     03 Common Issues (We Make Mistakes): common mistakes experienced by SMEs deploying a data centric methodology to support GDPR compliance.
     04 Questions (Quiz Me): opportunity to ask industry specific points and share experiences in GDPR preparation.

  3. GDPR Overview: Key Aspects of GDPR
     Timescales: takes effect on 25 May 2018, with an expectation that businesses have already begun maturing their data centric workflows.
     Penalties: fines of up to 4% of global annual turnover or €20m, whichever is higher, scaled according to the due diligence measures in place and the scale of the breach or non-compliance.
     Scope: European individuals' data, both internally and through the supply chain; DPIAs are required for sensitive data or large scale processing.
     Applicability: any organisation processing personal data on European individuals, irrespective of where the organisation is located.
     Accountability: national supervisory authorities have the power to impose penalties and govern, potentially providing a local revenue stream and local precedents.

  4. GDPR Overview: Key Principles
     1. Lawfulness, Fairness & Transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (opt-in consent where consent is the lawful basis relied on).
     2. Purpose Limitation: personal data must be collected for specified, explicit purposes and not further processed in a manner incompatible with them. Further processing for archiving purposes in the public interest, or for scientific, historical or statistical purposes, is permitted subject to the safeguards in Article 89(1).
     3. Data Minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
     4. Accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure inaccurate personal data is erased or rectified without delay.
     5. Storage Limitation: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.
     6. Integrity & Confidentiality: personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
     7. Accountability: the controller is responsible for, and must be able to demonstrate, compliance with these principles.
     Scope: does not end at the perimeter; it extends to data flows and to relationships with third parties and even fourth parties.

  5. Ideal Approach: Logical Methodology
     Many organisations are fixing gaps in time for 2018. Informed data-centric tracking is key and brings wider business benefit through informed security controls rather than a traditional perimeter. Internal data flow visibility is key.
     Visibility (Understanding the Gaps): leverage GDPR surveys to identify non-compliance. Identify the disparate business units, as there are likely to be variances in workflows. Technology can drive efficient visibility. Seek funding from the board for remediation.
     Remediation (Working to Compliance): use standard remediation risk registers to proactively address gaps and schedule remediation timescales. Benchmark variance between business units where necessary, to foster competition and identify stragglers.
     Maintenance (Keeping the Consistency): once 'compliance' is achieved, schedule bi-annual reviews with the disparate business workflows to identify any lapses as they occur over time. Continue testing and auditing. Technology assists with this process.

  6. Ideal Approach: Data Centric Quick Wins
     Assign a Data Protection Officer: not always mandatory, but recommended for executive buy-in.
     Adjust Contracts: apply GDPR clauses to all new contracts and track renewals of existing contracts for amendment.
     Incident Management: assess your incident management process to ensure it allows speedy identification, or at least speedy reaction; personal data breaches must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them.
     Audit Trails: build the data centric audit trail for future maturity, bearing in mind the right to audit.
     Employee Awareness: embed a 'little and often' training approach for staff, covering both risk and knowledge.

  7. Ideal Approach: Data Governance
     Full Data Mapping: regularly conduct scheduled surveys and discovery scans to identify data flows, creating a live data asset map of PII attributes. The map should record quantity, transfers, owner and the data attributes held.
     Data Silo Controls: cross reference the data asset map against the security mechanisms in place. Don't rely on the perimeter; consider internal access. Long term aspirations should include identifying PII and treating it as a critical data set protected separately from the standard hardened perimeter. This good practice is largely transferable to any critical business dataset.
     Privacy Impact Assessments: consider both privacy by design and the right to be forgotten in any new system, and develop plans to bring legacy systems up to the same controls.
     Subject Access Requests: cannot be charged for unless manifestly unfounded or excessive. Responses are due within one month (extendable by two further months for complex or numerous requests); user ownership of data or data discovery tools are recommended to meet this.
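The 'Full Data Mapping' and 'Data Silo Controls' points above describe a discovery scan that feeds a live asset map, which is then cross-referenced against access controls. As an added illustration of that loop (this is not 3GRC's code, nor any tool the deck shows), the following Python scans a few constructed sample data stores for PII attributes, builds an asset map recording owner, attribute counts and access list, and flags PII stores that are readable by broad principals or have no registered owner. Store paths, owners, ACLs and records are all constructed for the example; the regexes are deliberately simple detectors rather than validated identifiers.

```python
"""PII discovery scan over constructed sample data stores, producing a data
asset map and cross-referencing it against access controls.

Added example for the 'Full Data Mapping' and 'Data Silo Controls' points;
it is not 3GRC's code. Store names, owners, ACLs and records are constructed.
"""
import re
from collections import Counter, defaultdict

# Detectors for a few PII attribute types. Deliberately simple: production
# discovery tools add validation (NI number prefix rules, checksums) to cut
# false positives.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number layout, e.g. AB 12 34 56 C (prefix rules not checked)
    "uk_nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    # International phone numbers written with a + prefix
    "phone": re.compile(r"\+\d{1,3}[\s-]?\d{3,4}[\s-]?\d{3}[\s-]?\d{3,4}\b"),
    # Dates of birth written dd/mm/yyyy
    "dob": re.compile(r"\b\d{2}/\d{2}/(?:19|20)\d{2}\b"),
}

# Constructed data stores: owner, access list and raw content to be scanned.
SAMPLE_STORES = {
    "hr/payroll_export.csv": {
        "owner": "HR",
        "acl": ["hr-payroll"],
        "content": "Jane Doe,jane.doe@example.co.uk,AB 12 34 56 C,12/03/1985\n"
                   "John Roe,john.roe@example.co.uk,AB 65 43 21 D,02/11/1979\n",
    },
    "shared/all_staff/old_customer_list.xlsx": {
        "owner": None,  # no registered owner: itself a finding
        "acl": ["Everyone"],
        "content": "ACME Ltd, buyer@acme.example, +44 7700 900123\n"
                   "Smith Co, s.smith@smithco.example, +44 7700 900456\n",
    },
    "eng/build_logs.txt": {
        "owner": "Engineering",
        "acl": ["eng"],
        "content": "2017-11-02 build 4521 ok\n2017-11-03 build 4522 failed\n",
    },
}

# Access principals treated as 'broad' when they can read a PII store.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


def scan_store(content):
    """Return a Counter of PII attribute -> number of matches in content."""
    found = Counter()
    for attr, pattern in PII_PATTERNS.items():
        found[attr] += len(pattern.findall(content))
    return found


def build_asset_map(stores):
    """Build the data asset map: one entry per store holding PII, with its
    owner, the attributes present, match counts and access list."""
    asset_map = {}
    for path, meta in stores.items():
        counts = scan_store(meta["content"])
        pii = {attr: n for attr, n in counts.items() if n}
        if not pii:
            continue  # no PII found; the store stays out of the map
        asset_map[path] = {
            "owner": meta["owner"],
            "attributes": pii,
            "total_matches": sum(pii.values()),
            "acl": list(meta["acl"]),
        }
    return asset_map


def cross_reference(asset_map):
    """Data silo control check: cross-reference the asset map against access
    controls and ownership, flagging PII stores readable by broad principals
    and stores with no accountable owner."""
    findings = defaultdict(list)
    for path, entry in asset_map.items():
        broad = BROAD_PRINCIPALS.intersection(entry["acl"])
        if broad:
            findings[path].append(
                "PII readable by broad principal(s): " + ", ".join(sorted(broad)))
        if entry["owner"] is None:
            findings[path].append("no registered data owner")
    return dict(findings)


if __name__ == "__main__":
    amap = build_asset_map(SAMPLE_STORES)
    for path, entry in amap.items():
        print(path, entry["owner"], entry["attributes"], entry["acl"])
    for path, issues in cross_reference(amap).items():
        for issue in issues:
            print("FINDING", path, "-", issue)
```

Run against the constructed stores, the build log drops out of the map, the payroll export is recorded with its HR owner and restricted ACL, and the shared customer list is flagged twice: it is readable by Everyone and has no owner. In a real estate the content would come from file shares, databases and SaaS exports, and the ACLs from the platforms themselves; the shape of the map and of the cross-reference check stays the same.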
  8. Common Issues
     Training and Awareness: emphasis on large scale training as a tick box exercise, followed by a continuing fight for business change and widespread adoption. Scare tactics alone don't help.
     Data Protection Officer Skills: having the wrong role spearheading data protection. A DPO needs to be on board and suitably informed on both the legislation and logical good practice.
     Data Workflow Identification: keeping visibility static, or focusing solely on structured data. Not leveraging business intelligence to establish ownership.
     Registered Regulatory Authority: not considering which supervisory authority will be responsible for the business. The lead authority follows the main establishment, i.e. where decisions on the purposes and means of processing are taken, rather than where the majority of the data sits.
     Silo Protection: becoming focused on doing too much rather than intelligently applying proportionate controls and processes based on key risk areas. What works for one business unit doesn't always work for another.
  9 & 10. Streamlining with Technology: 3GRC – Define GDPR Surveys
     Create GDPR surveys; use or tailor existing content.
  11 & 12. Streamlining with Technology: 3GRC – Manage GDPR Risks
     Generate risks automatically; manage and discuss them with clients and their supply chain.
  13. Streamlining with Technology: 3GRC – Monitor and Measure GDPR Risks
     Monitor and measure risk remediation progress.