SlideShare a Scribd company logo
1 of 13
Download to read offline
Cyber Security & Data Protection
Steve Smith– CEO - 3GRC www.3grc.co.uk
Considerations for GDPR
Session Agenda
04
03
02
01
GDPR Overview
Ideal Approach
Common Issues
Questions
2018 Looms
Overview of the key aspects of
GDPR and how it is going to
impact SMEs on a foundational
level.
A Better Way We Make Mistakes
Mechanisms for getting the
business prepared and
developing matured data centric
methodologies.
Quiz Me
Opportunity to ask industry
specific points and share
experiences in GDPR
preparation.
Common mistakes experienced
by SMEs deploying a data centric
methodology to support GDPR
compliance.
GDPR Overview
Key Aspects of GDPR
Penalties
Timescales
Applicability
Scope
Taking effect in May
2018, with an
expectation that
businesses have
begun maturing their
data centric
workflows.
Potential fines locked
at up to 4% of global
turnover or €20m,
based on due
diligence measures
and scale of a data
breach/non
compliance.
European Individuals
data both internally
and through the
supply chain,
leveraging DPIAs for
sensitive data or large
scale processing.
Any organisation
exposed to personally
identifiable material
on a European
Individual, irrespective
of location.
Regional authorities
have the power to
impose and govern,
potentially providing a
local revenue stream
and local precedents.
Accountability
GDPR Overview 1. Lawfulness, Fairness & Diversity
Processed data lawfully, fairly and in a
transparent manner in relation to the data
subject – Opt-in
2. Purpose Limitation
Personal data must be collected and
leveraged for specific purposes. Processing
of PI for archiving purposes in the public
interest, or scientific and historical purposes
is ok. Article 83(1) outlines safeguards.
3. Data Minimisation
Personal data must be adequate, relevant
and limited to those which are necessary in
relation to the purposes for which they are
processed.
4. Accuracy
PI must be accurate and where necessary, kept up to date. Steps
taken to ensure inaccurate PI is erased or rectified without delay.
Scope
Doesn’t end at the perimeter and extends
to data flows and relationships with third
parties and even fourth parties.
7. Accountability
The controller shall be responsible for and
be able to demonstrate compliance with
these principles.
6. Integrity & Confidentiality
PI must be processed in a manner ensuring appropriate
security of personal data, including unlawful processing
and accidental loss, destruction or damage.
5. Storage Limitation
PI must be kept in a form which permits
identification of data subject for no longer than
necessary based on purposes for processing.
Key
Principles
Ideal Approach
Visibility
Remediation
Maintenance
Understanding the Gaps
Leverage GDPR surveys to identify non-
compliance. Identify disparate business unit as
there is likely to be variances in workflows.
Technology can drive efficient visibility. Seek
funding from the board for remediation.
Working to Compliance
Use standard remediation risk registers to
proactively address gaps and schedule
remediation timescales. Benchmark business
variance where necessary to foster competition
and identify stragglers.
Keeping the Consistency
Once ‘compliance’ is achieved, schedule
reviews bi-annually with disparate business
workflows to identify any lapses as they occur
over time. Continue testing and auditing.
Technology assists with this process.
Logical Methodology
Many organisations are fixing gaps in time for
2018. Informed data-centric tracking is key and
brings wider business benefit through informed
security controls rather than a traditional
perimeter. Internal data flow visibility is key.
Assign Data Protection Officer
Not always mandatory, but
recommended for executive buy
in
Adjust Contracts
Apply contract clauses for all
emerging contracts and track
renewals for amendment
Incident Management
Assess your IM process to ensure it
allows speedy identification, or at
least reaction
Audit Trails
Build the data centric audit
trail for future maturity
considering right to audit
Employee Awareness
Embed a ‘little and often’ training
approach for staff, for both risk
and knowledge
Ideal Approach
Data Centric Quick Wins
Ideal Approach
Data Governance
Data Silo
Controls
Cross
reference
data asset
maps against
security
mechanisms.
Don’t rely on
the perimeter
and consider
internal
access.
Long term aspirations should include the identification of data, treating PII as a critical data
set separate from a standard hardened perimeter. This good practice is largely transferrable
to any critical business dataset.
Privacy Impact
Assessments
Consider both
privacy by
design and right
to be forgotten
in any new
systems, and
develop plans
for legacy
systems to
include controls.
Subject Access
Requests
Cannot be
charged unless
excessive or
unfounded. 30
days for
delivery,
recommend
user ownership
or data
discovery tools.
Full Data Mapping
Regularly conduct
scheduled
surveys/discovery
scans to identify
data flows,
creating a live data
asset map of PII
attributes. This
includes quantity,
transfer, owner,
data attributes.
Common Issues
Training and Awareness
Emphasis on large scale training for
a tick box, then continuing to fight
for business change and
widespread adoption. Scare tactics
alone don’t help.
Data Protection Officer Skills
Having the wrong role spearheading data
protection. A DPO needs to be onboard and
suitably informed on both legislation and
logical good practice.
Data Workflow Identification
Keeping visibility static or focusing on
structured data solely. Not leveraging
business intelligence for ownership
Registered Regulatory Authority
Not considering which regulatory authority
will be responsible for the business.
Decision making location for infosec/data
management can be the locale, rather than
majority of data.
Silo Protection
Becoming focused on doing too much rather than
intelligently applying proportionate controls and
processes based on key risk areas. What works for
one BU doesn’t always work for another.
Streamlining with Technology
3GRC – Define GDPR Surveys
Create GDPR Surveys, Use or Tailor Existing Content
Streamlining with Technology
3GRC – Define GDPR Surveys
Create GDPR Surveys, Use or Tailor Existing Content
Streamlining with Technology
3GRC – Managed GDPR Risks
Generate risks automatically, manage and discuss with
clients and their supply chain
Streamlining with Technology
3GRC – Define GDPR Surveys
Generate risks automatically, manage and discuss with
clients and their supply chain
Streamlining with Technology
3GRC – Monitor and Measure GDPR Risks
Monitor and measure risk remediation progress

More Related Content

What's hot

An Essential Guide to EU GDPR
An Essential Guide to EU GDPRAn Essential Guide to EU GDPR
An Essential Guide to EU GDPRTripwire
 
GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017Amarach Research
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for developmentTomppa Järvinen
 
Are you preparing for GDPR?
Are you preparing for GDPR?Are you preparing for GDPR?
Are you preparing for GDPR?Chris Bullock
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpJason Lackey
 
Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findwise
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Qualsys Ltd
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRHans Demeyer
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Stephanie Vasey
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshellInitio
 
SureSkills GDPR - Discover the Smart Solution
SureSkills GDPR - Discover the Smart Solution SureSkills GDPR - Discover the Smart Solution
SureSkills GDPR - Discover the Smart Solution Google
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer IT Governance Ltd
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentationPriyanka Aash
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPRPaul O'Carroll
 

What's hot (20)

An Essential Guide to EU GDPR
An Essential Guide to EU GDPRAn Essential Guide to EU GDPR
An Essential Guide to EU GDPR
 
GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017GDPR and Irish SMEs May 2017
GDPR and Irish SMEs May 2017
 
GDPR practical info session for development
GDPR practical info session for developmentGDPR practical info session for development
GDPR practical info session for development
 
Are you preparing for GDPR?
Are you preparing for GDPR?Are you preparing for GDPR?
Are you preparing for GDPR?
 
GDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can HelpGDPR and NIS Compliance - How HyTrust Can Help
GDPR and NIS Compliance - How HyTrust Can Help
 
Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPR
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshell
 
SureSkills GDPR - Discover the Smart Solution
SureSkills GDPR - Discover the Smart Solution SureSkills GDPR - Discover the Smart Solution
SureSkills GDPR - Discover the Smart Solution
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
Gdpr overview ciso platform presentation
Gdpr overview ciso platform presentationGdpr overview ciso platform presentation
Gdpr overview ciso platform presentation
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
 
Teradata's approach to addressing GDPR
Teradata's approach to addressing GDPRTeradata's approach to addressing GDPR
Teradata's approach to addressing GDPR
 
GDPR for dummies
GDPR for dummies  GDPR for dummies
GDPR for dummies
 

Viewers also liked

Data- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offerData- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offerCapgemini
 
MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)Huub de Jong
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016stefanjung
 
TCF Nieuwsbrief Bovib Modelovereenkomst
TCF Nieuwsbrief  Bovib ModelovereenkomstTCF Nieuwsbrief  Bovib Modelovereenkomst
TCF Nieuwsbrief Bovib ModelovereenkomstRoy Kolmschot ✔
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017CloudWATCH Consortium
 
2017 The CMR Agency AVG/ GDPR seminar
2017 The CMR Agency AVG/ GDPR seminar2017 The CMR Agency AVG/ GDPR seminar
2017 The CMR Agency AVG/ GDPR seminarThe CMR Agency
 
gdpr - avg algemene introductie voor marketeers
gdpr - avg algemene introductie voor marketeersgdpr - avg algemene introductie voor marketeers
gdpr - avg algemene introductie voor marketeersThe CMR Agency
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRIryna Chekanava
 
efecto doppler
efecto dopplerefecto doppler
efecto doppleryenifer
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationGhostery, Inc.
 

Viewers also liked (17)

Data- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offerData- and database security & GDPR: end-to-end offer
Data- and database security & GDPR: end-to-end offer
 
Ahorn Presentation_F1
Ahorn Presentation_F1Ahorn Presentation_F1
Ahorn Presentation_F1
 
MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)MindMap AVG Louwers Advocaten V 4.0 (EN)
MindMap AVG Louwers Advocaten V 4.0 (EN)
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016
 
Gdpr security services
Gdpr security servicesGdpr security services
Gdpr security services
 
TCF Nieuwsbrief Bovib Modelovereenkomst
TCF Nieuwsbrief  Bovib ModelovereenkomstTCF Nieuwsbrief  Bovib Modelovereenkomst
TCF Nieuwsbrief Bovib Modelovereenkomst
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017GDPR clinic - CloudWATCH at Cloud Security Expo 2017
GDPR clinic - CloudWATCH at Cloud Security Expo 2017
 
2017 The CMR Agency AVG/ GDPR seminar
2017 The CMR Agency AVG/ GDPR seminar2017 The CMR Agency AVG/ GDPR seminar
2017 The CMR Agency AVG/ GDPR seminar
 
Gdpr compliance
Gdpr complianceGdpr compliance
Gdpr compliance
 
gdpr - avg algemene introductie voor marketeers
gdpr - avg algemene introductie voor marketeersgdpr - avg algemene introductie voor marketeers
gdpr - avg algemene introductie voor marketeers
 
GDPRR: The Key Changes
GDPRR: The Key ChangesGDPRR: The Key Changes
GDPRR: The Key Changes
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPR
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
efecto doppler
efecto dopplerefecto doppler
efecto doppler
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
 

Similar to 3GRC approach to GDPR V 0.1 www.3grc.co.uk

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessSirius
 
Will you be ready to comply with new EU Data Protection Regulation in time?
Will you be ready to comply with new EU Data Protection Regulation in time?Will you be ready to comply with new EU Data Protection Regulation in time?
Will you be ready to comply with new EU Data Protection Regulation in time?Per Norhammar
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightN-iX
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...David Kearney
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Gerson Trigueiros
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaperJim Wilson
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityPriyanka Aash
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfCIOWomenMagazine
 
Data privacy and security in uae
Data privacy and security in uaeData privacy and security in uae
Data privacy and security in uaeRishalHalid1
 
General Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) ComplianceGeneral Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) Complianceaccenture
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firmsaccenture
 
Standing Up A Holistic And World Class Information Governance Program
Standing Up A Holistic And World Class Information Governance ProgramStanding Up A Holistic And World Class Information Governance Program
Standing Up A Holistic And World Class Information Governance ProgramRafael Moscatel CRM, IGP
 
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyIvan Tsarynny
 
PrivacyOps Framework
PrivacyOps FrameworkPrivacyOps Framework
PrivacyOps FrameworkFeroot
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analyticsMarc Vael
 
GDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadGDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadVisitor Analytics
 

Similar to 3GRC approach to GDPR V 0.1 www.3grc.co.uk (20)

Keep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR Success
 
GDPR: Time to Act
GDPR: Time to ActGDPR: Time to Act
GDPR: Time to Act
 
Will you be ready to comply with new EU Data Protection Regulation in time?
Will you be ready to comply with new EU Data Protection Regulation in time?Will you be ready to comply with new EU Data Protection Regulation in time?
Will you be ready to comply with new EU Data Protection Regulation in time?
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it right
 
BRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEBBRG_TAP_IG_20150826_WEB
BRG_TAP_IG_20150826_WEB
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
 
Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)Eu data protection regulations (point-of-view)
Eu data protection regulations (point-of-view)
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
 
What is CT- DPO.pdf
What is CT- DPO.pdfWhat is CT- DPO.pdf
What is CT- DPO.pdf
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
 
Data privacy and security in uae
Data privacy and security in uaeData privacy and security in uae
Data privacy and security in uae
 
General Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) ComplianceGeneral Data Protection Regulation (GDPR) Compliance
General Data Protection Regulation (GDPR) Compliance
 
General Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian FirmsGeneral Data Protection Regulation (GDPR) Implications for Canadian Firms
General Data Protection Regulation (GDPR) Implications for Canadian Firms
 
Standing Up A Holistic And World Class Information Governance Program
Standing Up A Holistic And World Class Information Governance ProgramStanding Up A Holistic And World Class Information Governance Program
Standing Up A Holistic And World Class Information Governance Program
 
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot PrivacyPrivacy Operations (PrivacyOps) Framework - Feroot Privacy
Privacy Operations (PrivacyOps) Framework - Feroot Privacy
 
PrivacyOps Framework
PrivacyOps FrameworkPrivacyOps Framework
PrivacyOps Framework
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
 
GDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free DownloadGDPR & Data Privacy Guide - Free Download
GDPR & Data Privacy Guide - Free Download
 

Recently uploaded

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 

3GRC approach to GDPR V 0.1 www.3grc.co.uk

  • 1. Cyber Security & Data Protection Steve Smith– CEO - 3GRC www.3grc.co.uk Considerations for GDPR
  • 2. Session Agenda 04 03 02 01 GDPR Overview Ideal Approach Common Issues Questions 2018 Looms Overview of the key aspects of GDPR and how it is going to impact SMEs on a foundational level. A Better Way We Make Mistakes Mechanisms for getting the business prepared and developing matured data centric methodologies. Quiz Me Opportunity to ask industry specific points and share experiences in GDPR preparation. Common mistakes experienced by SMEs deploying a data centric methodology to support GDPR compliance.
  • 3. GDPR Overview Key Aspects of GDPR Penalties Timescales Applicability Scope Taking effect in May 2018, with an expectation that businesses have begun maturing their data centric workflows. Potential fines locked at up to 4% of global turnover or €20m, based on due diligence measures and scale of a data breach/non compliance. European Individuals data both internally and through the supply chain, leveraging DPIAs for sensitive data or large scale processing. Any organisation exposed to personally identifiable material on a European Individual, irrespective of location. Regional authorities have the power to impose and govern, potentially providing a local revenue stream and local precedents. Accountability
  • 4. GDPR Overview 1. Lawfulness, Fairness & Diversity Processed data lawfully, fairly and in a transparent manner in relation to the data subject – Opt-in 2. Purpose Limitation Personal data must be collected and leveraged for specific purposes. Processing of PI for archiving purposes in the public interest, or scientific and historical purposes is ok. Article 83(1) outlines safeguards. 3. Data Minimisation Personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed. 4. Accuracy PI must be accurate and where necessary, kept up to date. Steps taken to ensure inaccurate PI is erased or rectified without delay. Scope Doesn’t end at the perimeter and extends to data flows and relationships with third parties and even fourth parties. 7. Accountability The controller shall be responsible for and be able to demonstrate compliance with these principles. 6. Integrity & Confidentiality PI must be processed in a manner ensuring appropriate security of personal data, including unlawful processing and accidental loss, destruction or damage. 5. Storage Limitation PI must be kept in a form which permits identification of data subject for no longer than necessary based on purposes for processing. Key Principles
  • 5. Ideal Approach Visibility Remediation Maintenance Understanding the Gaps Leverage GDPR surveys to identify non- compliance. Identify disparate business unit as there is likely to be variances in workflows. Technology can drive efficient visibility. Seek funding from the board for remediation. Working to Compliance Use standard remediation risk registers to proactively address gaps and schedule remediation timescales. Benchmark business variance where necessary to foster competition and identify stragglers. Keeping the Consistency Once ‘compliance’ is achieved, schedule reviews bi-annually with disparate business workflows to identify any lapses as they occur over time. Continue testing and auditing. Technology assists with this process. Logical Methodology Many organisations are fixing gaps in time for 2018. Informed data-centric tracking is key and brings wider business benefit through informed security controls rather than a traditional perimeter. Internal data flow visibility is key.
  • 6. Assign Data Protection Officer Not always mandatory, but recommended for executive buy in Adjust Contracts Apply contract clauses for all emerging contracts and track renewals for amendment Incident Management Assess your IM process to ensure it allows speedy identification, or at least reaction Audit Trails Build the data centric audit trail for future maturity considering right to audit Employee Awareness Embed a ‘little and often’ training approach for staff, for both risk and knowledge Ideal Approach Data Centric Quick Wins
  • 7. Ideal Approach Data Governance Data Silo Controls Cross reference data asset maps against security mechanisms. Don’t rely on the perimeter and consider internal access. Long term aspirations should include the identification of data, treating PII as a critical data set separate from a standard hardened perimeter. This good practice is largely transferrable to any critical business dataset. Privacy Impact Assessments Consider both privacy by design and right to be forgotten in any new systems, and develop plans for legacy systems to include controls. Subject Access Requests Cannot be charged unless excessive or unfounded. 30 days for delivery, recommend user ownership or data discovery tools. Full Data Mapping Regularly conduct scheduled surveys/discovery scans to identify data flows, creating a live data asset map of PII attributes. This includes quantity, transfer, owner, data attributes.
  • 8. Common Issues Training and Awareness Emphasis on large scale training for a tick box, then continuing to fight for business change and widespread adoption. Scare tactics alone don’t help. Data Protection Officer Skills Having the wrong role spearheading data protection. A DPO needs to be onboard and suitably informed on both legislation and logical good practice. Data Workflow Identification Keeping visibility static or focusing on structured data solely. Not leveraging business intelligence for ownership Registered Regulatory Authority Not considering which regulatory authority will be responsible for the business. Decision making location for infosec/data management can be the locale, rather than majority of data. Silo Protection Becoming focused on doing too much rather than intelligently applying proportionate controls and processes based on key risk areas. What works for one BU doesn’t always work for another.
  • 9. Streamlining with Technology 3GRC – Define GDPR Surveys Create GDPR Surveys, Use or Tailor Existing Content
  • 10. Streamlining with Technology 3GRC – Define GDPR Surveys Create GDPR Surveys, Use or Tailor Existing Content
  • 11. Streamlining with Technology 3GRC – Managed GDPR Risks Generate risks automatically, manage and discuss with clients and their supply chain
  • 12. Streamlining with Technology 3GRC – Define GDPR Surveys Generate risks automatically, manage and discuss with clients and their supply chain
  • 13. Streamlining with Technology 3GRC – Monitor and Measure GDPR Risks Monitor and measure risk remediation progress