GDPR Benefits and a Technical Overview

Security Director GC & Network Paladin at Network Paladin
May. 10, 2018
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
GDPR  Benefits and a Technical Overview
1 of 23

More Related Content

What's hot

Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Acquia
Gdpr action plan - ISSAGdpr action plan - ISSA
Gdpr action plan - ISSAUlf Mattsson
GDPR for DummiesGDPR for Dummies
GDPR for DummiesCaroline Boscher
#CyberSafeLambeth#CyberSafeLambeth
#CyberSafeLambethThe Integrate Agency CIC
May 6   evolving international privacy regulations and cross border data tran...May 6   evolving international privacy regulations and cross border data tran...
May 6 evolving international privacy regulations and cross border data tran...Ulf Mattsson
EU GDPR - 12 Steps To Compliance EU GDPR - 12 Steps To Compliance
EU GDPR - 12 Steps To Compliance Tom Haynes

What's hot(20)

Similar to GDPR Benefits and a Technical Overview

Gain Visibility & Control of IT Assets in a Perimeterless WorldGain Visibility & Control of IT Assets in a Perimeterless World
Gain Visibility & Control of IT Assets in a Perimeterless WorldQualys
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceCobweb
Data privacy & social mediaData privacy & social media
Data privacy & social mediaProf. Jacques Folon (Ph.D)
Keep Calm and Comply: 3 Keys to GDPR SuccessKeep Calm and Comply: 3 Keys to GDPR Success
Keep Calm and Comply: 3 Keys to GDPR SuccessSirius
An Overview of GDPR An Overview of GDPR
An Overview of GDPR The Pathway Group
An Overview of GDPR by Pathway GroupAn Overview of GDPR by Pathway Group
An Overview of GDPR by Pathway GroupThe Pathway Group

More from Ernest Staats

Information security trends and steps for (OSAC) Middle East divsion Information security trends and steps for (OSAC) Middle East divsion
Information security trends and steps for (OSAC) Middle East divsion Ernest Staats
Tsc2021 cyber-issuesTsc2021 cyber-issues
Tsc2021 cyber-issuesErnest Staats
IT Staff NDA Template Employee Confidentiality AgreementIT Staff NDA Template Employee Confidentiality Agreement
IT Staff NDA Template Employee Confidentiality AgreementErnest Staats
A guide to Sustainable Cyber SecurityA guide to Sustainable Cyber Security
A guide to Sustainable Cyber SecurityErnest Staats
Cy safe 2.0_workbookCy safe 2.0_workbook
Cy safe 2.0_workbookErnest Staats
Privacies are ComingPrivacies are Coming
Privacies are ComingErnest Staats

Recently uploaded

Product Research PresentationProduct Research Presentation
Product Research PresentationDeahJadeArellano
The Flutter Job Market At The MomentThe Flutter Job Market At The Moment
The Flutter Job Market At The MomentAhmed Abu Eldahab
"The Intersection of architecture and implementation", Mark Richards"The Intersection of architecture and implementation", Mark Richards
"The Intersection of architecture and implementation", Mark RichardsFwdays
GDSC ZHCET Google Study Jams 23.pdfGDSC ZHCET Google Study Jams 23.pdf
GDSC ZHCET Google Study Jams 23.pdfAbhishekSingh313342
OpenAI API crash courseOpenAI API crash course
OpenAI API crash courseDimitrios Platis
"From Orchestration to Choreography and Back", Yevhen Bobrov "From Orchestration to Choreography and Back", Yevhen Bobrov
"From Orchestration to Choreography and Back", Yevhen Bobrov Fwdays

GDPR Benefits and a Technical Overview

Editor's Notes

  1. There are 99 Articles, which together define the Regulation •What’s equally important are the Recitals ›173 Recitals in total ›They provide a way to interpret the Articles ›Essential how to understand how the Regulation will be interpreted by the EU Data Protection Authorities •To help easily navigate the Articles and Recitals, there are some great online resources  ›Ex: http://www.privacy-regulation.eu
  2. Data Inventory •This lists what data you collect, and where you store and process that data •Keep it simple! •Your legal representation may have a free spreadsheet for this exercise.  If not, create a spreadsheet with the following columns: ›Department ›System ›Admin ›Who is the data about ›Data Type ›Where is it located ›Who provided the data ›Why did you collect the data •Inventory in-hand, go talk with your outside counsel for next steps Industry Best Practices Common Security Standard and Frameworks A shift in thinking Who does the data belong to How are we going to handle data? To comply with GDPR, organizations must know their data.  There’s no way to follow GDPR without knowing about the data that one collects and processes. Knowing one’s data is essential to protecting it.  An organization must understand the type of data it has, why it has it, how it is used, and with whom it is shared, among other things.  This is the first step to getting a handle on data protection
  3. You’ve just inventoried your data (Data Inventory). We now need to understand what risks are associated with personal and sensitive data •Identify which data is high risk, and which is critical risk  •If you don’t have a Risk Register, you can easily create one with the following columns: ›The data set ›The vulnerability associated with that data ›The threat associated with that ›Likelihood of the threat ›Impact of the threat ›Recommended control(s)
  4. Both Data Controllers and Processers must Detect & prevent a personal data breach, which is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data (Article 4) GDPR looks for controllers and processors to implement controls to ensure a level of security appropriate to the risk (Article 32) Controller “The natural or legal person, which, …, determines the purposes and means of the processing of personal data.” Processer “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” Solution Purveyor CSV ISP Consultant
  5. Data protection law applies when your Org, as data controllers are processing personal data. What is personal data? It includes any records, as well as information held and used about identified or identifiable natural persons. CCTV images, website photos and information, apps, etc. Paper-based and digital. Personal Data (from GDPR) “…means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” “Processing” refers to anything you do with personal data – collecting, using, analysing, sharing, and disposal. The GDPR defines personal data quite broadly.  According to the GDPR Article 4, personal data is “any information relating to an identified or identifiable natural person.” Many privacy laws cover identified people but fail to adequately cover identifiable people.  In contrast, the GDPR has a broad definition of identifiable: “[A]n identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” It is alarming how much data that we think isn’t linkable to a person can actually be linked to that person.  The GDPR understands this; many other privacy laws don’t
  6. Privacy notices are an important and necessary way of being transparent and telling parents, pupils and staff what you’re doing with their information. You should have a clear privacy notice and make people aware of it, in a way they’re likely to see and understand – for example, on your website, on your noticeboard, in communications with parents and staff. It should tell people the detail in the bullet points on the slide. make sure you tailor any templates you use so that they clearly and accurately reflect what you do with people’s data. You’ll also have to consider how you provide privacy notices to staff, about what you do with their data. Our recently-updated guidance - Privacy notices, transparency and control code of practice - is a must-read to help you comply in this area.
  7. Right to be informed about the person data organizations have about them Right to access personal data Right to rectification – correct errors in personal data or add to incomplete records Right to erasure (aka “the right to be forgotten”) Right to restriction on processing of personal data Right to data portability Right to object to the processing of personal data
  8. Over the next few minutes, we’re going to highlight some of the principles in a bit more detail to see how they apply to what schools do, and what you need to do about it. Principle 1 requires that: Personal data shall be processed fairly, lawfully and in accordance with an appropriate schedule condition (2 or 2&3) Make sure you have a legal basis for the processing: Lawful – don’t break any other law e.g. common law duty of confidentiality; Human Rights Act Need a good legal justifiable reason/basis for the processing. In the DPA these are found in schedules 2 and 3 - for processing personal data you must identify a relevant schedule 2 condition that applies, and if the personal data is sensitive (health, racial or ethnic origin, religious beliefs, criminal offences, sexual life, etc) a relevant schedule 3 condition must also apply. Example conditions that schools may currently rely on are: - necessary for a legal obligation - necessary for a function of a public nature exercised in the public interest - consent Note that most of the conditions require the processing to be ‘necessary’ – this means you should only collect and use what you need for your purpose. Fair: No unwarranted detrimental effects on individuals Within the reasonable expectations of users whose personal data it is. Clearly tell them what you’re doing with their data. Privacy notices and other, more innovative ways. This is also an important principle when deciding if it’s OK to share / disclose information to, other organisations.
  9. Image used with permission from  https://www.serveit.com/gdpr-for-developers-data-protection-by-design-and-default/ Article 25 of the GDPR mandates that data protection be built in starting at the beginning of the design process.  This means that data protection cannot be an afterthought and must be documented. By default, only personal data necessary for each specific purpose of the processing should be processed.  Default settings should be set so that personal data isn’t accessible to an indefinite number of people.
  10. To comply, you need to ensure that your organization has taken appropriate technical and organizational measures to protect the personal data it processes. Think about all the personal data you hold: Manual records – what files do you have? How can you keep these appropriately secure? - where do you store them? (locked cabinets, locked rooms etc) - who has access to them? (staff, other third parties?) - Have you got any stored away in an archive? - Do you securely destroy records in line with a retention policy? - How do you transport them if needed? - What about if you need to share information? How is it sent? Do you know if it’s been received by the correct recipient? - Do staff need to take records out of the office, for working at home or at other premises? Do you allow this? What about electronic files and portable devices? – - lots of what we have already said already applies - are the files / devices encrypted? - do you have a secure password policy that staff stick to? - do you have role-based access controls with individual logons? - what about uploading or sending data to other organisations when you need to, what mechanisms do you use? Are they secure? - do staff have the ability to access internal systems and data outside of organization? How? - Do you allow BYOD (bring your own device)? Examples of security incidents we’ve seen: Human error, often combined with inadequate policies in place: Full attendance record mistakenly sent to new employer as part of a reference Letters and emails sent to the wrong clients, staff, including, disciplinary, health and other sometimes sensitive information Sensitive personal data lost in the post – - personal data found at printer by another staff or client Staff or client reports sent to the wrong address - email addressing - non-use of BCC where it would have been appropriate - text message re staff behaviour meant for supervisor sent to wrong person in error - data file with staff and client personal data accidentally placed in shared drive - spreadsheet uploaded to website - full details of sensitive information Technical measures - passwords passwords to access sensitive information not sufficiently strong Technical security measures website security - personal data accessible. Insufficient pen testing, inaccurate coding sending sensitive information via unprotected email - lost unprotected USB sticks including sensitive private data - unencrypted drives / laptops / devices stolen from homes / cars / bags website hacked, administrator passwords stolen. One staff used the same password for their website administrator access and their access to the main organization database. Hackers accessed information from the database. The seventh principle also sets out the requirements for when you use data processors (as we mentioned before, for example using Iron Mountian or other system providers for processing your data, using shredding companies to shred confidential paper waste, using cloud IT providers) When you use a data processor, the seventh principle requires: - that you choose a processor who offers sufficient guarantees that they can look after your data properly - that you have a written contract in place setting out that the processor keeps the data as secure as you would have to under the law, and that they are to only process data in they way you instruct them to - that you take reasonable steps to ensure that the processor complies
  11. “…organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, regulators may require firms to exhibit evidence of their compliance and risk management strategies, including a privacy impact assessment (PIA) when appropriate.” Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016