Ernest Staats, profile picture
Uploaded byErnest Staats
PPTX, PDF207 views

GDPR Benefits and a Technical Overview

This document provides an overview of the General Data Protection Regulation (GDPR) and outlines steps for compliance. It begins with a disclaimer about the information provided. It then lists resources for learning more about the GDPR and its 99 articles and 173 recitals. The rest of the document outlines key aspects of GDPR compliance, including identifying high and critical risk data, privacy notices, individual rights and redress, lawful and fair processing, privacy by design, data security, and data transfers.

Embed presentation

Download to read offline
Ernest Staats Master Science Information Assurance, (CISSP)®, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+ GDPR: BENEFITS & TECHNICAL OVERVIEW
DISCLAIMER This presentation is a commentary on the GDPR, as Ernest Staats, interprets it, as of the date of publication. We’ve spent some time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this presentation is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. Ernest Staats, MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. This presentation is provided “as-is.” information and views expressed in this presentation, including URL and other Internet website references, may change without notice. 2
3
TO LEARN MORE ABOUT GDPR There are 99 Articles, which together define the Regulation There are 173 Recitals Essential how to understand how the Regulation will be interpreted by the EU Data Protection Authorities To understand the Articles and Recitals http://www.privacy-regulation.eu Free Guides: from Taylor Wessing 4
5 •Industry Best Practices •Data Discovery & Inventory •Implement Security Standards •Enterprise Risk Register • A shift in thinking
IDENTIFY WHICH DATA IS HIGH RISK, AND WHICH IS CRITICAL RISK 6
(ALL KEY ROLES HAVE A STAKE IN THE GAME) Controller An Entity that collects personal data for some purpose 7 Processer An entity that processes data on behalf of the controller Controllers and Processors are to implement controls to ensure a level of security appropriate to the risk (Article 32)
Any information relating to an identified or identifiable natural person “Data Subject” Name IP address / MAC address Face All PII or ePHI What is Personal data? More care needs to be taken with sensitive personal data eg. health data, religious beliefs
PRIVACY NOTICE What information is being collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? http://ico.org.uk/for-organisations/guide-to- data-protection/privacy-notices-transparency- and-control/
• Right to be informed • Right to access personal data • Right to rectification – correct errors • Right to erasure • Right to restriction • Right to data portability • Right to object 10 RIGHTS AND REDRESS
FAIR AND LAWFUL  Make sure you have a legal basis to process personal data  Only collect what you need  Clearly tell individuals what personal data you are collecting and why
DATA PROTECTION BY DESIGN AND DEFAULT 12
Appropriate technical and organisational measures shall be taken against unauthorized use or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. SECURITY OF PERSONAL DATA
WHAT CAN YOU DO? Use the CIS Critical Security Controls to baseline your systems Critical-Security-Control-Manual-Assessment-Tool-v7 Security-Control-Executive-Assessment-Tool Critical Security Control SubSet Mappings v7.0b.xlsx Use the form below to vet your cloud vendors Cloud_Provider_Security_Assessment_Questionnaire_Templ ate.xlsx Write an Incident Response Policy and Procedures 14 Absolute announced new “Free” GDPR Data Risk and Endpoint Readiness Assessments https://www.absolute.com/en/go/reports/gdpr-data-risk-assessment to accelerate compliance with the impending General Data Protection Regulation (GDPR
GDPR CONSENT 15 43 GDPR Requirements* 1. Provide notification to data subjects, in clear and plain language. 2. Request and obtain the data subject’s affirmative and granular consent. 3. Discontinue with processing activities if the data subject denies consent. 4. Provide a mechanism for data subjects to withdraw consent. 5. Obtain affirmative consent from a child’s (under age of 16) parent or guardian.
GDPR NOTICE 16 1. Provide notice of processing activities at the time personal data is obtained. 2. Provide notice of processing activities if personal data has not been obtained directly. 3. Provide the data privacy notice at all points where personal data is collected.
GDPR DATA SUBJECT RIGHTS 1-8 17 1. Provide mechanism for validating identity of the requesting data subject. 2. Provide mechanism for to request access to their personal data. 3. Provide a mechanism to respond to requests on personal data access. 4. Maintain the technological ability to trace and search personal data. 5. Provide mechanism to request rectification and rectify personal data. 6. Provide a mechanism to request the erasure of personal data. 7. Maintain the technological ability to locate and erase personal data. 8. Track to which additional controllers
GDPR DATA SUBJECTS RIGHTS 9-16 18 9. When personal data is made public, contact those entities for data erasure. 10.Provide mechanism to request the restriction of data processing. 11.Maintain the technological ability to restrict processing of personal data. 12.Provide mechanism to request copies and transmit personal. 13.Provide mechanism to respond to data portability requests. 14.Locate personal data and export in structured, machine-readable formats. 15.If processing for direct marketing, provide mechanism to object. 16.Maintain the technological ability to
GDPR DATA GOVERNANCE 19 1. Maintain audit trails to demonstrate accountability and compliance. 2. Maintain inventory of data detailing categories of data subjects. 3. Maintain auditable trails of processing activities. 4. Carry out data protection impact assessments of processing operations. 5. Provide the de-identification of personal data for archiving purposes.
GDPR PRIVACY BY DESIGN 20 1. Embed privacy controls (in service and development lifecycle). 2. Embed privacy designed to minimize the amount of personal data collected.
GDPR DATA SECURITY 21 1. Provide mechanism to pseudonymize, encrypt, or otherwise secure personal data. 2. Implement security measures in the service. 3. Confirm ongoing confidentiality, integrity, and availability of personal data. 4. Provide mechanism to restore the availability and access to personal data. 5. Facilitate regular testing of security measures.
GDPR COMPLIANCE MODEL 22 1. Controllers notify DPA within 72 hours in the event of a data breach incident. 2. Controllers notify affected data subjects of a high-risk data breach incident. 3. Processors notify controllers without undue delay of a data breach incident.
GDPR DATA TRANSFER 23 1. Track and record personal data that is forwarded to third-parties. 2. Provide mechanism for tracking and recording data transfers in and out of the EU. 3. Maintain inventory of data transfer contracts with third-parties. 4. Provide appropriate safeguards (e.g., Privacy Shield) for effective legal remedies.

More Related Content

PPT
Building a register of data processing
byTim Gough
 
PDF
GDPR and Hadoop
byJanosch Woschitz
 
PDF
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
byFrank Dawson
 
PPTX
The EU General Protection Regulation and how Oracle can help
byNiklas Hjorthen
 
PDF
Privacy by design
byMichelangelo van Dam
 
PDF
GDPR presentation
bySamantha Deeks
 
PPTX
Understanding the EU's new General Data Protection Regulation (GDPR)
byAcquia
 
PPTX
Gdpr action plan - ISSA
byUlf Mattsson
 
Building a register of data processing
byTim Gough
 
GDPR and Hadoop
byJanosch Woschitz
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
byFrank Dawson
 
The EU General Protection Regulation and how Oracle can help
byNiklas Hjorthen
 
Privacy by design
byMichelangelo van Dam
 
GDPR presentation
bySamantha Deeks
 
Understanding the EU's new General Data Protection Regulation (GDPR)
byAcquia
 
Gdpr action plan - ISSA
byUlf Mattsson
 

What's hot

PDF
GDPR for Dummies
byCaroline Boscher
 
PPTX
#CyberSafeLambeth
byThe Integrate Agency CIC
 
PPTX
May 6 evolving international privacy regulations and cross border data tran...
byUlf Mattsson
 
PPTX
EU GDPR - 12 Steps To Compliance
byTom Haynes
 
PDF
Beginning your General Data Protection Regulation (GDPR) Journey
byMicrosoft Österreich
 
PPTX
EU GDPR (training)
byElizabeth Baker, JD, CRCMP
 
PDF
Csa privacy by design & gdpr austin chambers 11-4-17
byTrish McGinity, CCSK
 
PDF
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
PDF
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
byChris Doolittle
 
PPTX
GDPR - Fail to Prepare, Prepare to Fail!
byFintan Swanton
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
PDF
GDPR Awareness for YOU
byCliff Gibson
 
PDF
VMTN6642E - GDPR Slide Deck
byKyle Davies
 
PPT
BigData and Privacy webinar at Brighttalk
byUlf Mattsson
 
PPTX
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
byeHealth Forum
 
PDF
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
byTrivadis
 
PDF
Top 10 GDPR Requirements
byRusty Stanberry
 
GDPR for Dummies
byCaroline Boscher
 
#CyberSafeLambeth
byThe Integrate Agency CIC
 
May 6 evolving international privacy regulations and cross border data tran...
byUlf Mattsson
 
EU GDPR - 12 Steps To Compliance
byTom Haynes
 
Beginning your General Data Protection Regulation (GDPR) Journey
byMicrosoft Österreich
 
EU GDPR (training)
byElizabeth Baker, JD, CRCMP
 
Csa privacy by design & gdpr austin chambers 11-4-17
byTrish McGinity, CCSK
 
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
Teleran Data Protection - Addressing 5 Critical GDPR Requirements
byChris Doolittle
 
GDPR - Fail to Prepare, Prepare to Fail!
byFintan Swanton
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
GDPR Awareness for YOU
byCliff Gibson
 
VMTN6642E - GDPR Slide Deck
byKyle Davies
 
BigData and Privacy webinar at Brighttalk
byUlf Mattsson
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
byeHealth Forum
 
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
byTrivadis
 
Top 10 GDPR Requirements
byRusty Stanberry
 

Similar to GDPR Benefits and a Technical Overview

PDF
GDPR and API Security
byWSO2
 
PPT
The Countdown is on: Key Things to Know About the GDPR
byCase IQ
 
PPTX
My presentation- Ala about privacy and GDPR
byzayadeen2003
 
PDF
10 Key GDPR Requirements You Must Know to Protect Your Business
byVISTA InfoSec
 
PDF
Mind Your Business: Why Privacy Matters to the Successful Enterprise
byEric Kavanagh
 
PPTX
General Data Protection Regulation (GDPR)
byControlCase
 
PPTX
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PDF
Mcis 2018 DEFeND Project
byDEFeND Project
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
PPTX
Gdpr presentation
bySudarsan Reddy
 
PPSX
Gdpr demystified - making sense of the regulation
byJames Mulhern
 
PPTX
Gdpr brief and controls ver2.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
GDPR, Data Privacy.
byLiviu Claudiu Cismaru
 
PPTX
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
PPTX
EU's General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
PPTX
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
PDF
Beyond GDPR Compliance - Role of Internal Audit
byOmo Osagiede
 
PPTX
What does GDPR mean for your business?
byBrightPay Payroll and Auto Enrolment Software
 
GDPR and API Security
byWSO2
 
The Countdown is on: Key Things to Know About the GDPR
byCase IQ
 
My presentation- Ala about privacy and GDPR
byzayadeen2003
 
10 Key GDPR Requirements You Must Know to Protect Your Business
byVISTA InfoSec
 
Mind Your Business: Why Privacy Matters to the Successful Enterprise
byEric Kavanagh
 
General Data Protection Regulation (GDPR)
byControlCase
 
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
Mcis 2018 DEFeND Project
byDEFeND Project
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
byHarrison Clark Rickerbys
 
Gdpr presentation
bySudarsan Reddy
 
Gdpr demystified - making sense of the regulation
byJames Mulhern
 
Gdpr brief and controls ver2.0
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
GDPR, Data Privacy.
byLiviu Claudiu Cismaru
 
GDPR Breakfast Briefing for Business Advisors
byHarrison Clark Rickerbys
 
EU's General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
byHarrison Clark Rickerbys
 
Beyond GDPR Compliance - Role of Internal Audit
byOmo Osagiede
 
What does GDPR mean for your business?
byBrightPay Payroll and Auto Enrolment Software
 

More from Ernest Staats

PPTX
Information security trends and steps for (OSAC) Middle East divsion
byErnest Staats
 
PPTX
Tsc2021 cyber-issues
byErnest Staats
 
DOCX
IT Staff NDA Template Employee Confidentiality Agreement
byErnest Staats
 
PPTX
A guide to Sustainable Cyber Security
byErnest Staats
 
DOCX
Cy safe 2.0_workbook
byErnest Staats
 
PPTX
Privacies are Coming
byErnest Staats
 
PPTX
Parenting and the media challenge
byErnest Staats
 
PPTX
How to use technology in ministry & parenting
byErnest Staats
 
PPTX
Privacies are coming
byErnest Staats
 
PPTX
Idwg bimonthly security exchange cyber only section
byErnest Staats
 
PDF
Data Detox Kit Optimized
byErnest Staats
 
PPTX
Compter Forensics Intro for Students
byErnest Staats
 
PPTX
Risk Management Approach to Cyber Security
byErnest Staats
 
DOCX
Why security is the kidney not the tail of the dog v3
byErnest Staats
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
DOCX
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
PPTX
Harbin clinic iot-mobile-no-vid
byErnest Staats
 
PDF
Securely Erase your Device
byErnest Staats
 
PPTX
Border crossing mobile social media life-saving security tips
byErnest Staats
 
PPTX
Social & mobile security
byErnest Staats
 
Information security trends and steps for (OSAC) Middle East divsion
byErnest Staats
 
Tsc2021 cyber-issues
byErnest Staats
 
IT Staff NDA Template Employee Confidentiality Agreement
byErnest Staats
 
A guide to Sustainable Cyber Security
byErnest Staats
 
Cy safe 2.0_workbook
byErnest Staats
 
Privacies are Coming
byErnest Staats
 
Parenting and the media challenge
byErnest Staats
 
How to use technology in ministry & parenting
byErnest Staats
 
Privacies are coming
byErnest Staats
 
Idwg bimonthly security exchange cyber only section
byErnest Staats
 
Data Detox Kit Optimized
byErnest Staats
 
Compter Forensics Intro for Students
byErnest Staats
 
Risk Management Approach to Cyber Security
byErnest Staats
 
Why security is the kidney not the tail of the dog v3
byErnest Staats
 
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
FBI & Secret Service- Business Email Compromise Workshop
byErnest Staats
 
Harbin clinic iot-mobile-no-vid
byErnest Staats
 
Securely Erase your Device
byErnest Staats
 
Border crossing mobile social media life-saving security tips
byErnest Staats
 
Social & mobile security
byErnest Staats
 

Recently uploaded

PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
Introduction-------- to-------ARM Cortex
byPujaSengupta6
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
AI for Risk Management & Fraud Detection ppt.pdf
byalexmartincaneda
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Introduction-------- to-------ARM Cortex
byPujaSengupta6
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Post-Hackathon-Learnings-Maximizing-Impact-Beyond-the-Event.pdf
byishantyadav1111
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 

GDPR Benefits and a Technical Overview

  • 1.
    Ernest Staats MasterScience Information Assurance, (CISSP)®, CEH, MCSE, CNA, CWNA, Security+, I-Net+, Network+, Server+, A+ GDPR: BENEFITS & TECHNICAL OVERVIEW
  • 2.
    DISCLAIMER This presentation isa commentary on the GDPR, as Ernest Staats, interprets it, as of the date of publication. We’ve spent some time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. As a result, this presentation is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure compliance. Ernest Staats, MAKE NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. This presentation is provided “as-is.” information and views expressed in this presentation, including URL and other Internet website references, may change without notice. 2
  • 3.
  • 4.
    TO LEARN MOREABOUT GDPR There are 99 Articles, which together define the Regulation There are 173 Recitals Essential how to understand how the Regulation will be interpreted by the EU Data Protection Authorities To understand the Articles and Recitals http://www.privacy-regulation.eu Free Guides: from Taylor Wessing 4
  • 5.
    5 •Industry Best Practices •DataDiscovery & Inventory •Implement Security Standards •Enterprise Risk Register • A shift in thinking
  • 6.
    IDENTIFY WHICH DATAIS HIGH RISK, AND WHICH IS CRITICAL RISK 6
  • 7.
    (ALL KEY ROLESHAVE A STAKE IN THE GAME) Controller An Entity that collects personal data for some purpose 7 Processer An entity that processes data on behalf of the controller Controllers and Processors are to implement controls to ensure a level of security appropriate to the risk (Article 32)
  • 8.
    Any information relatingto an identified or identifiable natural person “Data Subject” Name IP address / MAC address Face All PII or ePHI What is Personal data? More care needs to be taken with sensitive personal data eg. health data, religious beliefs
  • 9.
    PRIVACY NOTICE What information isbeing collected? Who is collecting it? How is it collected? Why is it being collected? How will it be used? Who will it be shared with? http://ico.org.uk/for-organisations/guide-to- data-protection/privacy-notices-transparency- and-control/
  • 10.
    • Right tobe informed • Right to access personal data • Right to rectification – correct errors • Right to erasure • Right to restriction • Right to data portability • Right to object 10 RIGHTS AND REDRESS
  • 11.
    FAIR AND LAWFUL Make sure you have a legal basis to process personal data  Only collect what you need  Clearly tell individuals what personal data you are collecting and why
  • 12.
    DATA PROTECTION BYDESIGN AND DEFAULT 12
  • 13.
    Appropriate technical and organisationalmeasures shall be taken against unauthorized use or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. SECURITY OF PERSONAL DATA
  • 14.
    WHAT CAN YOUDO? Use the CIS Critical Security Controls to baseline your systems Critical-Security-Control-Manual-Assessment-Tool-v7 Security-Control-Executive-Assessment-Tool Critical Security Control SubSet Mappings v7.0b.xlsx Use the form below to vet your cloud vendors Cloud_Provider_Security_Assessment_Questionnaire_Templ ate.xlsx Write an Incident Response Policy and Procedures 14 Absolute announced new “Free” GDPR Data Risk and Endpoint Readiness Assessments https://www.absolute.com/en/go/reports/gdpr-data-risk-assessment to accelerate compliance with the impending General Data Protection Regulation (GDPR
  • 15.
    GDPR CONSENT 15 43 GDPRRequirements* 1. Provide notification to data subjects, in clear and plain language. 2. Request and obtain the data subject’s affirmative and granular consent. 3. Discontinue with processing activities if the data subject denies consent. 4. Provide a mechanism for data subjects to withdraw consent. 5. Obtain affirmative consent from a child’s (under age of 16) parent or guardian.
  • 16.
    GDPR NOTICE 16 1. Providenotice of processing activities at the time personal data is obtained. 2. Provide notice of processing activities if personal data has not been obtained directly. 3. Provide the data privacy notice at all points where personal data is collected.
  • 17.
    GDPR DATA SUBJECTRIGHTS 1-8 17 1. Provide mechanism for validating identity of the requesting data subject. 2. Provide mechanism for to request access to their personal data. 3. Provide a mechanism to respond to requests on personal data access. 4. Maintain the technological ability to trace and search personal data. 5. Provide mechanism to request rectification and rectify personal data. 6. Provide a mechanism to request the erasure of personal data. 7. Maintain the technological ability to locate and erase personal data. 8. Track to which additional controllers
  • 18.
    GDPR DATA SUBJECTSRIGHTS 9-16 18 9. When personal data is made public, contact those entities for data erasure. 10.Provide mechanism to request the restriction of data processing. 11.Maintain the technological ability to restrict processing of personal data. 12.Provide mechanism to request copies and transmit personal. 13.Provide mechanism to respond to data portability requests. 14.Locate personal data and export in structured, machine-readable formats. 15.If processing for direct marketing, provide mechanism to object. 16.Maintain the technological ability to
  • 19.
    GDPR DATA GOVERNANCE 19 1.Maintain audit trails to demonstrate accountability and compliance. 2. Maintain inventory of data detailing categories of data subjects. 3. Maintain auditable trails of processing activities. 4. Carry out data protection impact assessments of processing operations. 5. Provide the de-identification of personal data for archiving purposes.
  • 20.
    GDPR PRIVACY BYDESIGN 20 1. Embed privacy controls (in service and development lifecycle). 2. Embed privacy designed to minimize the amount of personal data collected.
  • 21.
    GDPR DATA SECURITY 21 1.Provide mechanism to pseudonymize, encrypt, or otherwise secure personal data. 2. Implement security measures in the service. 3. Confirm ongoing confidentiality, integrity, and availability of personal data. 4. Provide mechanism to restore the availability and access to personal data. 5. Facilitate regular testing of security measures.
  • 22.
    GDPR COMPLIANCE MODEL 22 1.Controllers notify DPA within 72 hours in the event of a data breach incident. 2. Controllers notify affected data subjects of a high-risk data breach incident. 3. Processors notify controllers without undue delay of a data breach incident.
  • 23.
    GDPR DATA TRANSFER 23 1.Track and record personal data that is forwarded to third-parties. 2. Provide mechanism for tracking and recording data transfers in and out of the EU. 3. Maintain inventory of data transfer contracts with third-parties. 4. Provide appropriate safeguards (e.g., Privacy Shield) for effective legal remedies.

Editor's Notes

  • #5 There are 99 Articles, which together define the Regulation •What’s equally important are the Recitals ›173 Recitals in total ›They provide a way to interpret the Articles ›Essential how to understand how the Regulation will be interpreted by the EU Data Protection Authorities •To help easily navigate the Articles and Recitals, there are some great online resources  ›Ex: http://www.privacy-regulation.eu
  • #6 Data Inventory •This lists what data you collect, and where you store and process that data •Keep it simple! •Your legal representation may have a free spreadsheet for this exercise.  If not, create a spreadsheet with the following columns: ›Department ›System ›Admin ›Who is the data about ›Data Type ›Where is it located ›Who provided the data ›Why did you collect the data •Inventory in-hand, go talk with your outside counsel for next steps Industry Best Practices Common Security Standard and Frameworks A shift in thinking Who does the data belong to How are we going to handle data? To comply with GDPR, organizations must know their data.  There’s no way to follow GDPR without knowing about the data that one collects and processes. Knowing one’s data is essential to protecting it.  An organization must understand the type of data it has, why it has it, how it is used, and with whom it is shared, among other things.  This is the first step to getting a handle on data protection
  • #7  You’ve just inventoried your data (Data Inventory). We now need to understand what risks are associated with personal and sensitive data •Identify which data is high risk, and which is critical risk  •If you don’t have a Risk Register, you can easily create one with the following columns: ›The data set ›The vulnerability associated with that data ›The threat associated with that ›Likelihood of the threat ›Impact of the threat ›Recommended control(s)
  • #8 Both Data Controllers and Processers must Detect & prevent a personal data breach, which is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data (Article 4) GDPR looks for controllers and processors to implement controls to ensure a level of security appropriate to the risk (Article 32) Controller “The natural or legal person, which, …, determines the purposes and means of the processing of personal data.” Processer “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” Solution Purveyor CSV ISP Consultant
  • #9 Data protection law applies when your Org, as data controllers are processing personal data. What is personal data? It includes any records, as well as information held and used about identified or identifiable natural persons. CCTV images, website photos and information, apps, etc. Paper-based and digital. Personal Data (from GDPR) “…means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” “Processing” refers to anything you do with personal data – collecting, using, analysing, sharing, and disposal. The GDPR defines personal data quite broadly.  According to the GDPR Article 4, personal data is “any information relating to an identified or identifiable natural person.” Many privacy laws cover identified people but fail to adequately cover identifiable people.  In contrast, the GDPR has a broad definition of identifiable: “[A]n identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” It is alarming how much data that we think isn’t linkable to a person can actually be linked to that person.  The GDPR understands this; many other privacy laws don’t
  • #10 Privacy notices are an important and necessary way of being transparent and telling parents, pupils and staff what you’re doing with their information. You should have a clear privacy notice and make people aware of it, in a way they’re likely to see and understand – for example, on your website, on your noticeboard, in communications with parents and staff. It should tell people the detail in the bullet points on the slide. make sure you tailor any templates you use so that they clearly and accurately reflect what you do with people’s data. You’ll also have to consider how you provide privacy notices to staff, about what you do with their data. Our recently-updated guidance - Privacy notices, transparency and control code of practice - is a must-read to help you comply in this area.
  • #11 Right to be informed about the person data organizations have about them Right to access personal data Right to rectification – correct errors in personal data or add to incomplete records Right to erasure (aka “the right to be forgotten”) Right to restriction on processing of personal data Right to data portability Right to object to the processing of personal data
  • #12 Over the next few minutes, we’re going to highlight some of the principles in a bit more detail to see how they apply to what schools do, and what you need to do about it. Principle 1 requires that: Personal data shall be processed fairly, lawfully and in accordance with an appropriate schedule condition (2 or 2&3) Make sure you have a legal basis for the processing: Lawful – don’t break any other law e.g. common law duty of confidentiality; Human Rights Act Need a good legal justifiable reason/basis for the processing. In the DPA these are found in schedules 2 and 3 - for processing personal data you must identify a relevant schedule 2 condition that applies, and if the personal data is sensitive (health, racial or ethnic origin, religious beliefs, criminal offences, sexual life, etc) a relevant schedule 3 condition must also apply. Example conditions that schools may currently rely on are: - necessary for a legal obligation - necessary for a function of a public nature exercised in the public interest - consent Note that most of the conditions require the processing to be ‘necessary’ – this means you should only collect and use what you need for your purpose. Fair: No unwarranted detrimental effects on individuals Within the reasonable expectations of users whose personal data it is. Clearly tell them what you’re doing with their data. Privacy notices and other, more innovative ways. This is also an important principle when deciding if it’s OK to share / disclose information to, other organisations.
  • #13 Image used with permission from  https://www.serveit.com/gdpr-for-developers-data-protection-by-design-and-default/ Article 25 of the GDPR mandates that data protection be built in starting at the beginning of the design process.  This means that data protection cannot be an afterthought and must be documented. By default, only personal data necessary for each specific purpose of the processing should be processed.  Default settings should be set so that personal data isn’t accessible to an indefinite number of people.
  • #14  To comply, you need to ensure that your organization has taken appropriate technical and organizational measures to protect the personal data it processes. Think about all the personal data you hold: Manual records – what files do you have? How can you keep these appropriately secure? - where do you store them? (locked cabinets, locked rooms etc) - who has access to them? (staff, other third parties?) - Have you got any stored away in an archive? - Do you securely destroy records in line with a retention policy? - How do you transport them if needed? - What about if you need to share information? How is it sent? Do you know if it’s been received by the correct recipient? - Do staff need to take records out of the office, for working at home or at other premises? Do you allow this? What about electronic files and portable devices? – - lots of what we have already said already applies - are the files / devices encrypted? - do you have a secure password policy that staff stick to? - do you have role-based access controls with individual logons? - what about uploading or sending data to other organisations when you need to, what mechanisms do you use? Are they secure? - do staff have the ability to access internal systems and data outside of organization? How? - Do you allow BYOD (bring your own device)? Examples of security incidents we’ve seen: Human error, often combined with inadequate policies in place: Full attendance record mistakenly sent to new employer as part of a reference Letters and emails sent to the wrong clients, staff, including, disciplinary, health and other sometimes sensitive information Sensitive personal data lost in the post – - personal data found at printer by another staff or client Staff or client reports sent to the wrong address - email addressing - non-use of BCC where it would have been appropriate - text message re staff behaviour meant for supervisor sent to wrong person in error - data file with staff and client personal data accidentally placed in shared drive - spreadsheet uploaded to website - full details of sensitive information Technical measures - passwords passwords to access sensitive information not sufficiently strong Technical security measures website security - personal data accessible. Insufficient pen testing, inaccurate coding sending sensitive information via unprotected email - lost unprotected USB sticks including sensitive private data - unencrypted drives / laptops / devices stolen from homes / cars / bags website hacked, administrator passwords stolen. One staff used the same password for their website administrator access and their access to the main organization database. Hackers accessed information from the database. The seventh principle also sets out the requirements for when you use data processors (as we mentioned before, for example using Iron Mountian or other system providers for processing your data, using shredding companies to shred confidential paper waste, using cloud IT providers) When you use a data processor, the seventh principle requires: - that you choose a processor who offers sufficient guarantees that they can look after your data properly - that you have a written contract in place setting out that the processor keeps the data as secure as you would have to under the law, and that they are to only process data in they way you instruct them to - that you take reasonable steps to ensure that the processor complies
  • #16 “…organizations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, regulators may require firms to exhibit evidence of their compliance and risk management strategies, including a privacy impact assessment (PIA) when appropriate.” Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016