Scott Jenkins | Account Director
GDPR Update
July 2017
The Evolving Threat Landscape
73% of enterprises indicated security as a top challenge holding back SaaS adoption
87% of senior managers admit to regularly uploading work files to a personal email or cloud account
75% of all network intrusions are due to compromised user credentials
80% of employees admit to using non-approved SaaS apps in their jobs
200+: the average number of days that attackers reside within a victim’s network before detection
It’s Not Fake News
Nobody is Immune…
Ransomware virus attack causes Barts Health Trust to cancel 2,800 patient appointments.
“The attack had affected thousands of files on the trust’s Windows XP operating system”!
Almost 70% of security incidents within the Public Sector were caused by users in 2015/16
GDPR Background
The GDPR is part of the EU Commission’s Digital Single Market strategy
The EU Parliament approved the GDPR on 14th April 2016
GDPR becomes law on 25th May 2018
We have 288 working days to help our customers
The ICO is likely to represent the UK on the EU Data Protection Board
GDPR will still apply after the UK leaves the EU on 29th March 2019
What’s changing?
• Privacy by Design - the inclusion of data protection from the onset of system design
• Data Subjects are required to understand how their data is being processed and they must give their consent
• The GDPR also provides data subjects with the right to:
  • confirmation that their personal data is being processed and for what purpose
  • remove consent for data to be processed
  • have their data erased
  • request an electronic copy of the information that is being held
…continued
• The GDPR applies to data controllers and data processors regardless of geographical location
• A data breach must be reported within 72 hours
• All parties in B2B partnerships, joint ventures or outsource agreements must be compliant
• Potential fines will be 4% of turnover up to a maximum of €20m
An Opportunity to Transform
£1.9 billion of support over five years to ensure UK cyberspace is a secure place to do business.
Security
Privacy
Compliance
Transparency
Microsoft Digital Crimes Unit - https://youtu.be/qbmgQYHnm60
Committed to Security, Privacy & Compliance
Dynamics 365
• Centralised data repository
• Role-based access & security
• Data encryption
• Process & workflow
• Case management
• Audit management
• Data intelligence
Office 365
• Data Loss Prevention
• eDiscovery
• Advanced Data Governance
• O365 audit logs
• Advanced Threat Protection
• Threat Intelligence & more
Azure
• Azure Active Directory
• Azure Information Protection
• Azure Security Center
• Data encryption in transit & at rest
• Azure Key Vault
EM+S
• Azure Active Directory
• Intune for MDM
• Azure Information Protection
• Cloud App Security
• Advanced Threat Analytics
Windows 10
• Windows Hello
• Windows Defender
• Device Guard
• Credential Guard
• BitLocker Drive Encryption
• Windows Information Protection & more
Resources
Gov.UK – UK Digital Strategy https://www.gov.uk/government/publications/uk-digital-strategy
Information Commissioner's Office https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/
European Commission notice http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Microsoft Trust Centre https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
GDPR Activity Hub https://github.com/SharePoint/sp-dev-gdpr-activity-hub/blob/master/Documentation/User-Guide.md

cloudThing GDPR Information Guide - Scott Jenkins


Editor's Notes

  • #3 I wanted to start with a bit of background information as to why GDPR is important to our customers. Each organization will have an Information Security Officer or a Data Protection Officer, and these are just a few of the challenges that they will have to deal with in this evolving threat landscape. All of these stats are frightening, but I’m sure that you’ll agree that the thought of an attacker residing within a victim’s network for an average of 200 days before being detected is pretty scary! I’m also terrified to think of 87% of senior managers uploading information to personal drives and email; it is really alarming given their position in the company and their ability to access extremely sensitive information – yet they do it anyway to be more productive.
  • #4 And we’re seeing this more and more. Yahoo recently confirmed a data breach where the data from 500 million user accounts was stolen, including email addresses, telephone numbers, dates of birth & passwords. TalkTalk lost 100,000 customers and suffered costs of £60m as a result of a cyber-attack on their website in October 2015. They were fined £400k. So complacency can be very costly – just ask Sony. During an interview in 2007, Sony Director of Information Security, Jason Spaltro, said “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss.” In 2011 the PlayStation Network (PSN) owned by Sony was hacked and the PSN was offline for several days, causing misery for its members and forcing Sony executives to offer compensation and a public apology to its 70 million members. In 2014 Sony had a further data breach on their corporate network: 6,500 members of staff had their personal files, medical records and emails hacked, and confidential information was publicly distributed. Sony were fined £250k; however, this complacency is estimated to have cost Sony more than $275m plus serious reputational damage!
  • #5 As we’ve seen recently, no organization is immune to this threat. Earlier this year staff at Barts Health Trust received a message warning that the trust’s four hospitals were experiencing a ransomware virus attack. The trust didn’t pay the ransom, but they had to cancel 2,800 patient appointments as a result of their systems being down. As you can see from the quote on the screen there, the breach occurred on their Windows XP operating systems. It is frightening to think that these guys are running on operating systems that were built 15 years ago and that have not been supported by Microsoft for the past 2 years!
  • #6 But finding ways to be more productive is part of human nature, which means that people will go to great lengths to be more productive. IT has to be more of a partner to the business, to help solve these problems, rather than the team that just says “NO”. If we click on hacking you will see that this is generally down to poor security on websites around user log-in details and access control. If, like me, you have experienced objections recently around the security of data on the Microsoft Cloud, I would just share this dashboard with them.
  • #7 GDPR is one of 16 recommended improvements set out within the European Commission’s Digital Single Market strategy. On April 14th 2016 the EU Parliament approved the GDPR as an evolution of the EU’s existing Data Protection Directive, which was established more than 2 decades ago. The Digital Single Market strategy was created to ensure that Europe embraces the digital revolution and exploits the digital opportunities for people and businesses within the EU. As of today, our customers have 288 working days to become compliant with the GDPR, as this will become a legal requirement on 25th May 2018, without any further UK laws being required. Each EU member state will have at least one Supervisory Authority on the European Data Protection Board and the UK is likely to be represented by the Information Commissioner’s Office (ICO), so keep an eye on their news feeds for further updates. GDPR will still apply post-Brexit, as we’re going to see on the next slide.
  • #8 Any organization that conforms to best-practice accreditations such as ISO 27001 shouldn’t find GDPR too onerous, and all future requirements for system design are likely to include privacy. However, there’s lots of detail behind each of these points, but at a high level these are the key changes that your customers should be aware of: data subjects have to give their consent to the collection of any piece of data that can identify them – username, email, telephone etc., and this includes an IP address, down to a granular level – as well as access to any data that is being processed.
  • #9 The GDPR applies to any organisation, including Public Sector and Not-for-Profit, that processes or stores data within the EU, or any organisation that processes or stores data relating to EU citizens regardless of their geographical location. A data breach must be reported to the relevant authorities within 72 hours. The fine for breaching the GDPR will be 4% of turnover or 20 million euro, whichever figure is greater. Basically, any organisation with revenues above 500m euro will be fined 20m euro and anyone with revenues below this figure will be fined 4% of revenue. Sony, Yahoo and TalkTalk would all receive the maximum fine under GDPR.
  • #10 GDPR provides our customers with a genuine opportunity to drive digital transformation across their organisation. And as you will recall, last year the chancellor confirmed at FD that the UK Government will be investing nearly £2 billion to ensure that Britain remains a global leader in cyber security.
  • #11 As a trusted enterprise platform vendor, Microsoft is making deep commitments to security, privacy, compliance, and reliability. This includes the creation of their Digital Crimes Unit, which was established to investigate and fight cyber crime. Microsoft provides best-in-class security with over a decade of experience of building Enterprise software and online services.
  • #12 Microsoft are investing $15bn into their cloud infrastructure and security is at its core. You’ll notice that I’ve also started with D365, as once you manage to find a sponsor for these critical business conversations you will be able to drive real business value and open up those transformational conversations. Winning D365 opportunities will also pull through all of the other workloads for identity management and mobility, as well as the ability to seamlessly integrate with other services in the Microsoft Cloud like O365 for productivity. Finally, coming back to the example of Barts Health Trust, we need to be talking to our customers about driving the adoption of a modern and secure desktop to reduce the impact of a breach.