The document discusses the new EU General Data Protection Regulation (GDPR) which provides stricter rules around data protection and privacy for all EU member states. Some key points: - The GDPR replaces all current EU data protection laws and provides a two year transition period for businesses to comply. - It strengthens individual rights around access to personal data and how it is processed. - For businesses, it establishes one consistent law for all EU states and tougher sanctions for non-compliance up to 4% of global revenue. - Businesses must demonstrate accountability and compliance with principles like data minimization, security safeguards, and breach reporting within 72 hours.

1. EU Data Protection
Legislation
The General Data Protection Regulation
April 2016

2. Accelerating Next
– Continual and rapid advancement in technologies
– Changes in global thinking regarding data protection and privacy
– Business frameworks need revision and enhancement.
– EU agreed the new General Data Protection Regulation in Europe.
– Other countries are also reviewing their existing Data Protection & Privacy arrangements.
Global Changes in Data Protection & Privacy Concepts

3. What are the issues facing our customers data?
Technological factors
3
Market trends
− 13.9% year-on-year growth in
cyber crime costs to business
− 46 days to contain cyber incidents
− 53% of the cost of dealing with
cyber incidents was spent on
detection and recovery
− financial services and utilities &
energy experience substantially
higher cyber crime costs
Business trends
− Malicious insiders cause the most
costly cyber attacks
− 1.9 attacks per company are
successful every week
− $7.7 million is the global
annualized cost is to detect,
respond to, and mitigate a breach
− US annualized costs are higher at
$15 million
Business Problem
− How do I detect and deal with the
new type of Advanced Persistent
Threats (APTs)?
− How do I deal with malicious
insider attacks more rapidly and
cost-effectively?
− How do I stop my business being
disrupted and damaged by legal
actions following a cyber attack?
Source: Ponemon 2015 Cost of Cyber Crime Study:
Global & UBM 2016 Cybersecurity Trend Report

4. What are the issues facing our customers?
Human Factors – UK Local Authorities
4
Market trends
− UK Local authorities commit 4
data breaches a day
− 4236 known data breaches over 3
year period
− Breach increase of > 300% over 3
years
Business trends
− More than 400 instances of loss or
theft
− 197 mobile phone, computers,
tablets, USB lost
− 628 cases where information was
inappropriately shared via email,
fax or letter
− 99 cases of unauthorized people
accessing or disclosing data
Business Problem
− How do I detect and deal with the
negligent human factor threats?
− How do I deal with malicious
human factor threat more rapidly
and cost-effectively?
− How do I stop my business being
disrupted and damaged by legal
actions following an unauthorized
disclosure or loss of personal
data?
Source: Big Brother Watch Report 2015

5. Recent Regulatory Enforcement UK
5
– An online holiday insurance company Staysure.co.uk Ltd was fined £175,000 after IT security failings let
hackers access customer records
– South Wales Police served with a £160,000 fine for losing a video recording which formed part of the
evidence in a sexual abuse case.
– The Ministry of Justice was fined £180,000 over serious failings in the way prisons in England and Wales
have been handling people’s information & previously £140,000 for incorrect disclosure of data via email
– Sony fined £250,000 over security failings that exposed 'millions' of customers' personal data
Fundamental failing to protect data

6. NEW EU GENERAL DATA PROTECTION REGULATION
–New ‘one law’ for all EU Countries and is called the General Data Protection
Regulations (GDPR)
– Will replace all current EU data protection laws drawn from the European Data Protection Directive 95/46 EC
–It is now law as of Q1 2016
– Provides businesses with a two year transitional period to implement the requirements.
– Current laws remain effective until that date.
– Full business compliance is expected by May 2018.
–Breaches will face tougher sanctions/fines
– The Regulations relate to the processing of data relating to people – anyone! (Customers, clients, staff, etc).
– Applies to all EU businesses, and companies they engage
– Any business providing services in EU regardless of location.
6

7. HIGH-LEVEL OBLIGATIONS/PRINCIPLES OF THE REGULATIONS
– OPENNESS & TRANSPARENCY
– data processing must be fair and lawful and transparent
– PURPOSE LIMITATION
– data shall only be processed for an explicit and legitimate purpose and shall not be further processed in any manner that is
incompatible with that purpose.
– DATA MINIMISATION
– only necessary data shall be processed to achieve the purpose and shall not be excessive
– ACCURACY
– data must be accurate for the processing purpose and inaccuracies must be erased or rectified without delay
– STORAGE LIMITATION
– data can only be kept for as long as is necessary to fulfil the purpose and then must be anonymised or erased
– INTEGRITY AND CONFIDENTIALITY
– data can only be processed if it is done in a secure way
– e.g. encryption, data loss prevention, access controls, policies, process, procedures.
– ACCOUNTABILITY
– Businesses must be able to actively ‘demonstrate compliance’ to the regulations.
7

8. FOR INDIVIDUALS
The new rules strengthen the existing rights and provide individuals with more control over their
personal data.
– MORE INFORMATION ABOUT DATA
– individuals will be provided with more information on how their data is processed; this information must be available in
a clear and understandable way
– DATA PORTABILITY
– provisions for easier transfer of personal data between service providers
– "RIGHT TO BE FORGOTTEN“
– when an individual no longer want their data to be processed, and provided that there are no legitimate grounds for
retaining it, the data shall be deleted
8

9. FOR BUSINESSES
– ONE LAW
– One set of rules for all 28 EU states, which will make it simpler
and cheaper for companies to do business in the EU.
– ONE-STOP-SHOP
– businesses will only have to deal with one national supervisory
authority.
– TERRITORIAL REACH
– companies based outside of Europe will have to apply the same
rules if offering services in the EU.
– RISK-BASED APPROACH
– No one size fits all obligation; the rules allow for tailoring based
on a balance of respective risk.
– PRIVACY BY DESIGN
– Businesses must apply data protection safeguards into all
products and services (Privacy by design). For example, privacy
enhancing technologies and techniques such as encryption and
pseudonomysation.
– NO MORE REGISTRATION
– registration not needed, but businesses must maintain
documentary evidence of compliance.
– DATA PROTECTION OFFICER
– where businesses meet certain criteria they must designate a
Data Protection Officer
– PRIVACY IMPACT ASSESSMENTS
– Privacy impact assessment are to be conducted where
processing activities present specific risk to the rights and
freedoms of individuals
– BREACH NOTIFICATION
– Businesses must notify of a breach within 72 hours so that
users can take appropriate measures.
– TOUGHER SANCTIONS
– for businesses that flout the rules of the regulations they could
face fines of up to 4% of global turnover or €20m whichever is
greater.
9

10. Data Protection & Privacy
CRA – Cyber Risk Architecture
10

11. Data Protection & Privacy (DPP)
Objective
Securing the information assets
Methods, tools and techniques to identify and classify information,
define data security modeling and associated security requirements,
to protect data by preventing unauthorized loss, modification and use
of data.
Sub-Domains
Physical Security (PS)
Strategy,
Leadership
& Governance
(SLG)
Security Resilient
Architecture (SRA)
Cyber Defense (CD)
Applications
Security (AS)
Converged Security (CS)
Risk & Compliance
Management (RCM)
Resilient Workforce (RW)
Security & Operations Management (SOM)
Identity &
Access
Management
(IAM)
Infrastructure
& Network
Security (INS)
Data
Protection &
Privacy (DPP)
Data Security
Lifecycle
Management
Certificate &
Key
Management
Data Discovery
& Classification
Data ProtectionData Assurance
© Copyright 2016 Hewlett Packard Enterprise Development LP 11

12. Data ProtectionData Assurance
Data Discovery
& Classification
Identifying, classifying and tagging data elements such as geolocation, content, file type or other attributes.
Based on information asset classification schema and data patterns, process to automatically discover and identify data repositories in the organization, how
data is used and by whom or which processes, then by analyzing data patterns and values, improving data inventory and classification.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Data Tagging
Data Discovery
& Inventory
© Copyright 2016 Hewlett Packard Enterprise Development LP 12

13. Data ProtectionData Assurance
Data Discovery
& Classification
Activities to define a data model and semantics for security to support technical experts and security officers understanding of the data security requirements to
be taken into account in application design or system development (example: Database design). This includes business oriented data constraints and
relationships among data defined by the organization, by industry standards or some regulations to allow interoperability between organizations and applications
(example: bank routing codes to allow inter-bank transactions).
Activities to ensure that data is cleansed and standardized to a defined model before it is used, including data origin identification for audit and compliance
purpose.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Data Security
Modeling
Data Assurance
© Copyright 2016 Hewlett Packard Enterprise Development LP 13

14. Data ProtectionData Assurance
Data Discovery
& Classification
Methods and tools to prevent copying, modification or distribution of intellectual property, copyrighted material or other digital media, by copy-, write-, forward- or
print-protecting the information.
Protecting Personally Identifiable Information, Personal Health Information, cardholder data, or other confidential and sensitive records by substituting field
values with a vault-based or vault-less tokens stored in look-up tables that can be used to de-tokenize to original values.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Digital Rights
Management
Data
Tokenization
Protecting Personally Identifiable Information, Personal Health Information, cardholder data or other confidential and sensitive records by hiding data with
random characters, and by using different techniques such as substitution, encryption or shuffling. Synonymous with data anonymization.
Data Masking
Preventing unauthorized loss and use of sensitive or confidential information, by protecting data in use, in transit and at rest, based on information classification
labels, tags or other identifiers.
Preventing unauthorized access to sensitive or confidential information by administrators or third parties, by encrypting data at rest in databases or file systems.
Data Loss
Prevention
Data Encryption
continued on next slide…
© Copyright 2016 Hewlett Packard Enterprise Development LP 14

15. Data ProtectionData Assurance
Data Discovery
& Classification
Preventing unauthorized use and loss of sensitive or confidential information in case of theft or loss of endpoint device, by encrypting internal or removable
storage.
Preventing data from being modified, tampered or altered by unauthorized users.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Disk Encryption
Data Integrity
© Copyright 2016 Hewlett Packard Enterprise Development LP 15

16. Data ProtectionData Assurance
Data Discovery
& Classification
Solutions for data restoration in the event of hardware or software failures or disasters.
Solutions for backup generation which can subsequently be used in the event of hardware or software failures or disasters.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Data Recovery
Data Backup
The process of moving older data that is no longer actively used to a separate storage device for long-term retention, needed future references, as well as for
regulatory compliance.
Data Archiving
Recovering and converting data from complex, outdated or decommissioned systems.
Irrevocably destroying data prior to disposal of internal or removable storage or when terminating third party ICT services.
Data Migration
Data
Destruction
© Copyright 2016 Hewlett Packard Enterprise Development LP 16

17. Data ProtectionData Assurance
Data Discovery
& Classification
The complete process of registration, issuance, distribution, storage, backup, usage, renewal, expiration, revocation, recovery, notification, archiving and
auditing of certificates in PKI environments.
The trusted entity that issues certificates and vouches that certificates belong to an individual or organization, compliant to the Certificate Policy (CP) and
Certificate Practice Statement (CPS).
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Certificate
Lifecycle
Management
Certificate
Authority
The organizational entity responsible for assuring the identity and authenticity of entities requesting certificates.
Registration
Authority
The defined business practices and procedures surrounding the entire use of PKI.
The defined business practices and procedures surrounding the entire use of keys.
Certificate
Policy
Management
Key Policy
Management
continued on next slide…
© Copyright 2016 Hewlett Packard Enterprise Development LP 17

18. Data ProtectionData Assurance
Data Discovery
& Classification
The complete process of registration, key generation, distribution, storage, backup, integrity, usage, renewal, expiration, revocation, recovery, notification,
archiving and auditing of private and public keys including but not limited to SSH and IPSec.
The science and mathematics of encrypting and decrypting data by using block ciphers, stream ciphers or hashes with symmetric or asymmetric algorithms, and
by using different strengths and protocol to prevent unauthorized users to decrypt the data.
Data Protection & Privacy (DPP)
Capabilities
Certificate & Key
Management
Data Security
Lifecycle
Management
Key Lifecycle
Management
Cryptography
© Copyright 2016 Hewlett Packard Enterprise Development LP 18

19. Thankyou
19
Peter Ridley
UK&I Practice Lead
Data Protection & Privacy
Enterprise Security Services