GDPR Compliance: What You Need to Know Before May 2018
•Download as PPTX, PDF•
1 like•1,023 views
Scheduled to come into effect May 25, 2018, the General Data Protection Regulation (GDPR) has struck fear into compliance officers around the world. Much confusion surrounds this new regulation as organizations everywhere work to understand its new requirements and adjust business processes accordingly. In this webinar, we review: -- Key GDPR requirements -- Data types regulated under GDPR -- How GDPR impacts EU and non-EU businesses -- Steps to becoming GDPR compliant -- Consequences of non-compliance -- How SecurityIQ helps you meet security awareness GPDR requirements To learn more about SecurityIQ, visit: https://securityiq.infosecinstitute.com/
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to GDPR Compliance: What You Need to Know Before May 2018
Similar to GDPR Compliance: What You Need to Know Before May 2018 (20)
More from Infosec
More from Infosec (20)
Recently uploaded
Recently uploaded (20)
GDPR Compliance: What You Need to Know Before May 2018
- 3. Today ● What is the GDPR? ● Protected Data Types ● GDPR & Personal Data Rights ● GDPR Business Requirements ● Consequences of Non-Compliance ● 6 Steps to Becoming GDPR Compliant ● Personnel Training Requirements
- 4. What is GDPR? The General Data Protection Regulation (GDPR): ● Defines personal and sensitive data ● Details how personal and sensitive data must be handled ● Establishes fines for noncompliance ● Sets new requirements for breach notifications
- 5. Protected Data Types Personal Data Information used to determine individual identities Sensitive Personal Data Special categories of personal data requiring strong protections
- 6. Personal Data Rights for EU Citizens 1. Consent for personal data to be shared and processed 2. Access to personal data 3. Right to be forgotten 4. Right to portability 5. Right to rectification
- 7. GDPR Regulations Apply To Data Processors Entities processing data on behalf of the controller (Clouds) Data Controllers Entities deciding what personal data must be processed and how processing will occur
- 8. Business Regulations for EU Organizations EU organizations may need to: ● Appoint a data protection officer ● Review data collection procedures ● Create a data protection awareness program ● Perform ongoing information audits ● Complete Data Protection Impact Assessments
- 9. Business Regulations for Non-EU Organizations Businesses with just one EU- based client or employee are subject to GPDR compliance
- 10. Consequences of Non-Compliance Fine Amount Reasons 2% of annual global revenue, or €10 million (whichever is higher) ● Data breaches ● Not employing the services of a DPO ● Not conducting a DPIA ● Not keeping appropriate records 4% of annual global revenue, or €20 million (whichever is higher) ● Failing to gain consent ● Not upholding consumer rights under GDPR rules ● Moving data outside the EU within the confines of Chapter 5 of the GDPR
- 17. Other Impacts of Non-Compliance ● Cost of rectification ● Damaged company reputation ● Lost consumer trust ● Declining share value
- 18. Employee Training Requirements GDPR mandates: ● Awareness raising and training of staff involved in the processing operations (Article 37) ● Appropriate data protection training to personnel having permanent or regular access to personal data (Article 43)
- 20. Meeting GDPR Compliance with SecurityIQ Privacy & EU GDPR training module including: ● GDPR definition & purpose ● Protected data types ● Information lifecycle ● Non-compliance consequences ● Data protection principles ● Personal data rights
- 22. Meeting GDPR Compliance with SecurityIQ Role-based Training Data protection principles exercise Personal data lifecycle exercise Data use exercises Data disposal exercise Engaging exercises, animations, voice narration for better results Comprehensive library 100+ phishing simulation templates 100+ security awareness modules
Editor's Notes
- The General Data Protection Regulation (GDPR) evolved from its predecessor, the Data Protection Directive 95/46/EC. GDPR is a fully fledged regulation for modern, cloud-based data transactions. It mandates specific controls over how personal data of EU citizens is handled and unifies privacy laws across EU states.
- The GDPR covers two types of data, specified in the regulation as: 1. Personal Data Personal data is information that can be used to determine individual identities. It can be thought of as an “identifier” used to directly or indirectly link data to individuals. This can include names, locations or online identifiers like IP addresses. It also includes economic, cultural or physiological data that could be linked together to determine individual identities. 2. Sensitive Personal Data Sensitive personal data under the GDPR are special categories of personal data that require stronger protections. Sensitive personal data includes genetic data, biometric data and other data types that can reveal information such as religion, race or ethnic origin.
- Consent for personal data to be shared and processed. The GDPR requires organizations to gain consent from individuals prior to data sharing and processing. Consent must be given in the form of a “clear affirmative act,” meaning consent must be expressly collected and demonstrated. Opt-out buttons are no longer allowed, and organizations must implement a mechanism to manage users’ revocations of consent. Access to personal data. Individuals must be allowed to easily access their data collected and stored by organizations. The GDPR specifically states the “data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily.” Right to be forgotten. This is one of the most difficult-to-manage requirements of the GDPR. Under this directive, individuals must be able to remove all traces of their personal data from an organization if they wish. This would apply, for example, if the user removes consent to share. Right to portability. The data subject must be allowed to transfer their data easily between controllers. Right to rectification. The data subject must have the right to have inaccurate data rectified.
- Appoint a Data Protection Officer (DPO). Article 37 of the GDPR requires organizations to assign a DPO if the organization’s core activities involve either of the following: Data processing requiring regular and systematic monitoring of individuals on a large scale. Large-scale processing of special categories of data and personal data relating to criminal convictions. A DPO has a number of duties, including balancing regulatory requirements with business processes, training staff on proper data handling and liaising with supervisory authorities. Some organizations may be exempt from the DPO requirement if they do not handle personal data. Smaller organizations may also work with a consultant to remain in compliance without adding significantly to overhead. Review data collection procedures for compliance with GDPR requirements. This must include the entire lifecycle of data collection, storage, management, processing and data deletion/archival. Create a data protection awareness program. This will ensure staff members are aware of the various GDPR rules around data processing and breach notifications. Perform ongoing information audits. This step will ensure the organization knows what data is collected and how it is processed at all times. Complete Data Protection Impact Assessments (DPIA). Essentially, DPIAs are Privacy Impact Assessments. According to the GDPR, DPIAs will “evaluate, in particular, the origin, nature, particularity and severity” of the “risk to the rights and freedoms of natural persons.”
- Noncompliance with GDPR carries more than a large fine. The GDPR is ultimately about protecting personal information. If you do not protect your customers’ personal information, you may also find there are other consequences. These include: 1. Cost of rectification. Data has intrinsic value to everyone. This includes your organization, your customers and cybercriminals. The Ponemon Institute values the average cost of rectification following a breach as $141 per record. 2. Damaged company reputation. If your company suffers a breach, you must notify supervisory authorities within 72 hours. If the breach is deemed high risk, you must also inform those impacted (your customers). 3. Lost consumer trust. Compensation claims and customer attrition could well outstrip noncompliance fines. 4. Declining share value. A study by Oxford Economics found share value can drop by 1.8 percent after a cyberattack.
- Depending on the role of the employee, your training program should include the following topics: ● What is the purpose of the GDPR? ● What constitutes personal and sensitive personal data? ● What are the principles of the GDPR? Which Articles exemplify each principal? ● What are the roles of the processor, controller and DPO? ● What data does your organization need to collect? Why? ● How do the new consent rules affect your current data collection processes? ● What are the rights of the data subject? ● What types of breaches fall under GDPR notification requirements? ● What type of rules impact collection of data on children? ● Where and when can techniques like pseudonymization and anonymization be used?
- SecurityIQ by InfoSec Institute helps you fulfill these personnel training requirements under GDPR. (articles 37 & 43) It does this by integrating Role-based security awareness training Real-life phishing simulations And automatically personalized learning plans for each employee All into a single easy-to-use platform. Our goal is to help you prevent data breaches by boosting your employees’ security aptitude and transforming their security behaviors. With SecurityIQ, our clients have demonstrated drops in their phishing susceptibility rates to near 0%.
- One of the ways SecurityIQ fulfills GDPR’s personnel training requirements is through our Privacy & EU GDPR training module which covers all the education components you see here.
- Here’s a quick example of a GDPR training module What our clients really appreciate with SecurityIQ is how it automates the often tedious program development and ongoing management of their security awareness initiatives.
- What our clients really appreciate with SecurityIQ is how it automates the often tedious program development and ongoing management of their security awareness initiatives. First of all, we provide them: More than 130 frequently updated training modules And over 200+ real-world phishing simulation templates All ready to use out-of-the box or to customize as they needed More importantly, SecurityIQ continually monitors and tracks employees’ learning progress and security behaviors. It uses this data to automatically create personalized security education experiences for each employee by providing the right level of training and reinforcement at the right time and frequency to keep them engaged and motivated.
- I encourage you to give SecurityIQ a try and see for yourself. Simply go to securityiq.infosecinstitute.com to get started with a free account.