2. Agenda
• GDPR Overview
• Key Definitions, actors
• GDPR and Cybersecurity
• GDPR Assessments and Implementation
3. General Data Protection Regulation (EU) – Overview
The European Union adopted the General Data Protection Regulation (GDPR) in April 2016 to bring in a harmonized approach to data protection across the EU.
This marks the EU's endeavor to bolster the rights of individuals as data subjects and to help increase trust between consumers and organizations when it comes to the usage of personal data.
Coverage of Personal Data – Any data by which an EU resident can be identified, directly or indirectly.
4. General Data Protection Regulation (EU) – Overview Continued…
Key enhanced considerations under the new EU Data Protection Regulation (GDPR):
• Consent – all organizations collecting personal data must prove clear and affirmative consent to process that data.
• Data Breach Notification – to ensure continuous monitoring for breaches of personal data and provide timely notification to the DPA.
• International Transfers – removal of Safe Harbor, and safeguards such as Commission- or DPA-approved contracts.
• Right to be Forgotten / Data Portability – for erasure of personal data, or withdrawal of consent for processing personal data.
• Privacy by Design – accountability obligations on data controllers to consider compliance with key principles of data protection; mandatory Privacy Impact Assessments (PIAs).
• EU Data Protection Board / Supervisory Authority / DPO – an independent EDPB is to be established to provide guidance and ensure consistent application of the GDPR.
• EU General Data Protection Regulation (GDPR) enforcement begins from May 2018.
• Fines up to 4% of annual global turnover or 20 Million Euros for non-compliance.
• Mandatory notification of data breach within 72 hours – unless the PII is encrypted.
5. GDPR Key Principles
• The GDPR sets out the following six key principles:
• These principles should lie at the heart of your approach to processing personal data.
11. Controller, Processor
• Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals.
• Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.
• Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
• Organizations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.
• Individuals can bring claims for compensation and damages against both controllers and processors.
• You should take the time to assess, and document, the status of each organization you work with in respect of all the personal data and processing activities you carry out.
• The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.
12. Controller, Processor
• Are we a Controller?
☐ We decided to collect or process the personal data.
☐ We decided what the purpose or outcome of the processing was to be.
☐ We decided what personal data should be collected.
☐ We decided which individuals to collect personal data about.
☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
☐ We are processing the personal data as a result of a contract between us and the data subject.
☐ The data subjects are our employees.
☐ We make decisions about the individuals concerned as part of or as a result of the processing.
☐ We exercise professional judgement in the processing of the personal data.
☐ We have a direct relationship with the data subjects.
☐ We have complete autonomy as to how the personal data is processed.
☐ We have appointed the processors to process the personal data on our behalf.
13. Controller, Processor
• Are we a Joint Controller?
☐ We have a common objective with others regarding the processing.
☐ We are processing the personal data for the same purpose as another controller.
☐ We are using the same set of personal data (e.g. one database) for this processing as another controller.
☐ We have designed this process with another controller.
☐ We have common information management rules with another controller.
14. Controller, Processor
• Are we a Processor?
☐ We are following instructions from someone else regarding the processing of personal data.
☐ We were given the personal data by a customer or similar third party, or told what data to collect.
☐ We do not decide to collect personal data from individuals.
☐ We do not decide what personal data should be collected from individuals.
☐ We do not decide the lawful basis for the use of that data.
☐ We do not decide what purpose or purposes the data will be used for.
☐ We do not decide whether to disclose the data, or to whom.
☐ We do not decide how long to retain the data.
☐ We may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
☐ We are not interested in the end result of the processing.
Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes.
Processors act on behalf of, and only on the instructions of, the relevant controller.
15. Data Protection Impact Assessment (DPIA)
• A data protection impact assessment (DPIA) is a process that helps organizations identify and minimize risks that result from data processing. DPIAs are usually undertaken when introducing new data processing processes, systems or technologies.
• When should you conduct a DPIA?
Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A DPIA must:
• describe the nature, scope, context and purposes of the processing;
• assess necessity, proportionality and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.
16. Data Protection Impact Assessment (DPIA) – Blacklist and Whitelist
Organizations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations.
Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country.
Under the GDPR regime, member state data protection authorities are required to publish a "Black List" of processing operations which are always subject to the requirement to undertake a DPIA, and are also permitted to publish a "White List" of processing operations which are not subject to the requirement to undertake a DPIA.
17. Data Protection Impact Assessment (DPIA) – Whitelist sample
The White List
The White List sets out scenarios where a DPIA is not required. Many of these scenarios are subject to further caveats set out by the recommendation. A DPIA will not be required for the following types of processing:
• Processing operations carried out by private organizations which are necessary for compliance with a legal obligation to which the organization is subject, provided that the law sets out the purposes of the processing and the categories of personal data to be processed, and provides safeguards to prevent abuse or unlawful access or transfer;
• Processing for the purposes of the administration of salaries of people who work for or on behalf of the controller;
• Processing exclusively for the purposes of administration of personnel who work for or on behalf of the controller, where that administration is required by law or regulation, but only to the extent that the processing does not involve health data, special categories of personal data, data concerning criminal convictions or infractions, or data to be used to evaluate data subjects;
• Processing exclusively for the purposes of the controller's accountancy practices. The processing must be limited to the data subjects and the data categories which are necessary for the controller's accountancy practice;
• Processing in relation to the administration of shareholders and associates. The processing must be limited to the data subjects and the data categories which are necessary for that administration;
• Processing undertaken by a foundation, association or any other non-profit organization carrying out its day-to-day activities, but only where the data was not obtained from third party databases and where the processing concerns:
  • personal data about its own members;
  • people with whom the controller regularly interacts; and
  • the beneficiaries of the organization.
• Processing in relation to the registration of visitors for the purposes of a sign-in or check-in procedure, although data must be limited to certain information such as the name and professional address of the visitor and information identifying their vehicle;
• Processing by educational institutions for the management of their relationship with their own pupils or students (past, present or potential) in the context of their educational duties; and
• Processing exclusively in relation to the management of an organization's clients or suppliers (past or present), as long as the processing does not involve data such as 'special category personal data', or data concerning criminal convictions or infractions.
18. Data Protection Impact Assessment (DPIA) – Blacklist sample
The Black List
• Where the processing involves the use of biometric data to uniquely identify individuals in a public space or in a private space accessible to the public;
• Where the personal data is collected from a third party in order to make a decision to refuse or to terminate a given services contract with an individual;
• Where special categories of personal data are used for a purpose (or for purposes) other than that for which they were originally collected, except where the processing is based on the data subject's consent, or where necessary for the controller to meet its legal obligations;
• Where the processing is carried out using a medical implant and a personal data breach could compromise the physical health of the data subject;
• In the case of large-scale processing of personal data concerning vulnerable people, particularly children, for a purpose (or for purposes) other than that for which they were originally collected;
• Where the data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements of individuals;
• Where special categories of personal data or data of a very personal nature (such as data on poverty, unemployment, involvement in children's services or social services, data about domestic and private activities, or location data) are systematically shared between multiple controllers;
• In the context of large-scale Internet of Things processing of data (i.e., generated using devices which have sensors and which send data via the internet or other means, such as smart televisions, smart kitchen appliances, connected toys, smart cities, smart meters), where the purpose of the processing is to analyse or predict the economic situation, the health, the personal preferences or interests, the reliability or behaviour, or the location or movements of individuals;
• In the context of large-scale and/or systematic processing of telephony data, internet data, or other communication data, metadata, location data of natural persons, or data which permits the organisation to find natural persons (such as wifi tracking or location data of those travelling via public transport), where the processing is not strictly necessary for a service requested by the data subject; and
• In the context of large-scale processing of personal data where the behaviour (for example, viewing habits, listening habits, browsing habits, clicking activity, physical behaviour or shopping habits) of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner using automated processing.
20. GDPR and Cybersecurity
Article 5(1)(f) of the GDPR concerns the 'integrity and confidentiality' of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures'
This is referred to as the GDPR's 'security principle'. It concerns the broad concept of information security.
We need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of our processing. Article 32(1) states:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk"
This means that we must have appropriate security measures to prevent the personal data we hold from being accidentally or deliberately compromised. Please keep in mind that while information security is sometimes equated with cybersecurity (the protection of your networks and information systems from attack), it also covers other things like physical and organizational security measures.
21. Role of a CISO in GDPR Regime
The DPO role is referred to throughout the GDPR text and specifically described under its Section 4 – Articles 37, 38 and 39, detailing:
• HOW the DPO should be designated by the company/entity
• WHAT the position within the corporate structure shall be
• WHICH specific tasks a DPO must assure and be responsible for
To understand whether a CISO may assume the role of DPO in the same organization, we must understand the tasks and duties of both profiles and assess if there are conflicts of interest that may jeopardize the required assurance of personal data protection.
Article 38(6) allows DPOs to 'fulfil other tasks and duties'. It requires, however, that the organization ensure that 'any such tasks and duties do not result in a conflict of interests'.
Typically, the CISO bears the responsibility for defining the overall corporate Information Security / Cyber Security / Digital Security Policy and aims mainly to safeguard the organization's assets. However, being the DPO means he/she would also be assessing / auditing such corporate guidelines to ensure compliance with the GDPR and any privacy regulation intended to ensure data subjects' personal data protection. Most of the time, these goals represent conflicting interests.
However, many small and medium organizations have the CISO function act as DPO, given the operational nature of the role and the ability of a CISO to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
22. Solution Mapping to GDPR Requirements (Representative)
Columns: GDPR Key Principles | Translated Requirements | Recommended Measures and Solutions

GDPR Key Principle: Governance & Legal & Finance
Translated Requirements:
• Sensitive personal information for disposition – Right to be forgotten
• Respond to data subjects – legal inquiries, audits & reporting
• Contractual obligations for data transfers
Recommended Measures and Solutions:
• Governance solutions (DPO Dashboard)
• Sensitive data definition and mapping across systems
• Policy and Procedures Framework Redefinition
• Process Definition
• Fines and Obligations Management
• Reporting, Internal and External

GDPR Key Principle: Data and Content Governance and Processing
Translated Requirements:
• Consent > Capture > Transform > Process > Archive > Erase
Recommended Measures and Solutions:
• Content and Information Management
• Consent Management and Subject Rights Management
• Application Impact & Transformation

GDPR Key Principle: Data Security (Integrity & Confidentiality – secure sensitive data throughout the data lifecycle)
Key GDPR articles addressed: Article 5, Article 13a, Article 23, Article 25, Article 30, Article 32a, Article 32, Article 34, Article 35
Translated Requirements:
• Personal Data Assessment – identifying sensitive information that will fall under GDPR regulations
• Ensure the protection of identified sensitive data (PII, PHI, PCI)
• Privacy by Design
Recommended Measures and Solutions:
• Data Classification, Identification, and Discovery
• Vendor Risk Assessments
• Data Protection Impact Assessments
• Application Security Scans and Secure Code Reviews
• Data Level Security Controls: Data De-identification, Pseudonymization, Data Level Encryption, Disk/Storage Encryption, Tokenization, Key Management, Database Activity Monitoring
• Device Encryption
• Digital Rights Management
• Data Leak Prevention

GDPR Key Principle: IT Security – Avoid/Report Breaches
Key GDPR articles addressed: Article 31, Article 33
Translated Requirements:
• Data breach notification
• Security breach response and reporting
• Continuous monitoring
• Incident Management
Recommended Measures and Solutions:
• SIEM & Event Correlation (Monitor & Control)
• Incident Response Management
• Network & Information Systems Security
• Infrastructure Design
• Data Storage

Key Security Focus Area
24. Typical GDPR Implementation Lifecycle
Assessment
• GDPR readiness Assessment
• Data classification
• Data Inventory
• Privacy Impact Assessment
• Technology Assessment
• Overall GDPR road map & recommendations
Design & Implementation
• Design & Architecting
  • Security architecture design
  • Privacy architecture design
• Technology Implementation
  • Vulnerability management
  • Data Leak Prevention and Digital Rights Management
  • SIEM / UBA
  • Identity and Access Management
  • Data Governance solutions
  • Encryption and pseudonymization
  • Perimeter, Application and Database Security
  • etc.
• Process frameworks Implementation
Monitor & Manage
• GDPR aware Security Operation Center
• SIEM & UEBA monitoring and management
• Data Leak Monitoring and Management via DLP / DRM
• Vulnerability & Patch Management
• Database Activity Monitoring
• Compliance monitoring and Management
• Data encryption & Key management
• Identity and Access Management Services
• Email & Gateway Security monitoring
• Applications security monitoring and Management (WAF)
• Breach / Incident monitoring, management and reporting
25. Assessment Services
Columns: Solution | Description | Delivery eco system (Technology/Tools | Responsibility)
• GDPR readiness Assessment – A quick assessment identifies the current state and readiness of your organization's privacy policies and status in line with the GDPR.
• Data Mapping and Classification – Understand the business model, data sources and data flow. Classify them in line with the GDPR (PI, SPI) based on the data flow map.
• Data Inventory – Data discovery scans for sensitive data elements like PI and SPI in various data sources and systems and provide a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Privacy Impact Assessment – Identify and assess the impact of PI and SPI data in the particular environment. The outcome of the exercise will be a detailed PI / SPI data risk/impact heat map.
• Technology & Infrastructure Assessment – Key management solution provides the necessary ability to generate, distribute, store, rotate, and revoke encryption keys as required to protect the sensitive information in databases/file systems.
• GDPR roadmap and recommendations – Create and suggest the GDPR road map based on the inputs from the above activities and provide recommendations. This will help the customer to continue to move to the design/implement and manage/monitor phases.
26. Design & Implementation Services
Columns: Solution | Description | Delivery eco system (Technology/Framework | Responsibility)
• Privacy architecture design – Design the organization's process and technology architecture keeping privacy in mind, in line with the GDPR.
• Security architecture design – Design the organization's security process and technology architecture in line with the GDPR to protect PI and SPI data.
• Implementation of technology components / tools – In order to prevent / manage data breaches and protect PI and SPI, the organization needs to implement / upgrade various security controls. The Cognizant team will help to evaluate, design and implement those tools as per industry best practices.
• Process framework implementation – Develop and enhance various privacy policies and processes. Process redesign if required, and controls implementation.
27. Data Security Centric Services
Columns: Solution | Description | Delivery eco system (Technology | Responsibility)
• Data Discovery – Data discovery scans for sensitive elements in various data sources and systems and provide a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Data Anonymization – Data Anonymization (Static Data Masking) ensures protection of sensitive production data such as PII in non-production environments to avoid exposure to testers / developers. Dynamic data masking provides real-time masking of sensitive production data.
• Structured Data Encryption (at Database Level) – Database encryption protects sensitive data residing in the production databases. This can be done either by leveraging native TDE techniques such as Oracle TDE or SQL Server TDE, or by leveraging third party solutions.
• Data Encryption – File / Folder level Encryption – File / folder level encryption protects unstructured data (PII) on servers and file systems, such as Word documents, PDFs, database files, etc.
• Key Management – Key management solution provides the necessary ability to generate, distribute, store, rotate, and revoke encryption keys as required to protect the sensitive information in databases / file systems.
• Digital Rights Management (DRM) – DRM enables organizations to control usage of information wherever it goes, both within and outside of the organization's boundaries.
• Data Loss Prevention (DLP) – DLP provides visibility into what data leaves the network and how sensitive information is being used. It enables users to monitor and control end point activities, thus reducing the risk of a data breach.
• Database activity monitoring – DAM prevents data leaks from application databases and files to ensure the integrity of information deployed across various customer environments. It ensures continuous monitoring of application databases and enforces policies for sensitive data access towards compliance.
28. Incident/Breach monitoring, Management and Reporting Services
Columns: Solution | Description | Delivery eco system (Technology/Tools | Responsibility)
• SIEM & UBA Monitoring and Management – Monitor cyber attacks that may lead to a data breach via SIEM and UBA monitoring and management. Anomalous patterns and behavior at the people, network and data level are monitored and the required remedial actions are taken.
• Data leakage monitoring and prevention – Data leakage via files, emails and at the gateway level is monitored and managed using Data Leak Prevention (DLP) and protected via a Digital Rights Management system on a continuous basis.
• Vulnerability (Infra and Application) and Patch Management – In order to prevent data breaches, the first step is to identify the vulnerabilities that exist in your network, servers, user computers, applications and databases. Cognizant's state of the art vulnerability and patch management program helps you to protect your infrastructure by proactively identifying and fixing them on time, before exploitation leads to breaches. A secure SDLC also helps to identify vulnerabilities at an early stage during development.
• Identity and Access Management solutions – The solution enables organizations to apply the necessary access controls at various levels to different user groups in order to avoid unauthorized access to sensitive data: entitlement / role / profile / group based access control, need-to-know or least privilege, SOD and port based access control. This also helps to address erasure, subject access requests, etc.
• Web Application Firewall – A WAF is a security control to protect web applications against attacks and vulnerabilities. It provides real-time monitoring of traffic before it reaches the web application to identify potential data breaches.
• Email Security & Web Gateways – Email security protects sensitive data which is sent over email by leveraging access control and encryption techniques. Web gateways prevent accidental and intentional data leakage by inspecting web traffic.
• Breach / Incident monitoring, management and reporting – Incident Response Management technology helps to detect any incidents, risks, data breaches / attacks, and remediate or mitigate their impact. An incident response service may help the organization to address the 72 hours breach notification requirement of the GDPR.
30. GDPR – Summary
• Heavy Penalties for non-adherence – 4% of annual global revenue or Euro 20 million.
• Applies to non-EU companies too – if your company processes personal data of subjects in the EU.
• Wide scope of Personal data definition – includes social identity, economic, cultural, mental and genetic data.
• 72 hours breach notification – report the breach within 72 hours of breach identification.
• Data Protection Officer – handlers of high volume / sensitive / government personal data need to appoint a DPO.
• Data Protection Impact Assessment – for projects with high privacy risks.
• Data Subject rights – consent, right to be forgotten, portable format data request and parental consent for children.
• Privacy by Design – adopt the privacy by design concept at organization, people, technology and process levels.
• Controllers & Processors – data controllers must ensure contracts, and processors are also directly liable for security of personal data.