GDPR Overview
GDPR and its Impact
Agenda
• GDPR Overview
• Key Definitions, actors
• GDPR and Cybersecurity
• GDPR Assessments and Implementation
General Data Protection Regulation (EU) – Overview
The European Union adopted the General Data Protection Regulation (GDPR) in April 2016 to bring in a harmonized approach to data protection across the EU.
This marks the EU's endeavor to bolster the rights of individuals as data subjects and to help increase trust between consumers and organizations when it comes to the usage of personal data.
Coverage of Personal Data – any data by which an EU resident can be identified, directly or indirectly.
General Data Protection Regulation (EU) – Overview Continued…
Key enhanced considerations under the new EU Data Protection Regulation (GDPR):
• Consent – all organizations collecting personal data must prove clear and affirmative consent to process that data
• Data Breach Notification – ensure continuous monitoring for breaches of personal data and provide timely notification to the DPA
• International Transfers – removal of Safe Harbor; safeguards such as Commission- or DPA-approved contracts
• Right to be Forgotten / Data Portability – erasure of personal data / withdrawal of consent for processing personal data
• Privacy by Design – accountability obligations on data controllers to consider compliance with key principles of data protection; mandatory Privacy Impact Assessments (PIAs)
• EU Data Protection Board / Supervisory Authority / DPO – an independent EDPB to be established to provide guidance and ensure consistent application of the GDPR
EU General Data Protection Regulation (GDPR) enforcement begins from May 2018
Fines up to 4% of annual global turnover or 20 Million Euros for non-compliance
Mandatory notification of data breach within 72 hours – unless the PII is encrypted
GDPR Key Principles
• The GDPR sets out the following six key principles:
• These principles should lie at the heart of your approach to processing personal data.
Core Actors in GDPR
Key Definition – Personal Data
Organization’s Obligations
GDPR Myths Vs Reality
Key Components – GDPR
Controller, Processor
• Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance
with the GDPR and the fair treatment of individuals.
• Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or
processor
• Whether you are a controller or processor depends on a number of issues. The key question is – who determines
the purposes for which the data are processed and the means of processing?
• Organizations that determine the purposes and means of processing will be controllers regardless of how they
are described in any contract about processing services.
• Individuals can bring claims for compensation and damages against both controllers and processors.
• You should take the time to assess, and document, the status of each organization you work with in respect of all
the personal data and processing activities you carry out.
• The following checklists set out indicators as to whether you are a controller, a processor or a joint controller.
The more boxes you tick, the more likely you are to fall within the relevant category.
Controller, Processor
• Are we a Controller?
☐ We decided to collect or process the personal data.
☐ We decided what the purpose or outcome of the processing was to be.
☐ We decided what personal data should be collected.
☐ We decided which individuals to collect personal data about.
☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from
another controller.
☐ We are processing the personal data as a result of a contract between us and the data subject.
☐ The data subjects are our employees.
☐ We make decisions about the individuals concerned as part of or as a result of the processing.
☐ We exercise professional judgement in the processing of the personal data.
☐ We have a direct relationship with the data subjects.
☐ We have complete autonomy as to how the personal data is processed.
☐ We have appointed the processors to process the personal data on our behalf.
Controller, Processor
• Are we a Joint Controller?
☐ We have a common objective with others regarding the processing.
☐ We are processing the personal data for the same purpose as another controller.
☐ We are using the same set of personal data (e.g. one database) for this processing as another controller.
☐ We have designed this process with another controller.
☐ We have common information management rules with another controller.
Controller, Processor
• Are we a Processor?
☐ We are following instructions from someone else regarding the processing of personal data.
☐ We were given the personal data by a customer or similar third party, or told what data to collect.
☐ We do not decide to collect personal data from individuals.
☐ We do not decide what personal data should be collected from individuals.
☐ We do not decide the lawful basis for the use of that data.
☐ We do not decide what purpose or purposes the data will be used for.
☐ We do not decide whether to disclose the data, or to whom.
☐ We do not decide how long to retain the data.
☐ We may make some decisions on how data is processed, but implement these decisions under a contract with
someone else.
☐ We are not interested in the end result of the processing.
Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of
personal data.
If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint
controllers. However, they are not joint controllers if they are processing the same data for different purposes.
Processors act on behalf of, and only on the instructions of, the relevant controller.
Data Protection Impact Assessment (DPIA)
• A data protection impact assessment (DPIA) is a process that helps organizations identify and minimize risks that result from data processing. DPIAs are usually undertaken when introducing new data processing processes, systems or technologies.
• When should you conduct a DPIA? Article 35(1) of the GDPR states:
"Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data."
A DPIA must:
• describe the nature, scope, context and purposes of the processing;
• assess necessity, proportionality and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.
Data Protection Impact Assessment (DPIA) – Blacklist and Whitelist
Organizations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations.
Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country.
Under the GDPR regime, member state data protection authorities are required to publish a "Black List" of processing operations which are always subject to the requirement to undertake a DPIA, and are also permitted to publish a "White List" of processing operations which are not subject to the requirement to undertake a DPIA.
Data Protection Impact Assessment (DPIA) – Whitelist sample
The White List
The White List sets out scenarios where a DPIA is not required. Many of these scenarios are subject to further caveats set out by the recommendation. A DPIA will not be required for the following types of processing:
• Processing operations carried out by private organizations which are necessary for compliance with a legal obligation to which the organization is subject, provided that the
law sets out the purposes of the processing, the categories of personal data to be processed and provides safeguards to prevent abuse or unlawful access or transfer;
• Processing for the purposes of the administration of salaries of people who work for or on behalf of the controller;
• Processing exclusively for the purposes of administration of personnel who work for or on behalf of the controller, where that administration is required by law or regulation,
but only to the extent that the processing does not involve health data, special categories of personal data, data concerning criminal convictions or infractions, or data to be
used to evaluate data subjects;
• Processing exclusively for the purposes of the controller’s accountancy practices. The processing must be limited to the data subjects, and the data categories which are
necessary for the controller’s accountancy practice;
• Processing in relation to the administration of shareholders and associates. The processing must be limited to the data subjects, and the data categories which are necessary
for that administration;
• Processing undertaken by a foundation, association or any other non-profit organization carrying out its day-to-day activities, but only where the data was not obtained from
third party databases and where the processing concerns:
• personal data about its own members;
• people with whom the controller regularly interacts; and
• the beneficiaries of the organization.
• Processing in relation to the registration of visitors for the purposes of a sign-in or check in procedure; although data must be limited to certain information such as the name
and professional address of the visitor and information identifying their vehicle;
• Processing by educational institutions for the management of their relationship with their own pupils or students (past, present or potential) in the context of their
educational duties; and
• Processing exclusively in relation to the management of an organization's clients or suppliers (past or present), as long as the processing does not involve data such as 'special category personal data', or data concerning criminal convictions or infractions.
Data Protection Impact Assessment (DPIA) – Blacklist sample
The Black List
The Black List sets out processing operations for which a DPIA is always required:
• Where the processing involves the use of biometric data to uniquely identify individuals in a public space or in a private space accessible to the public;
• Where the personal data is collected from a third party in order to make a decision to refuse or to terminate a given services contract with an individual;
• Where special category of personal data is used for a purpose (or for purposes) other than that for which they were originally collected, except where the processing is based
on the data subject’s consent, or where necessary for the controller to meet its legal obligations;
• Where the processing is carried out using a medical implant and a personal data breach could compromise the physical health of the data subject;
• In the case of large-scale processing of personal data concerning vulnerable people, particularly children, for a purpose (or for purposes) other than that for which they were
originally collected;
• Where the data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or
behaviour, or location or movements of individuals;
• Where special categories of personal data or data of a very personal nature (such as data on poverty, unemployment, involvement in children’s services or social services,
data about domestic and private activities, or location data) are systematically shared between multiple controllers;
• In the context of large-scale Internet of Things processing of data (i.e., generated using devices which have sensors and which send data via the internet or other means such
as smart televisions, smart kitchen appliances, connected toys, smart cities, smart meters), and the purpose of the processing is to analyse or predict the economic situation,
the health, the personal preferences or interests, the reliability or behaviour, or the location or movements of individuals;
• In the context of large-scale, and/or systematic processing of telephony data, internet data, or other communication data, metadata, location data of natural persons, or data
which permits the organisation to find natural persons (such as wifi tracking or location data of those travelling via public transport) where the processing is not strictly
necessary for a service requested by the data subject; and
• In the context of large-scale processing of personal data where the behaviour (for example, viewing habits, listening habits, browsing habits, clicking activity, physical
behaviour or shopping habits) of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner using
automated processing.
Data Protection Impact Assessment (DPIA) - Infographic
GDPR and Cybersecurity
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data
shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against
unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate
technical or organizational measures'
This is referred to as the GDPR's 'security principle'. It concerns the broad concept of information security.
We need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on
the security of our processing. Article 32(1) states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and
purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural
persons, the controller and the processor shall implement appropriate technical and organizational measures to
ensure a level of security appropriate to the risk”
This means that we must have appropriate security measures to prevent the personal data we hold from being accidentally or deliberately compromised. Keep in mind that while information security is sometimes equated with cybersecurity (the protection of your networks and information systems from attack), it also covers other things such as physical and organizational security measures.
Role of a CISO in GDPR Regime
The DPO role is referred to throughout the GDPR text and specifically described in its Section 4 – Articles 37, 38 and 39 – detailing:
• HOW the DPO should be designated by the company/entity
• WHAT the DPO's position within the corporate structure shall be
• WHICH specific tasks a DPO must assure and be responsible for
To understand whether a CISO may assume the role of DPO in the same organization, we must understand the tasks and duties of both profiles and assess whether there are conflicts of interest that may jeopardize the required assurance of personal data protection.
Article 38(6) allows DPOs to 'fulfil other tasks and duties'. It requires, however, that the organization ensure that 'any such tasks and duties do not result in a conflict of interests'.
Typically, the CISO bears the responsibility for defining the overall corporate Information Security / Cyber Security / Digital Security Policy and aims mainly to safeguard the organization's assets. However, being the DPO means he/she would also be assessing / auditing such corporate guidelines to ensure compliance with the GDPR and any privacy regulation intended to ensure the protection of data subjects' personal data. Most of the time, these goals represent conflicting interests.
However, many small and medium organizations have the CISO function act as the DPO, given the operational nature of the role and the ability of a CISO to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
Solution Mapping to GDPR Requirements (Representative)
Table columns: Key Security Focus Area | GDPR Key Principles | Translated Requirements | Recommended Measures and Solutions

Governance & Legal & Finance
  Translated requirements:
  • Sensitive personal information for disposition – Right to be forgotten
  • Respond to data subjects – legal inquiries, audits & reporting
  • Contractual obligations for data transfers
  Recommended measures and solutions:
  • Governance solutions (DPO Dashboard)
  • Sensitive data definition and mapping across systems
  • Policy and Procedures Framework redefinition
  • Process definition
  • Fines and obligations management
  • Reporting, internal and external

Data and Content Governance and Processing
  Translated requirements:
  • Consent > Capture > Transform > Process > Archive > Erase
  Recommended measures and solutions:
  • Content and Information Management
  • Consent Management and Subject Rights Management
  • Application Impact & Transformation

Data Security (Integrity & Confidentiality – secure sensitive data throughout the data lifecycle)
  Key GDPR articles addressed: Article 5, Article 13a, Article 23, Article 25, Article 30, Article 32a, Article 32, Article 34, Article 35
  Translated requirements:
  • Personal Data Assessment – identifying sensitive information that will fall under GDPR regulations
  • Ensure the protection of identified sensitive data (PII, PHI, PCI)
  • Privacy by Design
  Recommended measures and solutions:
  • Data Classification, Identification, and Discovery
  • Vendor Risk Assessments
  • Data Protection Impact Assessments
  • Application Security Scans and Secure Code Reviews
  • Data Level Security Controls: Data De-identification, Pseudonymization, Data Level Encryption, Disk/Storage Encryption, Tokenization, Key Management, Database Activity Monitoring
  • Device Encryption
  • Digital Rights Management
  • Data Leak Prevention

IT Security – Avoid / Report Breaches
  Key GDPR articles addressed: Article 31, Article 33
  Translated requirements:
  • Data breach notification
  • Security breach response and reporting
  • Continuous monitoring
  • Incident Management
  Recommended measures and solutions:
  • SIEM & Event Correlation (Monitor & Control)
  • Incident Response Management
  • Network & Information Systems Security
  • Infrastructure Design
  • Data Storage
High Level Milestones for a successful GDPR Implementation
Typical GDPR Implementation Lifecycle: Assessment → Design & Implementation → Monitor & Manage

Assessment
• GDPR readiness assessment
• Data classification
• Data inventory
• Privacy Impact Assessment
• Technology assessment
• Overall GDPR road map & recommendations

Design & Implementation
• Design & architecting
  • Security architecture design
  • Privacy architecture design
• Technology implementation
  • Vulnerability management
  • Data Leak Prevention and Digital Rights Management
  • SIEM / UBA
  • Identity and Access Management
  • Data governance solutions
  • Encryption and pseudonymization
  • Perimeter, application and database security
  • etc.
• Process frameworks implementation

Monitor & Manage
• GDPR-aware Security Operation Center
• SIEM & UEBA monitoring and management
• Data leak monitoring and management via DLP / DRM
• Vulnerability & patch management
• Database Activity Monitoring
• Compliance monitoring and management
• Data encryption & key management
• Identity and Access Management services
• Email & gateway security monitoring
• Application security monitoring and management (WAF)
• Breach / incident monitoring, management and reporting
Assessment Services
Table columns: Solution | Description | Delivery eco system (Technology/Tools | Responsibility)
• GDPR readiness Assessment – A quick assessment identifies the current state and readiness of your organization's privacy policies and status in line with the GDPR.
• Data Mapping and Classification – Understand the business model, data sources and data flow. Classify them in line with the GDPR (PI, SPI) based on the data flow map.
• Data Inventory – Data discovery scans for sensitive data elements such as PI and SPI in various data sources and systems and provide a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Privacy Impact Assessment – Identify and assess the impact on PI and SPI data in the particular environment. The outcome of the exercise is a detailed PI / SPI data risk/impact heat map.
• Technology & Infrastructure Assessment – A key management solution provides the necessary ability to generate, distribute, store, rotate and revoke encryption keys as required to protect the sensitive information in databases/file systems.
• GDPR roadmap and recommendations – Create and suggest the GDPR road map based on the inputs from the above activities and provide recommendations. This helps the customer move on to the Design/Implement and Manage/Monitor phases.
Design & Implementation Services
Table columns: Solution | Description | Delivery eco system (Technology/Framework | Responsibility)
• Privacy architecture design – Design the organization's process and technology architecture with privacy in mind, in line with the GDPR.
• Security architecture design – Design the organization's security process and technology architecture in line with the GDPR to protect PI and SPI data.
• Implementation of technology components / tools – In order to prevent / manage data breaches and protect PI and SPI, the organization needs to implement / upgrade various security controls. The Cognizant team will help to evaluate, design and implement those tools as per industry best practices.
• Process framework implementation – Develop and enhance various privacy policies and processes; process redesign if required, and controls implementation.
Data Security Centric Services
Table columns: Solution | Description | Delivery eco system (Technology | Responsibility)
• Data Discovery – Data discovery scans for sensitive elements in various data sources and systems and provide a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Data Anonymization – Data anonymization (static data masking) ensures protection of sensitive production data such as PII in non-production environments, to avoid exposure to testers / developers. Dynamic data masking provides real-time masking of sensitive production data.
• Structured Data Encryption (at Database Level) – Database encryption protects sensitive data residing in production databases. This can be done either by leveraging native TDE techniques such as Oracle TDE or SQL Server TDE, or by leveraging third-party solutions.
• Data Encryption – File / Folder level Encryption – File / folder level encryption protects unstructured data (PII) on servers and file systems, such as Word documents, PDFs, database files, etc.
• Key Management – A key management solution provides the necessary ability to generate, distribute, store, rotate and revoke encryption keys as required to protect the sensitive information in databases / file systems.
• Digital Rights Management (DRM) – DRM enables organizations to control usage of information wherever it goes, both within and outside the organization's boundaries.
• Data Loss Prevention (DLP) – DLP provides visibility into what data leaves the network and how sensitive information is being used. It enables users to monitor and control endpoint activities, thus reducing the risk of a data breach.
• Database Activity Monitoring (DAM) – DAM prevents data leaks from application databases and files to ensure the integrity of information deployed across various customer environments. It ensures continuous monitoring of application databases and enforces policies for sensitive data access towards compliance.
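The static and dynamic masking rows above, together with the "Data Level Security Controls" entry in the solution mapping (pseudonymization, tokenization, key management), describe the same small set of mechanisms. The Python below is an added example, not code from the deck or from Cognizant: it builds a non-production copy of a constructed customer table by keyed pseudonymization (HMAC-SHA256) so that the copy still joins to a related orders table, and it returns role-dependent views of the live record for dynamic masking. The records, the key and the role names `fraud_analyst` / `support_agent` are assumptions made for the example.

```python
"""Static pseudonymization of a production extract and role-based dynamic masking.

Added example, not code from the original deck. All records below are
constructed sample data; the key and the role names are assumptions.
"""
import copy
import hashlib
import hmac

# Constructed sample of a production customer table (fictitious people).
PRODUCTION_CUSTOMERS = [
    {"customer_id": 1001, "name": "Anna Example", "email": "anna@example.org",
     "iban": "DE89370400440532013000", "segment": "retail"},
    {"customer_id": 1002, "name": "Ben Sample", "email": "ben@example.org",
     "iban": "FR7630006000011234567890189", "segment": "business"},
]
# Constructed order table that references customers by customer_id.
PRODUCTION_ORDERS = [
    {"order_id": 1, "customer_id": 1001, "amount": 19.90},
    {"order_id": 2, "customer_id": 1001, "amount": 5.00},
    {"order_id": 3, "customer_id": 1002, "amount": 120.00},
]
# Columns holding direct identifiers; everything else is copied unchanged.
DIRECT_IDENTIFIERS = ("name", "email", "iban")


def pseudonymize(value, key, length=16):
    """Deterministic keyed pseudonym: HMAC-SHA256 over the value, truncated.
    Same value + same key -> same token, so joins across tables still work;
    without the key the token can be neither reversed nor recomputed."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def static_mask_customers(rows, key):
    """Static data masking: produce the non-production copy of the customer
    table. Direct identifiers and the join key are replaced by pseudonyms."""
    masked = []
    for row in rows:
        out = copy.deepcopy(row)
        out["customer_id"] = pseudonymize(row["customer_id"], key)
        for column in DIRECT_IDENTIFIERS:
            out[column] = pseudonymize(row[column], key)
        masked.append(out)
    return masked


def static_mask_orders(rows, key):
    """The referencing table must be masked with the same key, or the join breaks."""
    return [dict(row, customer_id=pseudonymize(row["customer_id"], key)) for row in rows]


def join_orders_to_segment(customers, orders):
    """Referential-integrity check on the masked copy: map each order to its
    customer's segment. A KeyError here means the two tables were masked
    with different keys."""
    by_id = {c["customer_id"]: c for c in customers}
    return {o["order_id"]: by_id[o["customer_id"]]["segment"] for o in orders}


# Dynamic data masking: stored values are untouched; the view depends on role.
def mask_email(email):
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_iban(iban):
    return "*" * (len(iban) - 4) + iban[-4:]


def mask_name(name):
    return name.split()[0][:1] + "."


COLUMN_MASKERS = {"email": mask_email, "iban": mask_iban, "name": mask_name}


def dynamic_view(row, role):
    """Return what a user in `role` may see. Roles are hypothetical; unknown
    roles are denied rather than shown unmasked data (deny by default)."""
    if role == "fraud_analyst":          # business need for the full record
        return dict(row)
    if role == "support_agent":          # enough to confirm identity, no more
        view = dict(row)
        for column, masker in COLUMN_MASKERS.items():
            view[column] = masker(row[column])
        return view
    raise PermissionError(f"role {role!r} has no view on customer records")


if __name__ == "__main__":
    key = b"example-masking-key"   # constructed; in practice it comes from the KMS
    customers = static_mask_customers(PRODUCTION_CUSTOMERS, key)
    orders = static_mask_orders(PRODUCTION_ORDERS, key)
    print(join_orders_to_segment(customers, orders))
    print(dynamic_view(PRODUCTION_CUSTOMERS[0], "support_agent"))
```

Two properties matter for the GDPR reading of this. First, the pseudonym is a keyed HMAC, so whoever holds the key can recompute it and link the token back to the person; under Recital 26 the masked copy therefore remains personal data for as long as that key exists, which is why the key belongs in the key management solution listed above and never in the non-production environment that receives the copy. Second, rotating the key changes every pseudonym, so an extract made under the new key no longer joins to one made under the old key; the same property that keeps test data consistent within one extract prevents accidental linkage across extracts.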
Incident/Breach Monitoring, Management and Reporting Services
Table columns: Solution | Description | Delivery eco system (Technology/Tools | Responsibility)
• SIEM & UBA Monitoring and Management – Monitor cyber attacks that may lead to a data breach via SIEM and UBA monitoring and management. Anomalous patterns and behavior at the people, network and data levels are monitored and the required remedial actions are taken.
• Data leakage monitoring and prevention – Data leakage via files, emails and at the gateway level is monitored and managed using Data Leak Prevention (DLP) and protected via a Digital Rights Management system on a continuous basis.
• Vulnerability (Infra and Application) and Patch Management – In order to prevent data breaches, the first step is to identify the vulnerabilities that exist in your network, servers, user computers, applications and databases. Cognizant's state-of-the-art vulnerability and patch management program helps you protect your infrastructure by proactively identifying and fixing them in time, before exploitation leads to breaches. A secure SDLC also helps to identify vulnerabilities at an early stage of development.
• Identity and Access Management solutions – The solution enables organizations to apply the necessary access controls at various levels to different user groups in order to avoid unauthorized access to sensitive data: entitlement / role / profile / group based access control, need-to-know or least-privilege access, SoD and port based access control. It also helps to address erasure, subject access requests, etc.
• Web Application Firewall – A WAF is a security control to protect web applications against attacks and vulnerabilities. It provides real-time monitoring of traffic before it reaches the web application to identify potential data breaches.
• Email Security & Web Gateways – Email security protects sensitive data sent over email by leveraging access control and encryption techniques. Web gateways prevent accidental and intentional data leakage by inspecting web traffic.
• Breach / Incident monitoring, management and reporting – Incident Response Management technology helps to detect incidents, risks, data breaches / attacks, and to remediate or mitigate their impact. An incident response service helps the organization meet the 72-hour breach notification requirement of the GDPR.
Third Party Assessment for GDPR Compliance
GDPR – Summary
• Heavy penalties for non-adherence – 4% of annual global revenue or Euro 20 million
• Applies to non-EU companies too – if your company processes personal data of subjects in the EU
• Wide scope of personal data definition – includes social identity, economic, cultural, mental and genetic data
• 72 hours breach notification – report the breach within 72 hours of breach identification
• Data Protection Officer – handlers of high-volume / sensitive / government personal data need to appoint a DPO
• Data Protection Impact Assessment – for projects with high privacy risks
• Data subject rights – consent, right to be forgotten, portable-format data requests and parental consent for children
• Privacy by Design – adopt the privacy by design concept at the organization, people, technology and process levels
• Controllers & Processors – data controllers must ensure contracts; processors are also directly liable for the security of personal data
Sources and References
https://gdpr-info.eu/
https://www.itgovernance.co.uk
https://ico.org.uk
https://gdpr.eu
https://www.cnil.fr
https://www.isaca.org/info/gdpr/index.html

 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkPECB
 
Ready for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital EconomyReady for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital EconomyRay ABOU
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")Parsons Behle & Latimer
 
Reddico GDPR Presentation
Reddico GDPR PresentationReddico GDPR Presentation
Reddico GDPR PresentationLuke Kyte
 
GDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareGDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareWinston & Strawn LLP
 
GDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to FollowGDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to Followetouches
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...Harrison Clark Rickerbys
 

Similar to GDPR Overview and Impact in 40 Characters (20)

The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should KnowThe General Data Protection Regulation (GDPR) in Ireland-What You Should Know
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
 
Building a register of data processing
Building a register of data processingBuilding a register of data processing
Building a register of data processing
 
General Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity ArchitectsGeneral Data Protection Regulation (GDPR) for Identity Architects
General Data Protection Regulation (GDPR) for Identity Architects
 
General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...General Data Protection Regulation: what do you need to do to get prepared? -...
General Data Protection Regulation: what do you need to do to get prepared? -...
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
The Countdown to the GDPR Regulations
The Countdown to the GDPR RegulationsThe Countdown to the GDPR Regulations
The Countdown to the GDPR Regulations
 
Public sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, ExeterPublic sector breakfast club, October 2016, Exeter
Public sector breakfast club, October 2016, Exeter
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
GDPR master class accountable research organisations (january 2018)
GDPR master class   accountable research organisations (january 2018)GDPR master class   accountable research organisations (january 2018)
GDPR master class accountable research organisations (january 2018)
 
Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...Protection des données et de la vie privée : nouvelles obligations pour les e...
Protection des données et de la vie privée : nouvelles obligations pour les e...
 
GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization  GDPR – Readiness in IT offshore organization
GDPR – Readiness in IT offshore organization
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
Ready for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital EconomyReady for the GDPR, Ready for the Digital Economy
Ready for the GDPR, Ready for the Digital Economy
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")The General Data Protection Regulation ("GDPR")
The General Data Protection Regulation ("GDPR")
 
Reddico GDPR Presentation
Reddico GDPR PresentationReddico GDPR Presentation
Reddico GDPR Presentation
 
GDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareGDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To Prepare
 
GDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to FollowGDPR: the Steps Event Planners Need to Follow
GDPR: the Steps Event Planners Need to Follow
 
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
GDPR Breakfast Briefing for Business Owners, IT Directors, HR Directors & Ops...
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

GDPR Overview and Impact in 40 Characters

  • 7. 7 Key Definition – Personal Data
  • 9. GDPR Myths Vs Reality
  • 11. Controller, Processor • Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals. • Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor • Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing? • Organizations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services. • Individuals can bring claims for compensation and damages against both controllers and processors. • You should take the time to assess, and document, the status of each organization you work with in respect of all the personal data and processing activities you carry out. • The following checklists set out indicators as to whether you are a controller, a processor or a joint controller. The more boxes you tick, the more likely you are to fall within the relevant category.
  • 12. Controller, Processor • Are we a Controller ? ☐ We decided to collect or process the personal data. ☐ We decided what the purpose or outcome of the processing was to be. ☐ We decided what personal data should be collected. ☐ We decided which individuals to collect personal data about. ☐ We obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller. ☐ We are processing the personal data as a result of a contract between us and the data subject. ☐ The data subjects are our employees. ☐ We make decisions about the individuals concerned as part of or as a result of the processing. ☐ We exercise professional judgement in the processing of the personal data. ☐ We have a direct relationship with the data subjects. ☐ We have complete autonomy as to how the personal data is processed. ☐ We have appointed the processors to process the personal data on our behalf.
  • 13. Controller, Processor • Are we a Joint Controller ? ☐ We have a common objective with others regarding the processing. ☐ We are processing the personal data for the same purpose as another controller. ☐ We are using the same set of personal data (eg one database) for this processing as another controller. ☐ We have designed this process with another controller. ☐ We have common information management rules with another controller.
  • 14. Controller, Processor • Are we a Processor ? ☐ We are following instructions from someone else regarding the processing of personal data. ☐ We were given the personal data by a customer or similar third party, or told what data to collect. ☐ We do not decide to collect personal data from individuals. ☐ We do not decide what personal data should be collected from individuals. ☐ We do not decide the lawful basis for the use of that data. ☐ We do not decide what purpose or purposes the data will be used for. ☐ We do not decide whether to disclose the data, or to whom. ☐ We do not decide how long to retain the data. ☐ We may make some decisions on how data is processed, but implement these decisions under a contract with someone else. ☐ We are not interested in the end result of the processing. Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. Processors act on behalf of, and only on the instructions of, the relevant controller.
  • 15. 15 Data Protection Impact Assessment (DPIA) • A data protection impact assessment (DPIA) is a process that helps organizations identify and minimize risks that result from data processing. DPIAs are usually undertaken when introducing new data processing processes, systems or technologies. • When should you conduct a DPIA? Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. DPIA must: • Describe the nature, scope, context and purposes of the processing; • assess necessity, proportionality and compliance measures; • identify and assess risks to individuals; and • identify any additional measures to mitigate those risks
  • 16. 16 Data Protection Impact Assessment (DPIA) – Blacklist and Whitelist Organizations subject to the GDPR are required to assess whether they need to undertake a DPIA when undertaking new processing operations. Data protection authorities of many EU member states have published draft lists of data processing activities that would trigger the need for a data protection impact assessment in that country Under GDPR regime, member state data protection authorities are required to publish a “Black List” of processing operations which are always subject to the requirement to undertake a DPIA; and are also permitted to publish a “White List” of processing operations which are not subject to the requirement to undertake a DPIA.
• 17. 17 Data Protection Impact Assessment (DPIA) – Whitelist sample
The White List
The White List sets out scenarios where a DPIA is not required. Many of these scenarios are subject to further caveats set out by the recommendation. A DPIA will not be required for the following types of processing:
• Processing operations carried out by private organizations which are necessary for compliance with a legal obligation to which the organization is subject, provided that the law sets out the purposes of the processing, the categories of personal data to be processed and provides safeguards to prevent abuse or unlawful access or transfer;
• Processing for the purposes of the administration of salaries of people who work for or on behalf of the controller;
• Processing exclusively for the purposes of administration of personnel who work for or on behalf of the controller, where that administration is required by law or regulation, but only to the extent that the processing does not involve health data, special categories of personal data, data concerning criminal convictions or infractions, or data to be used to evaluate data subjects;
• Processing exclusively for the purposes of the controller’s accountancy practices. The processing must be limited to the data subjects, and the data categories which are necessary for the controller’s accountancy practice;
• Processing in relation to the administration of shareholders and associates. The processing must be limited to the data subjects, and the data categories which are necessary for that administration;
• Processing undertaken by a foundation, association or any other non-profit organization carrying out its day-to-day activities, but only where the data was not obtained from third party databases and where the processing concerns:
  • personal data about its own members;
  • people with whom the controller regularly interacts; and
  • the beneficiaries of the organization.
• Processing in relation to the registration of visitors for the purposes of a sign-in or check-in procedure; although data must be limited to certain information such as the name and professional address of the visitor and information identifying their vehicle;
• Processing by educational institutions for the management of their relationship with their own pupils or students (past, present or potential) in the context of their educational duties; and
• Processing exclusively in relation to the management of an organization's clients or suppliers (past or present), as long as the processing does not involve data such as ‘special category personal data’, or data concerning criminal convictions or infractions.
• 18. 18 Data Protection Impact Assessment (DPIA) – Blacklist sample
The Black List
• Where the processing involves the use of biometric data to uniquely identify individuals in a public space or in a private space accessible to the public;
• Where the personal data is collected from a third party in order to make a decision to refuse or to terminate a given services contract with an individual;
• Where special category personal data is used for a purpose (or for purposes) other than that for which it was originally collected, except where the processing is based on the data subject’s consent, or where necessary for the controller to meet its legal obligations;
• Where the processing is carried out using a medical implant and a personal data breach could compromise the physical health of the data subject;
• In the case of large-scale processing of personal data concerning vulnerable people, particularly children, for a purpose (or for purposes) other than that for which it was originally collected;
• Where the data is collected on a large scale from third parties in order to analyse or predict the economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements of individuals;
• Where special categories of personal data or data of a very personal nature (such as data on poverty, unemployment, involvement in children’s services or social services, data about domestic and private activities, or location data) are systematically shared between multiple controllers;
• In the context of large-scale Internet of Things processing of data (i.e., generated using devices which have sensors and which send data via the internet or other means, such as smart televisions, smart kitchen appliances, connected toys, smart cities, smart meters), where the purpose of the processing is to analyse or predict the economic situation, the health, the personal preferences or interests, the reliability or behaviour, or the location or movements of individuals;
• In the context of large-scale and/or systematic processing of telephony data, internet data, or other communication data, metadata, location data of natural persons, or data which permits the organisation to find natural persons (such as wifi tracking or location data of those travelling via public transport), where the processing is not strictly necessary for a service requested by the data subject; and
• In the context of large-scale processing of personal data where the behaviour (for example, viewing habits, listening habits, browsing habits, clicking activity, physical behaviour or shopping habits) of natural persons is observed, collected, established or influenced, including for advertising purposes, in a systematic manner using automated processing.
  • 19. 19 Data Protection Impact Assessment (DPIA) - Infographic
• 20. 20 GDPR and Cybersecurity
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be:
'Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures'
This is referred to as the GDPR’s ‘security principle’. It concerns the broad concept of information security.
We need to consider the security principle alongside Article 32 of the GDPR, which provides more specifics on the security of our processing. Article 32(1) states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”
This means that we must have appropriate security measures to prevent the personal data we hold from being accidentally or deliberately compromised.
Please keep in mind that while information security is sometimes equated with cybersecurity (the protection of your networks and information systems from attack), it also covers other things, such as physical and organizational security measures.
• 21. Role of a CISO in GDPR Regime
The DPO role is referred to throughout the GDPR text and specifically described under its Section 4 – articles 37, 38 and 39, detailing:
• HOW the DPO should be designated by the company/entity
• WHAT the position shall be within the corporate structure
• WHICH specific tasks a DPO must assure and be responsible for
To understand whether a CISO may assume the role of DPO in the same organization, we must understand the tasks and duties of both profiles and assess whether there are conflicts of interest that may jeopardize the required assurance of personal data protection.
Article 38(6) allows DPOs to ‘fulfil other tasks and duties’. It requires, however, that the organization ensure that ‘any such tasks and duties do not result in a conflict of interests’.
Typically, the CISO bears the responsibility for defining the overall corporate Information Security / Cyber Security / Digital Security Policy and aims mainly to safeguard the organization's assets. However, being the DPO means he/she would also be assessing / auditing such corporate guidelines to ensure compliance with GDPR and any privacy regulation intended to ensure data subjects’ personal data protection. Most of the time, these goals represent conflicting interests.
However, many small and medium organizations have the CISO function act as DPO, given the operational nature of the role and the ability of a CISO to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
• 22. 22 Solution Mapping to GDPR Requirements (Representative)
Columns: Key Security Focus Area | GDPR Key Principles | Translated Requirements | Recommended Measures and Solutions

Governance & Legal & Finance
Translated Requirements:
• Sensitive personal information for disposition – Right to be forgotten
• Respond to data subjects – legal inquiries, audits & reporting
• Contractual Obligations for data transfers
Recommended Measures and Solutions:
• Governance solutions (DPO Dashboard)
• Sensitive data definition and mapping across systems
• Policy and Procedures Framework Redefinition
• Process Definition
• Fines and Obligations Management
• Reporting, Internal and External

Data and Content Governance and Processing
Translated Requirements:
• Consent > Capture > Transform > Process > Archive > Erase
Recommended Measures and Solutions:
• Content and Information Management
• Consent Management and Subject Rights Management
• Application Impact & Transformation

Data Security (Integrity & Confidentiality – Secure sensitive data throughout data lifecycle)
Key GDPR articles addressed: Article 5, Article 13a, Article 23, Article 25, Article 30, Article 32a, Article 32, Article 34, Article 35
Translated Requirements:
• Personal Data Assessment – identifying sensitive information that will fall under GDPR regulations
• Data Classification, Identification, and Discovery
• Vendor Risk Assessments
• Data Protection Impact Assessments
• Application Security Scans and Secure Code Reviews
• Ensure the protection of identified sensitive data (PII, PHI, PCI)
• Privacy by Design
Recommended Measures and Solutions – Data Level Security Controls:
• Data De-identification, Pseudonymization, Data Level Encryption, Disk/Storage Encryption, Tokenization, Key Management, Database Activity Monitoring
• Device Encryption
• Digital Rights Management
• Data Leak Prevention

IT Security – Avoid/Report Breaches
Key GDPR articles addressed: Article 31, Article 33
Translated Requirements:
• Data breach notification
• Security breach response and reporting
• Continuous monitoring
• Incident Management
Recommended Measures and Solutions:
• SIEM & Event Correlation (Monitor & Control)
• Incident Response Management
• Network & Information Systems Security
• Infrastructure Design
• Data Storage
  • 23. High Level Milestones for a successful GDPR Implementation
• 24. Typical GDPR Implementation Lifecycle
Assessment
• GDPR readiness Assessment
• Data classification
• Data Inventory
• Privacy Impact Assessment
• Technology Assessment
• Overall GDPR road map & recommendations
Design & Implementation
• Design & Architecting
  • Security architecture design
  • Privacy architecture design
• Technology Implementation
  • Vulnerability management
  • Data Leak Prevention and Digital Rights Management
  • SIEM / UBA
  • Identity and Access Management
  • Data Governance solutions
  • Encryption and pseudonymization
  • Perimeter, Application and Database Security
  • etc.
• Process frameworks Implementation
Monitor & Manage
• GDPR aware Security Operation Center
• SIEM & UEBA monitoring and management
• Data Leak Monitoring and Management via DLP / DRM
• Vulnerability & Patch Management
• Database Activity Monitoring
• Compliance monitoring and Management
• Data encryption & Key management
• Identity and Access Management Services
• Email & Gateway Security monitoring
• Applications security monitoring and Management (WAF)
• Breach / Incident monitoring, management and reporting
• 25. 25 Assessment Services
Columns: Solution | Description | Delivery eco system | Technology/Tools | Responsibility
• GDPR readiness Assessment – Quick assessment that identifies the current state and readiness of your organization's privacy policies and their status in line with GDPR.
• Data Mapping and Classification – Understand the business model, data sources and data flow. Classify them in line with GDPR (PI, SPI) based on the data flow map.
• Data Inventory – Data discovery scans for sensitive data elements like PI and SPI in various data sources and systems and provides a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Privacy Impact Assessment – Identify and assess the impact of PI and SPI data in the particular environment. The outcome of the exercise will be a detailed PI / SPI data risk/impact heat map.
• Technology & Infrastructure Assessment – Key management solution provides the necessary ability to generate, distribute, store, rotate, and revoke encryption keys as required to protect the sensitive information in databases/file systems.
• GDPR roadmap and recommendations – Create and suggest the GDPR road map based on the inputs from the above activities and provide recommendations. This will help the customer to continue to move to the Design/Implement and Manage/Monitor phases.
• 26. 26 Design & Implementation Services
Columns: Solution | Description | Delivery eco system | Technology/Framework | Responsibility
• Privacy architecture design – Design the organization's process and technology architecture with privacy in mind, in line with GDPR.
• Security architecture design – Design the organization's security process and technology architecture in line with GDPR to protect PI and SPI data.
• Implementation of technology components / tools – In order to prevent / manage data breaches and protect PI and SPI, an organization needs to implement / upgrade various security controls. The Cognizant team will help to evaluate, design and implement those tools as per industry best practices.
• Process framework implementation – Develop and enhance various privacy policies and processes. Process redesign if required, and controls implementation.
• 27. 27 Data Security Centric Services
Columns: Solution | Description | Delivery eco system | Technology | Responsibility
• Data Discovery – Data discovery scans for sensitive elements in various data sources and systems and provides a view of where sensitive data resides, thus enabling organizations to align appropriate data protection controls.
• Data Anonymization – Data Anonymization (Static Data Masking) ensures protection of sensitive production data such as PII in non-production environments, to avoid exposure to testers/developers. Dynamic data masking provides real-time masking of sensitive production data.
• Structured Data Encryption (at Database Level) – Database encryption protects sensitive data residing in production databases. This can be done either by leveraging native TDE techniques such as Oracle TDE or SQL Server TDE, or by leveraging third party solutions.
• Data Encryption – File/Folder level Encryption – File/folder level encryption protects unstructured data (PII) on servers and file systems, such as Word documents, PDFs, database files, etc.
• Key Management – Key management solution provides the necessary ability to generate, distribute, store, rotate, and revoke encryption keys as required to protect the sensitive information in databases/file systems.
• Digital Rights Management (DRM) – DRM enables organizations to control usage of information wherever it goes, both within and outside of the organization’s boundaries.
• Data Loss Prevention (DLP) – DLP provides visibility into what data leaves the network and how sensitive information is being used. It enables users to monitor and control end point activities, thus reducing the risk of a data breach.
• Database activity monitoring – DAM prevents data leaks from application databases and files to ensure the integrity of information deployed across various customer environments. It ensures continuous monitoring of application databases and enforces policies for sensitive data access towards compliance.
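The static masking and pseudonymization services above rely on one distinction worth seeing in code: a pseudonym is reversible only by whoever holds the key (so the key belongs with the key management function, not the test or analytics environment), while a static mask for non-production copies is irreversible by design. The following is an added example, not code from the deck or from Cognizant; the record layout, the Pseudonymizer class and the leaks_raw_identifier release check are hypothetical, and the sample rows are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample rows (not real people), as they might sit in a production table.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "Anna.Example@example.org",
     "phone": "+49 30 1234567", "plan": "gold"},
    {"customer_id": "C-1002", "email": "bob.example@example.org",
     "phone": "+33 1 98765432", "plan": "basic"},
]
IDENTIFIER_FIELDS = ("customer_id", "email", "phone")


class Pseudonymizer:
    """Keyed pseudonymisation (hypothetical helper): the same identifier always
    maps to the same token, so joins across systems still work, but
    re-identification needs the secret key, which stays with the key
    management function and never ships to the analytics or test environment."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("pseudonymisation key must be at least 256 bits")
        self._key = key

    def token(self, field: str, value: str) -> str:
        # An unkeyed hash of an email or phone number can be matched against a
        # list of candidate values; the HMAC key is what rules that out.
        # Mixing in the field name keeps tokens from colliding across columns.
        msg = f"{field}:{value.strip().lower()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        out = dict(record)
        for field in IDENTIFIER_FIELDS:
            out[field] = self.token(field, record[field])
        return out


def static_mask(record: dict) -> dict:
    """Irreversible masking for non-production copies: keep the shape of each
    value so testers and developers can work with it, destroy the content."""
    masked = dict(record)
    masked["customer_id"] = "C-0000"
    masked["email"] = "masked.user@example.invalid"
    masked["phone"] = re.sub(r"\d", "0", record["phone"])  # keep the format
    return masked


def leaks_raw_identifier(original: dict, transformed: dict) -> bool:
    """Release check before a copy leaves production: does any original
    identifier value still appear, in any field, in the transformed row?"""
    raw = {original[f].strip().lower() for f in IDENTIFIER_FIELDS}
    return any(str(v).strip().lower() in raw for v in transformed.values())
```

Non-identifying columns such as "plan" are left untouched by both paths, which is what lets the masked or pseudonymized copy still exercise application logic.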
• 28. 28 Incident/Breach monitoring, Management and Reporting Services
Columns: Solution | Description | Delivery eco system | Technology/Tools | Responsibility
• SIEM & UBA Monitoring and Management – Monitor cyber attacks that may lead to a data breach via SIEM and UBA monitoring and management. Anomalous patterns and behavior at the people, network and data level are monitored and the required remedial actions are taken.
• Data leakage monitoring and prevention – Data leakage via files, emails and at the gateway level is monitored and managed using Data Leak Prevention (DLP) and protected via a Digital Rights Management system on a continuous basis.
• Vulnerability (Infra and Application) and Patch Management – In order to prevent data breaches, the first step is to identify the vulnerabilities that exist in your network, servers, user computers, applications and databases. Cognizant’s state-of-the-art vulnerability and patch management program helps you protect your infrastructure by proactively identifying and fixing them on time, before exploitation leads to breaches. A secure SDLC also helps to identify vulnerabilities at an early stage of development.
• Identity and Access Management solutions – The solution enables organizations to apply the necessary access controls at various levels to different user groups in order to avoid unauthorized access to sensitive data: entitlement/role/profile/group based access control, need-to-know or least privilege, SOD and port based access control. This also helps to address erasure, subject access requests, etc.
• Web Application Firewall – A WAF is a security control to protect web applications against attacks and vulnerabilities. It provides real-time monitoring of traffic before it reaches the web application to identify potential data breaches.
• Email Security & Web Gateways – Email security protects sensitive data which is sent over email by leveraging access control and encryption techniques. Web gateways prevent accidental and intentional data leakage by inspecting web traffic.
• Breach / Incident monitoring, management and reporting – Incident Response Management technology helps to detect incidents, risks, data breaches/attacks, and to remediate or mitigate their impact. The incident response service helps the organization to meet the GDPR's 72-hour breach notification requirement.
  • 29. Third Party Assessment for GDPR Compliance
• 30. GDPR – Summary
• Heavy Penalties for non-adherence – 4% of annual global revenue or Euro 20 million
• Applies to non-EU companies too – If your company processes personal data of subjects in the EU
• Wide scope of Personal data definition – Includes social identity, economic, cultural, mental and genetic data
• 72 hours breach notification – Report the breach within 72 hours of breach identification
• Data Protection Officer – Handlers of high volume / sensitive / government personal data need to appoint a DPO
• Data Protection Impact Assessment – For projects with high privacy risks
• Data Subject rights – Consent, right to be forgotten, portable format data request and parental consent for children
• Privacy by Design – Adopt the privacy by design concept at organization, people, technology and process levels
• Controllers & Processors – Data controllers must ensure contracts; processors are also directly liable for the security of personal data