Being Ready for GDPR
Jessvin Thomas
Jessvin.Thomas@skoutsecure.com
SIM NY
February 21, 2018
Jessvin Thomas, CTO
Selected Background
• Next Generation SOC, Orchestration & Analytics
• Internal Information Security
• Investments in Carbon Black, Cylance, iSight Partners
• Cloud, Automation & Tooling for consumer internet services
Agenda
1. What makes GDPR different
2. Principles of GDPR
3. GDPR Pyramid
4. Your responsibilities
5. Data Protection as part of security
6. Takeaways & Checklist
“We believe that data is the phenomenon of our time. It is the world's new
natural resource. It is the new basis of competitive advantage, and it is
transforming every profession and industry. If all of this is true – even
inevitable – then cyber crime, by definition, is the greatest threat to every
profession, every industry, every company in the world.”
Ginni Rometty, CEO IBM
IBM Security Summit
New York City May 14, 2015
What makes GDPR different
• Data confidentiality as the only concern
• Perimeter-oriented protection
• Personal Data Rights
What makes GDPR different
Personal Data includes:
• Electronic tracking: IP addresses, emails etc.
• Genetic data
• Cultural data & affiliations
• Social identity
What makes GDPR different
4%
GDPR Principles
• Free Data Movement
• Personal Data Rights
• Data Protection by Design
Who is on the Hook?
Data Controller: body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: body which processes personal data on behalf of the controller.
Controller Responsibilities: personal data shall be
• processed lawfully, fairly and in a transparent manner
• collected for specified, explicit and legitimate purposes
• protected in a manner that ensures appropriate security
• adequate, relevant and limited to what is necessary
• accurate and, where necessary, kept up to date
• kept in a form which permits identification of data subjects for no longer than is necessary
Things you may have heard of
Consent & Opt Out, Right to Erasure, Portability
Requirements for processing vary by:
• reasons for processing, and
• method of data acquisition
Pyramid of GDPR
01 Personal Data
02 Processing Purposes
03 Processing Authorization
04 Rights to Personal Data
05 Processing Requirements
01 Personal Data
• Identifying Data: Direct or Indirect
• Digital ID
• Special Categories
02 Processing Purposes
Marketing & Profiling
• Monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union.
• Profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
Corporate / Employer
Services
• Offering goods or services to such data subjects irrespective of whether connected to a payment.
Scientific, Research or Statistical Purposes
03 Processing Authorization
01 Consent
02 Contract Performance
03 Legal Obligation
04 Protect Vital Interests
05 Protect Public Interests
06 Protect Controller Interests
03 Processing Authorization: 01 Consent
For consent:
• the controller shall be able to demonstrate that the data subject has consented
• the request is presented in a manner which is clearly distinguishable from other matters
• the request is in an intelligible and easily accessible form, using clear and plain language
• the data subject shall have the right to withdraw his or her consent at any time
• it shall be as easy to withdraw consent as to give it
• consent is freely given
• processing is only for what is needed to execute the contract
04 Rights to Personal Data (Layman's Terms)
• Right to Collection Metadata
• Access Data
• Fix Accuracy
• Erasure
• Data Portability
• Object & Restrict Processing
• Human Intervention
05 Processing Requirements
01 Controller/Processor Requirements
02 Records Management
03 Security
04 Breach Notification: Supervisory Authority
05 Breach Notification: Data Subject
05 Processing Requirements: 01 Controller/Processor Requirements
• The processor shall not engage another processor without prior specific or general written authorization of the controller.
• Processing by a processor shall be governed by a binding contract that sets out:
  • the subject-matter
  • duration of the processing
  • nature of the processing
  • type of personal data and categories of data subjects
  • the obligations and rights of the controller
• The processor:
  • processes only on documented instructions from the controller
  • ensures that persons authorized to process have committed to confidentiality
  • takes all measures required for security
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision, and deletes existing copies
  • makes available to the controller all information necessary to demonstrate compliance with the obligations laid out
05 Processing Requirements: 02 Records Management
• Each controller and processor shall maintain a record of processing containing:
  • the name and contact details of the controller/processor and the data protection officer
  • the purposes of the processing
  • a description of the categories of data subjects and of the categories of personal data
  • the categories of recipients to whom the personal data have been or will be disclosed
  • transfers to a third country or an international organization and suitable safeguards
  • where possible, the envisaged time limits for erasure of the different categories of data
  • where possible, a general description of security measures
05 Processing Requirements: 03 Security
• Taking into account existing capability, costs, and the nature, scope and context of processing, the controller and processor shall implement security appropriate to the risk of disclosure impacting the rights and freedoms of natural persons, such as:
  • the pseudonymisation and encryption of personal data
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing and assessing the effectiveness of the security of processing
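The Security slide lists pseudonymisation of personal data among the expected measures, and the takeaways note that analytics on identifying data is affected. As an added illustration that is not part of the deck, the following keyed pseudonymisation of the email and IP address fields (constructed sample records; hypothetical function names) shows how a secret HMAC key held outside the analytics tier keeps tokens stable for counting and joins while preventing re-identification without the key.

```python
import hmac
import hashlib
from typing import Dict, Iterable

# Constructed sample records; email and IP address are two of the personal
# data categories the deck names.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.10", "page": "/pricing"},
    {"email": "bob@example.com", "ip": "198.51.100.7", "page": "/signup"},
    {"email": "Alice@Example.com", "ip": "203.0.113.10", "page": "/checkout"},
]

# Fields that directly or indirectly identify a person and must not reach
# the analytics store in the clear.
IDENTIFYING_FIELDS = ("email", "ip")


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Derive a stable, keyed token for one identifying value.

    HMAC-SHA256 keyed with a secret held outside the analytics environment:
    the same input always yields the same token, so counts and joins still
    work, but without the key the token cannot be reversed or recomputed.
    The field name is mixed in so an email and an IP can never collide.
    """
    msg = f"{field}:{value.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(key: bytes, record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the record with identifying fields replaced by tokens."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonymise_value(key, field, out[field])
    return out


def distinct_subjects(key: bytes, records: Iterable[Dict[str, str]]) -> int:
    """Analytics on pseudonymised data: count distinct subjects by email token."""
    return len({pseudonymise_record(key, r)["email"] for r in records})


if __name__ == "__main__":
    # Placeholder key for the demo; in practice generate it with
    # os.urandom(32) and keep it in a secrets store the analytics tier
    # cannot read.
    demo_key = b"demo-key-do-not-use-in-production"
    for rec in SAMPLE_RECORDS:
        print(pseudonymise_record(demo_key, rec))
    print("distinct subjects:", distinct_subjects(demo_key, SAMPLE_RECORDS))
```

Rotating or destroying the key changes every token, which is why the key, not the tokenised dataset, is the control that needs protecting.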
05 Processing Requirements: 04 Breach Notification: Supervisory Authority
• The controller shall notify the supervisory authority without undue delay and within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
• Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
• The notification shall at least:
  • describe the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach;
  • describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
05 Processing Requirements: 05 Breach Notification: Data Subject
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Miscellaneous Conditions
01 Data Protection Officer
02 Impact Assessment
03 Code of Conduct
04 Transfer to Third Countries
05 Specific Situations
Transfers to Third Countries
What Customers usually ask for
01 Standard Commission Clauses
02 Notification in 72 hours or less
03 Data Protection Officer
04 Non-transfer or collection of data
Data Protection is still part of the security program
People, Applications, Infrastructure
• Protect the weak links where attacks gain a foothold in the environment
• Ensure an incident response plan is documented and practiced
Data Protection will be part of the fabric
U.S. Bancorp hit with fines for poor compliance with anti-money-laundering laws
Federal regulators on Thursday hit U.S. Bancorp, the nation's biggest regional bank, with more than $800 million in fines for deficient anti-money laundering practices.
2016 Revenue: $21B
Impact: 3.8%
Key Takeaways
01 Data Protection is as much about usage as disclosure
02 GDPR is focused on the rights of individuals: data analytics and methods of identifying individuals are impacted
03 The purpose you collect the data for impacts the complexity of oversight
04 When consent is required, Erasure, Accuracy, Portability and objections come into play
05 For security, pseudonymization, encryption and breach notification are important
06 A documented and followed data privacy design will go a long way
Thank You