This document discusses preparations for the General Data Protection Regulation (GDPR), which takes effect in May 2018. It begins by outlining how GDPR compliance was previously viewed, with most companies believing they were unprepared. It then discusses key aspects of the GDPR, including higher fines, strengthened consent requirements, privacy by design, mandatory breach reporting, expanded obligations for processors, and mandatory data protection officers. Finally, it recommends steps companies can take to prepare, such as forming a steering group, training, conducting data discovery and impact assessments, updating policies, and creating breach response plans. The overall message is that early preparation is important to avoid noncompliance under the new, stricter GDPR requirements.
2. #whoami
Electoral Roll
Landline
Broadband
Mobile Phone
Gas Electric
TV licence
Passport
Inland Revenue
High Street Bank
Online Retailers
Online webmail
Companies House
Online accountant
Births & Marriages Register
Hospital records / GP records
Husband, Father, Son
Cyber Consulting <-IT Security <- IT Solutions
https://uk.linkedin.com/in/jmck4cybersecurity
Shares / Child ISA
Pension
Car Insurance
House Insurance
Flight Records (ARINC)
Mortgage
Postcode Address File
University Records
Water / Utilities
Council Tax
Driving Licence
Car registration
Equifax Experian Callcredit
3. Published Agenda
* Know what you know
* Know what you don't know
* Know where you're going
* Get started
@CisoAdvisor
We could debate this from now until xmas, but we only have 20 minutes, so I have revised the agenda.
“Everything should be as simple as it can be, but not simpler”
4. Actual Agenda
@CisoAdvisor
Now let’s pick up the pace.
* How it was
* Where it is going
* What (I suggest) you can do
5. Disclaimer
(1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
(2) I am not currently in the GDPR region (but …)
(3) I am not a lawyer (but …)
6. Section 1: How It Was
Revolution Quote 1:
“You will not be able to stay home, brother.
You will not be able to plug in, turn on and cop out.
You will not be able to lose yourself on skag and skip out for beer during commercials,
Because the revolution will not be televised.”
- Gil Scott-Heron (1949–2011)
8. ICO comments on P7a
The Data Protection Act says that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
* design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
* be clear about who in your organisation is responsible for ensuring information security;
* make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
* be ready to respond to any breach of security swiftly and effectively.
9. ICO comments on P7b
What needs to be protected by information security arrangements?
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.
So the security measures you put in place should seek to ensure that:
* only authorised people can access, alter, disclose or destroy personal data;
* those people only act within the scope of their authority; and
* if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
Credit: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Remember: the domain google.com was registered on September 15, 1997, and the company, Google, was formally incorporated on September 4, 1998.
11. Section 2: Where It Is Going
Revolution Quote 2:
“The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.”
- Gil Scott-Heron (1949–2011)
12. Two-year countdown
The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven't got a clue how they're going to approach it.
Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
"It's 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year." – Guy Bunker @ Clearswift
Credit: http://www.cbronline.com/news/cybersecurity/data/2-years-to-gdpr-how-you-can-prepare-for-the-eu-data-protection-regulation-4903975
13. How to lie with statistics
https://www.amazon.com/How-Lie-Statistics-Darrell-Huff/dp/0393310728
https://en.wikipedia.org/wiki/List_of_cognitive_biases
https://blog.osvdb.org/
14. Higher Fines – breaches of the GDPR can result in fines up to 4% of a business’ global turnover or €20M (whichever is greater).
Consent – businesses will need to be able to demonstrate that active consent has been given for any personal information they collect or process, and that they provide very clear information beforehand on how this personal information will be stored and used (privacy notices).
Privacy by Design – increasingly, businesses will need to be able to demonstrate that they have actively considered privacy and adequately addressed any associated information security risks, and that this is built into the DNA of their organisation.
Mandatory Notification – there will be a mandatory duty under the GDPR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
Data Processors – at present only organisations acting as Data Controllers have legal obligations for looking after personal information under the UK Data Protection Act. The GDPR aims to extend some of the direct legal obligations to Data Processors as well as Data Controllers.
Sensitive personal data – the definition of sensitive personal data has been widened to include genetic and biometric data, and there will be stricter rules for processing this kind of (medical) information.
Data Subjects’ Rights – generally, individuals will have stronger rights to request the transfer of their personal information from one service provider to another, and also when requesting their “right to be forgotten”.
Data Protection Officers – Data Protection Officers will become mandatory for organisations whose primary purpose involves processing sensitive personal data or who monitor data subjects regularly on a large scale.
Credit: fruition blog, Feb 2016
16. Mandatory Notification – there will be a mandatory duty under GDPR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours). Compare the reporting clocks that already exist:
Visa Europe security compromise factsheet (March 2015): report immediately, to the bank (acquirer) and a PCI Forensic Investigator (PFI).
https://www.visaeurope.com/media/pdf/security%20compromise%20factsheet%20-%20march%202015.pdf
17. Visa (USA) "What To Do If Compromised": actual or suspected compromise, report sent to Visa within 72 hrs.
https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
18. ICO (TalkTalk's appeal against its ICO data breach fine dismissed, The Register, 1 Sep 2016): report sent to the ICO within 24 hrs.
http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/
19. Converge with Information Security
Quality Management, Legal, Recruitment: other disciplines talk about it more than us!
21. Section 3: What You can do
Revolution quote 3:
"There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first."
- Jim Morrison (1943 - 1971)
25. Data Protection governance and management structure (Mubadala Group / Injazat example, 05.Sep.16; diagram elements listed):
Company CEO; Injazat CEO; Group Security Office
Data Protection / Data Security "Tone at the Top" Directive from CEO
Data Protection Management Policy; Scope of ICO registration
Data Governance Forum (Steering Group) - Charter and Minutes
Data Protection Strategy Paper & sub-plans
DPO Annual Objectives; DPO Measurement Plan; DPO Annual Audit Plan; DPO Communications Plan
DPO Data Breach Plan; DSARs / Complaints
Data Discovery with Business Impact Analysis
Information Asset Register; Data Quality Management
Privacy Impact Analysis Project (RA)
26. Short cycle error correction (F3)
Variations:
F2T2E: Find, Fix, Target, Track, and Execute
F2T2EA: Find, Fix, Track, Target, Engage, Assess
F2T2: Find, Fix, Track, Target
F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate
FIND – FIX – FINISH
If you're interested in military tactics that might support cyber security, look into the Boyd paper at http://www.pogoarchives.org/straus/shaping-and-adapting-boyd-20150422.pdf and the F3EAD paper at http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf
27. Data Discovery – sources to draw on:
BC / DR Team
Vulnerability Scanner
IT Ops / ITIL
HR / Legal / Finance
ICO registration
28. Information Asset Register
Where you are Data Controller
Where you outsource
https://www.linkedin.com/pulse/25-exciting-things-do-information-asset-register-reynold-leming?trk=hp-feed-article-title-like
29. Information Asset Register
by Reynold Leming
1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.
2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information.
3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.
4. Ownership: The ability to know - who owns what? Also to understand who owns both in terms of corporate accountability and ownership of the actual information itself.
30. Internal Training (1) – is it personal data?
Does the data enable you to identify the person directly?
YES -> It is personal data
NO -> Does the data enable you to identify the person indirectly?
YES -> It is personal data
NO -> It is not personal data
31. Internal Training (2)
Fair and lawful processing
Proportionate processing
Accurate and up to date
Data retention limitation
Data transfers limitation
32. Privacy Impact Assessment
Name of the processing service
Date of service implementation
Name of the software / application used
Key contact internal
Key contact external
List of data collected and processed (detailed)
Purpose of the processing (detailed)
Period during which data are stored and processed
Persons who need to have access (detailed roles & responsibilities)
Does the processing need development or maintenance by a third party?
Does the processing imply transfer out of the EU within the company?
Does the processing imply transfer out of the EU to a third party?
How will data transfers be secured to provide an adequate level of protection?
Are you a Data Controller?
Are you a Data Processor?
34. Summary
There are many overlaps between the ISMF and managing Data Protection in the Enterprise
Establish a Data Protection Steering Group
Choose a DPO
Find and classify the data, assigning a business owner
Prepare internal training
Prepare a holistic Data Breach Plan – not just a technical response
Use this activity to enforce better Information Security controls
E.g. data classification, Information Asset Register, data retention cleanup + evidence
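The "find and classify the data, assigning a business owner" step above, together with the personal-data decision from the Internal Training slide (direct identifier, otherwise a combination of indirect identifiers, otherwise not personal), can be turned into a small data-discovery pass that emits Information Asset Register rows. The following is an added example, not code from the original slides or from any of the organisations named; the sample assets, field names, regexes, special-category markers and six-year retention period are all constructed assumptions for illustration, not anyone's policy.

```python
"""Data discovery pass that feeds an Information Asset Register (IAR).

Added example, not code from the original slides. It applies the decision
from the Internal Training slide (direct identifier -> personal; otherwise a
combination of indirect identifiers -> personal; else not personal), marks
special-category data, and flags records past an assumed retention period.
Sample assets, regexes and the retention period are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Date of the slide deck, used as "today" so results are reproducible (assumption).
AS_OF = date(2016, 9, 5)

# Direct identifiers: any one of these on its own identifies a person.
DIRECT_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number, e.g. AB123456C (simplified prefix rule)
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "uk_phone": re.compile(r"\b(?:\+44|0)\d{10}\b"),
}
# Quasi-identifiers: weak alone, but two or more together identify indirectly.
QUASI_PATTERNS = {
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "gender": re.compile(r"\b(?:male|female)\b", re.IGNORECASE),
}
# Special-category markers (health, biometric); only relevant once data is personal.
SENSITIVE_PATTERNS = {
    "health": re.compile(r"\b(?:diagnosis|diabetes|asthma|HIV)\b", re.IGNORECASE),
    "biometric": re.compile(r"\b(?:fingerprint|iris scan)\b", re.IGNORECASE),
}


@dataclass
class AssetEntry:
    """One IAR row: what it is, who owns it, how it is classified."""
    name: str
    owner: str
    classification: str  # "not personal" | "personal" | "sensitive personal"
    identifiers: list = field(default_factory=list)
    retention_overdue: bool = False


def classify_text(text):
    """Return (classification, matched identifier names) for a blob of text."""
    direct = [k for k, p in DIRECT_PATTERNS.items() if p.search(text)]
    quasi = [k for k, p in QUASI_PATTERNS.items() if p.search(text)]
    sensitive = [k for k, p in SENSITIVE_PATTERNS.items() if p.search(text)]
    if not direct and len(quasi) < 2:
        return "not personal", []  # neither direct nor indirect identification
    if sensitive:
        return "sensitive personal", direct + quasi + sensitive
    return "personal", direct + quasi


def discover(assets, today=AS_OF, retention_days=6 * 365):
    """Build IAR entries from discovered assets (dicts standing in for files/DB exports)."""
    cutoff = today - timedelta(days=retention_days)
    entries = []
    for a in assets:
        cls, ids = classify_text(a["content"])
        # Retention limitation only bites on personal data.
        overdue = cls != "not personal" and a["last_modified"] < cutoff
        entries.append(AssetEntry(a["name"], a["owner"], cls, ids, overdue))
    return entries


# Constructed sample "discoveries" from HR, Marketing and IT Ops sources.
SAMPLE_ASSETS = [
    {"name": "hr/payroll_export.csv", "owner": "HR", "last_modified": date(2016, 8, 1),
     "content": "Jane Doe,jane.doe@example.com,AB123456C,SW1A 1AA"},
    {"name": "marketing/survey_2009.csv", "owner": "Marketing", "last_modified": date(2009, 3, 1),
     "content": "resp_17,1985-06-12,female,SW1A 1AA,diagnosis: asthma"},
    {"name": "ops/server_inventory.txt", "owner": "IT Ops", "last_modified": date(2016, 8, 20),
     "content": "srv01,10.0.0.5,Ubuntu 16.04,rack B2"},
]

if __name__ == "__main__":
    for e in discover(SAMPLE_ASSETS):
        flag = " RETENTION OVERDUE" if e.retention_overdue else ""
        print(f"{e.name:28} {e.owner:10} {e.classification:18} {','.join(e.identifiers)}{flag}")
```

The survey file is the instructive case: it contains no name, email or account number, yet date of birth plus postcode plus gender is enough to single a person out, so it is personal data, and the health marker then makes it special-category data that has also outlived the assumed retention period. A real pass would read files and database exports rather than inline strings and would take owners and retention periods from the register itself.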
35. Takeaways
Take it seriously: we've had 18 years (since the 1998 Data Protection Act) to get this right
Get started if you haven't already
Use what has been learnt from years of ISMS governance and certification
Tailor it to your organisation (size and maturity)
Learn from other disciplines (collaborate or die)
Challenge conference organisers on GDPR agendas
Network with like-minded peers