At the Synopsys Security Event Israel, Ram Levi, Founder & CEO, Konfidas presented on GDPR. For more information, please visit our website at www.synopsys.com/software

1. © All Rights Reserved. Konfidas Digital Ltd.
GDPR by Design
Ram Levi, CEO of Konfidas
ram@konfidas.com | ramlevi

2. © All Rights Reserved. Konfidas Digital Ltd.

3. © All Rights Reserved. Konfidas Digital Ltd.
Our GDPR activities include:
Partners with:

4. © All Rights Reserved. Konfidas Digital Ltd.
‫ח‬‫פ‬‫ש‬‫ו‬‫ב‬-Youtube:‫ה‬‫ר‬‫ג‬‫ו‬‫ל‬‫צ‬‫י‬‫ה‬‫ש‬‫מ‬‫ש‬‫נ‬‫ה‬‫א‬‫ת‬‫ח‬‫ו‬‫ק‬‫י‬‫ה‬‫מ‬‫ש‬‫ח‬‫ק‬

5. © All Rights Reserved. Konfidas Digital Ltd.
Introduction
GENERAL DATA PROTECTION REGULATION
on the protection of natural persons with regard
to the processing of personal data and on the
free movement of such data, and repealing
Directive 95/46/EC (General Data Protection
Regulation)

6. © All Rights Reserved. Konfidas Digital Ltd.
Basic Idea
Protect the rights of people
giving you their data
by adopting a risk-based approach and
fostering a data protection culture
to implement essential elements of the GDPR

7. © All Rights Reserved. Konfidas Digital Ltd.
Why is that important to you?
Source: https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/privacy-maturity-benchmark-study-2018.pdf

8. © All Rights Reserved. Konfidas Digital Ltd.
What is personal data?
Personal data means any information relating to an
identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person;
Source: http://ec.europa.eu/justice/smedataprotect/index_en.htm

9. © All Rights Reserved. Konfidas Digital Ltd.
What rights does GDPR provide for individuals?
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated
decision making and profiling.

10. © All Rights Reserved. Konfidas Digital Ltd.
Main principles for processing data under GDPR
● Processed lawfully, fairly and transparently
● Collected for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes
● Processing of data should be adequate, relevant and limited for the purposes
● Accurate and, where necessary, kept up to date
● Identifying which data subjects are no longer necessary for purposes of data processing
● Processing data in a manner that ensures appropriate security of the personal data

11. © All Rights Reserved. Konfidas Digital Ltd.
Meet the controller and the processor
Controller: determines the purposes and
means of the processing of personal data
Processor: processes personal data on behalf
of the controller

12. © All Rights Reserved. Konfidas Digital Ltd.
What are you expected to do?
Consent
Get their clear consent to process the
data.
Collecting from children for social media?
Check age limit for parental consent.
Access and
Transparency and Communication
Use plain language. Tell them who you are
when you request the data. Say why you
are processing their data, how long it will
be stored and who receives it.
Access and portability
Let people access their data and give it to
another company.
Warning
Inform people of data breaches
if there is a serious risk to them.
Profiling
If you use profiling to process applications
for legally-binding agreements like loans
you must: Inform your customers; Make
sure you have a person, not a machine,
checking the process ….
Erase / the right to be forgotten
Give people the ‘right to be forgotten’.
Erase their personal data if they ask,
but only if it doesn’t compromise
freedom of expression or the ability to
research.
Marketing
Give people the right to opt out of direct
marketing that uses their data.
Protecting sensitive data
Use extra safeguards for information on
health, race, sexual orientation,
religion and political beliefs.
Data transfer outside the EU
Make legal arrangements when you
transfer data to countries that have not
been approved by the EU authorities.
Source: http://ec.europa.eu/justice/smedataprotect/index_en.htm

13. © All Rights Reserved. Konfidas Digital Ltd.
Lawful basis for processing (Article 6)
A lawful basis is required in to process personal data
There are six lawful bases for processing.
No single basis is ’better’ or more important than the
others
Processing should be ‘necessary’, so if you can achieve
the same purpose without the processing, you won’t have
a lawful basis.
Consent
Contract
Legal
obligation
Vital
interests
Public task
Legitimate
interests

14. © All Rights Reserved. Konfidas Digital Ltd.
Penalties (Chapter III)

15. © All Rights Reserved. Konfidas Digital Ltd.
Data Minimization
● You must ensure the personal data you are
processing is:
○ adequate – sufficient to properly fulfil your
stated purpose;
○ relevant – has a rational link to that purpose;
and
○ limited to what is necessary – you do not hold
more than you need for that purpose.

16. © All Rights Reserved. Konfidas Digital Ltd.
Data Protection by Design / by Default
Previously known as ‘privacy by design,’ with GDPR it is now a legal requirement:
‘The controller shall implement appropriate TOMs for ensuring
that, by default, only personal data which are necessary for each
specific purpose of the processing are processed [...] In
particular, such measures shall ensure that by default personal
data are not made accessible without the individual's
intervention to an indefinite number of natural persons.’

17. © All Rights Reserved. Konfidas Digital Ltd.
What should you do?
● Data protection should be part of product development life cyber
● Make it a core functionality
● Manage the risks and privacy-invasive events
● Make sure you only process and use the personal data for its purposes(s)
● Protect the personal data
● Adopt a ‘plain language’ policy for any public documents
● Provide individuals with tools to determine how their personal data is used
● Offer privacy defaults, user-friendly options and controls, and respect user preferences.
● Choose processors that provide sufficient data protection guarantees

18. © All Rights Reserved. Konfidas Digital Ltd.
And what about security?
'Processed in a manner that ensures appropriate security of the
personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or
damage, using appropriate technical or organisational
measures’

19. © All Rights Reserved. Konfidas Digital Ltd.
What does it mean?
● An essential principle of the GDPR is that you process personal data securely - ‘security
principle’
● Consider risk analysis, organizational policies, and physical and technical measures
● Use measures such as pseudonymization and encryption
● Ensure the ‘confidentiality, integrity and availability’
● The measures must also enable you to restore access and availability
● GDPR requires explicitly having a process for regularly testing, assessing and evaluating the
effectiveness the security program
● The processing of personal data for ensuring network and information security constitutes a
legitimate interest of the data controller concerned.

20. © All Rights Reserved. Konfidas Digital Ltd.
Pseudonymisation
● Pseudonymisation - the use of fictitious name to anonymize personal data
● Pseudonymisation of personal data can reduce the risks to the data subjects
● GDPR does not concern the processing of anonymous information, including for statistical
or research purposes
● Personal data which have undergone pseudonymisation, which could be attributed to a
natural person by the use of additional information should be considered to be information
on an identifiable natural person

21. © All Rights Reserved. Konfidas Digital Ltd.
Data breaches under GDPR - far wider (Articles 33, 34)
● GDPR only applies where there is a breach of personal data
● All personal data breaches are security incidents, not all security
incidents are necessarily personal data breaches
● In the case of a personal data breach, the controller shall without
undue delay and, where feasible, not later than 72 hours after
having become aware of it
“a breach of security leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data transmitted,
stored or otherwise processed”

22. © All Rights Reserved. Konfidas Digital Ltd.
Compliance & Accountability (Article 5(2))
● Appoint a data protection officer (DPO)
● Implement TOMs to demonstrate compliance
● Apply internal data protection policies (training,
DPIA, audits of processing, and HR policies)
● Document processing activities;
● Do data protection by design and data
protection by default:
● Allow individuals to monitor processing
● Monitor and improve cybersecurity
● Manage the risk with data protection impact
assessments (DPIA) where required
Know what information
you are processing and
implement the necessary
changes
IT
Know why you are
processing data, do it
lawfully, fairly and
transparently.
Legal
Protect the data and
monitor security
incidents
Cybersecurity
Account
ability

23. © All Rights Reserved. Konfidas Digital Ltd.
Questions?

24. Thank You!
Ram Levi, CEO of Konfidas
ram@konfidas.com | ramlevi