Upload File

3grc approach to gdpr v 0.1

13
Cyber Security & Data Protection Steve Smith– CEO - 3GRC www.3grc.co.uk Considerations for GDPR

Upload: david-clarke-fbcs-citp

Post on 16-Apr-2017

156 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: 3GRC approach to GDPR V 0.1

Cyber Security & Data Protection

Steve Smith– CEO - 3GRC www.3grc.co.uk

Considerations for GDPR

Page 2: 3GRC approach to GDPR V 0.1

Session Agenda

04 03

02 01

GDPR Overview

Ideal Approach

Common Issues

Questions

2018 Looms

Overview of the key aspects of GDPR and how it is going to impact SMEs on a foundational level.

A Better Way We Make Mistakes

Mechanisms for getting the business prepared and developing matured data centric methodologies.

Quiz Me

Opportunity to ask industry specific points and share experiences in GDPR preparation.

Common mistakes experienced by SMEs deploying a data centric methodology to support GDPR compliance.

Page 3: 3GRC approach to GDPR V 0.1

GDPR Overview Key Aspects of GDPR

Penalties

Timescales

Applicability

Scope

Taking effect in May 2018, with an

expectation that businesses have

begun maturing their data centric workflows.

Potential fines locked at up to 4% of global

turnover or €20m, based on due

diligence measures and scale of a data

breach/non compliance.

European Individuals data both internally

and through the supply chain,

leveraging DPIAs for sensitive data or large

scale processing.

Any organisation exposed to personally identifiable material

on a European Individual, irrespective

of location.

Regional authorities have the power to

impose and govern, potentially providing a local revenue stream and local precedents.

Accountability

Page 4: 3GRC approach to GDPR V 0.1

GDPR Overview 1. Lawfulness, Fairness & Diversity Processed data lawfully, fairly and in a transparent manner in relation to the data subject – Opt-in

2. Purpose Limitation Personal data must be collected and leveraged for specific purposes. Processing of PI for archiving purposes in the public interest, or scientific and historical purposes is ok. Article 83(1) outlines safeguards.

3. Data Minimisation Personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.

4. Accuracy PI must be accurate and where necessary, kept up to date. Steps taken to ensure inaccurate PI is erased or rectified without delay.

Scope Doesn’t end at the perimeter and extends to data flows and relationships with third

parties and even fourth parties.

7. Accountability The controller shall be responsible for and

be able to demonstrate compliance with these principles.

6. Integrity & Confidentiality PI must be processed in a manner ensuring appropriate security of personal data, including unlawful processing

and accidental loss, destruction or damage.

5. Storage Limitation PI must be kept in a form which permits

identification of data subject for no longer than necessary based on purposes for processing.

Key Principles

Page 5: 3GRC approach to GDPR V 0.1

Ideal Approach

Visibility

Remediation

Maintenance

Understanding the Gaps Leverage GDPR surveys to identify non-

compliance. Identify disparate business unit as there is likely to be variances in workflows.

Technology can drive efficient visibility. Seek funding from the board for remediation.

Working to Compliance Use standard remediation risk registers to proactively address gaps and schedule remediation timescales. Benchmark business variance where necessary to foster competition and identify stragglers.

Keeping the Consistency Once ‘compliance’ is achieved, schedule

reviews bi-annually with disparate business workflows to identify any lapses as they occur

over time. Continue testing and auditing. Technology assists with this process.

Logical Methodology Many organisations are fixing gaps in time for 2018. Informed data-centric tracking is key and brings wider business benefit through informed security controls rather than a traditional perimeter. Internal data flow visibility is key.

Page 6: 3GRC approach to GDPR V 0.1

Assign Data Protection Officer Not always mandatory, but

recommended for executive buy in

Adjust Contracts Apply contract clauses for all emerging contracts and track

renewals for amendment

Incident Management Assess your IM process to ensure it allows speedy identification, or at

least reaction

Audit Trails Build the data centric audit

trail for future maturity considering right to audit

Employee Awareness Embed a ‘little and often’ training

approach for staff, for both risk and knowledge

Ideal Approach Data Centric Quick Wins

Page 7: 3GRC approach to GDPR V 0.1

Ideal Approach Data Governance

Data Silo Controls

Cross reference data asset

maps against security

mechanisms. Don’t rely on the perimeter and consider

internal access.

Long term aspirations should include the identification of data, treating PII as a critical data set separate from a standard hardened perimeter. This good practice is largely transferrable to any critical business dataset.

Privacy Impact Assessments

Consider both privacy by

design and right to be forgotten

in any new systems, and develop plans

for legacy systems to

include controls.

Subject Access Requests

Cannot be charged unless

excessive or unfounded. 30

days for delivery,

recommend user ownership

or data discovery tools.

Full Data Mapping

Regularly conduct scheduled

surveys/discovery scans to identify

data flows, creating a live data

asset map of PII attributes. This

includes quantity, transfer, owner, data attributes.

Page 8: 3GRC approach to GDPR V 0.1

Common Issues

Training and Awareness Emphasis on large scale training for a tick box, then continuing to fight

for business change and widespread adoption. Scare tactics

alone don’t help.

Data Protection Officer Skills Having the wrong role spearheading data

protection. A DPO needs to be onboard and suitably informed on both legislation and

logical good practice.

Data Workflow Identification Keeping visibility static or focusing on structured data solely. Not leveraging

business intelligence for ownership

Registered Regulatory Authority Not considering which regulatory authority will be responsible for the business. Decision making location for infosec/data management can be the locale, rather than majority of data.

Silo Protection Becoming focused on doing too much rather than intelligently applying proportionate controls and processes based on key risk areas. What works for one BU doesn’t always work for another.

Page 9: 3GRC approach to GDPR V 0.1

Streamlining with Technology 3GRC – Define GDPR Surveys

Create GDPR Surveys, Use or Tailor Existing Content

Page 10: 3GRC approach to GDPR V 0.1

Streamlining with Technology 3GRC – Define GDPR Surveys

Create GDPR Surveys, Use or Tailor Existing Content

Page 11: 3GRC approach to GDPR V 0.1

Streamlining with Technology 3GRC – Managed GDPR Risks

Generate risks automatically, manage and discuss with clients and their supply chain

Page 12: 3GRC approach to GDPR V 0.1

Streamlining with Technology 3GRC – Define GDPR Surveys

Generate risks automatically, manage and discuss with clients and their supply chain

Page 13: 3GRC approach to GDPR V 0.1

Streamlining with Technology 3GRC – Monitor and Measure GDPR Risks

Monitor and measure risk remediation progress


SYMPHONY’S GDPR COMPLIANCE STRATEGYs GDPR Compliance Strategy.pdfSYMPHONY’S ROLE UNDER THE GDPR The GDPR distinguishes two roles that organisations can play: controllers and processors

BVMS - GDPR

Test-driven Approach Towards GDPR Compliance€¦ · Test-driven Approach Towards GDPR Compliance This paper has been accepted for publication at SEMANTiCS 2019. Preprint shared under

GDPR Best Practices Implementation Guide news items/GDPR... · 2020. 3. 30. · This GDPR Best Practices Guide puts forward a GDPR implementation methodology designed to: • Engage

COMPLIANCE, THE ‘PRIVACY BY DESIGN’ APPROACH TO … › MediaLibrary › Catalog › web › ... · COMPLIANCE, THE ‘PRIVACY BY DESIGN’ APPROACH TO PROTECT PERSONAL DATA (GDPR)

Deloitte NWE Privacy Services Vision and Approach · Deloitte Vision on GDPR Deloitte Risk Advisory –NWE GDPR Brochure 3 ... to improve, risk-based, the state of privacy compliance

Accelerate GDPR compliance with the Microsoft Cloudazurebootcampdk.azurewebsites.net/Slides/Accelerate GDPR compliance...Accelerate GDPR compliance with the Microsoft Cloud ... Enterprise

Retail Approach to Implementing Critical Elements of the GDPR · Retail Approach to Implementing Critical Elements of the GDPR GDPR Discussion Document for the Global Retail Industry

GDPR and Public Consultation. Are you ready?nakedlaw.typepad.com/files/gdpr--pc_20180126.pdf · 26/1/2018 · GDPR and Public Consultation The EU GDPR (“General Data Protection

A Structured Approach to GDPR Compliance and ... Pages/GDPR Toolkit/Getting... · When getting started with GDPR compliance, ... throughout the organisation resulting in the ability

GDPR an Introduction - Community Works · 2017. 11. 15. · GDPR an Introduction Are You ready? GDPR monetary penalties. GDPR an Introduction Are You ready? Paul Hamill - Assurance

EU-GDPR Checks & Test Suites...©AvePoint, Inc. All rights reserved. Confidential and proprietary information of AvePoint, Inc. EU-GDPR Response by AvePoint 1. A Risk-Based Approach

Contents Adobe Experience Cloud and GDPR · Adobe Experience Cloud and GDPR | Implementing the Adobe Experience Cloud GDPR API for streamlined GDPR requests 4 Adobe and data governance

Test-Driven Approach Towards GDPR Compliance · in a test-driven approach for documenting ongoing compliance with the GDPR. We describe our approach towards generating and testing

BRITISH MODEL FLYING ASSOCIATION General Data Protection (GDPR…btckstorage.blob.core.windows.net/site11032/GDPR/BMFA... · 2018-05-11 · 5 GDPR 2018 V1.1 12 Steps to GDPR Compliance

gdpr Compliance Checklist - Global Privacy & Security ... · GDPR Compliance Checklist . GDPR Compliance Checklist This GDPR Compliance Checklist sets out the key requirements that

SIX STEP APPROACH TO GDPR COMPLIANCE - Agile Solutions · Agile Solutions six step approach to GDPR compliance 11 This means the data governance roadmap and strategy can be scaled

GDPR & GDPR - Confindustria Ravenna - Alessandro Rani

Approach to skin problems 29-Jan 2015 - med.mahidol.ac.th · Triamcinolone acetonide ointment 0.1% Triamcinolone acetonide cream 0.1% Triamcinolone acetonide lotion 0.1% Low VI –

GDPR in plain English | Business Data Prospects · 2020. 7. 22. · GDPR in plain English Keywords: GDPR, Business Data Prospects, BDP Agency, GDPR Advice, Advice, GDPR Plain English,

ENTERPRISE-READY COMPLIANCE - GDPR Tech · GDPR delivers an enterprise-ready compliance solution ... arms customers with a confident governance approach. Veritas’ propriety framework

GDPR - Health Check · (GDPR) has changed the European privacy landscape considerably. Are you ready for these changes and how do you continue to approach this privacy law? We will

Article GDPR and CCTV in taxiscommittee.worcester.gov.uk/documents/s42568/GDPR and CCTV... · 2018. 9. 4. · GDPR and CCTV in taxis Article GDPR has many implications for local authorities

How does the General Data Protection Regulation (GDPR) affect … does GDPR affect your business.pdf · • GDPR is intended toharmonize data protection lawacross the EU • GDPR

Risk Management under GDPR• Understanding the references to risk under the GDPR • Understanding a risk based approach to GDPR implementation • An overview of how a robust risk

[GDPR Webinar Slides] Path to GDPR Compliance

GDPR-CERTIFIED ASSURANCE REPORT BASED ......GDPR - Certified Assurance Report based Processing Activities (CARPA) certification mechanism Version 0.1 1 WORKING DRAFT for public consultation

ESSENTIAL GDPR COMPLIANCE - Acumenologyacumenology.co.uk/.../12/ESSENTIAL-GDPR-COMPLIANCE.pdf · 02 Essential GDPR Compliance Roadmap 03 Step-by-step guide to GDPR compliance 04 Maintaining

Deloitte NWE Privacy Services Vision and Approach · General Data Protection Regulation (GDPR) Deloitte NWE Privacy Services –Vision and Approach Deloitte Risk Advisory - 2017

gdpr: Demanding New Privacy Rights And Obligations · 4 GDPR: demanding new privacy rights and obligations GDPR highlights GDPR impacts Organizations will have only 72 hours to report

Payslip Compliance with GDPR · 2020-01-13 · Payslip Compliance with GDPR Payslip Compliance with GDPR Ensuring your Payslips are compliant with GDPR GDPR changes coming in May

GDPR - GAP ANALYSIS SERVICE... · 2017-08-05 · The GDPR Gap Analysis process has a data-centric approach to security and includes the dynamic monitoring of PC's and servers for

GDPR Data Management and Protection · The GDPR requires evidence of a risk-based approach to data management and security All organizations that process personal data of EU individuals

GDPR Compliance

Roadmap to the GDPR - The Extraterritorial Reach of the GDPR