3GRC Approach to GDPR v0.1
TRANSCRIPT
Session Agenda
01. GDPR Overview: 2018 Looms
Overview of the key aspects of GDPR and how it is going to impact SMEs on a foundational level.
02. Ideal Approach: A Better Way
Mechanisms for getting the business prepared and developing mature data-centric methodologies.
03. Common Issues: We Make Mistakes
Common mistakes experienced by SMEs deploying a data-centric methodology to support GDPR compliance.
04. Questions: Quiz Me
Opportunity to ask industry-specific points and share experiences in GDPR preparation.
GDPR Overview: Key Aspects of GDPR
Timescales: Taking effect in May 2018, with an expectation that businesses have begun maturing their data-centric workflows.
Penalties: Potential fines locked at up to 4% of global turnover or €20m, based on due diligence measures and the scale of a data breach or non-compliance.
Scope: European individuals' data, both internally and through the supply chain, leveraging DPIAs for sensitive data or large-scale processing.
Applicability: Any organisation exposed to personally identifiable material on a European individual, irrespective of location.
Accountability: Regional authorities have the power to impose and govern, potentially providing a local revenue stream and local precedents.
GDPR Overview: Key Principles
1. Lawfulness, Fairness & Diversity: Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (opt-in).
2. Purpose Limitation: Personal data must be collected and leveraged for specific purposes. Processing of PI for archiving purposes in the public interest, or for scientific and historical purposes, is acceptable. Article 83(1) outlines safeguards.
3. Data Minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
4. Accuracy: PI must be accurate and, where necessary, kept up to date. Steps must be taken to ensure inaccurate PI is erased or rectified without delay.
5. Storage Limitation: PI must be kept in a form which permits identification of the data subject for no longer than necessary based on the purposes for processing.
6. Integrity & Confidentiality: PI must be processed in a manner ensuring appropriate security of personal data, including protection against unlawful processing and accidental loss, destruction or damage.
7. Accountability: The controller shall be responsible for, and be able to demonstrate compliance with, these principles.
Scope doesn't end at the perimeter; it extends to data flows and relationships with third parties and even fourth parties.
Ideal Approach: Visibility, Remediation, Maintenance
Visibility (Understanding the Gaps): Leverage GDPR surveys to identify non-compliance. Identify disparate business units, as there are likely to be variances in workflows. Technology can drive efficient visibility. Seek funding from the board for remediation.
Remediation (Working to Compliance): Use standard remediation risk registers to proactively address gaps and schedule remediation timescales. Benchmark business variance where necessary to foster competition and identify stragglers.
Maintenance (Keeping the Consistency): Once 'compliance' is achieved, schedule reviews bi-annually with disparate business workflows to identify any lapses as they occur over time. Continue testing and auditing. Technology assists with this process.
Logical Methodology: Many organisations are fixing gaps in time for 2018. Informed data-centric tracking is key and brings wider business benefit through informed security controls rather than a traditional perimeter. Internal data flow visibility is key.
Ideal Approach: Data Centric Quick Wins
Assign Data Protection Officer: Not always mandatory, but recommended for executive buy-in.
Adjust Contracts: Apply contract clauses to all emerging contracts and track renewals for amendment.
Incident Management: Assess your IM process to ensure it allows speedy identification, or at least reaction.
Audit Trails: Build the data-centric audit trail for future maturity, considering the right to audit.
Employee Awareness: Embed a 'little and often' training approach for staff, for both risk and knowledge.
Ideal Approach: Data Governance
Data Silo Controls: Cross-reference data asset maps against security mechanisms. Don't rely on the perimeter, and consider internal access. Long-term aspirations should include the identification of data, treating PII as a critical data set separate from a standard hardened perimeter. This good practice is largely transferable to any critical business dataset.
Privacy Impact Assessments: Consider both privacy by design and the right to be forgotten in any new systems, and develop plans for legacy systems to include controls.
Subject Access Requests: Cannot be charged for unless excessive or unfounded. 30 days for delivery; recommend user ownership or data discovery tools.
Full Data Mapping: Regularly conduct scheduled surveys/discovery scans to identify data flows, creating a live data asset map of PII attributes. This includes quantity, transfer, owner and data attributes.
Common Issues
Training and Awareness: Emphasis on large-scale training as a tick-box exercise, then continuing to fight for business change and widespread adoption. Scare tactics alone don't help.
Data Protection Officer Skills: Having the wrong role spearheading data protection. A DPO needs to be on board and suitably informed on both legislation and logical good practice.
Data Workflow Identification: Keeping visibility static or focusing solely on structured data. Not leveraging business intelligence for ownership.
Registered Regulatory Authority: Not considering which regulatory authority will be responsible for the business. The decision-making location for infosec/data management can determine the locale, rather than where the majority of the data is held.
Silo Protection: Becoming focused on doing too much rather than intelligently applying proportionate controls and processes based on key risk areas. What works for one BU doesn't always work for another.
Streamlining with Technology: 3GRC – Define GDPR Surveys
Create GDPR surveys; use or tailor existing content.
Streamlining with Technology: 3GRC – Managed GDPR Risks
Generate risks automatically, then manage and discuss them with clients and their supply chain.