gdpr is coming!

ANITIAN: intelligent information security

Upload: anitian

Post on 21-Jan-2018


TRANSCRIPT

Page 1: GDPR is Coming!

ANITIAN


Page 2: GDPR is Coming!


MEET THE SPEAKER – ADAM GAYDOSH

• Director of Security Intelligence at Anitian

• 17 years experience in IT Security

• Principal consultant for governance, risk and compliance practices

• PCI QSA since 2008

• Co-author of workbook on PCI compliance in AWS

• Co-developer of the RiskNow™ Rapid Risk Assessment Methodology

Page 3: GDPR is Coming!

WHO

HOW

Build great security…

~ Programs ~ Controls ~ Practices ~ Leaders

WHY

We believe security is essential to growth, innovation, and prosperity

Page 4: GDPR is Coming!


WHAT

Page 5: GDPR is Coming!


OVERVIEW

My Intent

• Provide a basic overview on GDPR

• Describe strategies for complying with GDPR

Presentation Outline

1. GDPR Basics

2. Significant Requirements

3. Compliance Strategies

4. Final Thoughts

Page 6: GDPR is Coming!

WHAT IS GDPR?

• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)

• A privacy regulation that generally applies to the personal data of EU citizens (data subjects)

• Goes into effect May 25th 2018

• Focus is on the responsibilities of companies to protect citizens’ data, and citizens’ rights concerning how their data is protected and used

Page 7: GDPR is Coming!

AFFECTED ORGANIZATIONS

• Applies to EU companies and those with EU citizens’ data

• Categorizes companies as either Controllers or Processors

• Controllers are responsible for how data is processed, and are generally the collectors of the personal data, and therefore ultimately responsible for it

• Processors are entities that handle personal data in some manner on behalf of the controllers

Page 8: GDPR is Coming!

REGULATED DATA TYPES

• Personal data: Any information relating to an identified or identifiable natural person (‘data subject’)

o Common personally identifiable information such as name, address, DOB

o Less common data types including photos, email addresses, posts on social networking websites and IP addresses

• Sensitive personal data: Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms

o Private information that includes one’s health, race, sexual orientation and religion

Page 9: GDPR is Coming!

CERTIFICATION AND ENFORCEMENT

• Penalties are defined in Article 83

• Fines can reach up to €20 million, or 4% of the total worldwide annual turnover (revenue) of the preceding financial year, whichever is higher.

• A tiered approach to penalties is defined based on specific conditions of non-compliance and organization type

• Certification is defined in Article 42

o Still in progress at the member state level

o Article 43 refers to ISO in a discussion on certification bodies, and seems a likely model

Page 10: GDPR is Coming!

OTHER IMPORTANT GDPR CONCEPTS

• Article – The 99 sections of the GDPR that define the specific guidance, organized by chapters

• Recitals – Officially documented guidance, interpretation and implementation information supporting the GDPR

• Supervisory Authority – Member states’ public authority responsible for overseeing GDPR

• Pseudonymization – Sanitized personal data that can no longer be attributed to a specific data subject without the use of additional information

Page 11: GDPR is Coming!


NOTABLE REQUIREMENTS

• Article 25 – Data Protection by Design and Default

• Article 37 – Designation of the Data Protection Officer

• Article 17 – Right to erasure (‘right to be forgotten’)

• Articles 33 & 34 – Breach Notification

• Article 30 – Records of processing activities

Page 12: GDPR is Coming!

ARTICLE 25 – DATA PROTECTION BY DESIGN

• Requirement to inventory and classify all personal data

• Likely to be the highest effort task

• Start with business process inventory and analysis, then map data flow

• Don’t forget to identify vendors and other 3rd parties with whom personal data is shared

Page 13: GDPR is Coming!


ARTICLE 37 - DATA PROTECTION OFFICER (DPO)

• The DPO is responsible for overseeing GDPR compliance

• The DPO must report to the highest level of management

o For this reason it is often outsourced

• Primary tasks defined in Article 38:

o Advising the organization on data privacy obligations

o Monitoring compliance with data privacy obligations

o Overseeing the Data Privacy Impact Assessment (DPIA)

o Coordinating with supervisory authorities as appropriate

Page 14: GDPR is Coming!

ARTICLE 17 - RIGHT TO ERASURE

• Also referred to as the “right to be forgotten”

• At the request of a data subject, all instances of their personal data must be deleted within 72 hours

• Includes provisions to allow data subjects to stop further sharing and processing of data

• Controllers are required to assess whether there is a superseding reason to deny the request
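The pseudonymization concept from the “Other Important GDPR Concepts” slide and the erasure requirement above both hinge on where the “additional information” that links a token back to a person is kept. The following is an added example (not code from the deck or from Anitian) showing one design: identifying fields are replaced by a random token, and the token-to-subject table is the only link, held apart from the processed records. The field names, record layout and sample records are constructed for the example; a random token is used instead of a keyed hash so that removing a subject’s table entry alone severs the link (with a keyed hash, whoever holds the key could still recompute the token for any identifier they can guess).

```python
"""Pseudonymization with a separately held re-identification table (added example)."""
import secrets
from typing import Dict, List, Optional

# Direct identifiers in this constructed record layout (assumption for the example).
IDENTIFYING_FIELDS = ("name", "email")

# Constructed sample records, as a controller might hold them before pseudonymization.
SAMPLE_RECORDS: List[dict] = [
    {"order_id": "A-1001", "name": "Erika Mustermann", "email": "Erika@example.org", "amount": 42.0},
    {"order_id": "A-1002", "name": "Erika Mustermann", "email": "erika@example.org", "amount": 13.5},
    {"order_id": "A-1003", "name": "Jean Dupont", "email": "jean@example.org", "amount": 99.9},
]


class Pseudonymizer:
    """Maps a data subject identifier to a random token.

    The two dictionaries below are the 'additional information' of the GDPR
    definition. They must be stored and access-controlled separately from the
    pseudonymized data set; anyone holding only that data set sees tokens and
    cannot attribute a record to a person.
    """

    def __init__(self) -> None:
        self._token_by_subject: Dict[str, str] = {}
        self._subject_by_token: Dict[str, str] = {}

    def token_for(self, subject_id: str) -> str:
        """Return the subject's token, creating one on first sight.

        Reusing the token keeps records of the same subject joinable, which is
        what makes the data still useful for analytics after pseudonymization.
        """
        token = self._token_by_subject.get(subject_id)
        if token is None:
            token = secrets.token_hex(8)  # 64 random bits; no relation to the identifier
            self._token_by_subject[subject_id] = token
            self._subject_by_token[token] = subject_id
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the holder of this table can go from token back to subject."""
        return self._subject_by_token.get(token)

    def erase_subject(self, subject_id: str) -> bool:
        """Handle an erasure request for one subject.

        Dropping both table entries leaves records that carry the token
        unattributable to anyone, while aggregate figures stay intact.
        Returns False if the subject was not known.
        """
        token = self._token_by_subject.pop(subject_id, None)
        if token is None:
            return False
        del self._subject_by_token[token]
        return True


def pseudonymize_records(records: List[dict], pz: Pseudonymizer) -> List[dict]:
    """Replace identifying fields with a subject token; keep everything else."""
    out = []
    for rec in records:
        # Normalise the identifier so case differences do not split one subject into two.
        subject_id = rec["email"].strip().lower()
        clean = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        clean["subject_token"] = pz.token_for(subject_id)
        out.append(clean)
    return out


if __name__ == "__main__":
    pz = Pseudonymizer()
    for row in pseudonymize_records(SAMPLE_RECORDS, pz):
        print(row)
    pz.erase_subject("erika@example.org")
    print("after erasure, tokens still present, link gone:", pz.reidentify(
        pseudonymize_records(SAMPLE_RECORDS[:1], pz)[0]["subject_token"]))
```

Note that the last line of the demo re-pseudonymizes the erased subject from the original record, which mints a fresh token; in a real deployment the original identifying record would itself be deleted as part of the request, and the separation between the record store and the table store is what the access-control design has to enforce.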

Page 15: GDPR is Coming!

ARTICLES 33 & 34 – BREACH NOTIFICATION

• Breaches must be disclosed to the supervisory authority within 72 hours of discovery

• Breaches must be disclosed to data subjects under certain conditions without “undue delay,” including to Controllers by Processors

• Personal data breaches are broadly defined:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Page 16: GDPR is Coming!

ARTICLE 30 - RECORDS OF PROCESSING ACTIVITIES

• The following information must be documented for all data processing:

o Record type

o DPO contact information

o Purpose for processing

o Data categories

o Recipients

o Cross-border transfers

o Retention period

o Security controls

Page 17: GDPR is Coming!

GDPR COMPLIANCE STRATEGIES

• GDPR Compliance Program Roadmap

• GDPR Compliance Program Priorities and Pain Points

• GDPR and ISO 27001

Page 18: GDPR is Coming!


COMPLIANCE PROGRAM ROADMAP

• Formalize Program and Responsibilities

o Assign a DPO

• Assess Risk

o Inventory and classify data

o Conduct a risk assessment

• Mitigate Risk

o Reduce scope

o Design and implement control framework

• Evaluate and Optimize

o Conduct DPIA

o Enhance controls

o Document and certify

Page 19: GDPR is Coming!


PRIORITIES AND PAIN POINTS

• Priorities

o Data Inventory and Classification

o Risk Assessment and DPIAs

• Pain Points

o Consent

o Cross-border transfers

o Profiling

Page 20: GDPR is Coming!

DATA INVENTORY AND CLASSIFICATION

• Start with identifying data in expected locations by mapping the data flow of business processes

• Classifying data should not only designate data as personal or one of the special categories, but also potentially identify the member state of the data subject

• After the initial inventory, implement processes for discovering data that is located where it shouldn’t be, and deciding what to do with it
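The three steps on this slide (inventory the expected locations, classify each record as personal or special-category and tag the member state, then keep looking for data that has drifted elsewhere) can be run as one scan. The following is an added example, not code from the deck or from Anitian, that does so over constructed sample sources. It classifies by field name using the categories listed on the “Regulated Data Types” slide, additionally searches free-text fields for e-mail addresses, IPv4 addresses and ISO-format dates of birth, tags the member state from a `country` field, and flags any personal data found outside an approved location. The source names, field names, approved-location list and sample records are all assumptions made for the example.

```python
"""Data discovery and classification scan over constructed sources (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Patterns for identifiers that tend to hide inside free-text fields (notes, tickets, exports).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOB_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Field names (assumed for this record layout) mapped to the deck's two categories.
SENSITIVE_FIELDS = {"health", "race", "sexual_orientation", "religion"}
PERSONAL_FIELDS = {"name", "address", "dob", "email", "ip_address", "photo"}

# EU-27 as of today; the UK was also a member state when the deck was presented.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# Locations where personal data is expected per the business-process data-flow map (assumed).
APPROVED_LOCATIONS = {"crm-db", "billing-db"}


@dataclass
class Finding:
    location: str
    record_id: str
    classification: str            # "none", "personal" or "sensitive"
    member_state: Optional[str]    # ISO country code if the subject is in an EU member state
    out_of_place: bool             # personal data found outside an approved location
    indicators: List[str] = field(default_factory=list)


def classify_record(location: str, record: dict) -> Finding:
    """Classify one record and decide whether its location is approved for it."""
    indicators: List[str] = []
    for name, value in record.items():
        if name in SENSITIVE_FIELDS:
            indicators.append(f"sensitive:{name}")
        elif name in PERSONAL_FIELDS:
            indicators.append(f"personal:{name}")
        elif isinstance(value, str):
            # Free text: identifiers copied into notes are still personal data.
            if EMAIL_RE.search(value):
                indicators.append(f"personal:email-in-{name}")
            if IPV4_RE.search(value):
                indicators.append(f"personal:ip-in-{name}")
            if DOB_RE.search(value):
                indicators.append(f"personal:dob-in-{name}")

    if any(i.startswith("sensitive:") for i in indicators):
        classification = "sensitive"
    elif indicators:
        classification = "personal"
    else:
        classification = "none"

    country = str(record.get("country", "")).upper()
    member_state = country if country in EU_MEMBER_STATES else None
    out_of_place = classification != "none" and location not in APPROVED_LOCATIONS
    return Finding(location, str(record.get("id", "?")), classification,
                   member_state, out_of_place, indicators)


def scan(sources: Dict[str, List[dict]]) -> List[Finding]:
    """Scan every record in every source; returns one finding per record."""
    return [classify_record(loc, rec) for loc, recs in sources.items() for rec in recs]


# Constructed sample: two expected stores, one HR store, one stray export, one wiki page.
SAMPLE_SOURCES: Dict[str, List[dict]] = {
    "crm-db": [{"id": "c1", "name": "Erika Mustermann", "email": "erika@example.org", "country": "DE"}],
    "billing-db": [{"id": "b1", "address": "1 Rue Exemple, Paris", "country": "FR"}],
    "hr-db": [{"id": "h1", "name": "Sam Example", "health": "allergy: nuts", "country": "IE"}],
    "shared-drive/export.csv": [{"id": "x1", "notes": "call back jean@example.org from 10.1.2.3", "country": "fr"}],
    "wiki": [{"id": "w1", "title": "Release checklist", "body": "Run the build, tag, deploy.", "country": "US"}],
}

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCES):
        print(f)
```

The `out_of_place` flag is the hook for the slide’s last bullet: each such finding needs a decision (delete, move to an approved store, or extend the inventory and the approved list), and rerunning the scan is how you check the decision stuck.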

Page 21: GDPR is Coming!

RISK ASSESSMENTS

• There are many aspects of GDPR that require a risk-based determination of applicability

• Performing a risk assessment to determine appropriate controls is a critical aspect of establishing a GDPR compliance program

• Risk-based approaches are critical when having to demonstrate due diligence for a decision based on uncertainty

Page 22: GDPR is Coming!

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

• The purpose is to help validate that the organization is taking the correct actions to ensure compliance with GDPR on an ongoing basis.

o Focus on determining if processing risk is high

• Required for Controllers

• Often used by Processors to demonstrate sufficiency of GDPR compliance to Controllers

• Should be performed after an initial risk assessment and implementation of baseline controls

Page 23: GDPR is Coming!

PAIN POINTS - CONSENT

• “Consent” is an agreement with the data subject to allow the processing of their personal data

• Can no longer be implicit, or opt-out

• How personal data and consent are captured must be tracked

• Consent must be revoked at the request of data subjects at any time

• Parental consent is required for children, which will impact many services, such as social media

Page 24: GDPR is Coming!

PAIN POINTS - CROSS-BORDER TRANSFERS

• Data transfers are allowed amongst member states and outside of the EU

• There is a cascading series of requirements depending on the level of data protection the receiving entity provides

• The easiest case is when the receiving country has been deemed adequate by the European Commission

o The US has not!

o Cost and complexity of demonstrating adequacy increases from there

Page 25: GDPR is Coming!

PAIN POINTS - PROFILING

• Automated processing of data for making decisions about the data subjects

o Most of the focus is on the decision itself, such as an automatic rejection of a credit request

• When data is collected that will be profiled (and on request), you have to notify the subject of this, along with the logic and consequences behind this data profiling

• Subjects have the right to object to profiling

Page 26: GDPR is Coming!

GDPR AND ISO 27001

• Components of an ISO 27001 compliant Information Security Management System (ISMS) can be leveraged to meet aspects of GDPR, including:

o Data Inventory

o Risk-based approach

o Vendor management

o Breach notification

o Continuous Improvement

o Certification

• Companies doing business internationally already widely use ISO 27001

Page 27: GDPR is Coming!


FINAL THOUGHTS & PRIORITIES

• Appoint a DPO and formalize your program

• Inventory your data, including vendors

• Adopt a risk-based approach

• Publish and iterate

Page 28: GDPR is Coming!


EMAIL: [email protected]

TWITTER: @adam_gaydosh

@AnitianSecurity

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN