GDPR IS COMING!
TRANSCRIPT
ANITIAN: intelligent information security
MEET THE SPEAKER – ADAM GAYDOSH
• Director of Security Intelligence at Anitian
• 17 years experience in IT Security
• Principal consultant for governance, risk and compliance practices
• PCI QSA since 2008
• Co-author of workbook on PCI compliance in AWS
• Co-developer of RiskNowTM Rapid Risk Assessment Methodology
WHO / HOW / WHAT / WHY
HOW: Build great security… ~ Programs ~ Controls ~ Practices ~ Leaders
WHY: We believe security is essential to growth, innovation, and prosperity
OVERVIEW
My Intent
• Provide a basic overview on GDPR
• Describe strategies for complying with GDPR
Presentation Outline
1. GDPR Basics
2. Significant Requirements
3. Compliance Strategies
4. Final Thoughts
WHAT IS GDPR?
• General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
• A privacy regulation that generally applies to the personal data of EU citizens (data subjects)
• Goes into effect May 25th 2018
• Focus is on the responsibilities of companies to protect citizens’ data, and citizens’ rights concerning how their data is protected and used
AFFECTED ORGANIZATIONS
• Applies to EU companies and those with EU citizens’ data
• Categorizes companies as either Controllers or Processors
• Controllers are responsible for how data is processed, and are generally the collectors of the personal data, and therefore ultimately responsible for it
• Processors are entities that handle personal data in some manner on behalf of the controllers
REGULATED DATA TYPES
• Personal data: Any information relating to an identified or identifiable natural person (‘data subject’)
o Common personally identifiable information such as name, address, DOB
o Less common data types including photos, email addresses, posts on social networking websites and IP addresses
• Sensitive personal data: Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms
o Private information that includes one’s health, race, sexual orientation and religion
CERTIFICATION AND ENFORCEMENT
• Penalties are defined in Article 83
• Fines can reach up to €20 million, or 4% of the total worldwide annual turnover (revenue) of the preceding financial year, whichever is higher
• A tiered approach to penalties is defined based on specific conditions of non-compliance and organization type
• Certification is defined in Article 42
o Still in progress at the member state level
o Article 43 refers to ISO in a discussion on certification bodies, and seems a likely model
OTHER IMPORTANT GDPR CONCEPTS
• Article – The 99 sections of the GDPR that define the specific guidance, organized by chapters
• Recitals – Officially documented guidance, interpretation and implementation information supporting the GDPR
• Supervisory Authority – Member states’ public authority responsible for overseeing GDPR
• Pseudonymization – Sanitized personal data that can no longer be attributed to a specific data subject without the use of additional information
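The pseudonymization concept above, as an added example that is not part of the original deck: a keyed HMAC replaces the e-mail address with a token, and a separately held lookup table is the "additional information" needed to attribute a record back to its data subject. The key, the record layout and the sample people are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example; the people are invented.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase": 42.10},
    {"email": "bob@example.com", "country": "FR", "purchase": 7.99},
    {"email": "carol@example.com", "country": "DE", "purchase": 13.50},
]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Deterministic for one key, so analysis can
    still group records by subject; without the key the token cannot be
    reversed or brute-forced from a list of known addresses (a plain hash could)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: List[dict], field: str,
                         key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Replace `field` in each record with its token. The returned lookup
    table is the 'additional information' of the definition above and must
    be stored and access-controlled separately from the dataset."""
    lookup: Dict[str, str] = {}
    pseudonymized = []
    for rec in records:
        token = pseudonymize(rec[field], key)
        lookup[token] = rec[field]
        pseudonymized.append({**rec, field: token})
    return pseudonymized, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Re-identification works only for whoever holds the lookup table."""
    return lookup.get(token)


def erase_subject(value: str, field: str, key: bytes, records: List[dict],
                  lookup: Dict[str, str]) -> List[dict]:
    """Erasure request (Article 17): remove the subject's link from the
    lookup table and drop their records from the pseudonymized dataset."""
    token = pseudonymize(value, key)
    lookup.pop(token, None)
    return [r for r in records if r[field] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: held in a KMS/HSM, never beside the data
    data, table = pseudonymize_records(SAMPLE_RECORDS, "email", key)
    print(data[0]["email"][:16] + "... ->", reidentify(data[0]["email"], table))
```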
NOTABLE REQUIREMENTS
• Article 25 – Data Protection by Design and Default
• Article 37 – Designation of the Data Protection Officer
• Article 17 – Right to erasure (‘right to be forgotten’)
• Articles 33 & 34 – Breach Notification
• Article 30 – Records of processing activities
ARTICLE 25 – DATA PROTECTION BY DESIGN
• Requirement to inventory and classify all personal data
• Likely to be the highest effort task
• Start with business process inventory and analysis, then map data flow
• Don’t forget to identify vendors and other third parties with whom personal data is shared
ARTICLE 37 - DATA PROTECTION OFFICER (DPO)
• The DPO is responsible for overseeing GDPR compliance
• The DPO must report to the highest level of management
o For this reason it is often outsourced
• Primary tasks defined in Article 38:
o Advising the organization on data privacy obligations
o Monitoring compliance with data privacy obligations
o Overseeing the Data Privacy Impact Assessment (DPIA)
o Coordinating with supervisory authorities as appropriate
ARTICLE 17 - RIGHT TO ERASURE
• Also referred to as the “right to be forgotten”
• At the request of a data subject, all instances of their personal data must be deleted within 72 hours
• Includes provisions to allow data subjects to stop further sharing and processing of data
• Controllers are required to assess whether there is a superseding reason to deny the request
ARTICLES 33 & 34 – BREACH NOTIFICATION
• Breaches must be disclosed to the supervisory authority within 72 hours of discovery
• Breaches must be disclosed to data subjects under certain conditions without “undue delay,” including to Controllers by Processors
• Personal data breaches are broadly defined: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
ARTICLE 30 - RECORDS OF PROCESSING ACTIVITIES
• The following information must be documented for all data processing:
o Record type
o DPO contact information
o Purpose for processing
o Data categories
o Recipients
o Cross-border transfers
o Retention period
o Security controls
GDPR COMPLIANCE STRATEGIES
• GDPR Compliance Program Roadmap
• GDPR Compliance Program Priorities and Pain Points
• GDPR and ISO 27001
COMPLIANCE PROGRAM ROADMAP
• Formalize Program and Responsibilities
o Assign a DPO
• Assess Risk
o Inventory and classify data
o Conduct a risk assessment
• Mitigate Risk
o Reduce scope
o Design and implement control framework
• Evaluate and Optimize
o Conduct DPIA
o Enhance controls
o Document and certify
PRIORITIES AND PAIN POINTS
• Priorities
o Data Inventory and Classification
o Risk Assessment and DPIAs
• Pain Points
o Consent
o Cross-border transfers
o Profiling
DATA INVENTORY AND CLASSIFICATION
• Start with identifying data in expected locations by mapping the data flow of business processes
• Classifying data should not only designate data as personal or one of the special categories, but also potentially identify the member state of the data subject
• After the initial inventory, implement processes for discovering data that is located where it shouldn’t be, and deciding what to do with it
RISK ASSESSMENTS
• There are many aspects of GDPR that require a risk-based determination of applicability
• Performing a risk assessment to determine appropriate controls is a critical aspect of establishing a GDPR compliance program
• Risk-based approaches are critical when having to demonstrate due diligence for a decision based on uncertainty
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
• The purpose is to help validate that the organization is taking the correct actions to ensure compliance with GDPR on an ongoing basis
o Focus on determining if processing risk is high
• Required for Controllers
• Often used by Processors to demonstrate sufficiency of GDPR compliance to Controllers
• Should be performed after an initial risk assessment and implementation of baseline controls
PAIN POINTS - CONSENT
• “Consent” is an agreement with the data subject to allow the processing of their personal data
• Can no longer be implicit, or opt-out
• How personal data and consent are captured must be tracked
• Data subjects must be able to revoke consent at any time
• Parental consent is required for children, which will impact many services, such as social media
PAIN POINTS - CROSS-BORDER TRANSFERS
• Data transfers are allowed amongst member states and outside of the EU
• There is a cascading series of requirements depending on the level of data protections the receiving entity provides
• The easiest condition is if the country has been deemed adequate by the European Commission
o The US has not!
o Cost and complexity of demonstrating adequacy increases from there
PAIN POINTS - PROFILING
• Automated processing of data for making decisions about the data subjects
o Most of the focus is on the decision itself, such as an automatic rejection of a credit request
• When data is collected that will be profiled (and on request), you have to notify the subject of this, along with the logic and consequences behind this data profiling
• Subjects have the right to object to profiling
GDPR AND ISO 27001
• Components of an ISO 27001 compliant Information Security Management System (ISMS) can be leveraged to meet aspects of GDPR, including:
o Data Inventory
o Risk-based approach
o Vendor management
o Breach notification
o Continuous Improvement
o Certification
• Companies doing business internationally already widely use ISO 27001
FINAL THOUGHTS & PRIORITIES
• Appoint a DPO and formalize your program
• Inventory your data, including vendors
• Adopt a risk-based approach
• Publish and iterate
EMAIL: [email protected]
TWITTER: @adam_gaydosh
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN