THE RSA ARCHER SUITE & GDPR - ETDA · 2018-05-18


Page 1

THE RSA® ARCHER® SUITE & GDPR

Are we ready for GDPR?

@RSAsecurity @RSA_Archer

Page 2

STEP #1: Engage your legal and compliance teams.

This is a significant compliance initiative and requires interpretation and counsel…

Page 3

CURRENT SITUATION

GDPR IN A NUTSHELL

Page 4

WHAT IS GDPR?

The basics

The General Data Protection Regulation (GDPR) is a new law which establishes a single set of rules for every EU Member State to protect personal data. It builds upon and updates the current EU data protection framework.

Effective date

It will come into force on 25 May 2018.

Companies processing personal data must continue to ensure they have proper controls over the processing and security of personal data, according to the data protection principles in the GDPR.

They must continue to control how data is stored, kept up to date, accessed, transferred and deleted.

Personal data is widely defined to mean any information relating to an identified or identifiable individual (known as a “data subject” under the GDPR). Personal data may include name, physical address, email address, identification number, location data, online identifier, credit card number, or health information.

Page 5

WHAT DOES IT CHANGE?

The GDPR goes beyond current EU law by:

1. Establishing more comprehensive data protection standards (e.g. companies must build privacy into projects, products and systems that will process personal data);

2. Requiring companies to keep detailed internal records of their processing activities;

3. Strengthening the enforcement powers of supervisory authorities and giving them the right to impose substantial fines;

4. Requiring companies to notify the relevant supervisory authority about serious personal data breaches within 72 hours and to notify affected individuals if there is a high risk of harm to them as a result of the breach.

Page 6

COMPANIES MUST ALSO…

• Tell individuals how their personal data will be used

• Comply with requests from individuals to stop using their personal data for marketing

• Make sure staff are appropriately trained in the care and handling of personal data

• Keep personal data secure

• Notify regulators and/or affected individuals in the event of a serious data breach (usually within 72 hours)

• Grant individuals access to correct or erase their personal data upon request

• Limit transfers of personal data out of the European Economic Area to only those that comply with EU international data transfer rules

• Put data processing agreements in place to ensure third party vendors follow the same protective rules

• Build privacy compliance into product, software and services design, processing tools and system development

Page 7

WHAT IS THE PENALTY FOR NOT COMPLYING?

If a company fails to comply with the GDPR, an EU supervisory authority can issue:

• Warnings, reprimands, suspensions of data transfers, bans on processing and orders to correct infringement; and

• Substantial fines of up to:

  10 million Euros or 2% of total global annual turnover (whichever is greater)

  OR

  20 million Euros or 4% of total global annual turnover (whichever is greater)

Fines are calculated on the type of obligation that has been breached, the seriousness of that breach, its effect on individuals and the behavior of the company.

Page 8

GDPR “GAME CHANGERS”

• Data Protection Officer (DPO) (when required) will become a key security stakeholder.

• Data breaches get costlier and more difficult to manage and prepare for.

• Privacy-by-design is built into GDPR.

• Extraterritorial reach of GDPR will make it a global mandate.

• Providing evidence of risk mitigation counts as much as securing data.

• EU resident rights add considerable operational complexity.

Page 9

GDPR AND ITS IMPACT

Page 10

THE WHEELS ARE IN MOTION

Teams are being established.

Cross-functional involvement is underway.

Leadership is key.

Page 11

IT’S NOT JUST AN EU ISSUE…

A recent PwC pulse survey asked C-suite executives from large American multinationals about the state of their plans for GDPR. The “pulse” revealed:

• Over half of US multinationals say GDPR is their top data-protection priority

• Information security enhancement is a top GDPR initiative

• 77% of survey respondents plan to spend $1M or more on GDPR

From “GDPR Preparedness Pulse Survey” published by PwC – January 2017

From Gartner’s 2016 Security Buying Survey

Page 12

AND IMPROVING PRIVACY IS NOT JUST A RISK MANAGEMENT REQUIREMENT.

PRIVACY as a COMPETITIVE DIFFERENTIATOR

Page 13

THE DATA LIFECYCLE (diagram; labels recovered from the slide)

Collect: Consent · Relevance · Type of data · Amount of data · Sensitivity · Fairly and lawfully

Process: Specific data · Specific purpose · Physical & Electronic

Keep and Secure: Duration and type of data · Data Integrity · Technology · Data loss & Breach Management · Third Parties · Resiliency

Manage Access: Right to rectify · Data destruction · Data transfers · Right to Inquire · Right to be forgotten · Notify of changes

Risk Assessment: Identify · Assess · Evaluate · Treat · Monitor

Surrounding labels: DATA SUBJECT RIGHTS · DATA PROTECTION

Page 14

FOUR KEYS TO GDPR PLANNING

Data Governance

Primary objective: Know where data is in the enterprise and who has access, and implement controls in data processing activities.

Risk Assessment

Primary objective: Establish a risk assessment process to ensure controls are appropriately designed and implemented.

Compliance Management

Primary objective: Establish a compliance program to ensure controls are effective and operational.

Breach Response

Primary objective: Detect and respond to the threat before a breach occurs, but if a breach does occur, you need to know the details and exact impact.

Page 15

DECISION TREE: WORKING YOUR WAY TO A PLAN

Are you affected?

• Does your organization process, store or handle personally identifiable information (PII)/Personal Data (OR plan to)? No: Stop (maybe). Yes: continue.

• Does any of this PII include EU residents including customers and/or employees? Yes: continue.

• Have you initiated a project around GDPR? No: Educate on GDPR. Yes: continue.

• Have you performed a risk assessment or analysis with regards to GDPR?

Which area(s) concern you the most?

Breach Response. Defined as: The ability to detect and respond to security incidents, escalate and handle data breaches of any type.

• What is your strategy for identifying and responding to data breaches?

• What steps towards automation have you taken to reduce “breach exposure time”?

• How do you manage your risk of advanced cyber threats and attacks?

Data Governance. Defined as: The ability to monitor and control access to data.

• What is your strategy to ensure access to personal information is proper and controlled?

• How do you establish policies around data governance?

• Do you have an accurate data processing catalog?

Risk Assessment. Defined as: The ability to implement consistent and sustainable risk management processes.

• Do you have an overarching risk management strategy in place?

• Where does data privacy fit into your risk management strategy?

• How does your organization handle risk assessments in general?

Compliance Management. Defined as: The ability to define policies and demonstrate adherence to regulatory & corporate obligations.

• How do you identify, prioritize and track compliance issues?

• How do you catalog data and associated custodians & regulatory requirements?

• How does your organization handle compliance in general?

Yes: Build your plan.

DON’T FORGET ABOUT THIRD PARTIES…

Page 16

WHAT’S NEEDED TO CLOSE THE GAP?

Page 17

WHERE DO YOU START?

• Understand what personal data you process

• Where is it and how is it used

• User should always be first

• Privacy at every level

• Mitigation plan

• Risk Management review

• Incident detection and response planning

Page 18

WHO IS RESPONSIBLE FOR PRIVACY?

(Diagram labels: DATA RISK MANAGEMENT · DATA PRIVACY)

• Privacy combines elements of Security, Compliance, and broader Data Risk Management considerations.

• Each respective area, function, and process has a role in ensuring that sensitive corporate information is appropriately protected.

Page 19

INSPIRE EVERYONE TO OWN RISK

Page 20

WHO NEEDS TO BE IN THE DISCUSSION?

CIO: Which technology / product strategies are creating risk?

CLO: How does our compliance strategy scale?

CRO: Where are our risks in the big picture?

CEO: What should the risk culture of the organisation be?

CFO: How do we balance investment vs risk?

Page 21

PRIVACY MANAGEMENT PROGRAM: COMPONENTS

• Governance model

• Audits & Review

• Education

• Process & practices

• Policies

• Data Inventory

• Self-Assessments & Compliance Posture

• Information Security Practices

• Policies

• Legal – contracts, indemnities, agreements

• Response & Complaints Mgt Process

• Data Access Request Handling Process

• Communications

Governance: recommended APPROACH

Page 22

A STRATEGY TO MANAGE DATA PRIVACY

• Provide business and IT context to those processes

• Manage your Policy on the processes needed internally to comply

• Automate the process of PIA and DPIA assessments and data breach reporting to regulators

• Provide a central repository for Privacy regulations and remediation activities

Page 23

THE PROVEN PATH TO TAKE COMMAND OF RISK

Page 24

A GRC STRATEGY TO MANAGE DATA PRIVACY

GRC SOLUTION (diagram; labels recovered from the slide)

• Compliance: Manage regulatory and corporate obligations

• Third Party Management: Manage vendor and outsourced parties

• IT Security: Protect business assets

• Business Resiliency: Manage breaches / disruptions

• Operational Risk Management

• Risk Management

• Enterprise Risk Management

• Audit: Third Line of Defense

Stakeholders: CISO · LOB Executives · CXO · Board · CAE · Business Operations

3 Lines of Defence Model

Page 25

A GRC STRATEGY TO MANAGE DATA PRIVACY

Compliance

• Policy Management

• Controls Assurance

Audit

• Audit Program

Third Party Governance

• Risk Based vendor Management

• 3rd Party Compliance monitoring

Risk Management

• Catalog of Sensitive Information Assets and related devices

• Business Hierarchy

• Risk Assessments and Reporting

Issues Management

• Handling of Findings and Exceptions

• Remediation planning

• Escalation Workflow

Breach Management

• Data Breach process

• Handling of Data Subject Rights processes

Page 26

A GRC STRATEGY TO MANAGE DATA PRIVACY

Page 27

RSA ARCHER FOR PRIVACY MANAGEMENT

Breach Response

• Security Incident Management

• Security Operations & Breach Management

Data Governance

• Data Governance Management

• Privacy Program Management

• Third Party Catalog

Risk Assessment

• IT Risk Management

Compliance Management

• IT & Security Policy Program Management

• IT Controls Assurance

• Issues Management

Page 28

CYBERRISK NOISE…

• Is this an inappropriate attempt to access top secret information?

• Do we have a compliance issue?

• Is this an issue affecting a high risk business function?

• What are the executive concerns?

• Is this a coordinated advanced attack?

• How does this new vulnerability affect us?

Page 29

THIRD PARTY NOISE…

• Are the third parties we do business with compliant with laws and regulations?

• Which of our 3rd party relationships pose the most risk?

• Who are all of the third parties that support our business?

• Are all of our third parties performing up to the levels we expect?

• Do we have the needed contingency plans in place around third party risks?

• Should we be doing business with this new third party?

Page 30

Page 31

Thank You

Leader in the Gartner Magic Quadrant for:

- Operational Risk Management

- IT Risk Management

- IT Vendor Risk Management

- Business Continuity Management & Planning

Archer®

James Fong, Regional Business Director | RSA Archer | Governance, Risk & Compliance

[email protected]

M (65) 8533 1395