GDPR: BATTEN THE HATCHES, IT'S COMING! Kyle Davies – Solutions Architect VMWORLD EU 2017 - VMTN6642E

Uploaded by kyle-davies, posted 22-Jan-2018

TRANSCRIPT

Page 1: VMTN6642E - GDPR Slide Deck

GDPR: BATTEN THE HATCHES, IT'S COMING!

Kyle Davies – Solutions Architect

VMWORLD EU 2017 - VMTN6642E

Page 2

WHO AM I?

• Kyle Davies

• CDW - Solutions Architect

• Twitter: @kdavies1988

• Blog: www.kyle-davies.com

• Experience: 10 Years+

• Accreds: vExpert 2016-2017, Citrix CTA, Former Atlantis ACE, Cisco Spark Ambassador…

Page 3

VMWARE DISCLAIMER

• This presentation may contain product features or functionality that are currently under development

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind

• Technical feasibility and market demand will affect final delivery

• Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined

• This information is confidential

Page 4

MY DISCLAIMER

• I am not a lawyer

• Technology is an enabler / helping hand for GDPR and not the answer

• Thoughts are my own, and not necessarily the thoughts of CDW

• The session is to get you thinking about GDPR if you haven't already

Page 5

AREAS COVERED IN 30 MINUTES

• Timeframes

• Directive vs regulation

• Definitions

• Why the need for GDPR

• The high level differences between DPD & GDPR

• Key GDPR features / impact points

• GDPR myths

• Fines

• The structure

• The ICO advised approach

• My advised approach

• Where VMware can help

• Closing statement

Page 6

QUESTION

HANDS UP….

WHO IS CURRENTLY DOING SOMETHING FOR THE GDPR?

Page 7

QUESTION

HANDS UP….

WHO HAS NO IDEA ABOUT THE GDPR OR HASN’T EVEN LOOKED AT IT YET?

Page 8

QUESTION

HANDS UP….

WHO THINKS THE GDPR DOESN’T APPLY TO THEM?

Page 9

TIMEFRAMES

• 8 April 2016 – the European Council adopted the regulation

• 14 April 2016 – the regulation was adopted by the European Parliament

• 4 May 2016 – published in the EU Official Journal in all the official languages

• 24 May 2016 – the regulation entered into force

• 25 May 2018 – applies from this date (the two-year transition period ends; there is no grace period after it)

This regulation shall be binding in its entirety and directly applicable in all member states

Page 10: VMTN6642E - GDPR Slide Deck

DIRECTIVE vs REGULATION

DIRECTIVE

Instrument passed at EU level

National implementation

Local variations

REGULATION

Instrument passed at EU level

No need for national implementation

One ring to rule them all

Page 11: VMTN6642E - GDPR Slide Deck

SOME DEFINITIONSDefinition Definition Description

Personal Data

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an

identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to

an identifier such as a name, an identification number, location data, an online identifier or to one or more

factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal

data, whether or not by automated means, such as collection, recording, organisation,

structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Profiling

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to

evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation,

health, personal preferences, interests, reliability, behaviour, location or movements;

Page 12

SOME DEFINITIONS

Pseudonymisation

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Controller

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Page 13

SOME DEFINITIONS

Consent

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Personal Data Breach

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Enterprise

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

Supervisory Authority

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

International Organisation

‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Page 14

WHY THE NEED FOR GDPR & THE CHANGE?

[Timeline graphic: EU Data Protection Directive (DPD) – 1995; UK Data Protection Act (DPA) released – 1998; GDPR adopted – 2016]

Page 15

WHY THE NEED FOR GDPR & THE CHANGE?

Percentage of households with home computers in the United Kingdom

• 1990 – 17%

• 1996/1997 – 27%

• 2001/2002 – 49%

• 2007/2008 – 72%

• 2015/2016 – 88%

https://www.statista.com/statistics/289191/household-penetration-of-home-computers-in-the-uk/

Page 16

WHY THE NEED FOR GDPR & THE CHANGE?

Percentage of households with home computers in the United Kingdom

• 1990 – 17%

• 1996/1997 – 27%

• 2001/2002 – 49%

• 2007/2008 – 72%

• 2015/2016 – 88%

https://www.statista.com/statistics/289191/household-penetration-of-home-computers-in-the-uk/

Percentage of households with an internet connection in the United Kingdom

• 1998/1999 – 9%

• 2001/2002 – 39%

• 2008 – 66%

• 2014 – 84%

https://www.statista.com/statistics/289201/household-internet-connection-in-the-uk/

Page 17

HIGH LEVEL CHANGES FROM DPD TO GDPR

DPD | GDPR

34 Articles | 99 Articles

72 Recitals | 173 Recitals

No detail on provisions for consent | Details valid conditions for consent

No detail on children's data processing | Details an age limit for making processing of children's data lawful

Right to be forgotten only in limited circumstances (unlawful processing or incomplete/inaccurate data) | Lists the conditions under which the right can be exercised

No obligation to maintain records of processing activities | Lists the obligations of controllers and processors to demonstrate, and be accountable for, their processing

No enforcement of accountability | Enforcement of accountability and conditions for imposing fines

https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive

Page 18

HIGH LEVEL CHANGES FROM DPD TO GDPR

GDPR:

• Regulation, not a Directive

• Personal data redefined (including online unique identifiers)

• Mandatory breach notification

• Financial repercussions / penalties

• One Stop Shop (kind of)

• Information governance: track how and where data is used, captured etc.

• Transparency: the controller must provide clear information on data subjects' rights and explain how data will be processed; any communication must be in clear, plain language that will be understood by the target audience

• Data portability: structured and machine readable; controller-to-controller transmission upon request of the data subject

• Right to be forgotten (if there is no legitimate ground to retain)

• Data processors liable to the same level as data controllers

• Global impact for multinational businesses that deal in the EU

Page 19

GDPR MYTHS

BIGGEST THREAT IS EYE WATERING FINES

"Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."

"While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective"

Elizabeth Denham, ICO

https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/

Page 20

GDPR MYTHS

EVERY ORGANISATION NEEDS A DATA PROTECTION OFFICER!

A DPO must be appointed only in the case of: (a) public authorities, (b) organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or (c) organisations whose core activities involve large-scale processing of sensitive (special category) personal data. Member State law may require a DPO in further cases, and any organisation may appoint one voluntarily.

Read Article 37

Page 21

GDPR MYTHS

GDPR IS A EUROPE ONLY ISSUE!

GDPR will affect any organisation that offers goods or services to individuals in the EU or monitors the behaviour of people located in the EU, regardless of where its offices or ad servers are based.

Read Article 3 (territorial scope) and Recitals 22 to 24

Page 22

GDPR MYTHS

CONTROLLERS DON'T NEED DATA PROCESSING AGREEMENTS WITH PROCESSORS BECAUSE THE GDPR IMPOSES DIRECT OBLIGATIONS ON PROCESSORS

Data processing agreements are vital to the controller and processor relationship because they bind both parties to specific terms, and Article 28 requires that processing by a processor is governed by a contract or other legal act.

Read Article 28

Page 23

GDPR MYTHS

BIOMETRIC DATA IS SENSITIVE DATA UNDER THE GDPR

Biometric data is a special category of personal data only when it is processed for the purpose of uniquely identifying a natural person; biometric data processed for other purposes is ordinary personal data.

Read Article 9

Page 24

GDPR MYTHS

PSEUDONYMISED DATA (E.G. HASHED DATA) ARE TREATED EXACTLY LIKE ANY OTHER PERSONAL DATA UNDER THE GDPR

Pseudonymised data are still personal data (the "additional information" can re-identify the subject), but the GDPR recognises pseudonymisation as a safeguard and encourages it:

"The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;"

Read Article 32 (security of processing) and Article 11 (processing which does not require identification)

Page 25

THE FINES

Article 83 splits the administrative fines into two tiers according to the obligations infringed by controllers, processors or undertakings.

Up to 2% of total worldwide annual turnover or EUR 10,000,000*

• Obligations of the controller and processor under: Article 8 (conditions applicable to child's consent in relation to information society services); Article 11 (processing which does not require identification); Articles 25 to 39 (general obligations, security of personal data, data protection impact assessment and prior consultation); Article 42 (certification); Article 43 (certification bodies)

• Obligations of certification bodies under Articles 42 and 43

• Obligations of monitoring bodies under Article 41(4)

Up to 4% of total worldwide annual turnover or EUR 20,000,000*

• Basic principles for processing and conditions for consent under: Article 5 (principles relating to processing of personal data); Article 6 (lawfulness of processing); Article 7 (conditions for consent); Article 9 (processing of special categories of personal data)

• Data subjects' rights under Articles 12 to 22

• Transfer of personal data to a third country or international organisation under Articles 44 to 49

• Non-compliance with the supervisory authority's powers under Article 58: imposition of a temporary or definitive limitation including a ban on processing (Art 58(2)(f)); suspension of data flows to third countries or international organisations (Art 58(2)(j)); failure to provide access to premises or data processing equipment and means (Art 58(1)(f))

*Whichever is higher

Page 26

FINANCIAL IMPACT EXAMPLE – A TELECOMMUNICATIONS PROVIDER

• Record £400,000 fine (October 2015 attack). Under GDPR this could have been up to £70m!

• The attacker accessed the personal data of 156,959 customers, including names, addresses, dates of birth, phone numbers and email addresses

• In 15,656 cases, the attacker obtained bank details

• Two early warnings – TELCO unaware!

http://cybersecurityinsights.foregenix.com/post/102dpzf/gdpr-fines-to-make-your-eyes-water

Page 27

ICO’s in-depth investigation found that the attack could have been prevented if TELCO had taken basic steps to protect customers’ information

Technical weaknesses in TELCO systems

Out of date database software

Did not scan infrastructure for possible threats

FINANCIAL IMPACT EXAMPLE

Page 28

“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TELCO was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”

UK ICO, Elizabeth Denham

FINANCIAL IMPACT EXAMPLE

Page 29

THE ESCALATION STRUCTURE (UK)

[Diagram: escalation chain from the individual up to the EU board]

• Data Subject (individuals)

• Data Controller (organisation)

• Data Processor (service provider)

• 3rd parties / 3rd countries

• Lead Supervisory Authority (Information Commissioner's Office – ICO)

• European Data Protection Board

Page 30

ICO ADVISED APPROACH (UK)

1. AWARENESS – Make your organisation aware of the changes and impact of GDPR

2. INFORMATION YOU HOLD – Document what personal data you hold, where it came from and who you share it with

3. COMMUNICATING PRIVACY INFORMATION – Review current privacy notices, plan for GDPR change requirements

4. INDIVIDUALS' RIGHTS – Review procedures to ensure they cover all the rights individuals have, including how you will delete or provide data electronically

5. SUBJECT ACCESS REQUESTS – Update procedures and plan how you will manage requests within the new timescales

6. LEGAL BASIS FOR PROCESSING PERSONAL DATA – Review existing data processing carried out and identify the legal basis for carrying it out

7. CONSENT – Review how you are seeking, obtaining and recording consent for any required changes

8. CHILDREN – Think about how you can verify individuals' ages and gather parental/guardian consent for data processing activities

9. DATA BREACHES – Ensure procedures are in place to detect, report and investigate breaches

10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS – Look into providing privacy impact assessments, and when to implement them

11. DATA PROTECTION OFFICERS – Designate a data protection officer, or someone to take responsibility for compliance. Review where this role will sit in your organisation

12. INTERNATIONAL – Determine which data protection supervisory authority you come under

Page 31

WHERE ORGANISATIONS ARE STRUGGLING

• Director level buy in

• Understanding of the impacts and risks to the business

• Lack of budget or resources

• Don’t understand what PII data is held or how it is captured

Page 32

MY ADVISED STARTING POINT

• Start planning your approach to GDPR compliance NOW

• Secure buy-in from key people (senior execs and board members)

• Evaluate the differences between the current law and the GDPR – concentrate where you have gaps

• Document / understand what PII data you hold and where you obtained it from

• The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate accountability

• Certain parts of the GDPR have more of an operational impact on some organizations than on others

Page 33

VMware Product and Capabilities Mapped to GDPR

• Micro-segmentation

• Automation, monitoring

• Audit features

• Logging

• Planning and designing network security

• Managing data flow

• Network isolation

• Workload segmentation

• Network monitoring

• Access control

• Protecting sensitive data

• Securing data exports

• Access controls with workloads and geotagging

• Access control with device location

• Multi-country data center design

• Monitoring and exposing network services via API

• Reviewing network architecture

• Data protection including encryption

• Business continuity, visibility

Page 34

GDPR Article | GDPR Description | VMware Product and Capabilities

Article 18 | Right to restriction of processing | VMware NSX: NSX Distributed Firewall, NSX Service Composer, NSX Logical Switches, NSX Guest Introspection, NSX Network Extensibility

Article 24 | Responsibility of the controller | VMware NSX: NSX Application Rule Manager, NSX Endpoint Monitoring; vRealize Network Insight; vRealize Operations; vRealize Log Insight

Article 25 | Data protection by design and by default | VMware NSX: NSX Service Composer, NSX Endpoint Monitoring, NSX Guest Introspection; vSphere; vShield Endpoint

Article 26 | Joint controllers | VMware NSX; NSX Distributed Firewall; vRealize Network Insight

Article 32 | Security of processing | VMware NSX: NSX Service Composer, NSX Edge Services Gateway; VMware vSphere; vCenter; VMware Data Protection; vSphere Replication; VMware vRealize Network Insight; VMware Site Recovery Manager

Article 35 | Data protection impact assessment | VMware NSX: NSX Application Rule Manager; vRealize Network Insight; vRealize Log Insight

Page 35

WHERE VMWARE CAN ASSIST

• To learn more on how VMware can assist please visit the VMware booth or attend GRC3109PE and/or GRC3386BES

Page 36

THANK YOU

VMWORLD EU 2017 - VMTN6642E

Kyle Davies – Solutions Architect

Blog: www.kyle-davies.com

Twitter: @kdavies1988