vmtn6642e - gdpr slide deck
TRANSCRIPT
GDPR: BATTEN THE HATCHES, IT'S COMING!
Kyle Davies – Solutions Architect
VMWORLD EU 2017 - VMTN6642E
WHO AM I?
• Kyle Davies
• CDW - Solutions Architect
• Twitter: @kdavies1988
• Blog: www.kyle-davies.com
• Experience: 10 Years+
• Accreds: vExpert 2016-2017, Citrix CTA, Former Atlantis ACE, Cisco Spark Ambassador…
VMWARE DISCLAIMER
• This presentation may contain product features or functionality that are currently under development
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind
• Technical feasibility and market demand will affect final delivery
• Pricing and packaging for any new features/functionality/technology discussed or presented, have not been determined
• This information is confidential
MY DISCLAIMER
• I am not a lawyer
• Technology is an enabler / helping hand for GDPR and not the answer
• Thoughts are my own, and not necessarily the thoughts of CDW
• The session is to get you thinking about GDPR if you haven't already
AREAS COVERED IN 30 MINUTES
• Timeframes
• Directive vs regulation
• Definitions
• Why the need for GDPR
• The high level differences between DPD & GDPR
• Key GDPR features / impact points
• GDPR myths
• Fines
• The structure
• The ICO advised approach
• My advised approach
• Where VMware can help
• Closing statement
QUESTION
HANDS UP….
WHO IS CURRENTLY DOING SOMETHING FOR THE GDPR?
QUESTION
HANDS UP….
WHO HAS NO IDEA ABOUT THE GDPR OR HASN’T EVEN LOOKED AT IT YET?
QUESTION
HANDS UP….
WHO THINKS THE GDPR DOESN’T APPLY TO THEM?
TIMEFRAMES
• 8 April 2016 - European Council adopted the regulation
• 14 April 2016 - regulation was adopted by the European Parliament
• 4 May 2016 - published in the EU Official Journal in all the official languages
• 24 May 2016 - the regulation entered into force
• 25 May 2018 – applies from this date
This regulation shall be binding in its entirety and directly applicable in all member states
DIRECTIVE vs REGULATION
DIRECTIVE
Instrument passed at EU level
National implementation
Local variations
REGULATION
Instrument passed at EU level
No need for national implementation
One ring to rule them all
SOME DEFINITIONS
Personal Data
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal
data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Profiling
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation,
health, personal preferences, interests, reliability, behaviour, location or movements;
SOME DEFINITIONS
Pseudonymisation
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject
to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Controller
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Processor
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
SOME DEFINITIONS
Consent
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear
affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal Data Breach
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Enterprise
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
Supervisory Authority
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
International Organisation
‘international organisation’ means an organisation and its subordinate bodies governed by public international
law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
WHY THE NEED FOR GDPR & THE CHANGE?
[Timeline slide, 1995 to 2016: EU DPD – 1995; UK released DPA – 1998; GDPR – 2016]
WHY THE NEED FOR GDPR & THE CHANGE?
Percentage of households with home computers in the United Kingdom
https://www.statista.com/statistics/289191/household-penetration-of-home-computers-in-the-uk/
1990 – 17%
1996/1997 – 27%
2001/2002 – 49%
2007/2008 – 72%
2015/2016 – 88%
Percentage of households with internet connection in the United Kingdom
https://www.statista.com/statistics/289201/household-internet-connection-in-the-uk/
1998/1999 – 9%
2001/2002 – 39%
2008 – 66%
2014 – 84%
HIGH LEVEL CHANGES FROM DPD TO GDPR
DPD: 34 Articles | GDPR: 99 Articles
DPD: 72 Recitals | GDPR: 173 Recitals
DPD: No detail on provisions for consent | GDPR: Details the valid conditions for consent
DPD: No detail on processing of children's data | GDPR: Details an age limit for making processing of children's data lawful
DPD: Right to be forgotten only in limited circumstances (unlawful processing or incomplete/inaccurate data) | GDPR: Lists the conditions under which the right can be exercised
DPD: No obligations for maintaining records of processing activities | GDPR: Lists out the obligations of controllers and processors to demonstrate, and be accountable for, their processing
DPD: No enforcement of accountability | GDPR: Enforcement of accountability and conditions for imposing fines
https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive
HIGH LEVEL CHANGES FROM DPD TO GDPR
GDPR
• Regulation, not a Directive
• Personal data redefined (including online unique identifiers)
• Mandatory breach notification
• Financial repercussions / penalties
• One Stop Shop (kind of)
• Information governance: track how and where data is used, captured etc.
• Transparency: the controller must provide clear information on data subjects' rights and explain how data will be processed; any communication must be in clear, plain language that will be understood by the target audience
• Data portability: structured and machine readable; controller-to-controller transmission upon request of the data subject
• Right to be forgotten (if there is no legitimate ground to retain the data)
• Data processors liable to the same level as data controllers
• Global impact for multinational businesses that deal in the EU
GDPR MYTHS
BIGGEST THREAT IS EYE WATERING FINES
"Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."
"While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective"
Elizabeth Denham, ICO
https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/
GDPR MYTHS
EVERY ORGANISATION NEEDS A DATA PROTECTION OFFICER!
DPOs must only be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large
scale processing of sensitive personal data
Read Article 37
GDPR MYTHS
GDPR IS A EUROPE ONLY ISSUE!
GDPR will affect any organisation that offers goods or services to consumers in the EU or monitors the behaviour of people
located in Europe, regardless of where their offices or ad servers are based.
Read REC 20, Article 4
GDPR MYTHS
Controllers don’t need data processing agreements with processors because the GDPR imposes direct obligations on
processors
Data processing agreements are vital to the controller and processor relationship as it binds both parties to specific terms.
Read Article 28
GDPR MYTHS
Biometric Data Is Sensitive Data Under The GDPR
Read Article 9
GDPR MYTHS
Pseudonymised Data (E.G. Hashed Data) Are Treated Exactly Like Any Other Personal Data Under The GDPR
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security
appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
Read Article 33 and 11
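The definition of pseudonymisation turns on the "additional information" being kept separately from the data. The following is an added example, not the speaker's or VMware's code, showing what that looks like in practice: direct identifiers are replaced by keyed HMAC tokens, the key and the re-identification table are held apart from the dataset, and records for one subject stay linkable for analytics while the dataset alone reveals nobody. The records and the fixed key are constructed for the example; a plain unkeyed hash is shown alongside to illustrate why "hashed data" on its own may not meet the bar, since anyone who knows the identifier can recompute it.

```python
"""Added pseudonymisation example (not from the slide deck).
Direct identifiers are replaced by keyed HMAC tokens; the key and the
re-identification table are the 'additional information' that must be
stored separately from the dataset. All records below are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "gold", "spend": 120},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "silver", "spend": 80},
    {"email": "alice@example.com", "name": "Alice Example", "plan": "gold", "spend": 45},
]
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input + same key -> same token,
    so one subject's records stay linkable without revealing who they are."""
    return hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Return (pseudonymised dataset, re-identification table).
    The table and the key must live in a separate store with their own
    access controls; the dataset alone carries no direct identifiers."""
    dataset, table = [], {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        dataset.append(row)
        table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return dataset, table


def reidentify(dataset, table, email, key):
    """Controller-side lookup (e.g. to answer a subject access request):
    returns the subject's rows and identity, or ([], None) with the wrong key."""
    token = pseudonym(email, key)
    return [r for r in dataset if r["subject_id"] == token], table.get(token)


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of a guessable identifier: whoever knows the identifier
    can recompute it, so no separately held secret protects the link.
    Kept here only as the contrast to the keyed token above."""
    return hashlib.sha256(value.lower().encode("utf-8")).hexdigest()


def demo():
    key = secrets.token_bytes(32)  # in practice: generated and stored separately
    dataset, table = pseudonymise(RECORDS, key)
    assert all("email" not in r and "name" not in r for r in dataset)
    rows, identity = reidentify(dataset, table, "alice@example.com", key)
    assert len(rows) == 2 and identity["name"] == "Alice Example"
    # A different key yields different tokens: the dataset is useless without it.
    assert reidentify(dataset, table, "alice@example.com", secrets.token_bytes(32))[1] is None
    # The unkeyed hash needs no secret at all to reproduce.
    assert unkeyed_hash("alice@example.com") == unkeyed_hash("Alice@Example.com")
    return len(dataset)


if __name__ == "__main__":
    print("pseudonymised rows:", demo())
```

The token is truncated to 128 bits purely for readability; the point is that the HMAC key, not the hash function, is what separates the pseudonym from the person, which is why the key belongs with the re-identification table and not in the analytics environment.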
THE FINES
Article 83 splits the amount of administrative fines according to the obligations infringed by controllers, processors or undertakings.
Up to 2% of total worldwide turnover or 10,000,000 EUR*:
• Obligations of controller and processor under:
  - Article 8 - Conditions applicable to child's consent in relation to information society services
  - Article 11 - Processing which does not require identification
  - Art 25 to 39 - General obligations, Security of personal data, Data protection impact assessment and prior consultation
  - Article 42 - Certification
  - Article 43 - Certification bodies
• Obligations of certification body under: Art 42, Art 43
• Obligations of monitoring body under: Art 41(4)
Up to 4% of total worldwide turnover or 20,000,000 EUR*:
• Basic principles for processing and conditions for consent under:
  - Art 5 - Principles relating to processing of personal data
  - Art 6 - Lawfulness of processing
  - Art 7 - Conditions for consent
  - Art 9 - Processing of special categories of personal data
• Data subject's rights under: Articles 12 to 22
• Transfer of personal data to a third country or international organisation under: Articles 44 to 49
• Non-compliance with supervisory authority's powers under the provisions of Article 58:
  - Imposition of a temporary or definitive limitation including a ban on processing (Art 58(2)(f))
  - Suspension of data flows to third countries or international organisations (Art 58(2)(j))
  - Provide access to premises or data processing equipment and means (Art 58(1)(f))
*Whichever is higher
FINANCIAL IMPACT EXAMPLE
A TELECOMMUNICATIONS PROVIDER
http://cybersecurityinsights.foregenix.com/post/102dpzf/gdpr-fines-to-make-your-eyes-water
• Record £400,000 fine (October 2015 attack). Under GDPR this could have been up to £70m!
• Accessed personal data of 156,959 customers including names, addresses, DOB, phone numbers and email
• In 15,656 cases, the attacker obtained bank details
• Two early warnings – TELCO unaware!
• ICO’s in-depth investigation found that the attack could have been prevented if TELCO had taken basic steps to protect customers’ information
• Technical weaknesses in TELCO systems
• Out-of-date database software
• Did not scan infrastructure for possible threats
FINANCIAL IMPACT EXAMPLE
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TELCO was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers.”
UK ICO, Elizabeth Denham
THE ESCALATION STRUCTURE (UK)
[Diagram: the parties and the escalation path between them]
• Data Subject (Individuals)
• Data Controller (Organisation)
• Data Processor (Service Provider)
• 3rd Parties / 3rd Countries
• Lead Supervising Authority (Information Commissioner's Office – ICO)
• European Data Protection Board
ICO ADVISED APPROACH (UK)
1. AWARENESS: Make your organisation aware of the changes and impact of GDPR
2. INFORMATION YOU HOLD: Document what personal data you hold, where it came from and who you share it with
3. COMMUNICATING PRIVACY INFO: Review current privacy notices, plan for GDPR change requirements
4. INDIVIDUALS’ RIGHTS: Review procedures to ensure they cover all the rights individuals have, including how you will delete or provide data electronically
5. SUBJECT ACCESS REQUESTS: Update procedures and plan how you will manage requests within the new timescales
6. LEGAL BASIS FOR PROCESSING PERSONAL DATA: Review the existing data processing carried out and identify the legal basis for carrying it out
7. CONSENT: Review how you are seeking, obtaining and recording consent for any required changes
8. CHILDREN: Think about how you can verify individuals’ ages and gather parental/guardian consent for data processing activities
9. DATA BREACHES: Ensure procedures are in place to detect, report and investigate breaches
10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS: Look into providing privacy impact assessments, and when to implement them
11. DATA PROTECTION OFFICERS: Designate a data protection officer, or someone to take responsibility for compliance. Review where this role will sit in your organisation
12. INTERNATIONAL: Determine which data protection supervisory authority you come under
WHERE ORGANISATIONS ARE STRUGGLING
• Director level buy in
• Understanding of the impacts and risks to the business
• Lack of budget or resources
• Don’t understand what PII data is held or how it is captured
MY ADVISED STARTING POINT
• Start planning your approach to GDPR compliance NOW
• Secure buy-in from key people (senior execs and board members)
• Evaluate the differences between the current law and the GDPR – concentrate where you have gaps
• Document / understand what PII data you hold and where you obtained it from
• The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate accountability
• Certain parts of the GDPR have more of an operational impact on some organizations than on others
VMware Product and Capabilities Mapped to GDPR
• Micro-segmentation
• Automation, monitoring
• Audit features
• Logging
• Planning and designing network security
• Managing data flow
• Network isolation
• Workload segmentation
• Network monitoring
• Access control
• Protecting sensitive data
• Securing data exports
• Access controls with workloads and geotagging
• Access control with device location
• Multi-country data center design
• Monitoring and exposing network services via API
• Reviewing network architecture
• Data protection including encryption
• Business continuity, visibility
GDPR Article | GDPR Description | VMware Product and Capabilities
Article 18 | Right to restriction of processing | VMware NSX: NSX Distributed Firewall, NSX Service Composer, NSX Logical Switches, NSX Guest Introspection, NSX Network Extensibility
Article 24 | Responsibility of the controller | VMware NSX: NSX Application Rule Manager, NSX Endpoint Monitoring; vRealize Network Insight; vRealize Operations; vRealize Log Insight
Article 25 | Data protection by design and by default | VMware NSX: NSX Service Composer, NSX Endpoint Monitoring, NSX Guest Introspection; vSphere; vShield Endpoint
Article 26 | Joint controllers | VMware NSX, NSX Distributed Firewall, vRealize Network Insight
Article 32 | Security of processing | VMware NSX: NSX Service Composer, NSX Edge Services Gateway; VMware vSphere; vCenter; VMware Data Protection; vSphere Replication; VMware vRealize Network Insight; VMware Site Recovery Manager
Article 35 | Data protection impact assessment | VMware NSX: NSX Application Rule Manager; vRealize Network Insight; vRealize Log Insight
WHERE VMWARE CAN ASSIST
• To learn more on how VMware can assist please visit the VMware booth or attend GRC3109PE and/or GRC3386BES
THANK YOU
VMWORLD EU 2017 - VMTN6642E
Kyle Davies – Solutions Architect
Blog: www.kyle-davies.com
Twitter: @kdavies1988