Recent surveys benchmarking the status of U.S. companies' efforts to meet the May 25 deadline for the EU Global Data Protection Regulation (GDPR) have revealed a startling lack of preparedness. Companies not yet in compliance are likely to violate the directive if they don’t take immediate action, and fines can amount to 2-4 percent of a company’s annual gross revenue. Do you have the resources and information you need to comply? View to learn: --What GDPR means to your business --Short, medium, and long-term actions you can take to protect regulated data and achieve compliance --How you can streamline incident response and third-party risk management capabilities --How to streamline the resources and technology needed to keep up with the evolving regulatory landscape Don't fall behind on these compliance regulations. Take the steps needed to protect the data you collect.

1. KEEP CALM
AND COMPLY
THREE KEYS TO
GDPR SUCCESS

2. www.forsythe.com
Forsythe is a leading enterprise IT company,
providing advisory services, security, hosting
and technology solutions for Fortune 1000
organizations. Forsythe helps clients optimize,
modernize and innovate their IT to become
agile, secure, digital businesses.
Sponsored by

3. COMPANIES
AREN’T READY
Before 2020, we will have seen
a multimillion Euro regulatory
sanction for GDPR noncompliance
On 25 May 2018, less than 50% of
all organizations impacted will
fully comply with the GDPR
Source: Gartner, GDPR Clarity: 19 Frequently Asked Questions Answered, November 2017

4. Tough penalties: fines up to
4% of annual global revenue
or €20 million whichever is greater.
The definition of personal data is now
broader and includes identifiers such as
genetic economic socialmental cultural
The regulation also applies to non-EU
companies that process personal data
of individuals in the EU.
The international transfer of data
will continue to be governed under EU
GDPR rules.
Parental consent required for the
processing of personal data of
children under age 16.
Users may request a copy
of personal data in a
portable format.
Data subjects have the
right to be forgotten and
erased from records.
Obtaining consent for processing personal
data must be clear, and must seek an
affirmative response.
What it means:
The appointment of a data protection officer
(DPO) will be mandatory for companies
processing high volumes of personal data,
and a good practice for others.

5. TIME IS RUNNING OUT!
DEADLINE: MAY 25, 2018

6. Companies that violate certain provisions—such as the basic processing principles or the rules
relating to cross-border data transfers—may face fines amounting to four percent of the
company’s annual gross revenue, and up to two percent for violations such as failing to meet
the breach notification rule.
Fines
EU GDPR MANDATES
A “right to erasure”, also known as the “right to be forgotten,” gives a data subject the right to
order a data controller/organization to erase any of their personal data in certain situations.
Data controllers will be required to erase personal data “without undue delay” when the data is
no longer necessary in relation to the purposes for which it was gathered or processed.
Right to be
Forgotten
A single data breach notification requirement is applicable across the EU. The rule requires
data controllers to notify the appropriate supervisory authority of a personal data breach within
72 hours of learning about it.
Breach
Notification
Companies whose “core activities” involve large-scale processing of “special categories” of
data—information that reveals racial or ethnic origin, political opinions, religious or
philosophical beliefs, genetic data, biometric data, health or sexual orientation—need to
designate a data protection officer. Companies who collect some of this information strictly for
internal human resources purposes may also be subject to this requirement.
Data Protection
Officer (DPO)

7. Ask Yourself:
HOW PREPARED ARE YOU FOR
THE MAY 25 DEADLINE?
a) Very prepared
b) Somewhat prepared
c) Not at all prepared
d) Unsure

8. WHAT CAN
WE DO?

9. PEOPLE
Adhere to regulation-specific staffing
requirements, such as GDPR’s DPO,
and NY’s CISO (drives accountability)
Education & awareness
Changing behaviors around
the collection and use of data
Establishing appropriate consent controls
Ensure suitable technical (security analysts,
IR team) & non-technical (business
leadership, legal, PR) staff is
in place and is trained appropriately
PROCESS
Perform risk assessment (utilizing
framework like NIST, ISO, etc.)
Identify and manage collection
of sensitive data
Set processing/dissemination rules
Ensure means to address inquiries and
adhere to 72-hour notification req’s
Establish data lifecycle management
(inventory, classify, track the movement
of, and disposal of, data)
Set IR processes (preparation, detection/
reporting, triage/analysis, containment/
neutralization and post-incident activity)
Develop third-party risk program
TECHNOLOGY
Visibility (identify data and its
location: endpoint, DB/shares,
cloud, structured/unstructured)
Analytics (when, where,
and how data is moving)
Data protection tools (discovery,
classification, DLP, encryption,
IAM, CASB, and gateway controls)
Detection tools (IDS/IPS, NGFW, UEBA)
Containment tools: Endpoint Detection
and Response, and Forensics tools
Third-party risk and security scoring tools

10. SHORT-TERM

11. ONE
APPOINT A DPO
A data protection officer (DPO) is
an enterprise security leadership
role required by the General Data
Protection Regulation (GDPR). Data
protection officers are responsible for
overseeing data protection strategy and
implementation to ensure compliance
with GDPR requirements.

12. TWO
BOOST
INCIDENT
RESPONSE
If you don’t have a well-established IR
plan, that’s a problem. Make sure you
understand the 72-hour notification
requirement, and work with your legal
team to get your plans ironed out so that
you can comply with it.

13. MEDIUM-TERM

14. ONE
CLASSIFY DATA
Data classification allows
organizations to identify the business
value of unstructured data at the time
of creation, separate valuable
information that may be targeted from
less valuable information, and make
informed decisions about resource
allocation to secure data from
unauthorized access.

15. TWO
ENABLE
CONTROLS
Establish baseline cybersecurity
measures and define policy-based
controls for each data classification
label to ensure the appropriate
solutions are in place. High-risk data
requires more advanced levels of
protection while lower-risk data
requires less protection.

16. THREE
REPORTING &
ALERTING
Identify: user trends, training
requirements and risky behavior
Analyze: policy alerts and
usage patterns
Control: data flow

17. Under the GDPR, third parties
may be considered regulated
“data processors”, and are thereby
subject to the directive. For example, if
you are a retailer that collects customer
information, which you then share with a
third-party call center, then under the
GDPR you are the data controller, and
the call center is the data processor; you
both need to maintain compliance.
FOUR
THIRD
PARTY-RISK

18. 3RD PARTY RISK PROGRAM ELEMENTS
Map your data. Understand which third parties have access to data, what categories of data they have,
and what they are doing with it. Make sure you collect only the minimum amount of personal data
required for the product or service, and review legal grounds for collection and processing.
Ensure you have appropriate budget and resources allocated for completing assessments of third
parties, and for remediation projects.
Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains
requirements for contracts with data processors, as well as between data controllers), and with your
own security policies.
Complete assessments of all third parties that have access to, handle or touch your client/personal
data to ascertain their awareness of specific requirements, and to ensure that they have appropriate
technical and organizational measures in place to comply.
Ensure third parties are scored based on risk-assessment results and other due diligence. For
high-risk third parties, identify audit partners for the assessment of processes, and set the scope of
remediation programs and ongoing monitoring requirements.

19. Ask Yourself:
a) Yes
b) No
c) Not sure
DO YOU EVALUATE THE SECURITY
PRACTICES OF VENDORS BEFORE
STARTING A BUSINESS
RELATIONSHIP?

20. LONG-TERM

21. It is no longer enough to focus IT
security efforts on networks and
endpoints. The development of a
robust data-centric security
program is invaluable not only to
the GDPR, but to all data protection
and data privacy efforts. A
comprehensive data-centric
security strategy includes:
DATA-CENTRIC
SECURITY

22. CLASSIFICATION
Policy
Data handling procedures
Report/detect/protect
IR /forensics
Risk-based approach
Identify business owners

23. DATA
DISCOVERY
Determine where and
what type of data is stored
Continuous process to provide
visibility, outline risk, and validate
employee role assignment
Confirm awareness level
and policy compliance as
well as enhancement

24. ENCRYPTION
STRATEGIES
Consider SSL decryption at
gateway points of access
Data-in-motion
Data-at-rest
Data-in-use

25. IDENTITY
MANAGEMENT
Directory unification
Access management
Federation privileged access
Access governance and authentication

26. WE’RE ALL GOING TO HAVE TO
CHANGE THE WAY WE THINK
ABOUT DATA PROTECTION.
— Elizabeth Denham, UK Information Commissioner

27. AND
KEEP
CALM
COMPLY
WITH
GDPR

28. http://focus.forsythe.com/articles/562/Addressing-
the-EU-GDPR-and-New-York-Cybersecurity-
Requirements-3-Keys-to-Success
CHECK OUT THE
ORIGINAL ARTICLE:

29. http://focus.forsythe.com
OR FIND MORE ARTICLES ABOUT
BUSINESS AND TECHNOLOGY
SOLUTIONS AT FOCUS ONLINE:

30. Author:
Thomas Eck
Director, Security Programs & Strategy, Forsythe
Doug Snow
Vice President, Customer Success, TITUS
www.forsythe.com
Forsythe is a leading enterprise IT company,
providing advisory services, security, hosting
and technology solutions for Fortune 1000
organizations. Forsythe helps clients optimize,
modernize and innovate their IT to become
agile, secure, digital businesses.