This presentation reviews GDPR at a high level, and presents the core philosophy behind GDPR as well as the key concepts and key elements to consider in your data protection program.
2. Jessvin Thomas, CTO
• Next Generation SOC, Orchestration & Analytics
• Internal Information Security
• Investments in Carbon Black, Cylance, iSight Partners
• Cloud, Automation & Tooling for Consumer Internet Services
3. Agenda
1. What Makes GDPR Different
2. Principles of GDPR
3. GDPR Pyramid
4. Your Responsibilities
5. Data Protection as Part of Security
6. Takeaways & Checklist
4. “We believe that data is the phenomenon of our time. It is the world's new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.”
Ginni Rometty, CEO IBM, IBM Security Summit, New York City, May 14, 2015
6. What Makes GDPR Different
Personal Data Includes:
• Electronic Tracking – IP Addresses, Emails, etc.
• Genetic Data
• Cultural Data & Affiliations
• Social Identity
9. Who is on the Hook?
• Data Controller: body which, alone or jointly with others, determines the purposes and means of the processing of personal data
• Data Processor: body which processes personal data on behalf of the controller
10. Controller Responsibilities
Personal data shall be:
• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Protected in a manner that ensures appropriate security
• Adequate, relevant and limited to what is necessary
• Accurate and, where necessary, kept up-to-date
• Kept in a form which permits identification of data subjects for no longer than is necessary
11. Things You May Have Heard About:
• Consent & Opt Out
• Right to Erasure
• Portability
Requirements for Processing Vary by:
• Reasons for Processing
• Method of Data Acquisition
12. Pyramid of GDPR
01 Personal Data
02 Processing Purposes
03 Processing Authorization
04 Rights to Personal Data
05 Processing Requirements
14. 02 Processing Purposes
Marketing & Profiling
• Monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union.
• Profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.
Corporate / Employer
Services
• Goods or services to such data subjects, irrespective of whether connected to a payment
Scientific, Research or Statistical Purposes
16. 03 Processing Authorization
01 Consent
For consent:
• Controller shall be able to demonstrate that the data subject has consented
• Request presented in a manner which is clearly distinguishable from the other matters
• Request in an intelligible and easily accessible form, using clear and plain language
• Data subject shall have the right to withdraw his or her consent at any time
• It shall be as easy to withdraw as to give consent
• Consent is freely given
• Processing is only for what is needed to execute the contract
17. 04 Rights to Personal Data
Layman’s Terms:
• Right to Collection Metadata
• Access Data
• Fix Accuracy
• Erasure
• Data Portability
• Object & Restrict Processing
• Human Intervention
19. 05 Processing Requirements
01 Controller/Processor Requirements
• Processor shall not engage another processor without prior specific or general written authorization of the controller
• Processing by a processor shall be governed by a binding contract that sets out:
  • The subject matter
  • Duration of the processing
  • Nature of the processing
  • Type of personal data and categories of data subjects
  • The obligations and rights of the controller
• Processor processes only on documented instructions from the controller
• Ensures that persons authorized to process have committed to confidentiality
• Takes all measures required pursuant to security
• At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services, and deletes existing copies
• Makes available to the controller all information necessary to demonstrate compliance with the obligations laid out
20. 05 Processing Requirements
02 Records Management
Each controller and processor shall maintain a record of processing containing:
• The name and contact details of the controller/processor and the data protection officer
• The purposes of the processing
• A description of the categories of data subjects and of the categories of personal data
• The categories of recipients to whom the personal data have been or will be disclosed
• Transfers to a third country or an international organization and suitable safeguards
• Where possible, the envisaged time limits for erasure of the different categories of data
• Where possible, a general description of the security measures
21. 05 Processing Requirements
03 Security
Taking into account existing capability, costs, and the nature, scope and context of processing, the controller and processor shall implement security appropriate to the risk of disclosure impacting the rights and freedoms of natural persons, such as:
• The pseudonymisation and encryption of personal data
• The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
• A process for regularly testing and assessing the effectiveness of the security of processing
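As an added example that is not part of the deck, the pseudonymisation measure listed above in Python: identifiers the deck counts as personal data (e-mail, IP address) are replaced with keyed HMAC-SHA256 tokens under a key held only by the controller, so records can still be joined for analytics while nobody without the key can re-identify the person. The sample record, the key value and the function names are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable

# Constructed sample record (not real data) holding the identifier types the
# deck lists as personal data: an e-mail address and an IP address.
SAMPLE_RECORD = {
    "event": "login",
    "email": "Alice@Example.com",
    "ip": "203.0.113.42",
    "ts": "2018-05-25T08:00:00Z",
}

def pseudonymise_value(value: str, key: bytes, field: str) -> str:
    """Keyed, deterministic token for one identifier.

    HMAC-SHA256 under a key held only by the controller: equal inputs give
    equal tokens (records can still be joined), but nobody without the key
    can reverse a token or recompute it from a guessed identifier. The field
    name is bound into the message so the same text in two fields never
    yields the same token. Rotating the key severs all existing linkages."""
    msg = f"{field}:{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def pseudonymise_record(record: Dict[str, str], key: bytes,
                        fields: Iterable[str]) -> Dict[str, str]:
    """Copy of record with each named identifier field replaced by its token."""
    out = dict(record)
    for field in fields:
        if out.get(field):
            out[field] = pseudonymise_value(out[field], key, field)
    return out

def generalise_ip(ip: str) -> str:
    """Coarser alternative to a token: keep only the /24 (IPv4) or /48 (IPv6)
    network, which no longer singles out one host but still supports
    per-network analytics."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

if __name__ == "__main__":
    key = b"controller-held-secret-key"   # constructed; real keys belong in a KMS/HSM
    print(pseudonymise_record(SAMPLE_RECORD, key, ["email", "ip"]))
    print(generalise_ip(SAMPLE_RECORD["ip"]))
```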
22. 05 Processing Requirements
04 Breach Notification: Supervisory Authority
• Controller shall, without undue delay and within 72 hours, notify the supervisory authority unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
• Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay
• The processor shall notify the controller without undue delay after becoming aware of a personal data breach
• The notification shall at least:
  • Describe the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
  • Describe the likely consequences of the personal data breach
  • Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
23. 05 Processing Requirements
05 Breach Notification: Data Subject
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay
27. Data Protection is Still Part of the Security Program
People | Applications | Infrastructure
• Protect the weak links where attacks gain a foothold in the environment
• Ensure an incident response plan is documented and practiced
28. Data Protection Will be Part of the Fabric
U.S. Bancorp hit with fines for poor compliance with anti-money laundering laws
Federal regulators on Thursday hit U.S. Bancorp, the nation's biggest regional bank, with more than $800 million in fines for deficient anti-money laundering practices.
2016 Revenue: $21B
Impact: 3.8%
29. Key Takeaways
01 Data protection is as much about usage as disclosure
02 GDPR is focused on the rights of individuals: data analytics and methods of identifying individuals are impacted
03 The purpose you collect the data for impacts the complexity of oversight
04 When consent is required, erasure, accuracy, portability and objections come into play
05 For security, pseudonymization, encryption and breach notification are important
06 A documented and followed data privacy design will go a long way
Rights to Personal Data
People have the right to data about themselves, and to the collection or loss of that data not impacting their livelihood.
Personal Data
Combination of data sources that can uniquely identify a person.
Processing Purposes
The purpose the data is collected for (marketing, legal reasons, profiling) has a significant impact on the regulations that apply.
Processing Entities
Who initially gains access to the data vs. who does further processing.
Processing Requirements
Based on all of the above, requirements from data security to erasure apply.
## Transparent information, communication and modalities for the exercise of the rights of the data subject
* Controller shall:
  * communicate to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language
## Information to be provided where personal data are collected from the data subject
* Data collected from the data subject should include:
  * the identity and the contact details of the controller or representative;
  * contact details of the data protection officer, where applicable;
  * purposes of the processing as well as the legal basis for the processing;
  * where applicable, the legitimate interests pursued by the controller or by a third party;
  * the recipients or categories of recipients of the personal data, if any;
  * where applicable, the fact that the controller intends to transfer personal data to a third country or international organization
## Right of access by the data subject
* right to obtain confirmation as to whether or not personal data concerning him or her are being processed
* right to gain access to the data including:
  * where the data is processed
  * the purposes of the processing;
  * the categories of personal data concerned;
  * the recipients or categories of recipients
  * where possible, the envisaged period for which the personal data will be stored
  * existence of the rights to:
    * request rectification
    * request erasure
    * request restriction of processing
    * lodge a complaint with a supervisory authority
  * know any available information as to their source
  * know the existence of automated decision-making, including profiling
  * where transferred to a third country or to an international organisation, the safeguards applied
## Article 16: right to rectification
* right for the data subject to have the controller verify/certify that data is correct
## Article 17: right to erasure
* data subject has the right to erase personal data if:
  * the personal data are no longer necessary
  * if based on consent, consent is withdrawn
  * there are no more legitimate grounds for processing
## Article 18: Right to restriction of processing
* data subject has the right to obtain restriction of processing if:
  * accuracy is contested by the data subject
  * processing is unlawful
  * controller no longer needs the personal data
  * the data subject has correctly objected to processing
## Article 19: notification obligation regarding rectification or erasure of personal data or restriction of processing
* controller shall communicate any rectification or erasure of personal data or restriction of processing
## Article 20: Right to data portability
* where:
  * processing is based on consent
  * processing is carried out by automated means
* data subject has the right:
  * to receive data in a structured, commonly used and machine-readable format
  * to transmit those data to another controller without hindrance
# Section 4: Right to object and automated individual decision-making
* Processing is allowed if:
  * data subject has given consent, OR
  * processing is necessary for performance of a contract to which the data subject
  * processing is necessary for compliance with a legal obligation to which the controller is subject;
  * processing is necessary to protect the vital interests of the data subject or of another natural person;
  * processing is necessary for performance of a task carried out in the public interest
  * processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject
* Note: member states might make this more specific
## Article 9: Processing of special categories of personal data
* Prohibited processing of data:
  * revealing racial or ethnic origin,
  * revealing political opinions,
  * revealing religious or philosophical beliefs,
  * revealing trade union membership,
  * genetic data,
  * biometric data for the purpose of uniquely identifying a natural person,
  * data concerning health,
  * data concerning a natural person's sex life or sexual orientation.
* Exceptions to the prohibition:
  * when explicit consent is given
  * processing is necessary for employment, social services, and social protection
  * processing is necessary to protect the vital interests of the data subject
  * processing is carried out in the course of the legitimate activities of non-profits in these areas (e.g. a religious group or union)
  * data subject has already made the data public
  * necessary for protecting against legal claims
  * necessary for reasons of substantial public interest
  * necessary for the purposes of preventive or occupational medicine
  * necessary for reasons of public interest in the area of public health
  * necessary for archiving purposes in the public interest, scientific or historical research purposes