This presentation reviews GDPR at a high level, and presents the core philosophy behind GDPR as well as the key concepts and key elements to consider in your data protection program.

1. Being Ready for
GDPR

2. Jessvin Thomas
CTO
Next Generation SOC,
Orchestration & Analytics
Internal Information Security
Investments in Carbon Black,
Cylance, iSight Partners
Cloud, Automation & Tooling for
Consumer Internet Services
2

3. Agenda
1. What Makes GDPR Different
2. Principles of GDPR
3. GDPR Pyramid
4. Your Responsibilities
5. Data Protection as Part of Security
6. Takeaways & Checklist

4. “We believe that data is the phenomenon of our time. It is the world's
new natural resource. It is the new basis of competitive advantage, and
it is transforming every profession and industry. If all of this is true –
even inevitable – then cyber crime, by definition, is the greatest threat
to every profession, every industry, every company in the world.”
Ginni Rometty, CEO IBM
IBM Security Summit
New York City May 14, 2015

5. What Makes GDPR
DIFFERENT
Data Confidentiality
as the Only Concern
Perimeter-Oriented Protection
Personal Data Rights

6. What Makes GDPR
DIFFERENT
Personal Data Includes:
Electronic Tracking – IP
Addresses, Emails, etc.
Genetic Data
Cultural Data & Affiliations
Social Identity

7. What Makes GDPR
DIFFERENT

8. GDPR
Principles 02
03
Free Data Movement
Personal Data Rights
Data Protection by Design
01

9. Who is on the
Hook?
Data Controller
Data Processor
Body which, alone or jointly
with others, determines the
purposes and means of the
processing of personal data
Body which processes
personal data on behalf
of the controller

10. Controller
Responsibilities
Processed lawfully, fairly and in a transparent
manner
For specified, explicit and legitimate purposes
Protected in a manner that ensures appropriate
security
Adequate, relevant and limited to what is necessary
Accurate and, where necessary, kept up-to-date
Kept in a form which permits identification of data
subjects for no longer than is necessary

11. Things You May Have Heard About:
Consent & Opt Out Right to Erasure Portability
Requirements for Processing Vary by:
Reasons for Processing and
Method of Data Acquisition

12. 01 Personal Data
02
03
Processing Purposes
04
Processing Authorization
05
Processing Requirements
Pyramid
of GDPR
Rights to Personal Data

13. 01
Personal Data
02
03
Digital ID
Special Categories
Identifying Data: Direct or Indirect
01

14. 02
Processing Purposes
02
03
Marketing & Profiling
• Monitoring of the behavior of such data
subjects in so far as their behavior takes place
within the Union.
• Profiling a natural person, particularly in order
to take decisions concerning her or him or for
analyzing or predicting her or his personal
preferences, behaviors and attitudes.
Corporate / Employer
Services
Goods or services to such data subjects,
irrespective of whether connected to a payment
Scientific, Research or Statistical
Purposes04
01

15. 03
Processing Authorization
02
03
Contract Performance
Legal Obligation
Consent
04 Protect Vital Interests
05 Protect Public Interests
06 Protect Controller Interests
01

16. 03
Processing Authorization
For consent:
• Controller shall be able to demonstrate that
the data subject has consented
• Request presented in a manner which is
clearly distinguishable from the other matters
• Request in an intelligible and easily accessible
form, using clear and plain language
• Data subject shall has right to withdraw his or
her consent at any time
• It shall be as easy to withdraw as to give
consent
• Consent is freely given
• Processing is only for what is needed to
execute the contract
01 Consent

17. Rights to Personal Data
Layman’s Terms
Right to Collection Metadata
Access Data
Fix Accuracy
Erasure
Data Portability
Object & Restrict Processing
Human Intervention
04

18. 05
Processing
Requirements
02
03
Records Management
Security
Controller/Process Requirements
04 Breach Notification:
Supervisory Authority
05 Breach Notification:
Data Subject
01

19. 05
Processing
Requirements
• Processor shall not engage another
processor without prior specific or general
written authorization of the controller
• Processing by a processor shall be governed
by a binding contract that sets out:
• The subject matter
• Duration of the processing
• Nature of the processing
• Type of personal data and categories of
data subjects
• The obligations and rights of the
controller
• Processor only on documented instructions
from the controller
• Ensures that persons authorized to process
have committed to confidentiality
• Takes all measures required pursuant to
security
• At choice of controller, deletes or returns all
the personal data to the controller after the
end of the provision* deletes existing copies
• Makes available to the controller all
information necessary to demonstrate
compliance with the obligations laid out
01
Controller/Process
Requirements

20. 05
Processing
Requirements
02 Records Management
Each controller and processor shall maintain a
record of processing containing:
• The name and contact details of the
controller/processor and the data protection
officer
• The purposes of the processing
• A description of the categories of data
subjects and of the categories of personal
data
• The categories of recipients to whom the
personal data have been or will be
disclosed
• Transfers to a third country or an
international organization and suitable
safeguards
• Where possible, the envisaged time limits
for erasure of the different categories of
data
• Where possible, a general description
security measures

21. 05
Processing
Requirements
03 Security
Taking existing capability, costs, nature, scope,
context of processing, controller & processor
shall implement security appropriate to the risk
of disclosure impacting rights and freedoms of
natural persons such as:
• The pseudonymisation and encryption of
personal data
• The ability to ensure the ongoing
confidentiality, integrity, availability and
resilience of processing systems and
services
• The ability to restore the availability and
access to personal data in a timely manner in
the event of a physical or technical incident
• A process for regularly testing, assessing
effectiveness of security of processing

22. 05
Processing
Requirements
04 Breach Notification:
Supervisory Authority
• Controller shall without delay and by 72 hours
notify supervisory authority unless the
personal data breach is unlikely to result in a
risk to the rights and freedoms of natural
persons
• Where the notification to the supervisory
authority is not made within 72 hours, it shall
be accompanied by reasons for the delay
• The processor shall notify the controller
without undue delay after becoming aware of
a personal data breach
• The notification shall at least:
• describe nature of breach including where possible, the
categories and approximate number of data subjects
concerned and the categories and approximate number
of personal data records concerned
• Communicate the name and contact details of the data
protection officer or other contact point where more
information can be obtained;
• describe the likely consequences of the personal data
breach
• Describe the measures taken or proposed to be taken
by the controller to address the personal data breach,
including, where appropriate, measures to mitigate its
possible adverse effects.

23. 05
Processing
Requirements
05
Breach Notification:
Data Subject
• When the personal data breach is likely to
result in a high risk to the rights and
freedoms of natural persons, the controller
shall communicate the personal data
breach to the data subject without undue
delay

24. 01
02
03
04
Data Protection Officer
Impact Assessment
Code of Conduct
Transfer to Third Countries
05 Specific Situations
Miscellaneous
Conditions

25. Transfers to
Third Countries

26. What
Customers
Usually Ask For
01
02
03
04
Standard Commission Clauses
Notification in 72 Hours or Less
Data Protection Officer
Non-Transfer or Collection of Data

27. Data Protection is Still
Part of the Security Program People
ApplicationsInfrastructure
Protect weak links to where
attacks gain a foothold in the
environment
Ensure a incident response plan
is documented and practiced

28. Data Protection Will be Part of the Fabric
U.S. Bancorp hit with fines for poor compliance with
anti-money laundering laws
Federal regulators on Thursday hit U.S. Bancorp, the
nation's biggest regional bank, with more than $800 million
in fines for deficient anti-money laundering practices.
2016 Revenue: $21B
Impact: 3.8%

29. Key Takeaways
01 Data protection is as much about usage as disclosure
02
GDPR is focused on the rights of individuals:
Data analytics and methods of identifying individuals are impacted
03 The purpose you collect the data for impacts the complexity of oversight
04 When consent is required, erasure, accuracy, portability and objections come into play
05 For security pseudonymization, encryption and breach notification are important
06 A documented and followed data privacy design will go a long way

30. Thank You