The document provides an overview of an upcoming presentation on the General Data Protection Regulation (GDPR). It begins with introductions and disclaimers from the presenter and VMware. It then outlines the areas that will be covered in the 30-minute presentation, including timeframes for GDPR compliance, key changes from the previous Data Protection Directive, myths about GDPR requirements, potential fines, and VMware products that can help with GDPR compliance.
3. VMWARE DISCLAIMER
• This presentation may contain product features or functionality that are currently under development
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind
• Technical feasibility and market demand will affect final delivery
• Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined
• This information is confidential
4. MY DISCLAIMER
• I am not a lawyer
• Technology is an enabler / helping hand for GDPR and not the answer
• Thoughts are my own, and not necessarily the thoughts of CDW
• The session is to get you thinking about GDPR if you haven't already
5. AREAS COVERED IN 30 MINUTES
• Timeframes
• Directive vs regulation
• Definitions
• Why the need for GDPR
• The high level differences between DPD & GDPR
• Key GDPR features / impact points
• GDPR myths
• Fines
• The structure
• The ICO advised approach
• My advised approach
• Where VMware can help
• Closing statement
9. TIMEFRAMES
• 8 April 2016 – European Council adopted the regulation
• 14 April 2016 – regulation was adopted by the European Parliament
• 4 May 2016 – published in the EU Official Journal in all the official languages
• 24 May 2016 – the regulation entered into force
• 25 May 2018 – applies from this date
This regulation shall be binding in its entirety and directly applicable in all member states
10. DIRECTIVE vs REGULATION
DIRECTIVE
Instrument passed at EU level
National implementation
Local variations
REGULATION
Instrument passed at EU level
No need for national implementation
One ring to rule them all
11. SOME DEFINITIONS
Personal Data
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Profiling
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
12. SOME DEFINITIONS
Pseudonymisation
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Controller
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Processor
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
13. SOME DEFINITIONS
Consent
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal Data Breach
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Enterprise
‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
Supervisory Authority
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
International Organisation
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
14. WHY THE NEED FOR GDPR & THE CHANGE?
[Timeline graphic (axis 1996 to 2016), reduced to its labelled points:]
• 1995 – EU DPD
• 1998 – UK released DPA
15. WHY THE NEED FOR GDPR & THE CHANGE?
Percentage of households with home computers in the United Kingdom
• 1990 – 17%
• 1996/1997 – 27%
• 2001/2002 – 49%
• 2007/2008 – 72%
• 2015/2016 – 88%
https://www.statista.com/statistics/289191/household-penetration-of-home-computers-in-the-uk/
Percentage of households with internet connection in the United Kingdom
• 1998/1999 – 9%
• 2001/2002 – 39%
• 2008 – 66%
• 2014 – 84%
https://www.statista.com/statistics/289201/household-internet-connection-in-the-uk/
17. HIGH LEVEL CHANGES FROM DPD TO GDPR
DPD: 34 Articles
GDPR: 99 Articles
DPD: 72 Recitals
GDPR: 173 Recitals
DPD: No detail on provisions of consent
GDPR: Details valid conditions for consent
DPD: No detail on children's data processing
GDPR: Details an age limit for making processing lawful in respect of children
DPD: Right to be forgotten only in limited circumstances (unlawful processing or incomplete/inaccurate)
GDPR: Lists conditions under which the right can be exercised
DPD: No obligations for maintaining records of processing activities
GDPR: Lists out obligations of controllers and processors to be able to demonstrate and become accountable for processing
DPD: No enforcement of accountability
GDPR: Enforcement of accountability and conditions for imposing fines
https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive
18. HIGH LEVEL CHANGES FROM DPD TO GDPR
GDPR
Regulation not a Directive
Personal Data Redefined (including online unique identifiers)
Mandatory Breach Notification
Financial Repercussions / Penalties
One Stop Shop (kind of)
Information Governance:
Track how and where data is used, captured, etc.
Transparency:
Controller must provide clear information on data subjects' rights
Explain how data will be processed
Any communication must be in clear, plain language that will be understood by the target audience
Data Portability:
Structured and machine readable
Controller to controller transmission upon request of the data subject
Right to be forgotten (if no legitimate ground for retention)
Data Processors liable to same level as Data Controllers
Global Impact for Multi National Businesses that Deal in the EU
19. GDPR MYTHS
BIGGEST THREAT IS EYE WATERING FINES
"Issuing fines has always been, and will continue to be, a last resort. Last
year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them
resulted in fines for the organisations concerned."
"While fines may be the sledgehammer in our toolbox, we have access to
lots of other tools that are well suited to the task at hand and just as
effective"
Elizabeth Denham, ICO
https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/
20. GDPR MYTHS
EVERY ORGANISATION NEEDS A DATA PROTECTION OFFICER!
DPOs must only be appointed in the case of: (a) public authorities, (b) organizations that
engage in large scale systematic monitoring, or (c) organizations that engage in large
scale processing of sensitive personal data
Read Article 37
21. GDPR MYTHS
GDPR IS A EUROPE ONLY ISSUE!
GDPR will affect any organisation that offers goods or services
to consumers in the EU or monitors the behaviour of people
located in Europe, regardless of where their offices or ad
servers are based.
Read REC 20, Article 4
22. GDPR MYTHS
Controllers don’t need data processing agreements with
processors because the GDPR imposes direct obligations on
processors
Data processing agreements are vital to the controller and processor relationship, as they bind both parties to specific terms.
Read Article 28
24. GDPR MYTHS
Pseudonymised Data (E.G. Hashed Data) Are Treated Exactly Like Any Other Personal Data Under The GDPR
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
Read Article 33 and 11
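The definition on slide 12 and the "hashed data" myth above turn on one condition: the link back to the data subject must depend on additional information that is kept separately. The following is an added example, not part of the slides or any VMware product, that makes that condition concrete on a constructed customer table. A plain SHA-256 of an e-mail address needs no secret, so anyone who can guess the address can recompute the pseudonym and confirm it; an HMAC keyed with a secret held by a separate custodian, plus a re-identification table stored with that secret, is what the definition describes. The record layout, field names and the `recomputable_without_secret` check are assumptions made for the illustration.

```python
"""Pseudonymisation in the Article 4(5) sense: attribution to the data subject
must require 'additional information' that is kept separately.

Added example with constructed data; the customer records are invented and the
function names are this example's own, not a library API.
"""
import hashlib
import hmac
import secrets

# Constructed sample data, not real customers.
CUSTOMERS = [
    {"email": "alice@example.com", "plan": "gold", "spend": 120},
    {"email": "bob@example.com", "plan": "basic", "spend": 15},
    {"email": "alice@example.com", "plan": "gold", "spend": 80},  # repeat purchase
]


def unkeyed_pseudonym(identifier: str) -> str:
    """Hash-only pseudonym: deterministic, but recomputable by anyone."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: recomputable only by whoever holds `key`."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (analytics_dataset, reidentification_table).

    The dataset carries only the pseudonym plus non-identifying fields. The
    table mapping pseudonym -> e-mail is the 'additional information' and must
    live on a separate system with its own access control, together with `key`.
    """
    dataset, lookup = [], {}
    for rec in records:
        pid = keyed_pseudonym(rec["email"], key)
        lookup[pid] = rec["email"]
        dataset.append({"subject": pid, "plan": rec["plan"], "spend": rec["spend"]})
    return dataset, lookup


def recomputable_without_secret(pseudonym: str, candidate: str) -> bool:
    """Defender's check: can a pseudonym be confirmed from a guessed identifier
    using no secret at all? True means the scheme fails the 'kept separately'
    condition and should be treated as ordinary personal data."""
    return hmac.compare_digest(unkeyed_pseudonym(candidate), pseudonym)


def spend_per_subject(dataset):
    """Analytics still works on pseudonyms: same subject -> same pseudonym."""
    totals = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["spend"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the key custodian, never with the dataset
    dataset, lookup = pseudonymise(CUSTOMERS, key)
    print(spend_per_subject(dataset))
    # Plain hash: confirmable from the e-mail alone.
    print(recomputable_without_secret(unkeyed_pseudonym("alice@example.com"), "alice@example.com"))
    # Keyed pseudonym: not confirmable without the separately held key.
    print(recomputable_without_secret(dataset[0]["subject"], "alice@example.com"))
```

The keyed dataset can be handed to an analytics team or a processor while the key and lookup table stay with the controller; rotating the key produces a fresh set of pseudonyms, which is the practical way to sever old joins when a retention period ends.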
25. THE FINES
Article 83 splits the amount of administrative fines according to the obligations infringed by controllers, processors or undertakings.

2% of total worldwide turnover or 10,000,000 EUR*
Obligations of controller and processor under:
• Article 8 - Conditions applicable to child's consent in relation to information society services
• Article 11 - Processing which does not require identification
• Art 25 to 39 - General obligations, Security of personal data, Data protection impact assessment and prior consultation
• Article 42 - Certification
• Article 43 - Certification bodies
Obligations of certification body under:
• Art 42
• Art 43
Obligations of monitoring body under:
• Art 41(4)

4% of total worldwide turnover or 20,000,000 EUR*
Basic principles for processing and conditions for consent under:
• Art 5 - Principles relating to processing of personal data
• Art 6 - Lawfulness of processing
• Art 7 - Conditions for consent
• Art 9 - Processing of special categories of personal data
Data subject's rights under:
• Article 12 to 22
Transfer of personal data to third country or international organization under:
• Article 44 to 49
Non-compliance with supervisory authority's powers under provisions of Article 58:
• Imposition of temporary or definitive limitation including ban on processing (Art 58(2)(f))
• Suspension of data flows to third countries or international organization (Art 58(2)(j))
• Provide access to premises or data processing equipment and means (Art 58(1)(f))

*Whichever is higher
26. FINANCIAL IMPACT EXAMPLE – A TELECOMMUNICATIONS PROVIDER
Record £400,000 Fine (October 2015 Attack)
Under GDPR this could have been up to £70m!
• Accessed personal data of 156,959 customers including names, addresses, DOB, phone numbers and email
• In 15,656 cases, the attacker obtained bank details
• Two early warnings – TELCO unaware!
http://cybersecurityinsights.foregenix.com/post/102dpzf/gdpr-fines-to-make-your-eyes-water
27. FINANCIAL IMPACT EXAMPLE
ICO’s in-depth investigation found that the attack could have been prevented if TELCO had taken basic steps to protect customers’ information
Technical weaknesses in TELCO systems:
• Out of date database software
• Did not scan infrastructure for possible threats
28. FINANCIAL IMPACT EXAMPLE
“In spite of its expertise and resources, when it came to the basic principles of cyber-security, TELCO was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers”
UK ICO, Elizabeth Denham
29. THE ESCALATION STRUCTURE (UK)
[Diagram, reduced to its labelled entities:]
• DATA SUBJECT (Individuals)
• DATA CONTROLLER (Organisation)
• DATA PROCESSOR (Service Provider)
• 3rd PARTY
• 3rd COUNTRIES
• LEAD SUPERVISING AUTHORITY (INFORMATION COMMISSIONER’S OFFICE – ICO)
• EUROPEAN DATA PROTECTION BOARD
30. ICO ADVISED APPROACH (UK)
1. AWARENESS
Make your organisation aware of the changes and impact of GDPR
2. INFORMATION YOU HOLD
Document what personal data you hold, where it came from and who you share it with
3. COMMUNICATING PRIVACY INFO
Review current privacy notices, plan for GDPR change requirements
4. INDIVIDUALS’ RIGHTS
Review procedures to ensure they cover all the rights individuals have, including how you will delete or provide data electronically
5. SUBJECT ACCESS REQUESTS
Update procedures and plan how you will manage requests within the new timescales
6. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Review existing data processing carried out, identify the legal basis for carrying it out
7. CONSENT
Review how you are seeking, obtaining and recording consent for any required changes
8. CHILDREN
Think about how you can verify individuals’ ages and gather parental/guardian consent for data processing activities
9. DATA BREACHES
Ensure procedures are in place to detect, report and investigate breaches
10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS
Look into providing privacy impact assessments, and when to implement them
11. DATA PROTECTION OFFICERS
Designate a data protection officer, or someone to take responsibility for compliance. Review where this role will sit in your organisation
12. INTERNATIONAL
Determine which data protection supervisory authority you come under
31. WHERE ORGANISATIONS ARE STRUGGLING
• Director level buy in
• Understanding of the impacts and risks to the business
• Lack of budget or resources
• Don’t understand what PII data is held or how it is captured
32. MY ADVISED STARTING POINT
• Start planning your approach to GDPR compliance NOW
• Secure buy-in from key people (senior execs and board members)
• Evaluate the differences between the current law and the GDPR – concentrate where you have gaps
• Document / understand what PII data you hold and where you obtained it from
• The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate accountability
• Certain parts of the GDPR have more of an operational impact on some organizations than on others
33. VMware Product and Capabilities Mapped to GDPR
• Micro-segmentation
• Automation, monitoring
• Audit features
• Logging
• Planning and designing network security
• Managing data flow
• Network isolation
• Workload segmentation
• Network monitoring
• Access control
• Protecting sensitive data
• Securing data exports
• Access controls with workloads and geotagging
• Access control with device location
• Multi-country data center design
• Monitoring and exposing network services via API
• Reviewing network architecture
• Data protection including encryption
• Business continuity, visibility
34. GDPR ARTICLE / GDPR DESCRIPTION / VMWARE PRODUCT AND CAPABILITIES
Article 18 – Right to restriction of processing
VMware NSX
• NSX Distributed Firewall
• NSX Service Composer
• NSX Logical Switches
• NSX Guest Introspection
• NSX Network Extensibility
Article 24 – Responsibility of the controller
VMware NSX
• NSX Application Rule Manager
• NSX Endpoint Monitoring
vRealize Network Insight
vRealize Operations
vRealize Log Insight
Article 25 – Data protection by design and by default
VMware NSX
• NSX Service Composer
• NSX Endpoint Monitoring
• NSX Guest Introspection
vSphere
vShield Endpoint
Article 26 – Joint controllers
VMware NSX
• NSX Distributed Firewall
vRealize Network Insight
Article 32 – Security of processing
VMware NSX
• NSX Service Composer
• NSX Edge Services Gateway
VMware vSphere
vCenter
VMware Data Protection
vSphere Replication
VMware vRealize Network Insight
VMware Site Recovery Manager
Article 35 – Data protection impact assessment
VMware NSX
• NSX Application Rule Manager
vRealize Network Insight
NSX vRealize Log Insight
35. WHERE VMWARE CAN ASSIST
• To learn more on how VMware can assist please visit the VMware booth or attend GRC3109PE and/or GRC3386BES