GDPR Overview

  1. GDPR Overview
     Carlin Dornbusch, CISSP
     American Cyber Security Management
     http://americancsm.com/
  2. ● EU Privacy History
     ● GDPR Outline & Terms
     ● GDPR Principles
     ● Subject Rights
     ● Controller and Processor Responsibilities - Privacy by Design and Privacy by Default
     ● Governance - Data Protection Officer, DPIA
     ● GDPR 2016-2018 Timeline
     ● GDPR vs Privacy Shield
     ● Projects vs Strategy Overview
  3. EU Privacy History
  4. Privacy Shield & GDPR Timing
  5. GDPR Summary - Are you ready for May 25th 2018?
     New Scope, New Rights, New REGULATION, New Penalties
     New Data Subject Rights:
     • Right to Access
     • Right to Rectify
     • Right to Erasure
     • Right to Restriction
     • Data Portability
     • Right to Object
     New Scope:
     • PII of Data Subject
     • Processors
     • Controllers
     • Any Location
     • Goods & Services
     • Monitoring
     New Penalties:
     • 4% or €20M
     • 2% - No Docs, DPIA
     • Processors
     • Controllers
  7. GDPR Outline (1 of 3)
     Chapter 1 General Provisions: Objective, Scope, Definitions (Articles 1-4)
     Chapter 2 Principles: Lawfulness, Consent, Special Categories, no ID Required (Articles 5-11)
     Chapter 3 Rights of the Data Subject
       Section 1 – Transparency & modalities (Article 12)
       Section 2 – Information & access to personal data (Articles 13-15)
       Section 3 – Rectification & erasure (Articles 16-20)
       Section 4 – Right to object & automation (Articles 21-22)
       Section 5 – Restrictions (Article 23)
  8. GDPR Outline (2 of 3)
     Chapter 4 Controller & Processor
       Section 1 – General obligations (Articles 24-31)
       Section 2 – Security of personal data (Articles 32-34)
       Section 3 – DPIA & prior consultation (Articles 35-36)
       Section 4 – DPO (Articles 37-39)
       Section 5 – Code of Conduct & certs (Articles 40-43)
     Chapter 5 Transfers of personal data to 3rd countries or Int’l org’s: General principles for transfer (Articles 44-50)
     Chapter 6 Independent Supervisory Authorities
       Section 1 – Independent status (Articles 51-54)
       Section 2 – Competence, tasks and powers (Articles 55-59)
  9. GDPR Outline (3 of 3)
     Chapter 7 Cooperation & Consistency
       Section 1 – Cooperation (Articles 60-62)
       Section 2 – Consistency (Articles 63-67)
       Section 3 – European Data Protection Board (Articles 68-76)
     Chapter 8 Remedies, Liability and Penalties: Complaints, Representation, Fines (Articles 77-84)
     Chapter 9 Provisions relating to specific processing situations: Freedom of expression, public access, Secrecy, Church (Articles 85-91)
     Chapter 10 Delegated acts and implementing acts: Exercise of delegation, committee procedure (Articles 92-93)
     Chapter 11 Final Provisions: Directives 95/46/EC and 2002/58/EC, Prior to May 24, 2016, Commission reports, legal acts, entry into force and application (Articles 94-99)
  10. GDPR Terminology (1 of 2) - Article 4
      • Personal Data – any information relating to an identified or identifiable natural person (‘data subject’)
      • Data Subject – any person who can be identified by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
      • Processing – any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
  11. GDPR Terminology (2 of 2) - Article 4
      • Data Controller – the one who determines the purposes and means of the processing of personal data
      • Data Processor – the one who processes personal data on behalf of the controller
      • Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
      • Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
  13. GDPR Principles (Articles 5-11)
      ● Lawfulness, fairness, and transparency
      ● Explicit purpose limitation
      ● Data minimization
      ● Accuracy
      ● Storage limitation
      ● Integrity and confidentiality
      ● Accountability
  14. Lawful Processing (Article 6)
      You can process personal data if one of these is true:
      ● Data subject gave consent
      ● Necessary to perform contract with data subject
      ● Required for compliance
      ● Required to protect vital interests of data subject
      ● Required to execute tasks in public interest
      ● Legitimate interests
  16. Data Subjects Rights
      • Transparency & Modalities - Article 12
      • Collection of Data - Article 13
      • Obtained from Another Source - Article 14
      • Right of Access – Article 15
      • Right of Rectification – Article 16
      • Right of Erasure – Article 17
      • Right of Restricted Processing – Article 18
      • Right of 3rd-Party Notification – Article 19
      • Right of Data Portability – Article 20
      • Right to Object – Article 21
      • Automated Processing – Article 22
      • Restrictions - Article 23
  17. Right of Access (Article 15)
      Data subjects have the right to understand the following:
      ● Purpose for which the data is being processed
      ● “Categories” of personal data
      ● “Recipients” of the data (including third countries)
      ● Period of retention
      ● How to request deletion of, or restrict access to, the data
      ● How to lodge a complaint
      ● The source of the data, when the data is not personal data
      ● The existence of automated decision making, including profiling
      ● How to request a copy of the data
  18. Right of Rectification (Article 16)
      Data subjects have the right to:
      ● Modify inaccurate personal data
      ● Have incomplete personal data completed
  19. Right of Erasure (Article 17, 1 of 2)
      Data subjects have the right to have their personal data deleted when:
      ● The data is no longer relevant to its intended purpose
      ● Consent is withdrawn by the data subject
      ● The data subject objects to its use
      ● The personal data was unlawfully processed
      ● Deletion is required for compliance reasons
      ● The data relates to Article 8(1) children’s information
  20. Right of Erasure (Article 17, 2 of 2)
      When the controller has made the personal data public:
      ● The controller may take “reasonable steps”, depending on available technology and cost, to inform the processor to delete the personal data of the data subject, including links and backups.
      This right doesn’t apply if:
      ● It violates the right of freedom of expression
      ● It is carried out in the public interest
      ● The reason is public interest related to public health
      ● Scientific or historical research
      ● Establishment, exercise, or defense of a legal claim
  21. Right of Restricted Processing (Article 18)
      Data subjects have the right to restrict the processing of their data:
      ● If there is a dispute, during the period it takes to verify it
      ● If they don’t want their data deleted but would rather have it restricted
      ● If the data can’t be deleted for legal reasons
      And to be informed when the restriction is lifted.
  22. Right of 3rd Party Notification (Article 19)
      The controller must notify the recipient when:
      ● Rectification is carried out (Article 16)
      ● Erasure of personal data is complete (Article 17)
      ● Restriction of Processing is complete (Article 18)
      Data Subjects may request a list of the recipients.
  23. Right of Data Portability (Article 20)
      The data subject has the right to move their personal data from one controller to another.
      ● Receive the personal data in a common, easy to use format
      ● If it is technically feasible, the transfer can be done automatically at the data subject’s request
      ● This doesn’t apply to processing which is in the public interest
      ● And this shall not adversely affect others
  24. Right to Object (Article 21)
      The data subject has the right to object to processing!
      ● Controller must stop, unless for legal reasons
      ● This includes direct marketing campaigns
      Unless the processing is for scientific or historical purposes AND it is for reasons of public interest.
  25. Profiling (Article 22)
      The data subject has the right to not be subjected to automated processing, unless:
      ● It is contractually necessary for the Controller/Processor
      ● It is authorized by the EU
      ● Explicit consent is given
      Controllers must ensure data subjects can raise objections to the automated processing.
  27. Controller Responsibilities (Article 24)
      The controller shall implement appropriate technical and organizational measures, which will be reviewed and updated as necessary. If needed, the controller will also implement appropriate data protection policies.
      Compliance can be demonstrated through either an ‘approved’ code of conduct or an ‘approved’ certification mechanism.
      Code of Conduct: Article 40, approved under Article 55
      Certification: Article 42, approved under Article 55/56
  28. Processor Responsibilities (Article 28)
      Only use processors with sufficient guarantees of technical and organizational measures.
      The processor may not use another processor without prior specific or general written authorization. The controller has the opportunity to object to the change.
  29. Secure Processing (Article 32)
      The Controller/Processor are responsible for:
      • The pseudonymization and encryption of data
      • Ensuring ongoing CIA (confidentiality, integrity, availability) and resilience of systems
      • Ensuring the recovery of personal data in any incident
      • Regular testing, assessing, and evaluating of the system
      • Ensuring accidental or unlawful destruction, loss, alteration, or unauthorized disclosure are minimized
      • Ensuring that ‘natural persons’ only act under the authority of the controller
  30. Breach Notice to Authorities (Article 33)
      The Controller must notify supervisory authorities within 72 hours with:
      • nature of breach and volume
      • contact info of DPO
      • likely consequences of breach
      • measures to be taken for mitigation
      If discovered by the Processor, the Processor must notify the Controller.
      Controller must control the documentation.
  31. Breach Notice to Data Subject (Article 34)
      The Controller must notify data subjects “without undue delay” with:
      • contact info of DPO
      • likely consequences of breach
      • measures to be taken for mitigation
      Except in the cases of:
      • data was encrypted
      • the high risk will not materialize
      • disproportionate effort of communication - use public communications
  32. Data Protection – by design & default (Article 25): Privacy By Design
      Technical and Organizational Controls are Required.
      Controllers should take appropriate measures for processing, including implementing data protection principles:
      • Pseudonymization
      • Data minimization
  33. Data Protection – by design & default (Article 25): By Default
      Technical and Organizational Controls are Required.
      Ensuring only required data is collected and, by default:
      • The amount of data is limited
      • The extent of processing and accessibility is limited
      • The period of storage is defined and limited
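The Article 25 and Article 32 slides above name pseudonymization, data minimization and storage limitation as default controls but do not show what they look like in code. The following is an added example, not part of the deck and not code from American Cyber Security Management: the purpose-to-field map, the retention periods, the field names, the key and the sample record are all constructed for illustration. It pseudonymizes the direct identifier with a keyed HMAC (so re-linking needs a key that is held separately from the data), drops every field the stated purpose does not need, and refuses to process a record whose retention period for that purpose has lapsed.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed purpose map: the fields each processing purpose genuinely needs.
# Anything not listed is dropped before processing (data minimization by default).
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "postal_address", "order_total"},
    "analytics": {"customer_id", "order_total", "country"},
}

# Constructed retention periods per purpose (storage limitation by default).
RETENTION = {
    "order_fulfilment": timedelta(days=730),
    "analytics": timedelta(days=90),
}


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym (HMAC-SHA256).

    A plain SHA-256 of an e-mail address is a weak pseudonym: addresses are
    low-entropy, so anyone holding the dataset can hash candidate addresses and
    re-identify rows. With an HMAC, re-linking needs the key, which plays the
    role of the 'additional information kept separately' in GDPR's definition
    of pseudonymization (Article 4(5)).
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """True when the record is older than the purpose's retention period."""
    return now - collected_at > RETENTION[purpose]


def prepare_for_processing(record: dict, purpose: str, key: bytes, now: datetime):
    """Default pipeline for a raw customer record.

    Returns the minimized, pseudonymized record, or None when the retention
    period for this purpose has lapsed (the caller should delete, not process).
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no lawful purpose configured for {purpose!r}")
    if is_expired(record["collected_at"], purpose, now):
        return None
    working = dict(record)  # never mutate the caller's copy
    # The direct identifier never reaches the processing step; only the pseudonym does.
    working["customer_id"] = pseudonymize(working.pop("email"), key)
    return minimize(working, purpose)


# Constructed sample data. In practice the key lives in a separate secret store,
# apart from the pseudonymized records.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE = {
    "email": "alice@example.com",
    "name": "Alice Example",
    "postal_address": "1 Example Street, Dublin",
    "order_total": 42.0,
    "country": "IE",
    "collected_at": NOW - timedelta(days=120),
}
FRESH_SAMPLE = dict(SAMPLE, collected_at=NOW - timedelta(days=10))

if __name__ == "__main__":
    # 120-day-old record: still usable for fulfilment, past retention for analytics.
    print(prepare_for_processing(SAMPLE, "order_fulfilment", DEMO_KEY, NOW))
    print(prepare_for_processing(SAMPLE, "analytics", DEMO_KEY, NOW))
    print(prepare_for_processing(FRESH_SAMPLE, "analytics", DEMO_KEY, NOW))
```

The design choice worth noting is that the purpose is an input to the pipeline rather than an afterthought: the same raw record yields different minimized outputs for fulfilment and analytics, and the retention clock is also per purpose, which is what "the extent of processing and the period of storage are limited by default" means in practice.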
  35. Data Protection Officer (Article 39)
      Data Protection Officer (DPO) – Oversees the data protection responsibilities within the organization and ensures compliance with the privacy regulations and laws
      • Works independently
      • Directs and oversees all data protection activities
      • Creates the policies and procedures around data protection
      • Ensures staff are trained
      • Manages third party vendors
      • Global coordination
      • Handles public requests for personal data
      • Primary POC for regulatory authorities
  36. DPO Assignment (Article 37)
      You must assign a DPO if:
      - You are a public processor
      - You regularly and systematically monitor data subjects on a large scale
      - You are processing on a large scale any special categories of data pursuant to Article 9, or personal data relating to criminal convictions and offences referred to in Article 10
  37. DPO Reporting (Article 38)
      The DPO must:
      • Be involved in all issues of personal data protection
      • Be resourced to carry out tasks and maintain knowledge
      • Not be dismissed or penalized for job execution
      • Report to the highest level of management
      • Be available to service data subject requests
      • Be bound to secrecy or confidentiality
      • Execute other tasks, as necessary, that do not conflict
  38. Data Protection Impact Assessments (DPIAs) (Article 35)
      Controllers must determine whether a DPIA is required via Risk Analysis:
      • If processing produces a legal effect on subjects
      • Criminal data types
      • Large scale monitoring
      • Review the types of processing governed by the EU
      Must perform the DPIA PRIOR to processing
      Must involve the DPO
  39. DPIAs (2 of 2) (Article 35)
      DPIAs must contain:
      • Processing operations descriptions
      • Assessment of necessity and proportionality
      • Assessment of risks to the subject’s rights
      • Risk mitigation plan
      DPIAs must be compliant with codes of conduct
      DPIAs shall incorporate Subject feedback
      DPIAs must be executed as risk changes
  41. GDPR Operational Timeline (2016-2018)
      Phases shown on the slide: Program Team, Assess Risk, Awareness, Define Controls, Implement Controls, Measure Controls, Demonstrate, Maintain, Adoption, Transition, Assess
  43. GDPR vs. Privacy Shield
      GDPR
      ● Principles:
        ● Lawfulness, fair, transparent
        ● Explicit purpose
        ● Data minimization
        ● Accuracy
        ● Storage Limitation
        ● Integrity and Confidentiality
        ● Accountability
      ● Enables Selling to EU
      ● Auditable
      ● Enforced by EU
      Privacy Shield
      ● Principles:
        ● Notice
        ● Choice
        ● Accountability for Onward Transfer
        ● Security
        ● Data Integrity and Purpose Limitation
        ● Access
        ● Recourse, Enforcement and Liability
      ● Allows EU-to-US data transfer
      ● Self Audit
      ● Enforced by U.S.
  45. GDPR as a Priority
      • 92% of US multinational companies think compliance with GDPR is a top data protection priority
      • 68% will spend between $1-10M on GDPR readiness
      • Fear is a big motivator
      • Concerns over consumer trust because of data breaches, which lead to lost revenue and fines
      Source: CIO, 1-26-17, https://www.cio.com/article/3161920/privacy/article.html
  46. Are You Ready for GDPR?
      If GDPR applies to your company:
      • When did you last update your Privacy/Cookie Policy?
      • How do you protect customer PII?
      • Do you collect explicit consent from your customers?
      • Can you remove individual data from your systems?
      • Is your data anonymized and encrypted?
      • Are your vendor contracts up-to-date?
      • Is your Incident Response Plan tested?
  47. GDPR Planning
      • Organize – Assign a DPO (Data Leader)
      • Find Your Data
      • Know your Data Flows
      • Determine Your Risks
      • Assess your Controls
      • Implement Privacy Shield for EU to US data access
      • Comply with Local, State, Federal and Intern’l Laws
      • Begin DPIAs
      • Document, Document, Document
      • Improve your Incident Mgmt/Breach Notification
  48. Next Step: GDPR Assessment
      Data Inventory, Data Flows, Controls Review, Questionnaires, Risk Analysis, Cookie Compliance, Recommendations, Remediation
  49. Thank You
      Carlin Dornbusch, CISSP
      Carlin@AmericanCSM.com
      http://www.americancsm.com
      https://youtu.be/Dq2CCJ4ruqc