GDPR Overview
Carlin Dornbusch, CISSP
American Cyber Security Management
http://americancsm.com/
Overview
● EU Privacy History
● GDPR Outline & Terms
● GDPR Principles
● Subject Rights
● Controller and Processor Responsibilities
  - Privacy by Design and Privacy by Default
● Governance - Data Protection Officer, DPIA
● GDPR 2016-2018 Timeline
● GDPR vs Privacy Shield
● Projects vs Strategy
EU Privacy History
Privacy Shield & GDPR Timing
GDPR Summary
Are you ready for May 25th 2018? New regulation, new scope, new rights, new penalties.
New Data Subject Rights:
• Right to Access
• Right to Rectify
• Right to Erasure
• Right to Restriction
• Data Portability
• Right to Object
New Scope:
• PII of Data Subject
• Processors
• Controllers
• Any Location
• Goods & Services
• Monitoring
New Penalties:
• 4% or €20M
• 2% - No Docs, DPIA
• Processors
• Controllers
GDPR Outline (1 of 3)
Chapter 1 General Provisions
Objective, Scope, Definitions (Article 1-4)
Chapter 2 Principles
Lawfulness, Consent, Special Categories, no ID Required (Article 5-11)
Chapter 3 Right of the Data Subjects
Section 1 – Transparency & modalities (Article 12)
Section 2 – Information & access to personal data (Article 13 – 15)
Section 3 – Rectification & erasure (Article 16 – 20)
Section 4 - Right to object & automation (Article 21 – 22)
Section 5 – Restrictions (Article 23)
GDPR Outline (2 of 3)
Chapter 4 Controller & Processor
Section 1 – General obligations (Article 24-31)
Section 2 – Security of personal data (Article 32- 34)
Section 3 – DPIA & prior consultation (Article 35 – 36)
Section 4 – DPO (Article 37 - 39)
Section 5 – Code of Conduct & certs (Article 40-43)
Chapter 5 Transfers of personal data to 3rd countries or Int’l org’s
General principles for transfer (Article 44-50)
Chapter 6 Independent Supervisory Authorities
Section 1 Independent status (Article 51-54)
Section 2 Competence, task and powers (Article 55 -59)
GDPR Outline (3 of 3)
Chapter 7 Cooperation & Consistency
Section 1 Cooperation (Article 60-62)
Section 2 Consistency (Article 63 – 67)
Section 3 European data protection board (Article 68 - 76)
Chapter 8 Remedies, Liability, and penalties
Complaints, Representation, Fines (Article 77-84)
Chapter 9 Provisions relating to specific processing situations
Freedom of expression, public access, Secrecy, Church (Article 85-91)
Chapter 10 Delegated acts and implementing acts
Exercise of delegation, committee procedure (Article 92-93)
Chapter 11 Final Provisions
95/46/EC, 2002/58/EC, prior to May 24, 2016, Commission reports, legal acts, entry into force and application (Article 94-99)
GDPR Terminology (1 of 2) (Article 4)
• Personal Data – any information relating to an identified or identifiable natural person (‘data subject’)
• Data Subject – any person who can be identified by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• Processing – any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
GDPR Terminology (2 of 2) (Article 4)
• Data Controller – the one who determines the purposes and means of the processing of personal data
• Data Processor – the one who processes personal data on behalf of the controller
• Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
• Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
GDPR Principles (Article 5-11)
● Lawfulness, fairness, and transparency
● Explicit purpose limitation
● Data minimization
● Accuracy
● Storage limitation
● Integrity and confidentiality
● Accountability
Lawful Processing (Article 6)
You can process personal data if one of these is true:
● The data subject gave consent
● Necessary to perform a contract with the data subject
● Required for legal compliance
● Required to protect the vital interests of the data subject
● Required to execute tasks in the public interest
● Legitimate interests
Data Subject Rights
• Transparency & Modalities – Article 12
• Collection of Data – Article 13
• Obtained from Another Source – Article 14
• Right of Access – Article 15
• Right of Rectification – Article 16
• Right of Erasure – Article 17
• Right of Restricted Processing – Article 18
• Right of 3rd-Party Notification – Article 19
• Right of Data Portability – Article 20
• Right to Object – Article 21
• Automated Processing – Article 22
• Restrictions – Article 23
Right of Access (Article 15)
Data subjects have the right to understand the following:
● The purpose for which the data is being processed
● The “categories” of personal data
● The “recipients” of the data (including third countries)
● The period of retention
● How to request deletion of, or restriction of access to, the data
● How to lodge a complaint
● The source of the data, when the data is not personal data
● The existence of automated decision making, including profiling
● How to request a copy of the data
Right of Rectification (Article 16)
Data subjects have the right to:
● Modify inaccurate personal data
● Have incomplete personal data completed
Right of Erasure (1 of 2) (Article 17)
Data subjects have the right to have their personal data deleted when:
● The data is no longer relevant to its intended purpose
● Consent is withdrawn by the data subject
● The data subject objects to its use
● The personal data was unlawfully processed
● Deletion is required for compliance reasons
● The data relates to Article 8(1) (children’s information)
Right of Erasure (2 of 2) (Article 17)
When the controller has made the personal data public:
● The controller may take “reasonable steps”, depending on available technology and cost, to inform the processor to delete the personal data of the data subject, including links and backups.
This right doesn’t apply if:
● It violates the right of freedom of expression
● The processing is carried out in the public interest
● The reason is a public interest related to public health
● The processing is for scientific or historical research
● The data is needed for the establishment, exercise, or defense of a legal claim
Right of Restricted Processing (Article 18)
Data subjects have the right to restrict the processing of their data:
● If there is a dispute, during the period it takes to verify it
● If they don’t want their data deleted but would rather have it restricted
● If the data can’t be deleted for legal reasons
They must also be informed when the restriction is lifted.
Right of 3rd Party Notification (Article 19)
The controller must notify the recipients when:
● Rectification is carried out (Article 16)
● Erasure of personal data is complete (Article 17)
● Restriction of processing is complete (Article 18)
Data subjects may request a list of the recipients.
Right of Data Portability (Article 20)
The data subject has the right to move their personal data from one controller to another:
● Receive the personal data in a common, easy to use format
● If it is technically feasible, the transfer can be done automatically at the data subject’s request
● This doesn’t apply to processing which is in the public interest
● This shall not adversely affect others
Right to Object (Article 21)
The data subject has the right to object to processing!
● The controller must stop, unless for legal reasons
● This includes direct marketing campaigns
Unless the processing is for scientific or historical purposes AND it is for reasons of public interest.
Profiling (Article 22)
The data subject has the right not to be subjected to automated processing, unless:
● It is contractually necessary for the Controller/Processor
● It is authorized by the EU
● Explicit consent is given
Controllers must ensure data subjects can raise objections to the automated processing.
Controller Responsibilities (Article 24)
The controller shall implement appropriate technical and organizational measures, which will be reviewed and updated as necessary.
If needed, the controller will also implement appropriate data protection policies.
Compliance can be demonstrated through either an ‘approved’ code of conduct or an ‘approved’ certification mechanism:
Code of Conduct – Article 40, approved under Article 55
Certification – Article 42, approved under Article 55/56
Processor Responsibilities (Article 28)
Only use processors with sufficient guarantees of technical and organizational measures.
The processor may not use another processor without prior specific or general written authorization.
The controller has the opportunity to object to the change.
Secure Processing (Article 32)
The Controller and Processor are responsible for:
• The pseudonymization and encryption of data
• Ensuring ongoing CIA (confidentiality, integrity, availability) and resilience of systems
• Ensuring the recovery of personal data after any incident
• Regular testing, assessing, and evaluating of the system
• Ensuring accidental or unlawful destruction, loss, alteration, or unauthorized disclosure are minimized
• Ensuring that ‘natural persons’ act only under the authority of the controller
Breach Notice to Authorities (Article 33)
The Controller must notify supervisory authorities within 72 hrs with:
• nature of the breach and volume
• contact info of the DPO
• likely consequences of the breach
• measures to be taken for mitigation
If the breach is discovered by the Processor, the Processor must notify the Controller.
The Controller must maintain the documentation.
Breach Notice to Data Subject (Article 34)
The Controller must notify data subjects “without undue delay” with:
• contact info of the DPO
• likely consequences of the breach
• measures to be taken for mitigation
Except in the cases where:
• the data was encrypted
• the high risk will not materialize
• individual communication would take disproportionate effort - use public communication instead
Data Protection – by Design & Default: Privacy by Design (Article 25)
Controllers should take appropriate measures for processing, including implementing data protection principles such as:
• Pseudonymization
• Data minimization
Technical and Organizational Controls are Required
Data Protection – by Design & Default: By Default (Article 25)
Ensure that only required data is collected and that, by default:
• The amount of data is limited
• The extent of processing and accessibility is limited
• The period of storage is defined and limited
Technical and Organizational Controls are Required
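The two technical measures named on the Secure Processing (Article 32) and By Default (Article 25) slides, pseudonymization and data minimization, as an added example in Python that is not part of the deck. It replaces a direct identifier with a keyed HMAC-SHA256 pseudonym (the secret key is the separately held "additional information" that makes re-identification possible only for the controller) and reduces a record to the fields a stated purpose needs. The sample record, the field names and the analytics purpose are constructed for this example.

```python
"""Pseudonymization and data minimization of a personal-data record.

Added example for the Article 32 / Article 25 slides; not part of the deck.
"""
import hashlib
import hmac
import secrets

# Constructed sample record (made-up values) as a shop's customer table
# might hold it before any measure is applied.
SAMPLE_RECORD = {
    "customer_id": "C-10442",
    "email": "ana.lopez@example.org",
    "full_name": "Ana Lopez",
    "date_of_birth": "1988-03-14",
    "country": "ES",
    "order_total_eur": 129.90,
}

# Assumed purpose for this example: sales analytics. Only these fields are
# needed, so by default nothing else leaves the source system (Article 25).
ANALYTICS_FIELDS = frozenset({"country", "order_total_eur"})

# The direct identifier is replaced by a keyed pseudonym so that rows of the
# same customer can still be linked without revealing who the customer is.
LINK_FIELD = "customer_id"


def new_pseudonymization_key() -> bytes:
    """256-bit secret key. It must be stored apart from the pseudonymized
    data set (e.g. a secrets manager the analytics team cannot read):
    with it the controller can re-identify, without it nobody can."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 over the identifier, hex encoded.

    An unkeyed hash would not do: identifiers such as e-mail addresses or
    short numeric IDs can be enumerated and re-hashed, which re-identifies
    every row. The key is the 'additional information' that GDPR Art. 4(5)
    requires to be kept separately for data to count as pseudonymized.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize_for_purpose(record: dict, key: bytes,
                         allowed_fields=ANALYTICS_FIELDS,
                         link_field=LINK_FIELD) -> dict:
    """Return a copy of the record containing only the fields the purpose
    needs, plus a pseudonym in place of the direct identifier."""
    if link_field not in record:
        raise KeyError(f"record has no {link_field!r} to pseudonymize")
    reduced = {name: record[name] for name in sorted(allowed_fields) if name in record}
    reduced["pseudonym"] = pseudonymize(record[link_field], key)
    return reduced


def direct_identifiers_removed(reduced: dict, original: dict,
                               allowed_fields=ANALYTICS_FIELDS) -> bool:
    """Check: nothing but the allowed fields and the pseudonym survived,
    and no value of a dropped field leaked into the reduced record."""
    extra = set(reduced) - set(allowed_fields) - {"pseudonym"}
    leaked = any(value in reduced.values()
                 for name, value in original.items() if name not in allowed_fields)
    return not extra and not leaked


if __name__ == "__main__":
    key = new_pseudonymization_key()
    reduced = minimize_for_purpose(SAMPLE_RECORD, key)
    print(reduced)
    print("minimized ok:", direct_identifiers_removed(reduced, SAMPLE_RECORD))
    # Same key, same pseudonym: rows stay linkable. Different key: unlinkable.
    print("linkable with key:", pseudonymize("C-10442", key) == reduced["pseudonym"])
    print("linkable without key:",
          pseudonymize("C-10442", new_pseudonymization_key()) == reduced["pseudonym"])
```

Rotating the key breaks linkage between old and new pseudonyms, which is the point to weigh when deciding how long a data set built for one purpose may be retained under the storage-limitation principle.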
Data Protection Officer (Article 39)
Data Protection Officer (DPO) – oversees the data protection responsibilities within the organization and ensures compliance with the privacy regulations and laws
• Works independently
• Directs and oversees all data protection activities
• Creates the policies and procedures around data protection
• Ensures staff are trained
• Manages third party vendors
• Global coordination
• Handles public requests for personal data
• Primary POC for regulatory authorities
DPO Assignment (Article 37)
You must assign a DPO if:
- You are a public processor
- You regularly and systematically monitor data subjects on a large scale
- You are processing on a large scale any special categories of data pursuant to Article 9, or personal data relating to criminal convictions and offences referred to in Article 10
DPO Reporting (Article 38)
The DPO must:
• Be involved in all issues of personal data protection
• Be resourced to carry out tasks and maintain knowledge
• Not be dismissed or penalized for job execution
• Report to the highest level of management
• Be available to service data subject requests
• Be bound to secrecy or confidentiality
• Execute other tasks, as necessary, that do not conflict
Data Protection Impact Assessments (DPIA’s) (Article 35)
Controllers must determine whether a DPIA is required via risk analysis:
• If processing produces a legal effect on subjects
• Criminal data types
• Large scale monitoring
• Review the types of processing governed by the EU
The DPIA must be performed PRIOR to processing.
The DPIA must involve the DPO.
DPIA’s (2 of 2) (Article 35)
DPIA’s must contain:
• Descriptions of the processing operations
• Assessment of necessity and proportionality
• Assessment of risks to the subject’s rights
• Risk mitigation plan
DPIA’s must be compliant with codes of conduct
DPIA’s shall incorporate subject feedback
DPIA’s must be re-executed as risk changes
GDPR Operational Timeline (2016 – 2018)
Phases: Adoption (2016), Transition (2017), Assess (2018)
Activities: Program Team → Assess Risk → Awareness → Define Controls → Implement Controls → Measure Controls → Demonstrate → Maintain
GDPR vs. Privacy Shield
GDPR
● Principles: Lawfulness, fairness, transparency; Explicit purpose; Data minimization; Accuracy; Storage limitation; Integrity and confidentiality; Accountability
● Enables selling to the EU
● Auditable
● Enforced by the EU
Privacy Shield
● Principles: Notice; Choice; Accountability for onward transfer; Security; Data integrity and purpose limitation; Access; Recourse, enforcement and liability
● Allows EU-to-US data transfer
● Self audit
● Enforced by the U.S.
GDPR as a Priority
• 92% of US multinational companies think compliance with GDPR is a top data protection priority
• 68% will spend between $1-10M on GDPR readiness
• Fear is a big motivator
• Concerns over consumer trust because of data breaches, which lead to lost revenue and fines
Source: CIO, 1-26-17, https://www.cio.com/article/3161920/privacy/article.html
Are You Ready for GDPR?
If GDPR applies to your company:
• When did you last update your Privacy/Cookie Policy?
• How do you protect customer PII?
• Do you collect explicit consent from your customers?
• Can you remove individual data from your systems?
• Is your data anonymized and encrypted?
• Are your vendor contracts up-to-date?
• Is your Incident Response Plan tested?
GDPR Planning
• Organize – Assign a DPO (Data Leader)
• Find Your Data
• Know your Data Flows
• Determine Your Risks
• Assess your Controls
• Implement Privacy Shield for EU to US data access
• Comply with Local, State, Federal and International Laws
• Begin DPIA’s
• Document, Document, Document
• Improve your Incident Mgmt/Breach Notification
Next Step: GDPR Assessment
• Data Inventory
• Data Flows
• Controls Review
• Questionnaires
• Risk Analysis
• Cookie Compliance
• Recommendations
• Remediation
Thank You
Carlin Dornbusch, CISSP
Carlin@AmericanCSM.com
http://www.americancsm.com
https://youtu.be/Dq2CCJ4ruqc

 

Dernier

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Dernier (20)

Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

GDPR Overview for Compliance

1. GDPR Overview
Carlin Dornbusch, CISSP
American Cyber Security Management
http://americancsm.com/

2. Overview
●EU Privacy History
●GDPR Outline & Terms
●GDPR Principles
●Subject Rights
●Controller and Processor Responsibilities
- Privacy by Design and Privacy by Default
●Governance - Data Protection Officer, DPIA
●GDPR 2016-2018 Timeline
●GDPR vs Privacy Shield
●Projects vs Strategy

4. Privacy Shield & GDPR Timing

5. GDPR Summary
Are you ready for May 25th 2018?
New Regulation: New Scope, New Rights, New Penalties
New Data Subject Rights:
• Right to Access
• Right to Rectify
• Right to Erasure
• Right to Restriction
• Data Portability
• Right to Object
New Scope:
• PII of Data Subject
• Processors
• Controllers
• Any Location
• Goods & Services
• Monitoring
New Penalties:
• 4% or €20M
• 2% - No Docs, DPIA
• Processors
• Controllers

6. Overview

7. GDPR Outline (1 of 3)
Chapter 1 General Provisions
Objective, Scope, Definitions (Article 1-4)
Chapter 2 Principles
Lawfulness, Consent, Special Categories, no ID Required (Article 5-11)
Chapter 3 Right of the Data Subjects
Section 1 – Transparency & modalities (Article 12)
Section 2 – Information & access to personal data (Article 13-15)
Section 3 – Rectification & erasure (Article 16-20)
Section 4 – Right to object & automation (Article 21-22)
Section 5 – Restrictions (Article 23)

8. GDPR Outline (2 of 3)
Chapter 4 Controller & Processor
Section 1 – General obligations (Article 24-31)
Section 2 – Security of personal data (Article 32-34)
Section 3 – DPIA & prior consultation (Article 35-36)
Section 4 – DPO (Article 37-39)
Section 5 – Code of Conduct & certs (Article 40-43)
Chapter 5 Transfers of personal data to 3rd countries or Int'l org's
General principles for transfer (Article 44-50)
Chapter 6 Independent Supervisory Authorities
Section 1 – Independent status (Article 51-54)
Section 2 – Competence, task and powers (Article 55-59)

9. GDPR Outline (3 of 3)
Chapter 7 Cooperation & Consistency
Section 1 – Cooperation (Article 60-62)
Section 2 – Consistency (Article 63-67)
Section 3 – European data protection board (Article 68-76)
Chapter 8 Remedies, Liability, and Penalties
Complaints, Representation, Fines (Article 77-84)
Chapter 9 Provisions relating to specific processing situations
Freedom of expression, public access, Secrecy, Church (Article 85-91)
Chapter 10 Delegated acts and implementing acts
Exercise of delegation, committee procedure (Article 92-93)
Chapter 11 Final Provisions
Directive 95/46/EC, 2002/58/EC, Prior to May 24, 2016, Commission reports, legal acts, force and application (Article 94-99)
10. GDPR Terminology (1 of 2) – Article 4
• Personal Data – any information relating to an identified or identifiable natural person ('data subject')
• Data Subject – any person who can be identified by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• Processing – any operation which is performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

11. GDPR Terminology (2 of 2) – Article 4
• Data Controller – the one who determines the purposes and means of the processing of personal data
• Data Processor – the one who processes personal data on behalf of the controller
• Personal Data Breach – breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
• Consent – any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
12. Overview

13. GDPR Principles – Article 5-11
● Lawfulness, fairness, and transparency
● Explicit purpose limitation
● Data minimization
● Accuracy
● Storage limitation
● Integrity and confidentiality
● Accountability

14. Lawful Processing – Article 6
You can process personal data if one of these is true:
● Data subject gave consent
● Necessary to perform contract with data subject
● Required for compliance
● Required to protect vital interests of data subject
● Required to execute tasks in public interest
● Legitimate interests

15. Overview

16. Data Subjects Rights
• Transparency & Modalities – Article 12
• Collection of Data – Article 13
• Obtained from Another Source – Article 14
• Right of Access – Article 15
• Right of Rectification – Article 16
• Right of Erasure – Article 17
• Right of Restricted Processing – Article 18
• Right of 3rd-Party Notification – Article 19
• Right of Data Portability – Article 20
• Right to Object – Article 21
• Automated Processing – Article 22
• Restrictions – Article 23
17. Right of Access – Article 15
Data subjects have the right to understand the following:
● Purpose for which the data is being processed
● "Categories" of personal data
● "Recipient" of data (including third countries)
● Period of retention
● How to request deletion of, or restrict access to, the data
● How to lodge a complaint
● The source of the data, when it was not obtained from the data subject
● The existence of automated decision making, including profiling
● How to request a copy of the data

18. Right of Rectification – Article 16
Data subjects have the right to:
● Modify inaccurate personal data
● Have incomplete personal data completed

19. Right of Erasure (1 of 2) – Article 17
Data subjects have the right to have their personal data deleted when:
● The data is no longer relevant to its intended purpose
● Consent is withdrawn by the data subject
● The data subject objects to its use
● The personal data was unlawfully processed
● For compliance reasons
● Related to Article 8 (1) Children's information

20. Right of Erasure (2 of 2) – Article 17
When the controller has made the personal data public:
● The controller may take "reasonable steps", depending on available technology and cost, to inform the processor to delete the personal data of the data subject, including links and backups.
This right doesn't apply if:
● It violates the right of freedom of expression
● It is carried out in the public interest
● The reason is public interest related to public health
● Scientific or historical research
● Establishment, exercise, or defense of a legal claim

21. Right of Restricted Processing – Article 18
Data subjects have the right to restrict the processing of their data:
● If there is a dispute, during the period it takes to verify it
● If they don't want their data deleted but would rather have it restricted
● If the data can't be deleted for legal reasons
And to be informed when the restriction is lifted.

22. Right of 3rd Party Notification – Article 19
The controller must notify the recipient when:
● Rectification is carried out (Article 16)
● Erasure of personal data is complete (Article 17)
● Restriction of processing is complete (Article 18)
Data subjects may request a list of the recipients.

23. Right of Data Portability – Article 20
The data subject has the right to move their personal data from one controller to another.
● Receive the personal data in a common, easy to use format
● If it is technically feasible, the transfer can be done automatically at the data subject's request
● This doesn't apply to processing which is in the public interest
● And this shall not adversely affect others.

24. Right to Object – Article 21
The data subject has the right to object to processing!
● Controller must stop, unless for legal reasons
● This includes direct marketing campaigns
Unless the processing is for scientific or historical purposes AND it is for reasons of public interest.

25. Profiling – Article 22
The data subject has the right not to be subjected to automated processing, unless:
● It is contractually necessary for the Controller/Processor
● It is authorized by the EU
● Explicit consent is given
Controllers must ensure data subjects can engage to object to the automated processing.
26. Overview

27. Controller Responsibilities – Article 24
The controller shall implement appropriate technical and organizational measures, and they will be reviewed and updated as necessary. If needed, the controller will also implement appropriate data protection policies.
Compliance can be demonstrated through either an 'approved' code of conduct or an 'approved' certification mechanism.
Code of Conduct: Article 40, approved by Article 55
Certification: Article 42, approved by Article 55/56

28. Processor Responsibilities – Article 28
Only use processors with sufficient guarantees of technical and organizational measures.
The processor may not use another processor without prior specific or general written authorization. The controller has the opportunity to object to the change.

29. Secure Processing – Article 32
The Controller/Processor are responsible for:
• The pseudonymization and encryption of data
• Ensuring ongoing confidentiality, integrity, availability (CIA) and resilience of systems
• Ensuring the recovery of personal data in any incident
• Regular testing, assessing, and evaluating of the system
• Ensuring accidental or unlawful destruction, loss, alteration, or unauthorized disclosure are minimized
• Ensuring that 'natural persons' only act under the authority of the controller

30. Breach Notice to Authorities – Article 33
The Controller must notify supervisory authorities within 72 hours with:
• nature of breach and volume
• contact info of DPO
• likely consequences of breach
• measures to be taken for mitigation
If discovered by the Processor, the Processor must notify the Controller.
The Controller must maintain the breach documentation.

31. Breach Notice to Data Subject – Article 34
The Controller must notify data subjects "without undue delay" with:
• contact info of DPO
• likely consequences of breach
• measures to be taken for mitigation
Except in the cases of:
• data was encrypted
• the high risk will not materialize
• disproportionate effort of communication – use public communications

32. Data Protection – by design & default: Privacy by Design – Article 25
Technical and Organizational Controls are Required
Controllers should take appropriate measures for processing, including implementing data protection principles:
• Pseudonymization
• Data minimization

33. Data Protection – by design & default: By Default – Article 25
Technical and Organizational Controls are Required
Ensuring only required data is collected and, by default:
• The amount of data is limited
• The extent of processing and accessibility is limited
• The period of storage is defined and limited
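As an added example (not from the deck or from American Cyber Security Management), here is what the Article 25 and Article 32 measures on slides 29, 32 and 33 look like in code: a keyed-HMAC pseudonym replaces the direct identifier, an allowlist minimizes the fields kept, every record gets a defined retention period, and the access and erasure lookups from slides 17 and 19 only work for a component holding the separately kept key. The field names, the 90-day retention period and the sample e-mail addresses are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Data minimization (Article 25 "by default"): only the fields needed for the
# stated purpose survive intake. Field names are constructed for this example.
ALLOWED_FIELDS = frozenset({"order_id", "country", "plan"})
# Storage limitation: a defined, limited retention period (constructed value).
RETENTION = timedelta(days=90)
# GDPR application date (25 May 2018, as on the slides) serves as the sample clock.
APPLIES_FROM = datetime(2018, 5, 25, tzinfo=timezone.utc)


@dataclass
class PseudonymizedRecord:
    subject_token: str   # keyed hash standing in for the direct identifier
    data: dict           # minimized fields only; the identifier is never stored
    created: datetime
    expires: datetime


class PseudonymizationKey:
    """Secret key kept apart from the record store (for example in a KMS).

    Because the store never holds the key, the store alone cannot map a token
    back to a person; that separation is what makes the token a pseudonym
    (Article 32) rather than mere obfuscation.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def token_for(self, identifier: str) -> str:
        # Canonicalize so "Alice@Example.com" and "alice@example.com" match.
        canonical = identifier.strip().lower().encode("utf-8")
        # Keyed HMAC, not a bare SHA-256: an unkeyed hash of an e-mail address
        # can be reversed by hashing candidate addresses.
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()


def intake(identifier: str, submitted: dict, key: PseudonymizationKey,
           now: datetime) -> PseudonymizedRecord:
    """Accept a record for processing, applying the by-default limits."""
    minimized = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}
    return PseudonymizedRecord(subject_token=key.token_for(identifier),
                               data=minimized, created=now, expires=now + RETENTION)


def find_subject(records: list, identifier: str, key: PseudonymizationKey) -> list:
    """Right of access (Article 15): locate a subject's records by token.
    Needs the key, so only a component entitled to re-identify can do this."""
    token = key.token_for(identifier)
    return [r for r in records if r.subject_token == token]


def erase_subject(records: list, identifier: str, key: PseudonymizationKey) -> list:
    """Right of erasure (Article 17): drop every record for the subject."""
    token = key.token_for(identifier)
    return [r for r in records if r.subject_token != token]


def purge_expired(records: list, now: datetime) -> list:
    """Storage limitation: remove records past their retention deadline."""
    return [r for r in records if now < r.expires]


def demo() -> dict:
    """Run intake, access, erasure and purge on constructed sample data."""
    key = PseudonymizationKey()
    store = [
        intake("Alice@Example.com",
               {"order_id": "A1", "country": "DE", "plan": "pro",
                "phone": "+49 30 0000000"},   # dropped at intake: not needed
               key, APPLIES_FROM),
        intake("bob@example.com", {"order_id": "B7", "country": "FR"},
               key, APPLIES_FROM),
    ]
    alice = find_subject(store, "alice@example.com", key)  # case-insensitive
    after_erasure = erase_subject(store, "alice@example.com", key)
    after_purge = purge_expired(after_erasure, APPLIES_FROM + RETENTION)
    return {"kept_fields": sorted(store[0].data), "alice_records": len(alice),
            "after_erasure": len(after_erasure), "after_purge": len(after_purge)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the retention deadline only becomes a control once something actually runs purge_expired on a schedule; a defined period that is never enforced does not satisfy the "limited" part of the slide.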
34. Overview

35. Data Protection Officer – Article 39
Data Protection Officer (DPO) – oversees the data protection responsibilities within the organization and ensures compliance with the privacy regulations and laws
• Works independently
• Directs and oversees all data protection activities
• Creates the policies and procedures around data protection
• Ensures staff are trained
• Manages third party vendors
• Global coordination
• Handles public requests for personal data
• Primary POC for regulatory authorities

36. DPO Assignment – Article 37
You must assign a DPO if:
- You are a public processor
- You regularly and systematically monitor data subjects on a large scale
- You are processing on a large scale any special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10

37. DPO Reporting – Article 38
The DPO must:
• Be involved in all issues of personal data protection
• Be resourced to carry out tasks and maintain knowledge
• Not be dismissed or penalized for job execution
• Report to the highest level of management
• Be available to service data subject requests
• Be bound to secrecy or confidentiality
• Execute other tasks, as necessary, that do not conflict

38. Data Protection Impact Assessments (DPIA's) – Article 35
Controllers must determine if a DPIA is required via Risk Analysis:
• If processing produces a legal effect on subjects
• Criminal data types
• Large scale monitoring
• Review the types of processing governed by the EU
Must perform DPIA PRIOR to processing
Must involve the DPO

39. DPIA's (2 of 2) – Article 35
DPIA's must contain:
• Processing operations descriptions
• Assessment of necessity and proportionality
• Assessment of risks to the subject's rights
• Risk mitigation plan
DPIA's must be compliant to codes of conduct
DPIA's shall incorporate subject feedback
DPIA's must be executed as risk changes

40. Overview

42. Overview
43. GDPR vs. Privacy Shield
GDPR
● Principles:
● Lawfulness, fair, transparent
● Explicit purpose
● Data minimization
● Accuracy
● Storage Limitation
● Integrity and Confidentiality
● Accountability
● Enables Selling to EU
● Auditable
● Enforced by EU
Privacy Shield
● Principles:
● Notice
● Choice
● Accountability for Onward Transfer
● Security
● Data Integrity and Purpose Limitation
● Access
● Recourse, Enforcement and Liability
● Allows EU-to-US data transfer
● Self Audit
● Enforced by U.S.

44. Overview

45. GDPR as a Priority
• 92% of US multinational companies think compliance with GDPR is a top data protection priority
• 68% will spend between $1-10M on GDPR readiness
• Fear is a big motivator
• Concerns over consumer trust because of data breaches, which lead to lost revenue and fines
Source: CIO, 1-26-17, https://www.cio.com/article/3161920/privacy/article.html

46. Are You Ready for GDPR?
If GDPR applies to your company:
• When did you last update your Privacy/Cookie Policy?
• How do you protect customer PII?
• Do you collect explicit consent from your customers?
• Can you remove individual data from your systems?
• Is your data anonymized and encrypted?
• Are your vendor contracts up-to-date?
• Is your Incident Response Plan tested?

47. GDPR Planning
• Organize – Assign a DPO (Data Leader)
• Find Your Data
• Know your Data Flows
• Determine Your Risks
• Assess your Controls
• Implement Privacy Shield for EU to US data access
• Comply with Local, State, Federal and Int'l Laws
• Begin DPIA's
• Document, Document, Document
• Improve your Incident Mgmt/Breach Notification

48. Next Step: GDPR Assessment
• Data Inventory
• Data Flows
• Controls Review
• Questionnaires
• Risk Analysis
• Cookie Compliance
• Recommendations
• Remediation
• Member

49. Thank You
Carlin Dornbusch, CISSP
Carlin@AmericanCSM.com
http://www.americancsm.com
https://youtu.be/Dq2CCJ4ruqc