This document discusses preparations for the General Data Protection Regulation (GDPR) which takes effect in May 2018. It begins by outlining how GDPR compliance was previously viewed, with most companies believing they were unprepared. It then discusses key aspects of GDPR including higher fines, strengthened consent requirements, privacy by design, mandatory breach reporting, expanded obligations for processors, and mandatory data protection officers. Finally, it provides recommendations for steps companies can take to prepare such as forming a steering group, training, conducting data discovery and impact assessments, updating policies, and creating breach response plans. The overall message is that early preparation is important to avoid noncompliance under the new, stricter GDPR requirements.
2. #whoami
Electoral Roll
Landline
Broadband
Mobile Phone
Gas Electric
TV licence
Passport
Inland Revenue
High Street Bank
Online Retailers
Online webmail
Companies House
Online accountant
Births & Marriages Register
Hospital records / GP records
Husband, Father, Son
Cyber Consulting <-IT Security <- IT Solutions
https://uk.linkedin.com/in/jmck4cybersecurity
Shares / Child ISA
Pension
Car Insurance
House Insurance
Flight Records (ARINC)
Mortgage
Postcode Address File
University Records
Water / Utilities
Council Tax
Driving Licence
Car registration
Equifax Experian Callcredit
3. Published Agenda
* Know what you know
* Know what you don't know
* Know where you're going
* Get started
@CisoAdvisor: We could debate this from now until Xmas, but we only have 20 minutes, so I have revised the agenda.
"Everything should be as simple as it can be, but not simpler."
4. @CisoAdvisor: Now let's pick up the pace.
Actual Agenda
* How it was
* Where it is going
* What (I suggest) you can do
5. Disclaimer
(1) Before we go any further, I feel I should first point out that everything I'm about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
(2) I am not currently in the GDPR region (but …...)
(3) I am not a lawyer {but …..}
6. * Section 1: How It Was
Revolution Quote 1:
"You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and skip out for beer during commercials, because the revolution will not be televised."
- Gil Scott-Heron (1949–2011)
8. ICO comments on P7a
The Data Protection Act says that:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
* design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
* be clear about who in your organisation is responsible for ensuring information security;
* make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
* be ready to respond to any breach of security swiftly and effectively.
9. ICO comments on P7b
What needs to be protected by information security arrangements?
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.
So the security measures you put in place should seek to ensure that:
* only authorised people can access, alter, disclose or destroy personal data;
* those people only act within the scope of their authority; and
* if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
Credit: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Remember: the domain google.com was registered on September 15, 1997. The company, Google, was formally incorporated on September 4, 1998.
11. * Section 2: Where It Is Going
Revolution quote 2:
"The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised."
- Gil Scott-Heron (1949–2011)
12. Two-year countdown
The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven't got a clue how they're going to approach it.
Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
"It's 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year." – Guy Bunker @ Clearswift
Credit: http://www.cbronline.com/news/cybersecurity/data/2-years-to-gdpr-how-you-can-prepare-for-the-eu-data-protection-regulation-4903975
13. How to lie with statistics
https://www.amazon.com/How-Lie-Statistics-Darrell-Huff/dp/0393310728
https://en.wikipedia.org/wiki/List_of_cognitive_biases
https://blog.osvdb.org/
14. Higher Fines – breaches of the GDPR can result in fines up to 4% of a business' global turnover or €20M (whichever is greater).
Consent – Businesses will need to be able to demonstrate that active consent has been given for any personal information they collect or process, and that they provide very clear information beforehand on how this personal information will be stored and used (privacy notices).
Privacy by Design – increasingly, businesses will need to be able to demonstrate that they have actively considered privacy, adequately addressed any associated information security risks, and built this into the DNA of their organisation.
Mandatory Notification – there will be a mandatory duty under GDPR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
Data Processors – at present only organisations acting as Data Controllers have legal obligations for looking after personal information under the UK Data Protection Act. The GDPR aims to extend some of the direct legal obligations on to Data Processors as well as Data Controllers.
Sensitive personal data – the definition of sensitive personal data has been widened to include genetic and biometric data, and there will be stricter rules for processing this kind of (medical) information.
Data Subjects' Rights – generally, individuals will have stronger rights to request the transfer of their personal information from one service provider to another, and also when requesting their "right to be forgotten".
Data Protection Officers – Data Protection Officers will become mandatory for organisations whose primary purpose involves processing sensitive personal data or who monitor data subjects regularly on a large scale.
Credit: Fruition blog, Feb 2016
16. Mandatory Notification – there will be a mandatory duty under GDPR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
Bank + PCI-PFI: immediately.
https://www.visaeurope.com/media/pdf/security%20compromise%20factsheet%20-%20march%202015.pdf
17. Mandatory Notification (continued)
Report sent to Visa: within 72hrs, for actual or suspected compromise.
https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf
18. Mandatory Notification (continued)
Report sent to ICO: within 24hrs.
http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/
19. Converge with Information Security
Quality Management, Legal, Recruitment
Other disciplines talk about it more than us!
21. * Section 3: What You Can Do
Revolution quote 3:
"There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first."
- Jim Morrison (1943–1971)
25. [Diagram dated 05.Sep.16: data protection governance and management model, with Governance and Management columns; the numbered and lettered diagram labels are not recoverable]
Reporting line: Mubadala Group – Injazat CEO – Company CEO – Group Security Office
Elements shown:
* Data Protection / Data Security "Tone at the Top" Directive from CEO
* Data Protection Management Policy; Scope of ICO registration
* Data Governance Forum (Steering Group) - Charter and Minutes
* Data Protection Strategy Paper & sub-plans
* DPO Annual Objectives
* DPO Measurement Plan
* DPO Annual Audit Plan
* DPO Communications Plan
* DPO Data Breach Plan
* DSARs/Complaints
* Data Quality Management
* Information Asset Register
* Privacy Impact Analysis Project (RA)
* Data Discovery with Business Impact Analysis
26. Short cycle error correction (F3)
Variations:
* F2T2E: Find, Fix, Target, Track, and Execute
* F2T2EA: Find, Fix, Track, Target, Engage, Assess
* F2T2: Find, Fix, Track, Target
* F3EAD: Find, Fix, Finish, Exploit, Analyze and Disseminate
FIND – FIX – FINISH
If you're interested in military tactics that might support cyber security, look into http://www.pogoarchives.org/straus/shaping-and-adapting-boyd-20150422.pdf and the F3EAD paper: http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf
27. Data Discovery
[Diagram: inputs to data discovery]
* BC / DR Team
* Vulnerability Scanner
* IT Ops / ITIL
* HR / Legal / Finance
* ICO registration
28. Information Asset Register
Where you are Data Controller
Where you outsource
https://www.linkedin.com/pulse/25-exciting-things-do-information-asset-register-reynold-leming?trk=hp-feed-article-title-like
29. Information Asset Register
by Reynold Leming
1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.
2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information.
3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.
4. Ownership: The ability to know - who owns what? Also to understand who owns both in terms of corporate accountability and ownership of the actual information itself.
30. Internal Training (1)
[Flowchart: is it personal data?]
Does the data enable you to identify the person directly?
* YES: it is personal data.
* NO: does the data enable you to identify the person indirectly?
  * YES: it is personal data.
  * NO: it is not personal data.
31. Internal Training (2)
Fair and lawful processing
Proportionate processing
Accurate and up to date
Data retention limitation
Data transfers limitation
32. Privacy Impact Assessment
* Name of the processing service
* Date of service implementation
* Name of the software / application used
* Key contact internal
* Key contact external
* List of data collected and processed (detailed)
* Purpose of the processing (detailed)
* Period during which data are stored and processed
* Persons who need to have access (detailed R&R)
* Does the processing need development or maintenance by a third party?
* Does the processing imply transfer out of the EU within the company?
* Does the processing imply transfer out of the EU to a third party?
* How will data transfers be secured to provide an adequate level of protection?
* Are you a Data Controller?
* Are you a Data Processor?
34. Summary
There are many overlaps in the ISMF and managing Data Protection in the Enterprise
Establish a Data Protection Steering Group
Choose a DPO
Find and Classify the data, assigning a business owner
Prepare internal training
Prepare a holistic Data Breach Plan – not just a technical response
Use this activity to enforce better Information Security Controls
E.g. Data classification, Information Asset Register, Data retention cleanup + evidence
35. Takeaways
Take it seriously: we've had 18 years to get this
Get started if you haven't already
Use what has been learnt from years of ISMS governance and certification
Tailor it to your organisation (size and maturity)
Learn from other disciplines (collaborate or die)
Challenge conference organisers on GDPR agendas
Network with like-minded peers