GPDR == get.data.protection.right(!)
James Mckinlay – CSO Praetorian Consulting International
#whoami
Husband, Father, Son
Cyber Consulting <- IT Security <- IT Solutions
https://uk.linkedin.com/in/jmck4cybersecurity
* Electoral Roll
* Landline
* Broadband
* Mobile Phone
* Gas / Electric
* TV licence
* Passport
* Inland Revenue
* High Street Bank
* Online Retailers
* Online webmail
* Companies House
* Online accountant
* Births & Marriages Register
* Hospital records / GP records
* Shares / Child ISA
* Pension
* Car Insurance
* House Insurance
* Flight Records (ARINC)
* Mortgage
* Postcode Address File
* University Records
* Water / Utilities
* Council Tax
* Driving Licence
* Car registration
* Equifax Experian Callcredit
Published Agenda
* Know what you know
* Know what you don't know
* Know where you're going
* Get started
@CisoAdvisor
We could debate this from now until xmas, but we only have 20 minutes so I have revised the agenda.
“Everything should be as simple as it can be, but not simpler”
@CisoAdvisor
Now let’s pick up the pace.
Actual Agenda
* How it was
* Where it is going
* What (I suggest) you can do
Disclaimer
* (1) Before we go any further, I feel I should first point out that everything I’m about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
* (2) I am not currently in the GPDR region (but …...)
* (3) I am not a lawyer {but …..}
* Section 1:
How It was
Revolution Quote 1:
“You will not be able to stay home, brother.
You will not be able to plug in, turn on and cop out.
You will not be able to lose yourself on skag and skip out for beer during commercials,
Because the revolution will not be televised.”
- Gil Scott-Heron (1949–2011)
* Appoint a DPO
* Fill out ICO registration
* Send ICO cheques
* Update registration (e.g. ANPR)
* Talk to legal department
* Look for some external training
* Hope nothing goes wrong
* Add a DPA98 module to LMS
ICO comments on P7a
The Data Protection Act says that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
* design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
* be clear about who in your organisation is responsible for ensuring information security;
* make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
* be ready to respond to any breach of security swiftly and effectively.
ICO comments on P7b
What needs to be protected by information security arrangements?
It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data.
So the security measures you put in place should seek to ensure that:
* only authorised people can access, alter, disclose or destroy personal data;
* those people only act within the scope of their authority; and
* if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
Credit: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
Remember: The domain google.com was registered on September 15, 1997. They formally
incorporated their company, Google, on September 4, 1998
Any Questions
No is a valid answer
* Section 2:
Where It is going
Revolution quote 2:
“The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.”
- Gil Scott-Heron (1949–2011)
Two-year countdown
The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven't got a clue how they're going to approach it.
Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
"It's 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year." – Guy Bunker @ Clearswift
Credit: http://www.cbronline.com/news/cybersecurity/data/2-years-to-gdpr-how-you-can-prepare-for-the-eu-data-protection-regulation-4903975
How to lie with statistics
https://www.amazon.com/How-Lie-Statistics-Darrell-Huff/dp/0393310728
https://en.wikipedia.org/wiki/List_of_cognitive_biases
https://blog.osvdb.org/
Higher Fines – breaches of the GDPR can result in fines up to 4% of a business’ global turnover or €20M (whichever is greater).
Consent – Businesses will need to be able to demonstrate that active consent has been given for any personal information they collect or process and that they provide very clear information beforehand on how this personal information will be stored and used (privacy notices).
Privacy by Design – increasingly, Businesses will need to be able to demonstrate that they have actively considered privacy and adequately addressed any associated information security risks and that this is built into the DNA of their organization.
Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
Data Processors – at present only organisations acting as Data Controllers have legal obligations for looking after personal information under the UK Data Protection Act. The GPDR aims to extend some of the direct legal obligations on to Data Processors as well as Data Controllers.
Sensitive personal data – the definition of sensitive personal data has been widened to include genetic and biometric data and there will be stricter rules for processing this kind of (medical) information.
Data Subjects Rights – generally, individuals will have stronger rights to request the transfer of their personal information from one service provider to another and also when requesting their “right to be forgotten”.
Data Protection Officers – Data Protection Officers will become mandatory for organisations whose primary purpose involves processing sensitive personal data or who monitor data subjects regularly on a large scale.
Credit: fruition blog Feb 2016
Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
Compare that 72-hour window with the reporting timescales that already apply elsewhere:
* Visa Europe security compromise factsheet (https://www.visaeurope.com/media/pdf/security%20compromise%20factsheet%20-%20march%202015.pdf): report to your Bank + PCI-PFI immediately.
* Visa (usa.visa.com) "What to do if compromised" (https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf): actual or suspected compromise, report sent to Visa within 72hrs.
* TalkTalk appeal against ICO data breach fine dismissed (http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/): report sent to ICO within 24hrs.
Converge with Information Security
Quality Management, Legal, Recruitment
Other disciplines talk about it more than us!
Any Questions
No is a valid answer
* Section 3:
What You can do
Revolution quote 3:
“There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.”
- Jim Morrison (1943–1971)
Disclaimer
* I haven’t yet tried this next bit ;)
ISO27001
PCI DSS v3.2
AML / TCF
TOP20 CC
NSA MNP
ISO9001
ISO27002
SOC_I
SOC_II
Remember DPA98:Pr7 from part one
Governance / Management (05.Sep.16)
Company CEO, Group Security Office, Mubadala Group, Injazat CEO
* Data Protection / Data Security “Tone at the Top” Directive from CEO
* Data Protection Management Policy, Scope of ICO registration
* Data Governance Forum (Steering Group) - Charter and Minutes
* Data Protection Strategy Paper & sub-plans
* DPO Measurement Plan
* DPO Annual Objectives
* DPO Annual Audit Plan
* DPO Communications Plan
* DPO Data Breach Plan
* DSARs/Complaints
* Data Quality Management
* Information Asset Register
* Data Discovery with Business Impact Analysis
* Privacy Impact Analysis Project (RA)
Short cycle error correction (F3)
Variations:
F2T2E : Find, Fix, Target, Track, and Execute
F2T2EA : Find, Fix, Track, Target, Engage, Assess
F2T2 : Find, Fix, Track, Target
F3EAD : Find, Fix, Finish, Exploit, Analyze and Disseminate
FIND FIX FINISH
If you're interested in military tactics that might support Cyber Security, look into http://www.pogoarchives.org/straus/shaping-and-adapting-boyd-20150422.pdf and the F3EAD paper: http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf
Data Discovery
Sources feeding the Information Asset Register:
* BC / DR Team
* Vulnerability Scanner
* IT Ops / ITIL
* HR / Legal / Finance
* ICO registration
Information Asset Register
* Where you are Data Controller
* Where you outsource
https://www.linkedin.com/pulse/25-exciting-things-do-information-asset-register-reynold-leming?trk=hp-feed-article-title-like
Information Asset Register
by Reynold Leming
* 1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.
* 2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information.
* 3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.
* 4. Ownership: The ability to know - who owns what? Also to understand who owns both in terms of corporate accountability and ownership of the actual information itself.
Internal Training (1)
Does the data enable you to identify the person directly?
* YES -> It is personal data
* NO -> Does the data enable you to identify the person indirectly?
  * YES -> It is personal data
  * NO -> It is not personal data
Internal Training (2)
Fair and lawful processing
Proportionate processing
Accurate and up to date
Data retention limitation
Data transfers limitation
Privacy Impact Assessment
* Name of the processing service
* Date of service implementation
* Name of the software/application used
* Key contact internal
* Key contact external
* List of data collected and processed (detailed)
* Purpose of the processing (detailed)
* Period during which data are stored and processed
* Persons who need to have access (detailed R&R)
* Does the processing need development or maintenance by a third party?
* Does the processing imply a transfer out of the EU within the company?
* Does the processing imply a transfer out of the EU to a third party?
* How will data transfers be secured to provide an adequate level of protection?
Are you a Data Controller?
Are you a Data Processor?
Data Breach Planning
https://otalliance.org/resources/data-breach-protection
Summary
* There are many overlaps in the ISMF and managing Data Protection in the Enterprise
* Establish a Data Protection Steering Group
* Choose a DPO
* Find and Classify the data, assigning a business owner
* Prepare internal training
* Prepare a holistic Data Breach Plan – not just a technical response
* Use this activity to enforce better Information Security Controls, e.g. Data classification, Information Asset Register, Data retention cleanup + evidence
Takeaways
* Take it seriously: we’ve had 18 years to get this
* Get started if you haven’t already
* Use what has been learnt from years of ISMS governance and certification
* Tailor it to your organisation (size and maturity)
* Learn from other disciplines (collaborate or die)
* Challenge conference organisers on GPDR agendas
* Network with likeminded peers
Time is precious, thank you for yours
James

Contenu connexe

Tendances

2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
padler01
 

Tendances (20)

Webinar - Cyber Hygiene: Stay Clean at Work and at Home
Webinar - Cyber Hygiene: Stay Clean at Work and at HomeWebinar - Cyber Hygiene: Stay Clean at Work and at Home
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
 
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
2017 March ISACA Security Challenges with the Internet of Things - Eric Vande...
 
Keep Calm and GDPR
Keep Calm and GDPRKeep Calm and GDPR
Keep Calm and GDPR
 
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
 
GDPR & digital strategy
GDPR & digital strategyGDPR & digital strategy
GDPR & digital strategy
 
Funsec3e ppt ch11
Funsec3e ppt ch11Funsec3e ppt ch11
Funsec3e ppt ch11
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
 
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
Cybersecurity Incident Response Strategies and Tactics - RIMS 2017 - Eric Van...
 
What you will take away from this session
What you will take away from this sessionWhat you will take away from this session
What you will take away from this session
 
Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7
 
Forensic3e ppt ch13
Forensic3e ppt ch13Forensic3e ppt ch13
Forensic3e ppt ch13
 
Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2Boards' Eye View of Digital Risk & GDPR v2
Boards' Eye View of Digital Risk & GDPR v2
 
Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3Fundamentals of Information Systems Security Chapter 3
Fundamentals of Information Systems Security Chapter 3
 
"We're all in this together" - educating users on the importance of cyber sec...
"We're all in this together" - educating users on the importance of cyber sec..."We're all in this together" - educating users on the importance of cyber sec...
"We're all in this together" - educating users on the importance of cyber sec...
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
A Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for BusinessesA Guide to Disaster Preparedness for Businesses
A Guide to Disaster Preparedness for Businesses
 
Data Risks In A Digital Age
Data Risks In A Digital Age Data Risks In A Digital Age
Data Risks In A Digital Age
 
Funsec3e ppt ch06
Funsec3e ppt ch06Funsec3e ppt ch06
Funsec3e ppt ch06
 
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric VanderburgCybercrime and Cyber Threats - CBLA - Eric Vanderburg
Cybercrime and Cyber Threats - CBLA - Eric Vanderburg
 

Similaire à GPDR_Get-Data-Protection-Right

Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 

Similaire à GPDR_Get-Data-Protection-Right (20)

The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0
 
GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdpr
 
How GDPR will change Personal Data Control and Affect Everyone
How GDPR will change Personal Data Control and Affect EveryoneHow GDPR will change Personal Data Control and Affect Everyone
How GDPR will change Personal Data Control and Affect Everyone
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
GDPR Is Coming – Are Search Marketers Ready?
GDPR Is Coming – Are Search Marketers Ready?GDPR Is Coming – Are Search Marketers Ready?
GDPR Is Coming – Are Search Marketers Ready?
 

Plus de James '​-- Mckinlay

Plus de James '​-- Mckinlay (11)

Cracking for the Blue Team
Cracking for the Blue TeamCracking for the Blue Team
Cracking for the Blue Team
 
Security at the speed of dev ops v3
Security at the speed of dev ops v3Security at the speed of dev ops v3
Security at the speed of dev ops v3
 
40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AI40 things to do before you spend $1 on AI
40 things to do before you spend $1 on AI
 
Securing Smart Cities
Securing Smart CitiesSecuring Smart Cities
Securing Smart Cities
 
cybersecurity-workforce-papers
cybersecurity-workforce-paperscybersecurity-workforce-papers
cybersecurity-workforce-papers
 
BsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devopsBsidesMCR_2016-what-can-infosec-learn-from-devops
BsidesMCR_2016-what-can-infosec-learn-from-devops
 
Metrics evolution breakfast edition
Metrics evolution breakfast editionMetrics evolution breakfast edition
Metrics evolution breakfast edition
 
IGPC Data Breach Planning braindump
IGPC Data Breach Planning braindumpIGPC Data Breach Planning braindump
IGPC Data Breach Planning braindump
 
Living with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI EditionLiving with Determined Attackers MOSI Edition
Living with Determined Attackers MOSI Edition
 
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-AssessmentsELITE.BCS-Cloud-and-Mobile-Risk-Assessments
ELITE.BCS-Cloud-and-Mobile-Risk-Assessments
 
Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214Living with the threat of Determined Attackers - RANT0214
Living with the threat of Determined Attackers - RANT0214
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

GPDR_Get-Data-Protection-Right

  • 1. GPDR == get.data.protection.right(!) James Mckinlay – CSO Praetorian Consulting International
  • 2. #whoami
    Husband, Father, Son. Cyber Consulting <- IT Security <- IT Solutions. https://uk.linkedin.com/in/jmck4cybersecurity
    Electoral Roll; Landline; Broadband; Mobile Phone; Gas / Electric; TV licence; Passport; Inland Revenue; High Street Bank; Online Retailers; Online webmail; Companies House; Online accountant; Births & Marriages Register; Hospital records / GP records; Shares / Child ISA; Pension; Car Insurance; House Insurance; Flight Records (ARINC); Mortgage; Postcode Address File; University Records; Water / Utilities; Council Tax; Driving Licence; Car registration; Equifax / Experian / Callcredit
  • 3. Published Agenda
    * Know what you know
    * Know what you don't know
    * Know where you're going
    * Get started
    @CisoAdvisor: We could debate this from now until xmas, but we only have 20 minutes, so I have revised the agenda. “Everything should be as simple as it can be, but not simpler.”
  • 4. @CisoAdvisor: Now let's pick up the pace. Actual Agenda
    * How it was
    * Where it is going
    * What (I suggest) you can do
  • 5. Disclaimer
    (1) Before we go any further, I feel I should first point out that everything I'm about to say is obviously just my personal opinion, which you are of course entitled to take with the appropriate pinch of salt. I would expect that if you asked someone else who was considering the same points, they might have very different things that they are looking for.
    (2) I am not currently in the GPDR region (but …)
    (3) I am not a lawyer {but …}
  • 6. * Section 1: How It was. Revolution Quote 1: “You will not be able to stay home, brother. You will not be able to plug in, turn on and cop out. You will not be able to lose yourself on skag and skip out for beer during commercials, because the revolution will not be televised.” - Gil Scott-Heron (1949–2011)
  • 8. ICO comments on P7a
    The Data Protection Act says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
    - design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
    - be clear about who in your organisation is responsible for ensuring information security;
    - make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
    - be ready to respond to any breach of security swiftly and effectively.
  • 9. ICO comments on P7b
    What needs to be protected by information security arrangements? It is important to understand that the requirements of the Data Protection Act go beyond the way information is stored or transmitted. The seventh data protection principle relates to the security of every aspect of your processing of personal data. So the security measures you put in place should seek to ensure that:
    - only authorised people can access, alter, disclose or destroy personal data;
    - those people only act within the scope of their authority; and
    - if personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned.
    Credit: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-7-security/
    Remember: the domain google.com was registered on September 15, 1997. They formally incorporated their company, Google, on September 4, 1998.
  • 10. Any Questions? No is a valid answer.
  • 11. * Section 2: Where It is going. Revolution quote 2: “The first revolution is when you change your mind about how you look at things, and see there might be another way to look at it that you have not been shown. What you see later on is the results of that, but that revolution, that change that takes place will not be televised.” - Gil Scott-Heron (1949–2011)
  • 12. Two year count down
    The two-year countdown to the General Data Protection Regulation (GDPR) is underway, and the consensus seems to be that most companies haven't got a clue how they're going to approach it. Research from Egress found that 87 percent of CIOs believe they would be exposed if the regulations came into force today, while research by YouGov for Netskope found that 80 percent of IT professionals in medium and large organisations were not confident of ensuring compliance by 25 May 2018.
    "It's 2 years away, but 2 years with any IT project is actually very short," he says. "Most businesses where they are running April to April will have already spent their budget for this year. So you are looking at preparing to spend budget on it next year." – Guy Bunker @ Clearswift
    Credit: http://www.cbronline.com/news/cybersecurity/data/2-years-to-gdpr-how-you-can-prepare-for-the-eu-data-protection-regulation-4903975
  • 13. How to lie with statistics
    https://www.amazon.com/How-Lie-Statistics-Darrell-Huff/dp/0393310728
    https://en.wikipedia.org/wiki/List_of_cognitive_biases
    https://blog.osvdb.org/
  • 14. What changes under GDPR
    - Higher Fines – breaches of the GDPR can result in fines up to 4% of a business' global turnover or €20M EUR (whichever is greater).
    - Consent – Businesses will need to be able to demonstrate that active consent has been given for any personal information they collect or process, and that they provide very clear information beforehand on how this personal information will be stored and used (privacy notices).
    - Privacy by Design – increasingly, Businesses will need to be able to demonstrate that they have actively considered privacy and adequately addressed any associated information security risks, and that this is built into the DNA of their organization.
    - Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours).
    - Data Processors – at present only organisations acting as Data Controllers have legal obligations for looking after personal information under the UK Data Protection Act. The GPDR aims to extend some of the direct legal obligations on to Data Processors as well as Data Controllers.
    - Sensitive personal data – the definition of sensitive personal data has been widened to include genetic and biometric data, and there will be stricter rules for processing this kind of (medical) information.
    - Data Subjects' Rights – generally, individuals will have stronger rights to request the transfer of their personal information from one service provider to another and also when requesting their “right to be forgotten”.
    - Data Protection Officers – Data Protection Officers will become mandatory for organisations whose primary purpose involves processing sensitive personal data or who monitor data subjects regularly on a large scale.
    Credit: fruition blog, Feb 2016
  • 16. Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours). Compare: Visa Europe security compromise factsheet (https://www.visaeurope.com/media/pdf/security%20compromise%20factsheet%20-%20march%202015.pdf) – Immediately: Bank + PCI-PFI.
  • 17. Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours). Compare: Visa “What to do if compromised” (https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf) – 72hrs, actual or suspected: report sent to Visa.
  • 18. Mandatory Notification – there will be a mandatory duty under GPDR to promptly report data protection breaches that put the rights and freedoms of individuals at risk (within 72 hours). Compare: TalkTalk appeal against ICO data breach fine dismissed (http://www.theregister.co.uk/2016/09/01/talktalk_appeal_against_ico_data_breach_fine_dismissed/) – 24hrs: report sent to ICO.
  • 19. Converge with: Information Security, Quality Management, Legal, Recruitment. Other disciplines talk about it more than us!
  • 20. Any Questions? No is a valid answer.
  • 21. * Section 3: What You can do. Revolution quote 3: “There can't be any large-scale revolution until there's a personal revolution, on an individual level. It's got to happen inside first.” - Jim Morrison (1943–1971)
  • 22. Disclaimer: I haven't yet tried this next bit ;)
  • 23. ISO27001, ISO27002, ISO9001, PCI DSS v3.2, AML / TCF, TOP20 CC, NSA MNP, SOC I, SOC II. Remember DPA98 Pr7 from part one.
  • 25. [Governance diagram, dated 05.Sep.16] Governance: Mubadala Group / Injazat CEO; Company CEO; Group Security Office; Data Protection / Data Security “Tone at the Top” Directive from CEO; Data Protection Management Policy; Scope of ICO registration; Data Governance Forum (Steering Group) – Charter and Minutes. Management: Data Protection Strategy Paper & sub-plans; DPO Measurement Plan; DPO Annual Objectives; DPO Annual Audit Plan; DPO Communications Plan; DPO Data Breach Plan; DSARs / Complaints; Data Quality Management; Information Asset Register; Privacy Impact Analysis Project (RA); Data Discovery with Business Impact Analysis.
  • 26. Short cycle error correction (F3): FIND, FIX, FINISH. Variations:
    - F2T2E : Find, Fix, Target, Track, and Execute
    - F2T2EA : Find, Fix, Track, Target, Engage, Assess
    - F2T2 : Find, Fix, Track, Target
    - F3EAD : Find, Fix, Finish, Exploit, Analyze and Disseminate
    If you're interested in military tactics that might support Cyber Security, look into http://www.pogoarchives.org/straus/shaping-and-adapting-boyd-20150422.pdf and the F3EAD paper - http://www.dtic.mil/dtic/tr/fulltext/u2/a547092.pdf
  • 27. Data Discovery: BC / DR Team; Vulnerability Scanner; IT Ops / ITIL; HR / Legal / Finance; ICO registration.
  • 28. Information Asset Register: where you are Data Controller; where you outsource. https://www.linkedin.com/pulse/25-exciting-things-do-information-asset-register-reynold-leming?trk=hp-feed-article-title-like
  • 29. Information Asset Register, by Reynold Leming
    1. Understanding Relationships: A related series of records sharing the same purpose (a "master asset" if you will) might have a variety of constituent entities ("sub assets") in different formats - e.g. physical records, digital content, database records. Identifying these within an IAR will enable an understanding of their relationships and purpose over time.
    2. Security Classification: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information.
    3. Personal Data: Specifically you can identify confidential personal information to ensure that data protection / privacy obligations are met, for example in terms of security and disposal.
    4. Ownership: The ability to know - who owns what? Also to understand who owns, both in terms of corporate accountability and ownership of the actual information itself.
  • 30. Internal Training (1)
    Does the data enable you to identify the person directly? YES -> It is personal data. NO -> Does the data enable you to identify the person indirectly? YES -> It is personal data. NO -> It is not personal data.
  • 31. Internal Training (2)
    - Fair and lawful processing
    - Proportionate processing
    - Accurate and up to date
    - Data retention limitation
    - Data transfers limitation
  • 32. Privacy Impact Assessment (Are you a Data Controller? Are you a Data Processor?)
    - Name of the processing service
    - Date of service implementation
    - Name of the software / application used
    - Key contact internal
    - Key contact external
    - List of data collected and processed (detailed)
    - Purpose of the processing (detailed)
    - Period during which data are stored and processed
    - Persons who need to have access (detailed R&R)
    - Does the processing need development or maintenance by a third party?
    - Does the processing imply transfer out of EU within the company?
    - Does the processing imply transfer out of EU to a third party?
    - How will data transfers be secured to provide an adequate level of protection?
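The Information Asset Register (slide 29), the personal-data decision tree (slide 30) and the PIA checklist (slide 32) can be operated as one record per asset with a rule set over it. The following Python is an added example, not code from the deck: the field names, the finding texts and the three sample register entries are my own construction, and the "sensitive" set mirrors the widened definition on slide 14.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Asset:
    """One register entry; fields follow the PIA checklist and IAR notes (assumed names)."""
    name: str
    owner: Optional[str]              # IAR item 4: who owns what?
    identifies_directly: bool         # decision tree, first question
    identifies_indirectly: bool       # decision tree, second question
    data_items: List[str]             # "List of data collected and processed"
    retention_period: Optional[str]   # "Period during which data are stored and processed"
    transfer_out_eu_internal: bool    # transfer out of EU within the company?
    transfer_out_eu_third_party: bool # transfer out of EU to a third party?
    transfer_safeguard: Optional[str] # "How will data transfers be secured?"
    third_party_maintenance: bool     # development or maintenance by a third party?

# Categories the slide 14 text names as sensitive (genetic, biometric, medical).
SENSITIVE = {"genetic", "biometric", "medical"}

def is_personal_data(asset: Asset) -> bool:
    """Slide 30 decision tree: direct identification first, then indirect."""
    if asset.identifies_directly:
        return True
    return asset.identifies_indirectly

def pia_findings(asset: Asset) -> List[str]:
    """Return the checklist gaps for one asset; non-personal data yields none."""
    findings: List[str] = []
    if not is_personal_data(asset):
        return findings
    if not asset.owner:
        findings.append("no business owner assigned")
    if not asset.retention_period:
        findings.append("no retention period recorded")
    leaves_eu = asset.transfer_out_eu_internal or asset.transfer_out_eu_third_party
    if leaves_eu and not asset.transfer_safeguard:
        findings.append("transfer out of EU without a documented safeguard")
    if asset.third_party_maintenance:
        findings.append("processor involved: check data processor obligations")
    special = SENSITIVE & {item.lower() for item in asset.data_items}
    if special:
        findings.append("sensitive personal data (%s): stricter processing rules" % ", ".join(sorted(special)))
    return findings

def register_report(assets: List[Asset]) -> Dict[str, List[str]]:
    """Map each asset name to its findings, ready for the DPO measurement plan."""
    return {a.name: pia_findings(a) for a in assets}

SAMPLE_REGISTER = [  # constructed sample entries, not taken from the deck
    Asset("HR payroll", "Head of HR", True, True, ["name", "bank account"], "7 years after leaving", False, True, None, True),
    Asset("Occupational health", None, False, True, ["employee id", "medical"], None, True, False, "contractual safeguard recorded", False),
    Asset("Web analytics aggregate", "Marketing", False, False, ["page views"], "13 months", True, False, None, False),
]
```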
  • 34. Summary
    - There are many overlaps in the ISMF and managing Data Protection in the Enterprise
    - Establish a Data Protection Steering Group
    - Choose a DPO
    - Find and classify the data, assigning a business owner
    - Prepare internal training
    - Prepare a holistic Data Breach Plan – not just a technical response
    - Use this activity to enforce better Information Security Controls, e.g. data classification, Information Asset Register, data retention cleanup + evidence
  • 35. Takeaways
    - Take it seriously: we've had 18 years to get this
    - Get started if you haven't already
    - Use what has been learnt from years of ISMS governance and certification
    - Tailor it to your organisation (size and maturity)
    - Learn from other disciplines (collaborate or die)
    - Challenge conference organisers on GPDR agendas
    - Network with like-minded peers
  • 36. Time is precious, thank you for yours. James