An overview of GDPR data privacy and the impact on traditional information security practices, which was presented at SecureWorld Dallas, October, 2017
2. 2
Privacy / data protection regulations and events

1970's: Growth of Government Surveillance
1980's: Growth of Federal Privacy Regulations
1990's: Growth of the Internet & Databases
2000's: Growing need to prevent terrorism but concerns with Surveillance

Timeline (1970 to 2018, as presented October 2017):
Fair Credit Reporting Act - 1970
Bank Secrecy Act - 1970
US Health & Human Services - Code of Fair Information Principles - 1971
Sweden's National Privacy Law - 1973
Privacy Act of 1974
Family Educational Rights & Privacy Act - 1974
Foreign Intelligence Surveillance Act - 1978
Right to Financial Privacy Act - 1978
Privacy Protection Act - 1980
OECD (US, EU, Japan) - 1981
Convention of Europe (COE) - 1981
Cable Communications Policy Act - 1984
Electronic Communications Privacy Act - 1986
Computer Matching and Privacy Protection Act - 1988
Employee Polygraph Protection Act - 1988
Video Privacy Protection Act - 1988
Do Not Call Registry - 1991
Driver's Privacy Protection Act - 1994
EU Directive - 1995
HIPAA - 1996
COPPA - 1998
GLBA - 1999
US - EU Safe Harbor - 2000
USA PATRIOT Act - 2001
Homeland Security Act - 2002
California SB 1386 - 2003
FACTA - 2003
CAN-SPAM Act - 2003
Asia Pacific (APEC) Privacy Framework - 2004
PCI Standard - 2004
Real ID Act - 2005
Edward Snowden NSA Revelations - 2013
Canada Anti-Spam (CASL) - 2014
US - EU Safe Harbor Invalidated - 2015
Equifax Data Breach - 2017 (7/29/2017)
General Data Protection Regulation (GDPR) - 05/25/2018
3. 3
GDPR is an update

When: May 25, 2018

Why: Twenty-five year evolution
• Directive 95/46/EC – 1995
• GDPR Proposal - 2012
• Two CJEU cases in 2015
  o Weltimmo – one-stop shop on regulations
  o Schrems – collapse of EU-US Safe Harbor program
• Adopted April, 2016 (173 reasons/recitals)

Scope: Regardless of physical company or processing location
1. Processing EU citizen data
2. Offer goods/services
3. Monitor behavior in EU

Primary changes:
1. Extra-territorial applicability
2. Penalties
3. Consent
4. Data Subject rights (including damages)
5. Unexpected design and security impacts for most

2 year advance notice
4. 4
GDPR Scope

Expanded definition of Personal Data (PD):
“…an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

• Enforcement
  • Applies equally to data controllers and processors
  • No minimum number of subjects
  • Not limited to digital data
5. 5
Specific penalties

• The higher of €10m or 2% annual global revenue for violations of TOMs (technical and organizational measures) and breach notification (1)
• The higher of €20m or 4% annual global revenue for violations of (2):
  • Basic principles
  • Data subject rights
  • Transfers to third countries or international organizations
  • Member state laws

(1) Articles 8, 11, 25 – 39, 42 – 43
(2) Articles 5 – 7, 9, 12 – 22, 44 – 49
6. 6
Impact #1 - Protections

• Appropriate TOMs (technical and organizational measures), taking into account:
  • State of the art
  • Cost
  • Nature, scope, context and purpose
  • Risk and severity for data subject rights
• Requires data controller and data processor to provide:
  • Pseudonymization and encryption of personal data
  • Ongoing CIA (confidentiality, integrity, availability) and system resilience
  • Timely restoration of availability and access after incidents
  • Regular testing of the effectiveness of TOMs
• Ensures those authorized to access do not process except on instructions from the controller
• Encourages certifications recognized by DPAs
7. 7
Impact #2 - Data Subject rights

Rights and their operational impact:
Transparency: Data collected, purpose, protections in place, retention, recipients
Information: Where collected from data subject; where obtained by third parties if combined
Access: Design new user interfaces (online); extracting all data (offline)
Rectification: New user interfaces (online); written procedures completed within 30 days (offline)
Restrict processing: Flag data / hold future processing (other than storage)
Erasure (Right to be Forgotten): No overriding legitimate interests, unlawfully processed, legal purpose; reasonable steps to remove links to publicly available data and inform data recipients to delete
Portability: Where applicable, extract of all data
Object: Object to processing, and for direct marketing the default is opt-out
Restrict automated decisions: Restrict profiling & automated decisions; in particular, special categories of data require suitable safeguards
8. 8
Impact #2 – supporting Data Subject rights

• Identification/verification for access
• Response within 30 days (explain if/when it will be > 30 days)
• Address 1:1 vs. 1:many
• Free (unless excessive or unfounded)
• Additional technical/customer staff access
• Cross compliance challenges (PCI, HIPAA)
• Higher insider risk
9. 9
Impact #3 – Processing records

• Processing records (registers)
  • Name/contact of controllers/co-controllers
  • Purpose of processing
  • Categories of data subjects
  • Data elements (flag sensitive data)
  • Recipients
  • If applicable:
    Transfers to third country or international organization (named)
    Documented safeguards
  • Retention for different categories of data
  • TOMs
• Available upon DPA request
• Likely required for breach notification
10. 10
Impact #4 - breach notification

• Authorizes class action lawsuits against large data controllers and processors
• Controllers' & processors' records must show processing conforms to the GDPR
• Required notification to DPA within 72 hours:
  • Nature of breach
  • Numbers/categories of data subjects & records
  • DPO contact
  • Likely consequence for data subjects
  • Plans to address issue &/or mitigation
  • Proof of limited data risk for data subjects
• Data processors must inform the controllers ASAP
11. 11
Impact #4 – EU vs U.S. breach laws

Definition of a breach
  GDPR: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
  U.S. state laws (example, TX): “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data”

Regulator notification
  GDPR: Notification to a DPA within 72 hrs.
  U.S. state laws: Notification to state government
    • Only 29 states require AG or agency notice
    • Only 10 states have a prescribed notification period, ranging from 5 to 90 days, and most are to citizens

Citizen notification
  GDPR: Controller may have to prove absence of risk to DPA to avoid citizen notice
  U.S. state laws: Most states specify conditions that eliminate citizen notice

Private right of action
  GDPR: All citizens have a private right of action
    • Actions can be taken against the controller or processors (whichever may be in country)
  U.S. state laws: Only 16 states allow citizens a private right of action
    • Actions are limited to the company collecting/owning the data
12. 12
Impact #5 – New systems or applications

• Security and privacy options enabled by default
• Data lifecycle use cases/stories for all SaaS products
• New functionality:
  • Data subject identification, access, and request processes (technical/operational support)
  • Data retention and erasure throughout:
    Databases and data warehouses
    Logs
    Backups and archives
  • Data portability options (where applicable)
  • Tokenization and encryption at rest

Genuine design prowess required!
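The erasure and encryption-at-rest items above are where the design effort lands: a subject's data ends up in logs, backups and archives that cannot be rewritten on demand. The sketch below is an added example, not from the presentation, of crypto-shredding: each subject's personal fields are sealed under a per-subject key held in a mutable key vault, records are indexed by a keyed pseudonym rather than the raw identifier, and erasure deletes the key so every copy, backups included, becomes unreadable. The cipher is a stdlib-only HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen so the example runs without third-party packages; a production system would use an AEAD such as AES-GCM, and the pepper and per-subject keys would live in a KMS or HSM.

```python
import hashlib, hmac, json, secrets

PEPPER = secrets.token_bytes(32)  # constructed server secret for lookup keys; a KMS/HSM would hold it

def pseudonym(identifier: str) -> str:
    """Keyed pseudonym so indexes, logs and backups never hold the raw identifier."""
    return hmac.new(PEPPER, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: stdlib-only stand-in for an AEAD such as AES-GCM
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class PersonalDataStore:
    """Records carry ciphertext; only the key vault is mutable. Snapshots copy records, never keys."""
    def __init__(self):
        self.keys = {}     # pseudonym -> per-subject data encryption key (the only thing erasure touches)
        self.records = {}  # live database
        self.backups = []  # immutable snapshots of the live database

    def store(self, email: str, personal: dict, non_personal: dict) -> None:
        pid = pseudonym(email)
        key = self.keys.setdefault(pid, secrets.token_bytes(32))
        self.records[pid] = {"sealed": seal(key, json.dumps(personal).encode()), **non_personal}

    def snapshot(self) -> None:
        self.backups.append(dict(self.records))

    def read(self, email: str, source=None):
        """Personal fields from the live DB (or a backup passed as source); None once shredded."""
        pid = pseudonym(email)
        rec = (self.records if source is None else source).get(pid)
        if rec is None or pid not in self.keys:
            return None
        return json.loads(unseal(self.keys[pid], rec["sealed"]))

    def erase(self, email: str) -> None:
        self.keys.pop(pseudonym(email), None)     # crypto-shred: one deletion makes every copy unreadable
        self.records.pop(pseudonym(email), None)
```

Non-personal fields stay readable in the backup after erasure, which is the point: analytics and integrity of the snapshot survive while the personal data does not.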
13. 13
Summary

GDPR > Data protection > compliance
• Evidence based accountability
• Data subject rights before business wants
• Data breach notification by default
• Protection & Privacy by Design – PPbD
• Don’t retain data
• Encryption &/or pseudonymization expected