
VMTN6642E - GDPR Slide Deck

1. GDPR: BATTEN THE HATCHES, IT'S COMING!
   Kyle Davies – Solutions Architect
   VMWORLD EU 2017 - VMTN6642E

2. WHO AM I?
   • Kyle Davies
   • CDW - Solutions Architect
   • Twitter: @kdavies1988
   • Blog: www.kyle-davies.com
   • Experience: 10 Years+
   • Accreds: vExpert 2016-2017, Citrix CTA, Former Atlantis ACE, Cisco Spark Ambassador…

3. VMWARE DISCLAIMER
   • This presentation may contain product features or functionality that are currently under development
   • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product
   • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind
   • Technical feasibility and market demand will affect final delivery
   • Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined
   • This information is confidential

4. MY DISCLAIMER
   • I am not a lawyer
   • Technology is an enabler / helping hand for GDPR and not the answer
   • Thoughts are my own, and not necessarily the thoughts of CDW
   • The session is to get you thinking about GDPR if you haven't already

5. AREAS COVERED IN 30 MINUTES
   • Timeframes
   • Directive vs regulation
   • Definitions
   • Why the need for GDPR
   • The high level differences between DPD & GDPR
   • Key GDPR features / impact points
   • GDPR myths
   • Fines
   • The structure
   • The ICO advised approach
   • My advised approach
   • Where VMware can help
   • Closing statement
6. QUESTION – HANDS UP… WHO IS CURRENTLY DOING SOMETHING FOR THE GDPR?

7. QUESTION – HANDS UP… WHO HAS NO IDEA ABOUT THE GDPR OR HASN'T EVEN LOOKED AT IT YET?

8. QUESTION – HANDS UP… WHO THINKS THE GDPR DOESN'T APPLY TO THEM?

9. TIMEFRAMES
   • 8 April 2016 – the European Council adopted the regulation
   • 14 April 2016 – the regulation was adopted by the European Parliament
   • 4 May 2016 – published in the EU Official Journal in all the official languages
   • 24 May 2016 – the regulation entered into force
   • 25 May 2018 – applies from this date
   "This regulation shall be binding in its entirety and directly applicable in all Member States."

10. DIRECTIVE vs REGULATION
   DIRECTIVE
   • Instrument passed at EU level
   • National implementation
   • Local variations
   REGULATION
   • Instrument passed at EU level
   • No need for national implementation
   • One ring to rule them all
11. SOME DEFINITIONS (Article 4)
   • Personal Data – 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
   • Processing – 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
   • Profiling – 'profiling' means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

12. SOME DEFINITIONS (continued)
   • Pseudonymisation – 'pseudonymisation' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
   • Controller – 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
   • Processor – 'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

13. SOME DEFINITIONS (continued)
   • Consent – 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
   • Personal Data Breach – 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
   • Enterprise – 'enterprise' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
   • Supervisory Authority – 'supervisory authority' means an independent public authority which is established by a Member State pursuant to Article 51;
   • International Organisation – 'international organisation' means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
14. WHY THE NEED FOR GDPR & THE CHANGE?
   [Timeline graphic: EU Data Protection Directive (DPD) – 1995; UK Data Protection Act (DPA) – 1998; GDPR – 2016]

15. WHY THE NEED FOR GDPR & THE CHANGE?
   Percentage of households with home computers in the United Kingdom
   • 1990 – 17%
   • 1996/1997 – 27%
   • 2001/2002 – 49%
   • 2007/2008 – 72%
   • 2015/2016 – 88%
   https://www.statista.com/statistics/289191/household-penetration-of-home-computers-in-the-uk/

16. WHY THE NEED FOR GDPR & THE CHANGE?
   Percentage of households with internet connection in the United Kingdom
   • 1998/1999 – 9%
   • 2001/2002 – 39%
   • 2008 – 66%
   • 2014 – 84%
   https://www.statista.com/statistics/289201/household-internet-connection-in-the-uk/
17. HIGH LEVEL CHANGES FROM DPD TO GDPR
   DPD → GDPR
   • 34 Articles → 99 Articles
   • 72 Recitals → 173 Recitals
   • No detail on provisions of consent → Details valid conditions for consent
   • No detail on children's data processing → Details an age limit for making processing of children's data lawful
   • Right to be forgotten only in limited circumstances (unlawful processing or incomplete/inaccurate data) → Lists conditions under which the right can be exercised
   • No obligation to maintain records of processing activities → Lists obligations of controllers and processors to be able to demonstrate, and be accountable for, their processing
   • No enforcement of accountability → Enforcement of accountability and conditions for imposing fines
   https://cis-india.org/internet-governance/blog/comparison-of-general-data-protection-regulation-and-data-protection-directive

18. HIGH LEVEL CHANGES FROM DPD TO GDPR
   • Regulation, not a Directive
   • Personal data redefined (including online unique identifiers)
   • Mandatory breach notification
   • Financial repercussions / penalties
   • One Stop Shop (kind of)
   • Information governance: track how and where data is used, captured etc.
   • Transparency: the controller must provide clear information on data subjects' rights and explain how data will be processed; any communication must be in clear, plain language that will be understood by the target audience
   • Data portability: structured and machine readable; controller-to-controller transmission upon request of the data subject
   • Right to be forgotten (if there is no legitimate ground to retain)
   • Data processors liable to the same level as data controllers
   • Global impact for multinational businesses that deal in the EU
19. GDPR MYTHS – THE BIGGEST THREAT IS EYE-WATERING FINES
   "Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."
   "While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well suited to the task at hand and just as effective."
   Elizabeth Denham, ICO
   https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/

20. GDPR MYTHS – EVERY ORGANISATION NEEDS A DATA PROTECTION OFFICER!
   A DPO must only be appointed in the case of: (a) public authorities, (b) organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or (c) organisations whose core activities involve large-scale processing of special categories of (sensitive) personal data.
   Read Article 37

21. GDPR MYTHS – GDPR IS A EUROPE-ONLY ISSUE!
   GDPR will affect any organisation that offers goods or services to people in the EU or monitors the behaviour of people located in the EU, regardless of where its offices or ad servers are based.
   Read Article 3(2) and Recitals 23 and 24 (territorial scope)

22. GDPR MYTHS – CONTROLLERS DON'T NEED DATA PROCESSING AGREEMENTS WITH PROCESSORS BECAUSE THE GDPR IMPOSES DIRECT OBLIGATIONS ON PROCESSORS
   Data processing agreements are vital to the controller–processor relationship, as they bind both parties to specific terms (and Article 28(3) requires processing by a processor to be governed by a contract or other legal act).
   Read Article 28

23. GDPR MYTHS – BIOMETRIC DATA IS SENSITIVE DATA UNDER THE GDPR
   This one is not a myth: Article 9(1) lists biometric data processed for the purpose of uniquely identifying a natural person among the special categories of personal data.
   Read Article 9

24. GDPR MYTHS – PSEUDONYMISED DATA (E.G. HASHED DATA) ARE TREATED EXACTLY LIKE ANY OTHER PERSONAL DATA UNDER THE GDPR
   Pseudonymised data remain personal data (Recital 26), but the regulation treats pseudonymisation as a risk-reducing safeguard rather than as just another form of processing: "The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data".
   Read Article 32 and Article 11
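The slide above treats "hashed data" as the canonical example of pseudonymisation, and that is where practitioners most often get it wrong: an unkeyed hash of a low-entropy identifier such as an email address is trivially reversed by hashing a list of candidate addresses, so it does not meet the definition's requirement that the data "can no longer be attributed to a specific data subject without the use of additional information". A keyed construction (HMAC under a key stored apart from the dataset) does, because the key is that separately held additional information. The following is an added example, not code from the deck or from VMware or CDW; the customer rows and the attacker's address list are constructed sample input, and the choice of HMAC-SHA256 is an assumption about one reasonable implementation.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a tiny "customer table" of the kind a controller might
# want to pseudonymise before handing it to an analytics processor.
CUSTOMERS = [
    {"email": "alice@example.com", "plan": "gold"},
    {"email": "bob@example.com", "plan": "silver"},
    {"email": "carol@example.org", "plan": "gold"},
]

# Constructed list of guessable identifiers an attacker could enumerate
# (a breach dump, a marketing list, or plain enumeration of common names).
# The point is that email addresses are low-entropy, not secrets.
ATTACKER_DICTIONARY = [
    "alice@example.com", "bob@example.com", "carol@example.org",
    "dave@example.net", "erin@example.com",
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: looks pseudonymous, is not."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a key held separately from the dataset.

    The key is the 'additional information' of the Article 4 definition:
    without it a token cannot be attributed to a data subject; with it the
    controller can still re-identify (e.g. to honour an access or erasure
    request). The output is still personal data under Recital 26.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(rows, key: Optional[bytes]):
    """Replace the email in each row with a token; key=None means naive hashing."""
    out = []
    for row in rows:
        if key is None:
            token = naive_hash(row["email"])
        else:
            token = keyed_pseudonym(row["email"], key)
        out.append({"subject_id": token, "plan": row["plan"]})
    return out


def dictionary_attack(tokens, dictionary):
    """Re-identify tokens by hashing every candidate identifier and matching.

    This is exactly what the recipient of an unkeyed-hash dataset can do with
    a list of known email addresses. It returns {token: recovered_email}.
    """
    rainbow = {naive_hash(e): e for e in dictionary}
    return {t: rainbow[t] for t in tokens if t in rainbow}


def compare(rows=CUSTOMERS, dictionary=ATTACKER_DICTIONARY):
    """Return (re-identified rows with naive hashing, re-identified rows with HMAC)."""
    naive = pseudonymise(rows, key=None)
    key = secrets.token_bytes(32)  # generated here; in practice stored apart from the data
    keyed = pseudonymise(rows, key)
    naive_hits = dictionary_attack([r["subject_id"] for r in naive], dictionary)
    keyed_hits = dictionary_attack([r["subject_id"] for r in keyed], dictionary)
    return len(naive_hits), len(keyed_hits)


if __name__ == "__main__":
    n, k = compare()
    print(f"naive hash: {n} of {len(CUSTOMERS)} subjects re-identified")
    print(f"keyed HMAC: {k} of {len(CUSTOMERS)} subjects re-identified")
```

Two design points worth stating. First, the key must actually live somewhere the dataset's recipient cannot reach (a separate secret store with its own access control and audit log), otherwise the "kept separately" condition is not met and the tokens are only as strong as the naive hash. Second, a keyed token is deterministic, so the same subject maps to the same token across exports made under the same key; rotating the key per recipient or per export prevents linking across datasets at the cost of making re-identification require the matching key.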
25. THE FINES
   Article 83 splits administrative fines into two tiers according to the obligations infringed by controllers, processors or undertakings.
   Up to 2% of total worldwide annual turnover or EUR 10,000,000* for:
   • Obligations of the controller and processor under Article 8 (conditions applicable to a child's consent in relation to information society services), Article 11 (processing which does not require identification), Articles 25 to 39 (general obligations, security of personal data, data protection impact assessment and prior consultation, data protection officer), Article 42 (certification) and Article 43 (certification bodies)
   • Obligations of a certification body under Articles 42 and 43
   • Obligations of a monitoring body under Article 41(4)
   Up to 4% of total worldwide annual turnover or EUR 20,000,000* for:
   • Basic principles for processing and conditions for consent under Article 5 (principles relating to processing of personal data), Article 6 (lawfulness of processing), Article 7 (conditions for consent) and Article 9 (processing of special categories of personal data)
   • Data subjects' rights under Articles 12 to 22
   • Transfers of personal data to a third country or international organisation under Articles 44 to 49
   • Non-compliance with the supervisory authority's powers under Article 58: imposition of a temporary or definitive limitation including a ban on processing (Art 58(2)(f)); suspension of data flows to a third country or international organisation (Art 58(2)(j)); failure to provide access to premises or data processing equipment and means (Art 58(1)(f))
   *Whichever is higher

26. FINANCIAL IMPACT EXAMPLE – A TELECOMMUNICATIONS PROVIDER
   • Record £400,000 fine (October 2015 attack)
   • Under GDPR this could have been up to £70m!
   • The attacker accessed the personal data of 156,959 customers, including names, addresses, dates of birth, phone numbers and email addresses
   • In 15,656 cases the attacker obtained bank details
   • Two early warnings – TELCO unaware!
   http://cybersecurityinsights.foregenix.com/post/102dpzf/gdpr-fines-to-make-your-eyes-water

27. FINANCIAL IMPACT EXAMPLE
   The ICO's in-depth investigation found that the attack could have been prevented if TELCO had taken basic steps to protect customers' information:
   • Technical weaknesses in TELCO systems
   • Out-of-date database software
   • Did not scan infrastructure for possible threats

28. FINANCIAL IMPACT EXAMPLE
   "In spite of its expertise and resources, when it came to the basic principles of cyber-security, TELCO was found wanting. Today's record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under law, but because they have a duty to their customers."
   UK ICO, Elizabeth Denham
29. THE ESCALATION STRUCTURE (UK)
   [Diagram; entities shown:]
   • Data subject (individuals)
   • Data controller (organisation)
   • Data processor (service provider)
   • 3rd party
   • 3rd countries
   • Lead supervisory authority (Information Commissioner's Office – ICO)
   • European Data Protection Board

30. ICO ADVISED APPROACH (UK)
   1. AWARENESS – Make your organisation aware of the changes and impact of GDPR
   2. INFORMATION YOU HOLD – Document what personal data you hold, where it came from and who you share it with
   3. COMMUNICATING PRIVACY INFO – Review current privacy notices, plan for GDPR change requirements
   4. INDIVIDUALS' RIGHTS – Review procedures to ensure they cover all the rights individuals have, including how you will delete or provide data electronically
   5. SUBJECT ACCESS REQUESTS – Update procedures and plan how you will manage requests within the new timescales
   6. LEGAL BASIS FOR PROCESSING PERSONAL DATA – Review existing data processing carried out, identify the legal basis for carrying it out
   7. CONSENT – Review how you are seeking, obtaining and recording consent for any required changes
   8. CHILDREN – Think about how you can verify individuals' ages and gather parental/guardian consent for data processing activities
   9. DATA BREACHES – Ensure procedures are in place to detect, report and investigate breaches
   10. DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS – Look into providing privacy impact assessments, and when to implement them
   11. DATA PROTECTION OFFICERS – Designate a data protection officer, or someone to take responsibility for compliance; review where this role will sit in your organisation
   12. INTERNATIONAL – Determine which data protection supervisory authority you come under

31. WHERE ORGANISATIONS ARE STRUGGLING
   • Director level buy-in
   • Understanding of the impacts and risks to the business
   • Lack of budget or resources
   • Don't understand what PII data is held or how it is captured

32. MY ADVISED STARTING POINT
   • Start planning your approach to GDPR compliance NOW
   • Secure buy-in from key people (senior execs and board members)
   • Evaluate the differences between the current law and the GDPR – concentrate where you have gaps
   • Document / understand what PII data you hold and where you obtained it from
   • The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate accountability
   • Certain parts of the GDPR have more of an operational impact on some organisations than on others

33. VMWARE PRODUCTS AND CAPABILITIES MAPPED TO GDPR
   • Micro-segmentation
   • Automation, monitoring
   • Audit features
   • Logging
   • Planning and designing network security
   • Managing data flow
   • Network isolation
   • Workload segmentation
   • Network monitoring
   • Access control
   • Protecting sensitive data
   • Securing data exports
   • Access controls with workloads and geotagging
   • Access control with device location
   • Multi-country data center design
   • Monitoring and exposing network services via API
   • Reviewing network architecture
   • Data protection including encryption
   • Business continuity, visibility

34. GDPR ARTICLES MAPPED TO VMWARE PRODUCTS AND CAPABILITIES
   • Article 18 – Right to restriction of processing: VMware NSX (NSX Distributed Firewall, NSX Service Composer, NSX Logical Switches, NSX Guest Introspection, NSX Network Extensibility)
   • Article 24 – Responsibility of the controller: VMware NSX (NSX Application Rule Manager, NSX Endpoint Monitoring); vRealize Network Insight; vRealize Operations; vRealize Log Insight
   • Article 25 – Data protection by design and by default: VMware NSX (NSX Service Composer, NSX Endpoint Monitoring, NSX Guest Introspection); vSphere; vShield Endpoint
   • Article 26 – Joint controllers: VMware NSX; NSX Distributed Firewall; vRealize Network Insight
   • Article 32 – Security of processing: VMware NSX (NSX Service Composer, NSX Edge Services Gateway); VMware vSphere; vCenter; VMware Data Protection; vSphere Replication; VMware vRealize Network Insight; VMware Site Recovery Manager
   • Article 35 – Data protection impact assessment: VMware NSX (NSX Application Rule Manager); vRealize Network Insight; NSX; vRealize Log Insight

35. WHERE VMWARE CAN ASSIST
   • To learn more on how VMware can assist, please visit the VMware booth or attend GRC3109PE and/or GRC3386BES

36. THANK YOU
   VMWORLD EU 2017 - VMTN6642E
   Kyle Davies – Solutions Architect
   Blog: www.kyle-davies.com
   Twitter: @kdavies1988
