General Data Protection Regulation (GDPR) - Moving from confusion to readiness
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Recomendado
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a Gdpr action plan - ISSA (20)
Más de Ulf Mattsson (20)
Más reciente (20)
Gdpr action plan - ISSA
- 1. Do You Have a Roadmap for EU GDPR Compliance? Ulf Mattsson, CTO Security Solutions Atlantic BT
- 2. Ulf Mattsson Inventor of more than 55 Issued US Patents Industry Involvement: • PCI DSS - PCI Security Standards Council Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs • IFIP - International Federation for Information Processing • CSA - Cloud Security Alliance • ANSI - American National Standards Institute ANSI X9 Tokenization Work Group • NIST - National Institute of Standards and Technology NIST Big Data Working Group • User Groups Security: ISACA & ISSA Databases: IBM & Oracle 2
- 3. 3 3
- 4. 4 Verizon 2017 Data Breach Investigations Report Source: Verizon 2017 Data Breach Investigations Report 4
- 5. Source: Verizon 2017 Data Breach Investigations Report 5
- 6. Source: Verizon 2016 Data Breach Investigations Report 6 Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Breach Discovery
- 7. Source: Verizon 2016 Data Breach Investigations Report 7Source: Verizon 2016 Data Breach Investigations Report Verizon 2016 Data Breach Investigations Report – Malware
- 8. Source: BitSight 8
- 9. Will Your Data Be Sold?
- 10. 10
- 11. Will You Ever Get Your Data 11
- 12. 12
- 13. 13
- 14. Ransomware are Getting Worse • The cyber security solutions that are in place today are somewhat effective • But a significant proportion of decision makers report that their problems with phishing • Ransomware are getting worse over time • For most of the cyber security capabilities that organizations have deployed to combat these threats, the majority of decision makers report they are not highly effective Source: Osterman Research, Inc., 2017 14
- 15. GDPR Action Plan A Members Owned Not-for-Profit Organisation 15
- 16. GDPR = Trust ENTERPRISE wide Trust © 2017 - The GDPR Institute - All Rights Reserved 16
- 17. Impact Do you control or process personal data about ANY EU Citizens? If so you have to be GDPR compliant by 25th May 2018 or manage the implications of the fines and the reputational damage of any and every Data Breach – including Customers Employees Suppliers © 2017 - The GDPR Institute - All Rights Reserved 17
- 18. The Institutes’ Purpose Create a community of Data Privacy, Data Security and Data Governance experts to assist Large, Medium and Small Organisations address the challenge and maximise the opportunity created by the General Data Protection Regulation GDPR Challenge Or GDPR Opportunity © 2017 - The GDPR Institute - All Rights Reserved 18
- 19. The Institutes’ Community Corporate Clients 61 Million Global Experts GDPR Consulting Providers GDPR Technology Solutions GDPR Audit Services GDPR Legal Advisors GDPR Training Providers GDPR Recruitment Services © 2017 - The GDPR Institute - All Rights Reserved 19
- 20. Bringing Together to Solve GDPR GDPR Defensible Position GDPR Consulting Providers GDPR Technology Solutions GDPR Legal Advisors GDPR Recruitment Services GDPR Training Providers GDPR Audit Services 61 Million Global Experts © 2017 - The GDPR Institute - All Rights Reserved 20
- 21. Opportunity or Challenge? 1. Fines 2. Loss of Customers 3. Reputational Damage COST of Compliance © 2017 - The GDPR Institute - All Rights Reserved 21
- 22. Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change GDPR = Enterprisewide Change Management Post Room Board Room People Process Technology Information © 2017 - The GDPR Institute - All Rights Reserved 22
- 23. Scale of Data Breaches http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ 23
- 24. You will have a Data Breach © 2017 - The GDPR Institute - All Rights Reserved 24
- 25. Key Questions 1. What Personal Data do you hold – Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Patient etc 2. Where is that Data Located? PC hard drive, Remote Storage or Backup Device, On Premise Database or Content Server, or in The Cloud 3. How are you using that Data? 4. Do you have Explicit or Implied Permission to use the data in the way you are using it? © 2017 - The GDPR Institute - All Rights Reserved 25
- 26. Compliance Gap Analysis Security Reviews Use Case Management Consent Management Technology Assessments Business Process Management The GDPR Roadmap Privacy Impact Assessment Legal Advice Detailed Readiness Assessment Educate & Train Subject Access Management Threat Detection Case Management GDPR Defensible Position Annual GDPR Audits © 2017 - The GDPR Institute - All Rights Reserved 26
- 27. Immediate Action Plan 1. Seek Legal Advice 2. Conduct a Privacy Impact Assessment 3. Complete a Readiness Assessment to address the key questions 4. Secure Executive Sponsorship and a meaningful budget 5. Develop a Consent Management Strategy 6. Build a Data Subject Access Request process before you get swamped 7. Ensure you have all your Breach Detection technology in place – Database, Content Repositories, Network Traffic, Dark Web 8. Prepare for the worst, and breathe a sigh of relief if it doesn’t happen © 2017 - The GDPR Institute - All Rights Reserved 27
- 28. The GDPR Institute Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity A Members Owned Not-for-Profit Organisation www.gdpr.institute 28
- 29. GDPR Legal Issues 29
- 30. 30
- 31. 31
- 32. 32
- 33. 34
- 34. 35
- 35. 36
- 36. GDPR Already a Reality 37
- 37. GDPR Already a Reality Source: Cordery Legal Compliance, UK, 2017 38
- 38. GDPR Rules Requires Data Protection Technology Source: Imperva, 2017 39
- 39. Case Studies
- 40. GDPR Case Studies 41 • US and Spain – customer data • Italy, Germany and more – financial data • Germany – outsourcing • Sweden – PII data
- 41. GDPR Simplified into 12 blocks 1. Legitimate basis for data: organizations must know and be able to prove that processing has a legitimate purpose. 2. Information you hold: organization should keep data only in so far as necessary. 3. Individuals rights: individuals (customer…) have the right to ask questions about their personal data. 4. Consent: there should be explicit and clear consent for processing of personal data. 5. Children´s data: explicit consent of the child’s parents (or guardian) for minors less than 16 years of age. 6. Privacy notices: Organizations must transparently state their approach to personal data protection in a privacy notice. 7. Data breaches: Organizations must maintain a data breach register and, data subject should be informed within 72 hours. 8. Privacy by design: Mechanisms to protect personal data should be incorporated in design of new systems and processes. 9. Privacy impact assessment: organization must conduct a privacy impact assessment to review the impact and possible risks. 10. Data Protection Officers: organization should assess the need to assign a Data Protection Officer. 11. Third parties: The controller of personal data has the responsibility to ensure that personal data is protect 12. Awareness: To create awareness among your staff about key principles on data protection, conduct regular training. To know more read my book https://goo.gl/HMDRfk
- 42. Webcast title : EU GDPR Details • Duration : 60 min • Date & Time : Oct 25 2017 10:00 am • Timezone : United States - New York • Webcast URL : https://www.brighttalk.com/webcast/14723/269681
- 43. Data Security for Cloud, Big Data and Containers
- 44. Protect Sensitive Cloud Data Internal Network Administrator Attacker Remote User Internal User Public Cloud Examples Each sensitive field is protectedEach authorized field is in clear Cloud Gateway 45 Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) SecDevOps The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data
- 45. Securing Big Data - Examples of Security Agents Import de-identified data Export identifiable data Export audit for reporting Data protection at database, application, file Or in a staging area HDFS (Hadoop Distributed File System) Pig (Data Flow) Hive (SQL) Sqoop ETL Tools BI Reporting RDBMS MapReduce (Job Scheduling/Execution System) OS File System Big Data Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) 46 SecDevOps
- 46. Virtual Machines Docker Data Security Agents, including encryption, tokenization or masking of fields or files (at transit and rest) Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch SecDevOps SecDevOps 47
- 47. Preparing for GDPR 48 48
