© IT Governance Ltd 2017
Copyright IT Governance Ltd 2017 – v1.0
The GDPR and NIS Directive: Risk-based security measures and incident notification requirements
Adrian Ross LLB (Hons), MBA
GRC Consultant
IT Governance Ltd
4 May 2017
Introduction
• Adrian Ross
• GRC consultant
– Infrastructure services
– Business process re-engineering
– Business intelligence
– Business architecture
– Intellectual property
– Legal compliance
– Data protection and information security
– Enterprise risk management
IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes
Agenda
• An overview of the regulatory landscape
• Subject matter, material and territorial scope
• Remedies, liabilities and penalties
• Personal data breaches under the GDPR
• The NIS Directive
• Operators of essential services
• Digital service providers
• GDPR vs NIS Directive
The nature of European law
Two main types of legal instrument:
• Directives
º Require individual implementation in each member state
º Implemented by the creation of national laws approved by the parliaments of each member state
º Directive on security of network and information systems (Directive (EU) 2016/1148)
• Regulations
º Immediately applicable in each member state
º Require no local laws to implement
º General Data Protection Regulation (Regulation (EU) 2016/679)
The General Data Protection Regulation (GDPR)
Article 99: Entry into force and application
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
KEY DATES
• On 8 April 2016, the European Council adopted the Regulation.
• On 14 April 2016, the European Parliament adopted the Regulation.
• On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages.
• The Regulation entered into force on 24 May 2016, and will apply from 25 May 2018.
• http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Articles 1 – 3: Who, and where?
• Natural persons (a natural person is a living individual) have rights associated with:
– The protection of personal data
– The protection of the processing of personal data
– The unrestricted movement of personal data within the EU
• In material scope:
– Personal data that is processed wholly or partly by automated means
– Personal data that is part of a filing system, or intended to be
• In territorial scope:
– The Regulation applies to controllers and processors in the EU irrespective of where processing takes place
– The GDPR also applies to controllers not in the EU
Remedies and liabilities
Natural persons have rights:
– Judicial remedy where their rights have been infringed as a result of the processing of personal data
º In the courts of the Member State where the controller or processor has an establishment
º In the courts of the Member State where the data subject habitually resides
– Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor
– A controller involved in processing shall be liable for damage caused by processing
Penalties
Administrative fines:
– In each case will be effective, proportionate and dissuasive
º taking into account the technical and organisational measures implemented
– Up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year
– Up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year
Data breaches in the UK
Source: UK Information Commissioner’s Office, January to March 2016 – 448 new cases
• Data breaches by sector
– Health (184)
– Local government (43)
– Education (36)
– General business (36)
– Finance, insurance and credit (25)
– Legal (25)
– Charitable and voluntary (23)
– Justice (18)
– Land or property services (17)
– Other (41)
Key facts about cyber breaches
Source: IPSOS Mori, 2016 Cyber Security Breaches Survey
• [Chart: Number of data breaches detected in 2016]
• [Chart: Median number of breaches per company]
• Costs associated with the most disruptive breaches:
– Large organisations: mean £50k, highest £3m
– Small organisations: mean £5k, highest £100k
Types of breach occurrence
[Chart: types of breach occurrence; source: IPSOS Mori, 2016 Cyber Security Breaches Survey]
Article 32: Security of processing
• A requirement for data controllers and data processors to implement a level of security appropriate to the risk, including:
– the pseudonymisation and encryption of personal data
– the ability to ensure the ongoing confidentiality, integrity and availability of processing systems
– a process for regularly testing, assessing and evaluating the effectiveness of security measures
– security measures taken need to comply with the concept of privacy by design
Article 33: Personal data breaches
Definition
A ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Obligations
Data processor
• Notify the data controller without delay
• No exemptions
• All data breaches have to be reported
• European Data Protection Board (EDPB) to issue clarification with regard to ‘undue delay’
Data controller
• Notify the supervisory authority no later than 72 hours
• Unnecessary in certain circumstances
• Description of the nature of the breach
• No requirement to notify if no risk to the rights and freedoms of natural persons
• Failure to report within 72 hours requires explanation
Article 34: Personal data breaches
Obligation for the data controller to communicate a personal data breach to data subjects
• Communication to the data subject without undue delay if high risk
• Communication in clear, plain language
• Supervisory authority may compel communication with the data subject
• Exemptions:
– if appropriate technical and organisational measures were taken
– if the high risk to the data subject will not materialise
– if communication with the data subject would involve disproportionate effort
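As an added illustration (not code from the slides or from IT Governance Ltd), the following Python models the Article 33 and 34 decision points above: who notifies whom, the 72-hour window, the no-risk exemption from supervisory notification, and the high-risk trigger and exemptions for communication to data subjects. The field names, the three-level risk scale, the sample timestamps and the public-communication fallback under Article 34(3)(c) (in the Regulation but not on the slide) are the example's own assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

# Article 33(1): the controller notifies the supervisory authority not later
# than 72 hours after becoming aware of the breach.
NOTIFY_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Outcome of the controller's risk assessment (assumed three-level scale)."""
    NONE = "unlikely to result in a risk to rights and freedoms"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass
class Breach:
    description: str
    role: str                              # "controller" or "processor" (assumed field)
    aware_at: datetime                     # when the organisation became aware (UTC)
    risk: Risk
    data_unintelligible: bool = False      # e.g. encrypted data: Art. 34(3)(a) exemption
    risk_mitigated: bool = False           # later measures mean the high risk will not materialise: 34(3)(b)
    disproportionate_effort: bool = False  # individual communication disproportionate: 34(3)(c)
    authority_compels: bool = False        # supervisory authority orders communication: 34(4)


@dataclass
class Obligations:
    notify_controller: bool = False
    notify_authority: bool = False
    authority_deadline: datetime | None = None
    communicate_subjects: bool = False
    notes: list[str] = field(default_factory=list)


def assess(breach: Breach) -> Obligations:
    """Map the facts of a breach to the Article 33 and 34 duties summarised above."""
    ob = Obligations()
    if breach.role == "processor":
        # Article 33(2): a processor notifies its controller without undue delay.
        # There is no risk-based exemption at this step.
        ob.notify_controller = True
        ob.notes.append("processor: notify the controller without undue delay (no exemption)")
        return ob

    # Article 33(1): notify the supervisory authority unless the breach is
    # unlikely to result in a risk to the rights and freedoms of natural persons.
    if breach.risk is Risk.NONE:
        ob.notes.append("controller: no risk, supervisory notification not required; record the assessment")
        return ob
    ob.notify_authority = True
    ob.authority_deadline = breach.aware_at + NOTIFY_WINDOW

    # Article 34: communicate to data subjects without undue delay when the
    # breach is likely to result in a high risk, subject to the 34(3) exemptions.
    if breach.risk is Risk.HIGH:
        if breach.data_unintelligible:
            ob.notes.append("subjects: exempt, data rendered unintelligible (e.g. encrypted)")
        elif breach.risk_mitigated:
            ob.notes.append("subjects: exempt, subsequent measures mean the high risk will not materialise")
        elif breach.disproportionate_effort:
            ob.notes.append("subjects: individual communication disproportionate; use a public communication")
        else:
            ob.communicate_subjects = True
    # Article 34(4): the authority may require communication regardless of the exemptions.
    if breach.authority_compels and not ob.communicate_subjects:
        ob.communicate_subjects = True
        ob.notes.append("subjects: communication compelled by the supervisory authority")
    return ob


def notification_status(breach: Breach, submitted_at: datetime) -> str:
    """Classify a supervisory-authority notification against the 72-hour window."""
    ob = assess(breach)
    if not ob.notify_authority:
        return "not required"
    if submitted_at <= ob.authority_deadline:
        return "on time"
    late_hours = int((submitted_at - ob.authority_deadline).total_seconds() // 3600)
    return f"late by {late_hours}h: notification must be accompanied by reasons for the delay"


# Constructed sample values for a walk-through (not a real incident).
SAMPLE_AWARE = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_DEADLINE = SAMPLE_AWARE + NOTIFY_WINDOW  # 2018-06-04 09:00 UTC

if __name__ == "__main__":
    lost_laptop = Breach("unencrypted laptop with customer records lost", "controller",
                         SAMPLE_AWARE, Risk.HIGH)
    print(assess(lost_laptop))
    print(notification_status(lost_laptop, SAMPLE_DEADLINE + timedelta(hours=8)))
```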
Independent supervisory authorities
• Member states must create independent supervisory authorities and
resource them appropriately
– Tasks:
º Monitor and enforce
º Communicate
º Promote awareness
– Powers:
º To investigate, correct, advise, enforce
• Lead supervisory authority for multi-state controllers
Cyber security assurance
• GDPR requirement – data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation.”
– Must include appropriate data protection policies
– Organisations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations”
– ICO and BSI are both developing new GDPR-focused standards
• ISO 27001 already meets the “appropriate technical and organisational measures” requirement
• BS 10012 developed specifically for the GDPR
– It provides assurance to the board that data security is being managed in accordance with the Regulation
– It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats
The Network and Information Security (NIS) Directive
Article 26: Entry into force and application
“Member States shall adopt and publish, by 9 May 2018, the laws, regulations and administrative provisions necessary to comply with this Directive.”
KEY DATES
• On 6 July 2016, the Directive was adopted by the European Parliament.
• On 19 July 2016, the official text of the Directive was published in the EU Official Journal in all the official languages.
• The Directive entered into force on 8 August 2016, and applies from 10 May 2018.
• https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive
Final text of the Directive: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=ENO
Network and Information Security Directive
2013 Cybersecurity Strategy
• The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy.
• Its objective is to achieve a high common level of security of network and information systems across the EU through improved cyber security capabilities at a national level and increased EU-level cooperation.
• Processing of personal data under the Directive is to comply with Directive 95/46/EC.
Network and Information Security Directive
Article 1: Subject matter and scope
• A high common level of security of network and information systems within the Union so as to improve the functioning of the internal market.
– Obligations on member states to adopt a national strategy for security of network and information systems
– Creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among member states
– Creates a computer security incident response teams network (‘CSIRTs network’) in order to contribute to the development of trust and confidence between member states
– Establishes security and notification requirements for operators of essential services and for digital service providers
– Lays down obligations for member states to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems
Network and Information Security Directive
Operators of essential services and digital service providers
• Operators of essential services
– Operators of critical infrastructures in industry sectors such as energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure including Internet exchange points, domain name system service providers etc.
– Public or private entities set out in Annex II of the Directive
• Digital service providers
– Any legal person that provides a digital service, such as online marketplaces, online search engines, cloud computing services, app stores etc.
– Does not apply to micro and small enterprises
Network and Information Security Directive
Article 1: Subject matter and scope
• The Directive does not apply to all operators of essential services or DSPs
– Certain sectors are already sufficiently regulated, or may be in the future
– If this is the case then the NIS Directive has no application
– Sector-specific regimes must supply equivalent protection
Network and Information Security Directive
Article 5: Identification of operators of essential services
• Each country designates which essential services are within the scope of the Directive.
– Member states shall identify the operators of essential services with an establishment on their territory by 9 November 2018
– Criteria for the identification of operators of essential services:
º An entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
º The provision of that service depends on network and information systems; and
º An incident would have significant disruptive effects on the provision of that service.
– The list of operators of essential services is subject to revision every two years
Network and Information Security Directive
Recital 57: Directive applies to all digital service providers
• Member state rules apply to the establishment of DSPs
– This follows the approach used in ECJ case law and the GDPR.
• Recital 65: the Directive applies to digital service providers outside the EU that offer services within the EU
– The use of a language or currency that is generally used in one or more Member States may indicate that DSPs outside the EU are offering services within the EU.
– DSPs outside the EU that offer services within the EU must designate a representative to act on their behalf, including in relation to incident reporting.
– The representative is the contact point for competent authorities and CSIRTs.
Network and Information Security Directive
Article 14: Security requirements and incident notification
Operators of essential services must:
• Take appropriate technical and organisational measures to manage the risks to the security of network and information systems
• Take steps to prevent and minimise the impact of incidents with a view to ensuring continuity of services
• Notify the competent authority or the CSIRT without undue delay of incidents having a significant impact on the continuity of the essential services
• In order to determine the significance of the impact of an incident, the following shall be taken into account:
– The number of users affected by the disruption of the essential service
– The duration of the incident
– The geographical spread with regard to the area affected by the incident
Network and Information Security Directive
Article 16: Security requirements and incident notification
• Digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems.
• Including the following elements:
– the security of systems and facilities
– incident handling
– business continuity management
– monitoring, auditing and testing
– compliance with international standards
• The Commission can further specify the elements above, but the member state cannot impose any further security or notification requirements on the digital service provider.
• Digital service providers must take steps to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services offered within the Union, with a view to ensuring the continuity of those services.
Network and Information Security Directive
Article 16: Security requirements and incident notification (continued)
• Digital service providers must notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service within the Union.
• When determining whether the impact of an incident is substantial, the following parameters in particular shall be taken into account:
– the number of users affected by the incident, in particular users relying on the service for the provision of their own service
– the duration of the incident
– the geographical spread with regard to the area affected by the incident
– the extent of the disruption of the functioning of the service
– the extent of the impact on economic and societal activities
Network and Information Security Directive
– Intention is to have a high level of harmonisation across the member states
– Subject to variation by member state through the method of adoption
– In France, many of the requirements are already set out in the Military Planning Act
– In Germany, the IT Security Act covers many of the requirements of the NIS Directive
– Other member states like the UK do not currently have detailed cyber security laws
– Possibility of many different sector-based competent authorities
– Implementation by the combination of new laws and amendment of existing laws
– This approach is contrary to harmonisation
The GDPR
– Intention is the harmonisation of data protection across the member states
– GDPR derogations allow variation between member states
– Mandatory appointment of DPOs in certain circumstances
– Mandatory breach reporting in certain circumstances
– Prior consultation where there is a high risk to data subjects
– Data processors now brought into scope
– Controllers have to demonstrate accountability
– Introduction of administrative fines
IT Governance: GDPR one-stop shop
Self-help materials
• A Pocket Guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation Toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• 1-Day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• 4-Day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• 1-Day Data Protection Impact Assessment (DPIA) Workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
Questions?
aross@itgovernance.co.uk
0845 070 1750
http://www.itgovernance.co.uk
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security cultureIT Governance Ltd
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0IT Governance Ltd
 

Plus de IT Governance Ltd (14)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Dernier

NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxWorkforce Group
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxJemalSeid25
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsyasinnathani
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfCharles Cotter, PhD
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toumarfarooquejamali32
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.mcshagufta46
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyHanna Klim
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakEditores1
 
Developing Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursDeveloping Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursKaiNexus
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Winbusinessin
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)tazeenaila12
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessAPCO
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003believeminhh
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfAnhNguyen97152
 

Dernier (20)

NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptxCracking the ‘Business Process Outsourcing’ Code Main.pptx
Cracking the ‘Business Process Outsourcing’ Code Main.pptx
 
WAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdfWAM Corporate Presentation Mar 25 2024.pdf
WAM Corporate Presentation Mar 25 2024.pdf
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
Introduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptxIntroduction to The overview of GAAP LO 1-5.pptx
Introduction to The overview of GAAP LO 1-5.pptx
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Data skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story pointsData skills for Agile Teams- Killing story points
Data skills for Agile Teams- Killing story points
 
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdfTalent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
Talent Management research intelligence_13 paradigm shifts_20 March 2024.pdf
 
Lecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb toLecture_6.pptx English speaking easyb to
Lecture_6.pptx English speaking easyb to
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.A flour, rice and Suji company in Jhang.
A flour, rice and Suji company in Jhang.
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 
Anyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agencyAnyhr.io | Presentation HR&Recruiting agency
Anyhr.io | Presentation HR&Recruiting agency
 
Tata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerakTata Kelola Bisnis perushaan yang bergerak
Tata Kelola Bisnis perushaan yang bergerak
 
Developing Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, OursDeveloping Coaching Skills: Mine, Yours, Ours
Developing Coaching Skills: Mine, Yours, Ours
 
Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024Ethical stalking by Mark Williams. UpliftLive 2024
Ethical stalking by Mark Williams. UpliftLive 2024
 
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
Harvard Business Review.pptx | Navigating Labor Unrest (March-April 2024)
 
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for BusinessQ2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
Q2 2024 APCO Geopolitical Radar - The Global Operating Environment for Business
 
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
The Vietnam Believer Newsletter_MARCH 25, 2024_EN_Vol. 003
 
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdfGraham and Doddsville - Issue 1 - Winter 2006 (1).pdf
Graham and Doddsville - Issue 1 - Winter 2006 (1).pdf
 

The GDPR and NIS Directive Risk-Based Security Measures and Incident Notification Requirements

  • 1. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017
  • 2. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Introduction • Adrian Ross • GRC consultant – Infrastructure services – Business process re-engineering – Business intelligence – Business architecture – Intellectual property – Legal compliance – Data protection and information security – Enterprise risk management
  • 3. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 IT Governance Ltd: GRC one-stop shop All verticals, all sectors, all organisational sizes
  • 4. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Agenda • An overview of the regulatory landscape • Subject matter, material and territorial scope • Remedies, liabilities and penalties • Personal data breaches under the GDPR • The NIS Directive • Operators of essential services • Digital service providers • GDPR vs NIS Directive
  • 5. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 The nature of European law  Directives º Require individual implementation in each member state º Implemented by the creation of national laws approved by the parliaments of each member state º Directive on security of network and information systems (Directive (EU) 2016/1148)  Regulations º Immediately applicable in each member state º Requires no local laws to implement º General Data Protection Regulation (Regulation (EU) 2016/679) Two main types of legal instrument:
  • 6. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 The General Data Protection Regulation (GDPR)
  • 7. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 99: Entry into force and application “This Regulation shall be binding in its entirety and directly applicable in all Member States.” KEY DATES • On 8 April 2016, the European Council adopted the Regulation. • On 14 April 2016, the European Parliament adopted the Regulation • On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. • The Regulation entered into force on 24 May 2016, and will apply from 25 May 2018. • http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
  • 8. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Articles 1 – 3: Who, and where? • Natural persons have rights associated with: – The protection of personal data – The protection of the processing personal data – The unrestricted movement of personal data within the EU • In material scope: – Personal data that is processed wholly or partly by automated means; – Personal data that is part of a filing system, or intended to be. – The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. Natural person = a living individual The GDPR applies to controllers not in the EU
  • 9. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Remedies and liabilities – Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. – Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. – Controller involved in processing shall be liable for damage caused by processing. Natural Persons have rights
  • 10. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Penalties – In each case will be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; – € 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year. – € 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year. Administrative fines
  • 11. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Data breaches in the UK • Data breaches by sector – Health (184) – Local government (43) – Education (36) – General business (36) – Finance, insurance and credit (25) – Legal (25) – Charitable and voluntary (23) – Justice (18) – Land or property services (17) – Other (41) Source: UK Information Commissioner’s Office January to March 2016 – 448 new cases
  • 12. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Key facts about cyber breaches • Large organisations: Mean - £50k Highest - £3m • Small organisations: Mean - £5k Highest - £100k IPSOS Mori: 2016 Cyber Security Breaches Survey Number of data breaches detected in 2016 Median number of breaches per company Costs associated with the most disruptive breaches
  • 13. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Types of breach occurrence IPSOS Mori: 2016 Cyber Security Breaches Survey
  • 14. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 32: Security of processing • A requirement for data controllers and data processors to implement a level of security appropriate to the risk, including: – pseudonymisation and encryption of personal data – ensure the ongoing confidentiality, integrity and availability of systems – a process for regularly testing, assessing and evaluating the effectiveness of security measures – security measures taken need to comply with the concept of privacy by design
  • 15. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 33: Personal data breaches Obligations Data processor • Notify data controller without delay • No exemptions • All data breaches have to be reported • European Data Protection Board (EDPB) to issue clarification with regard to ‘undue delay’ Data controller • Notify supervisory authority no later than 72 hours • Unnecessary in certain circumstances • Description of the nature of the breach • No requirement to notify if no risk to rights and freedoms of natural persons • Failure to report within 72 hours requires explanation A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Definition
  • 16. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Article 34: Personal data breaches • Communication to the data subject without undue delay if high risk • Communication in clear, plain language • Supervisory authority may compel communication with data subject • if appropriate technical and organisational measures taken • if high risk to data subject will not materialise • if communication with data subject would involve disproportionate effort Exemptions: Obligation for data controller to communicate a personal data breach to data subjects
  • 17. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Independent supervisory authorities • Member states must create independent supervisory authorities and resource them appropriately – Tasks: º Monitor and enforce º Communicate º Promote awareness – Powers: º To investigate, correct, advise, enforce • Leading supervisory authority for multi-state controllers
  • 18. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Cyber security assurance • GDPR requirement – data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation.” – Must include appropriate data protection policies – Organisations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations” – ICO and BSI are both developing new GDPR-focused standards • ISO 27001 already meets the “appropriate technical and organisational measures” requirement • BS 10012 developed specifically for the GDPR – It provides assurance to the board that data security is being managed in accordance with the regulation – It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats
  • 19. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Network and Information Directive (NIS)
  • 20. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 “Member States shall adopt and publish, by 9 May 2018, the laws, regulations and administrative provisions necessary to comply with this Directive. ” KEY DATES • On 6 July 2016, the Directive was adopted by the European Parliament. • On 19 July 2016, the official text of the Directive was published in the EU Official Journal in all the official languages. • The Directive entered into force on 8 August 2016, and applies from 10 May 2018. • https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis- directive Final text of the Directive: http://eur-lex.europa.eu/legal- content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=ENO Article 26: Entry into force and application
  • 21. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 Network and Information Security Directive • The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. • Its objective is to achieve a high common level of security of network and information systems across the EU through improved cyber security capabilities at a national level and increased EU-level cooperation. • Processing of personal data to comply with Directive 95/46/EC 2013 Cybersecurity Strategy
  • 22. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 • A high common level of security of network and information systems within the Union so as to improve the functioning of the internal market. – Obligations on member states to adopt a national strategy for security of network and information systems – Creates a Cooperation Group in order to support and facilitate strategic cooperation and the exchange of information among member states – Creates a computer security incident response teams network (‘CSIRTs network’) in order to contribute to the development of trust and confidence between member states – Establishes security and notification requirements for operators of essential services and for digital service providers – Lays down obligations for member states to designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems. Network and Information Security Directive Article 1: Subject matter and Scope
  • 23. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 • Operators of essential services – Operators of critical infrastructures in industry sectors such as energy, transport, banking, financial market infrastructure, health, water, and digital infrastructure including Internet exchange points, domain name system service providers etc. – Public or private entities set out in Annex II of the Directive. • Digital service providers – Any legal person that provides a digital service, such as online marketplaces, online search engines, Cloud computing services, app stores etc. – Does not apply to micro and small enterprises. Network and Information Security Directive Operators of essential services and digital service providers
  • 24. TM © IT Governance Ltd 2017 Copyright IT Governance Ltd 2017 – v1.0 • Directive does not apply to all operators of essential services or DSPs – Certain sectors are already sufficiently regulated, or may be in the future – If this is the case then the NIS Directive has no application – Sector-specific regimes must supply equivalent protection Network and Information Security Directive Article 1: Subject matter and scope
Network and Information Security Directive
Article 5: Identification of operators of essential services
• Each country designates which essential services are within the scope of the Directive.
– Member states shall identify the operators of essential services with an establishment on their territory by 9 November 2018.
º Criteria for the identification of operators of essential services:
º An entity provides a service which is essential for the maintenance of critical societal and/or economic activities;
º The provision of that service depends on network and information systems; and
º An incident would have significant disruptive effects on the provision of that service.
– The list of operators of essential services is subject to revision every two years.

Network and Information Security Directive
Recital 57: Directive applies to all digital service providers
• Member state rules apply to the establishment of DSPs
– This follows the approach used by ECJ case law and the GDPR.
• Recital 65: the Directive applies to digital service providers outside the EU that offer services within the EU
– The use of a language or currency that is generally used in one or more Member States may indicate that DSPs outside the EU are offering services within the EU.
– DSPs outside the EU that offer services within the EU must designate a representative to act on their behalf, including in relation to incident reporting.
– The representative is the contact point for competent authorities and CSIRTs.

Network and Information Security Directive
Article 14: Security requirements and incident notification
Operators of essential services must:
• Take appropriate technical and organisational measures to manage the risks to the security of networks and information systems.
• Take steps to prevent and minimise the impact of incidents with a view to ensuring continuity of services.
• Notify the competent authority or the CSIRT without undue delay of incidents having a significant impact on the continuity of the essential services.
• In order to determine the significance of the impact of an incident, the following shall be taken into account:
– The number of users affected by the disruption of the essential service
– The duration of the incident
– The geographical spread with regard to the area affected by the incident.

Network and Information Security Directive
Article 16: Security requirements and incident notification
• Digital service providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems.
• These measures include the following elements:
– the security of systems and facilities
– incident handling
– business continuity management
– monitoring, auditing and testing
– compliance with international standards.
• The Commission can further specify the elements above, but a member state cannot impose any further security or notification requirements on the digital service provider.
• Digital service providers must take steps to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services offered within the Union, with a view to ensuring the continuity of those services.
Network and Information Security Directive
Article 16: Security requirements and incident notification
• Digital service providers must ensure they notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of a service within the Union.
• When determining whether the impact of an incident is substantial, the following parameters in particular shall be taken into account:
– the number of users affected by the incident, in particular users relying on the service for the provision of their own service
– the duration of the incident
– the geographical spread with regard to the area affected by the incident
– the extent of the disruption of the functioning of the service
– the extent of the impact on economic and societal activities
Network and Information Security Directive
– Intention is to have a high level of harmonisation across the member states.
– Subject to variation by member state through the method of adoption.
– In France, many of the requirements are already set out in the Military Planning Act.
– In Germany, the IT Security Act covers many of the requirements of the NIS Directive.
– Other member states, like the UK, do not currently have detailed cyber security laws.
– Possibility of many different sector-based competent authorities.
– Implementation by a combination of new laws and amendment of existing laws.
– This approach is contrary to harmonisation.

The GDPR
– Intention is the harmonisation of data protection across the member states
– GDPR derogations allow variation between member states
– Mandatory appointment of DPOs in certain circumstances
– Mandatory breach reporting in certain circumstances
– Prior consultation where there is a high risk to data subjects
– Data processors now brought into scope
– Controllers have to demonstrate accountability
– Introduction of administrative fines
IT Governance: GDPR one-stop shop
Self-help materials
A Pocket Guide
www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
Implementation manual
www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
Documentation Toolkit
www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
Compliance Gap Assessment Tool
www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool

IT Governance: GDPR one-stop shop
Training courses
1-Day accredited Foundation course (classroom, online, distance learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
4-Day accredited Practitioner course (classroom, online, distance learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
1-Day Data Protection Impact Assessment (DPIA) Workshop (classroom)
www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop

Questions?
aross@itgovernance.co.uk
0845 070 1750
http://www.itgovernance.co.uk

Editor's notes

1. Health sector: mandatory reporting, size of the health sector, sensitivity of data that caused distress and detriment; Local government: large volumes of information, sensitive social care data; Education: child data, pupils, disciplinary data; General business: driven by an upturn in cyber attack; Finance: customer financial data and fraudulent activities; Legal sector: large amounts of data in transit, sensitive data such as criminal records.