Data protection law reform is coming: the General Data Protection Regulation (GDPR) takes effect on 25 May 2018. You should start preparing now for the changes that the GDPR will require to your current policies and procedures. This presentation is an overview of what it is about.
2. What is the GDPR?
• The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
• The primary objective of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR, as well as information on the impacts it will have on business, can be found below.
• Source: https://www.eugdpr.org/
3. Key Elements of the GDPR
• The GDPR outlines key principles relating to the processing of personal data. These are the high-level requirements:
– Lawfulness, fairness and transparency - Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
– Purpose limitation - Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
– Data minimisation - Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
– Accuracy - Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
– Storage limitation - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
– Integrity and confidentiality - Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
– Accountability - The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
4. What Does the GDPR Change?
• Although the GDPR will not become enforceable until May 2018, organisations across the globe are preparing for changes now.
• It's not just organisations in the EU that are subject to the Regulation; organisations based outside the EU that provide services or goods to the EU (including for free) are also subject.
• Any organisation that handles the personal data of EU citizens must comply with the GDPR.
• For example, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.
• Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
5. What Does the GDPR Change? (cont'd)
• ARTICLES 39 & 47: Training is required. These articles state that an organisation's Data Protection Officer is responsible for "awareness-raising and training of staff involved in processing operations, and the related audits" and for "appropriate data protection training to personnel having permanent or regular access to personal data."
6. What Does the GDPR Change? (cont'd)
• ARTICLE 33: Organizations have 72 hours to report data breaches. The article states, "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."
7. What Does the GDPR Change? (cont'd)
• ARTICLE 37: The role of the Data Protection Officer (DPO) will take on heightened importance.
• The role won't change, but the visibility of the position will increase and there will be more pressure on this person, considering the stakes are higher under the GDPR.
• Early reports estimate that the GDPR will require the creation of at least 75,000 DPO positions globally to ensure compliance with the EU's updated data protection regulations, even if a given organisation doesn't have operations in the EU.
• Additional requirements will apply to organisations that conduct large-scale processing of personal data from the EU, such as the requirement to have a DPO who is independent from the organisation.
8. What Does the GDPR Change? (cont'd)
• ARTICLE 83: There are hefty fines for non-compliance.
• Organisations will need to be 100% compliant from day one. Article 83 states, "Non-compliance with an order by the supervisory authority … shall… be subject to administrative fines … up to 4% of the total worldwide annual turnover of the preceding financial year."
9. Data Security Breaches
Data security breaches fall into the following types:
• Unintended disclosure - Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email or any other type of end-user messaging technology.
• Hacking or malware - Electronic entry by an outside party, malware and spyware.
• Payment card fraud - Fraud involving debit and credit cards that is not accomplished via hacking; for example, skimming devices at point-of-service terminals.
• Insider - Someone with legitimate access, such as an employee or contractor, who intentionally breaches information.
• Physical loss - Lost, discarded or stolen non-electronic records, such as paper documents.
• Portable device - Lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
• Stationary device - Lost, discarded or stolen stationary electronic device, such as a computer or server not designed for mobility.
• Unknown - Anything outside of the above listed categories.
10. General Safeguards and Best Practices
• ARTICLE 32: The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
• (a) the pseudonymisation and encryption of personal data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
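Measure (a) above names pseudonymisation, which the regulation (Article 4(5)) defines as processing such that the data can no longer be attributed to a person without additional information that is kept separately. The following added example, not part of the presentation, shows one way to do that for a constructed customer record: direct identifiers are replaced by keyed HMAC tokens (the key is the separately held "additional information"), and fields the stated purpose does not need are dropped, in line with the data minimisation principle; the record, field names and purpose are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the presentation), as a controller
# might hold it before sharing an extract with an analytics processor.
SAMPLE_RECORD = {
    "customer_id": "C-10492",
    "email": "Alice@Example.com",
    "full_name": "Alice Example",
    "country": "IE",
    "orders_last_year": 7,
    "favourite_colour": "green",  # irrelevant to the analytics purpose
}

# Fields that identify a person directly. Under Article 4(5) the "additional
# information" needed to re-identify must be kept separately; here that is
# the HMAC key. An unkeyed SHA-256 of an e-mail address would not qualify,
# because anyone can recompute it from a guessed address.
DIRECT_IDENTIFIERS = frozenset({"customer_id", "email", "full_name"})


def generate_pseudonym_key() -> bytes:
    """Secret to be stored apart from the pseudonymised data set."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token, so one person links across records
    within a data set produced under the same key, and nowhere else."""
    canonical = value.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymise_record(record: dict, key: bytes, needed_fields: set) -> dict:
    """Replace direct identifiers with keyed tokens and copy only the fields
    the stated purpose needs (data minimisation); everything else is dropped."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_pseudonym"] = pseudonym(str(value), key)
        elif field in needed_fields:
            out[field] = value
    return out


def same_subject(rec_a: dict, rec_b: dict) -> bool:
    """True only when both extracts were produced under the same key."""
    return hmac.compare_digest(rec_a["email_pseudonym"], rec_b["email_pseudonym"])
```

Because the key is the only route back to a person, the extract can be shared for the analytics purpose while the key stays with the controller under its own access controls.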
11. General Safeguards and Best Practices (cont'd)
• The tools, devices, and protocols used for protecting networks form an endless list, but for the purposes of gaining a basic understanding of these appliances, the following are considered vital:
• Network devices: firewalls, routers, switches, load balancers, intrusion detection systems (IDS), intrusion prevention systems (IPS), smartcards, biometrics, Network Access Control (NAC) systems, etc.
• Malware solutions: anti-virus and anti-spam software and devices.
• File Integrity Monitoring (FIM) and change detection software, host-based intrusion detection and intrusion prevention devices.
• Secure services: those that are operating system (O/S) and application specific, covering all major operating systems (Windows, UNIX, Linux) and applications (web server applications, database applications, internally developed applications).
• Secure protocols, such as TLS, SSH, VPN, etc.
• Secure ports, such as 443, 22, etc.
• User access principles, such as Role Based Access Control (RBAC), one-time password (OTP) solutions, etc.
• Username and password parameters, such as unique user IDs, password complexity rules, password aging rules, account lockout thresholds, etc.
• Encryption
• Event monitoring
• Configuration and change monitoring
• Performance and utilisation monitoring
• Logging and reporting
• Appropriate incident response measures
12. Defense-in-Depth
• One of the best practices for ensuring that integrity and confidentiality are upheld at all times is Defense-in-Depth, or layered security: essentially, using a variety of resources to help protect an organisation's information systems landscape. Defense-in-Depth has since been praised as a highly effective concept, one that employs effective countermeasures for thwarting attacks on an enterprise's information systems environment. Defense-in-Depth includes the following layers, which have been loosely adopted and agreed upon by industry-leading vendors and other noted organisations:
– Data
– Application
– Host
– Internal Network
– Perimeter
– Physical
– Policies, Procedures, Awareness
13. Data Protection Is Everyone's Responsibility
• People are often regarded as the weakest link in the security chain.
• Almost every company has people who are vulnerable, whether to strong persuasion and authority or to being tricked by good social engineering and malicious links.
• Much is at stake when it comes to complying with the GDPR, both in terms of the hefty fines the regulation includes and the employee privacy awareness training it calls for. Affected organisations cannot afford to be found wanting on the new policies, procedures, and initiatives they need to have in place, if they're not in place already.
14. Questions
Do you have questions?
Send them to:
Roy Biakpara, MSc., CISA, CISSP, CISM, CRISC, CDPO (GDPR)
Email: consultant@cryptv-uk.com