ISC2 Hellenic Chapter 11/1/2017

1. The General Data Protection Regulation:
An Overview of Challenges and Opportunities
Dr. Dimitrios Patsos,
Chief Technology Officer,
ADACOM S.A.

2. How we got here
Technology
• Increase on
breaches
• Cyber Security
Politics
• Safe Harbour
Diminished
• EU Reverses
requirements
EU Framework
• Weakly Enforced
Directive 95/46/EC
• Multiple
constituents

4. The GDPR at a Glance
• Data of EU Citizens residing worldwide,
• Replaces Directive 95/46/EC,
• In full force: Friday, May 25th, 2018,
• Fines Up to 4% of worldwide turnover, or 20M € (whichever is bigger),
• 173 recitals setting the context of the regulation and how it will be
interpreted by the Data Protection Authorities,
• 99 articles describing in detail the content of the regulation,
• 98 of 99 articles are not directly related to technology,
• 1 article (32) talking about technology.

5. Key Facts
GDPR
Fines
Data
Protection
Officer
Breach
Notification
Consent
Data Subject
Rights
Privacy by
Design
Wider
Geographic
Scope
controller:
determines the
purposes and
means of the
processing of
personal data
processor:
processes
personal data on
behalf of the
controller
data subject:
person whose
personal data is
processed

6. Degrees of Change
7
2
7
6
2
8
7
4
5
6
5
9
6
9
9
9
2
2
7
8
9
6
9
2
0 1 2 3 4 5 6 7 8 9 10
Material and Territorial scope
Changed concepts
Data Protection Principles
Lawfulness of processing and further processing
Legitimate interests
Consent
Children
Sensitive Data and lawful processing
information notices
subject access, rectification and portability
rights to object
Right to erasure and right to restriction of processing
Profiling and automated decision-taking
Data Governance
Personal data breaches and notification
Codes of conduct and certifications
Transfers of personal data
Appointment of supervisory authorities
Competence, tasks and powers
Co-operation and consistency between supervisory authorities
European Data Protection Board
Remedies and liabilities
Administrative fines
Delegated acts, implementing acts and final provisions

7. OK, but…What Data ?
• Personal Data: anything related to an identified or identifiable natural person ("data subject"); as
a name, an identification number, location data, online identifier or to one or more factors
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that
person (Art. 4 (1)),
• Sensitive Personal Data: anything revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership; data concerning health or sex life and sexual
orientation; genetic data or biometric data. (Rec.10, 34, 35, 51; Art.9(1)),
• Data relating to criminal offences: Data relating to criminal offences and convictions may only be
processed by national authorities. National law may provide derogations, subject to suitable
safeguards (Rec. 19, 50, 73, 80, 91, 97; Art.10),
• Anonymous data: The GDPR does not apply to data have been anonymized in a way that an
individual cannot be identified from the original data (Rec.26),
• Pseudonymous data: pseudonymous data are still treated as personal data because they enable
the identification of individuals (via a pseudonymization process). However, the risks are likely to
be lower (Rec.26, 28-29, 75, 78, 156; Art.4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)).

8. Lawful processing
• Identify a legal basis before you can process personal data
• Processing is necessary for compliance with a legal obligation,
• processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller (Article
6(1)(c),(e)).
• Lawfulness of processing conditions
• Consent of the data subject (Article 6(1)(a)),
• Performance of a contract with the data subject or to take steps to enter into a
contract (Article 6(1)(b)),
• Compliance with a legal obligation (Article 6(1)(c)),
• Protect the vital interests of a data subject or another person (Article 6(1)(d) ),
• Legitimate interests pursued by the controller or a third party, except where such
interests are overridden by the interests, rights or freedoms of the data subject
(Article 6(1)(f )).

9. Consent
• Freely given, specific, informed and an unambiguous indication of the
individual’s wishes,
• Clear affirmative action,
• Silence, pre-ticked boxes or inactivity does not apply (Articles 6-10,
Recitals 38, 40-50, 59),
• Must be verifiable,
• Individuals have a right to withdraw consent at any time.

10. Data Subject Rights
• The right to be informed,
• The right of access,
• The right to rectification,
• The right to erasure (be forgotten),
• The right to restrict processing,
• The right to data portability,
• The right to object,
• Rights in relation to automated decision making and profiling.

11. Privacy by Design
• Demonstration of compliance
• Implement appropriate technical and organizational measures that ensure and demonstrate that you comply.
This may include internal data protection policies such as staff training, internal audits of processing activities,
and reviews of internal HR policies,
• Maintain relevant documentation on processing activities,
• Where appropriate, appoint a data protection officer,
• Implement measures that meet the principles of data protection by design and data protection by default.
• Measures could include:
• Pseudonymisation,
• Transparency,
• Allowing individuals to monitor processing,
• Creating and improving security features on an ongoing basis.
• Use data protection impact assessments where appropriate,
• Adhere to approved codes of conduct and/or certification schemes.
• Article 5(2)

12. Documentation
• Internal records of processing activities, such as:
• Name and details of your organization (and where applicable, of other
controllers, your representative and data protection officer),
• Purposes of the processing,
• Description of the categories of individuals and categories of personal data,
• Categories of recipients of personal data,
• Details of transfers to third countries including documentation of the transfer
mechanism safeguards in place,
• Retention schedules,
• Description of technical and organizational security measures.
• Article 25, Recital 78

13. Privacy Impact Assessment
When ?
• Using new technologies; and processing is likely to result in a high risk, such as:
• systematic and extensive processing activities, including profiling and where decisions that have legal effects –
or similarly significant effects – on individuals,
• large scale processing of special categories of data or personal data relation to criminal convictions or
offences,
• considerable amount of personal data at regional, national or supranational level; that affects a large number
of individuals; and involves a high risk to rights and freedoms.
What ?
• A description of the processing operations and the purposes, including, where applicable, the legitimate
interests pursued by the controller,
• An assessment of the necessity and proportionality of the processing in relation to the purpose.
• An assessment of the risks to individuals,
• The measures in place to address risk, including security and to demonstrate that you comply,
• A PIA can address more than one project.
• Articles 35, 36, 83 and Recitals 84, 89-96

14. How are my data
being used?
Where are my
data?
How are my data
protected ?
Privacy Impact Assessment - How
What are my
data?
guidelinespolicies procedures awareness
integrity quality compliance

15. Data Protection Officer
• Tasks
• Inform and advise the organization and its employees about their obligations to comply with
the GDPR and other data protection laws,
• Monitor compliance with the GDPR and other data protection laws, advise on data protection
impact assessments; train staff and conduct internal audits,
• Point of contact for supervisory authorities and for individuals whose data is processed
(employees, customers etc.).
• Position & Skill Set
• The DPO reports to the highest management level– i.e. board level,
• The DPO operates independently and is not dismissed or penalized for performing their task.
• Adequate resources are provided to enable DPOs to meet their GDPR obligations,
• Can be an internal employee or an external contractor,
• Should have professional experience and knowledge of data protection law.
• (Articles 37-39, 83 and Recital 97)

16. Breach notification
• Data Breach >> Loss of Data
• Data breach == event leading to the destruction, loss, alteration,
unauthorized disclosure of, or access to, personal data
• What Should I Report, Where and How Fast ?
• A breach where it is likely to result in a risk to the rights and freedoms of individuals,
• Notify the relevant supervisory authority & those concerned directly*,
• Within 72 Hours from becoming aware of,
• Failing to notify results to fines.
• Exclusions?
• Encrypted Data
• Articles 33, 34, 83 and Recitals 85, 87, 88

17. Technology
• Article 32 (Security of processing) specifies:
• (a) the pseudonymization and encryption of personal data;
• (b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;
• (c) the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident;
• (d) a process for regularly testing, assessing and evaluating the effectiveness
of technical and organizational measures for ensuring the security of the
processing.

18. The Cloud
• Controllers and processors must know the location where the
personal data are stored or otherwise processed,
• Limits the ability of entities covered by the GDPR to transfer data to
recipients outside the EEA,
• In cascaded cloud environments the transfer of personal data must
comply with the data transfer rules of the GDPR,
• Controllers & Processors (incl. sub-processors) should take adequate
security measures to protect the personal data and must supervise
the implementation of security measures by the processor by
conducting regular audits.

19. A Draft Action Plan
Q1/17 Q2/17 Q3/17 Q4/17 Q1/18
Today Deadline
Data
Inventory
Data
Flow
Mapping
PIA &
Consent
Mechanism
Data
Subject
Rights
Assess
Readiness
Identify
DPO
Build a
Plan
Data Breach
Plan
Training and
Awareness
Calculate
Residual Risk

20. A Draft Methodology
Data Collection
• Lawfulness
• Consent
• Relevance
• Types of Data
Data Processing
• Specific Data
• Specific Purpose
• Change Notification
Data Security
• Process
• Technology
• Awareness
Data Management
• Access
• Rules
• Subject Rights

21. Main Challenges
• Reconciliation of multiple mandates (Lawful Processing),
• Collaboration with Stakeholders (Data Subject Rights),
• Accountability,
• Usage of Cloud Providers, BYOD, Consumerization,
• Codes of Conduct, Certifications, Seals and BCRs,
• SMEs and Start-ups,
• Time Restrictions & Tight Budgets.

22. Opportunities
• Skill Shortage (Data Protection Officer),
• The rise of encryption and data security technologies,
• Synergies & Collaborations,
• Additional budgets,
• New and Innovative solutions,
• Market Awareness.

23. Summary
• A demanding, ambitious but fair legislation aiming to the protection
of EU Citizens’ personal data worldwide,
• Applies without further consultation,
• Heavy fines involved,
• Wide manoeuvre room, Article 29 WP trying to provide further
explanations and resolve conflicts (i.e. EU-US Privacy Shield),
• Multiple Challenges and Multiple Opportunities,
• The Clock is Ticking !

24. Questions ?

25. Greece
Athens
25 Kreontos St.,
104 42 Athens
+30 210 5193740
Israel
Tel Aviv
16th Ha’ Melecha St.
48091 Rosh Ha’Ayin
+972 74 7019424
United Kingdom
London
16 Great Queen St.,
WC2B5AH Covent Garden
+44 203 126 4590
Thanks for Watching !