More Related Content
What's hot (20)
Similar to General Data Protection Regulation (GDPR) (20)
More from Kimberly Simon MBA (20)
Recently uploaded (20)
General Data Protection Regulation (GDPR)
- 1. General Data Protection Regulation (GDPR) Kishor Vaswani, CEO – ControlCase
- 2. Agenda • About GDPR • Non Compliance Consequences • Required Steps › Data Impact Assessment (DIA) › Data Protection Officer • GDPR Articles • GDPR Tactical Compliance › Security › Rights Management › Privacy › Breach notification • ControlCase Solution • Q&A 1
- 4. Key Definitions • Data Processor vs Data Controller A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. • Regulation vs Directive A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast the the previous legislation, which is a directive. • DPA Data Protection Authority 3
- 5. Non Compliance Consequences • Lodging complaints with a supervisory authority • Judicial remedy • In case of breach, fines include › Upto 4% of annual revenue, OR › Euro 20 million › Whichever is higher 4
- 6. Required: Data Impact Assessment • Must Carry Out Data Impact Assessment (DIA) as determined by supervisory authorities • Managed by Data Protection Officer (DPO) • Assessment Must Include › Details of processing operations › Purpose of processing › Risks to privacy of individuals › Security assessment • When › Prior to “processing” personal data › After any changes to systems or processing mechanism 5
- 7. Required: Data Protection Officer • Data Protection Officer is required in multiple scenarios including, › Processing by public bodies › Processor includes storage/process/transmission of large amounts of personal information • Multiple entities can combine to have a single DPO • Can be an employee or outsourced • Must be independent and “cannot” be dismissed for doing their job • Tasks include › Monitor compliance to GDPR › Provide advice within the organization for GDPR › Coordinate with supervisory authority/DPA 6
- 8. Key articles of GDPR Principles relating to processing of personal data Rights of individuals Consent Responsibility of the controller/processor Security of data Data processing impact assessment Data protection officer Certification Bodies Transfer of personal data across borders Supervisory authority Remedies, liabilities and penalties 7
- 9. Tactical steps for GDPR • Security of Processing › Asset & Vulnerability Management › Data Management › Logical Access › Physical Access › Risk Assessment › Policy Management › Third Party Management › Incident Management • Rights Management • Privacy • Breach Notification Management 8
- 10. Asset and Vulnerability Management 9 Asset list Management of vulnerabilities and dispositions Training to development and support staff Management reporting if unmitigated vulnerability
- 11. Data Management 10 Identification of personally identifiable data Classification of data Encryption of data Monitoring of data
- 12. Logical Access 11 Username Password Access based on need to know Protection of data
- 13. Physical Security 12 Badges Visitor Access CCTV Biometric Media Inventory Media Destruction
- 14. Risk Management 13 Input of key criterion Numeric algorithms to compute risk Output of risk dashboards
- 15. Policy Management 14 Appropriate update of policies and procedures Link/Mapping to controls and standards Communication, training and attestation Monitoring of compliance to corporate policies
- 16. Vendor/Third Party Management 15 Management of third parties/vendors Self attestation by third parties/vendors Remediation tracking Reg/Standard Coverage area ISO 27001 A.6, A.10 PCI 12 EI3PA 12 HIPAA 164.308b1 FISMA PS-3 FERC/NERC Multiple Requirements
- 17. Incident Management 16 Monitoring Detection Reporting Responding Approving Lost Laptop Changes to firewall rulesets Upgrades to applications Intrusion Alerting
- 18. Rights Management Rights of data subjects: • Right to receive information on data processor • Right to ask for modification of data • Right to ask for deletion of data • Right to ask processor to restrict use of data for certain purposes • Right around movement of data Processor Required to Provide These Details • Requires breach notification to the Controlling Entity • Provide an accounting of disclosures. 17
- 19. Privacy Management Privacy Rule Main Points: • Requires appropriate safeguards to protect the privacy of personal information • Sets limits and conditions on the uses and disclosures that may be made of such information without authorization • Gives individuals rights over their health information, including rights to examine and obtain a copy of their records, and to request erasure or change • Records of processing activities • Right to “be forgotten” For Third Parties • Requires breach notification to the Controlling Entity • Provide an accounting of disclosures. 18
- 20. Breach Notification Management 19 Definition of Breach A breach is, generally, an impermissible use or disclosure that compromises the security or privacy of personal information. Breach Notification Mechanism Notify to Data Protection Authorities (DPA) with 72 hours. Notify individuals without undue delay. Notify volume of breach. Vendors/Third parties to notify the customer without undue delay. Content of Breach Notification Approximate number of records compromised Categories of data compromised Point if contact of data protection officer Likely consequences of data breach Measures takes to address/mitigate the breach
- 21. ControlCase Solution 1: Data Impact Assessment • 48 items in portal questionnaire • 2 week engagement • Assessment Includes › Review of processing operations documents › Risk assessment to privacy of individuals › Security assessment of personal data • Deliverable › DIA Report › GDPR Certificate of Compliance (COC) if no gaps are found (Alternatively iterative methodology until compliant can be deployed) 20
- 22. ControlCase Solution 2: Data Discovery • Identify and pinpoint sensitive data across › File Shares › Servers › Databases › Email › Log files • Types of data › Name › Email › Address › Phone number › Pictures › Credit Card Numbers 21
- 23. Why Choose ControlCase? • Global Reach › Serving more than 400 clients in 40 countries and rapidly growing • Compliance and Certification › HITRUST Assessor › GDPR › PCI DSS Qualified Security Assessor (QSA) › SOC1, SOC2, SOC3 › QSA for Point-to-Point Encryption (QSA P2PE) › Shared Assessments AUP/SIG › ISO 27001 Assessor › HIPAA 22
- 24. To Learn More … 23 Visit www.controlcase.com Email us at [email protected]
- 25. Q & A 24