EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS - - PowerPoint PPT Presentation



SLIDE 1

Reaz Khedarun and Ian Davis

EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS
bd@gemserv.com

SLIDE 2 – Agenda

  • Implications and opportunities of GDPR
  • New obligations and liabilities for suppliers
  • How GDPR compliance can support risk reduction and alignment with PCI DSS and ISO27001
  • Technical Controls and Data Discovery
  • Timebound GDPR implementation plan
  • Q&A

SLIDE 3 – Implications and opportunities of GDPR

SLIDE 4 – Overview of GDPR Operational Impacts

  • Big Fines (Article 83)
  • Must implement Security measures (people/IT) (Article 5, 32)
  • New Individual rights (Portability & Erasure) (Article 12 – 22)
  • Privacy by design must be embedded into businesses (Article 25)
  • Mandatory DP Impact Assessments (Article 35)
  • Must maintain effective DP Policies (Article 24)
  • New Data Processor obligations for suppliers (Article 28)
  • New rules on customer consent (Article 4, 7, 8, 9)
  • Extraterritorial Scope (Article 3)
  • DP Officer/Governance requirements (Article 28 - 29)
  • Detailed records of Personal Data being processed must be maintained (Article 30)
  • Privacy notices must be redrafted (Article 12, 13)
  • Data Breach Notification – within 72 hours (Article 32, 33 & 34)

SLIDE 5 – Accountability Obligations under the GDPR

Article 28 of the GDPR codifies the accountability obligation. It requires controllers to:

  • implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR; and
  • implement appropriate data protection policies where proportionate in relation to processing activities.

SLIDE 6 – Compliance with the Accountability Principle

  • Data Protection policies and notices;
  • Internal governance structure;
  • Records of processing activities;
  • Records of mechanisms for cross-border transfers;
  • Data breach handling procedures;
  • and more…

SLIDE 7 – New obligations and liabilities for suppliers

SLIDE 8 – Processor Obligations

Data Processors (e.g. CSPs, payroll, HR, IT suppliers) have direct obligations for the first time under GDPR:

  • Security
  • Record Keeping
  • Cross Border Transfers of Personal Data

Consequences:

  • Subject to administrative fines
  • Compensation claims

SLIDE 9 – Choosing a Processor

Article 24 of the GDPR requires controllers to:

  • use only processors providing sufficient guarantees to implement appropriate technical and organisational measures
  • Accountability Obligation - Demonstrate Compliance
  • Consider undertaking a DPIA before entering into a new processing arrangement
  • Audit existing suppliers

SLIDE 10 – GDPR Processor Contracts

Written Agreements – Mandatory

  • Document subject matter, duration, nature and purpose of processing;
  • Include details of personal data and data subject categories;
  • Requirement to report breaches;
  • Cooperation with Controller obligations (security and subject access rights, portability, erasure); and more…

SLIDE 11 – How GDPR compliance can support risk reduction and alignment with PCI DSS and ISO27001

SLIDE 12 – Opportunities

  • Data portability - Start-ups and smaller enterprises to ‘access data markets dominated by digital giants’
  • Data Housekeeping/Discovery - Utilise or monetise your data once you know where it is!
  • Market Share – Maintained or increased through consumer trust
  • Reducing data footprint – Risk mitigation

SLIDE 13 – Article 32 – Security of Processing

GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
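The first Article 32 measure above, pseudonymisation, is easy to get wrong: replacing an identifier with an unkeyed hash still lets anyone who can guess a candidate email address confirm it. The example below is added here and is not code from the presentation or from Gemserv; it shows pseudonymisation done with a keyed HMAC, so that the key is the "additional information" that GDPR Article 4(5) requires to be held separately from the pseudonymised records. The field names, sample records and the choice of email as the linking identifier are constructed for this example.

```python
"""Pseudonymisation of personal-data records as an Article 32 security measure.
Constructed example: the key is kept separately from the output, so re-linking
a subject_id to a person requires that key (GDPR Article 4(5) definition)."""
import hmac
import hashlib
import secrets
from typing import Dict, List

# Fields that directly identify a person; they must not survive in the
# pseudonymised output. Constructed list for this example.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    An unkeyed hash is not a useful pseudonym: anyone can hash a guessed email
    address and compare. With a keyed MAC, linking the pseudonym back to the
    identifier requires the key, which is held in a separate key store.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Drop the direct identifiers and add one pseudonymous subject id.

    Email is used as the linking identifier, so the same person (same email
    regardless of case or surrounding whitespace) always gets the same id.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = make_pseudonym(record["email"], key)
    return out


def pseudonymise_dataset(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Pseudonymise every record with the same key so records stay linkable."""
    return [pseudonymise_record(r, key) for r in records]


def contains_direct_identifier(records: List[Dict[str, str]], raw_values: List[str]) -> bool:
    """Leak check: does any raw identifying value still appear in the output?"""
    blob = " ".join(str(v) for r in records for v in r.values()).lower()
    return any(v.lower() in blob for v in raw_values)


# Constructed sample records (fictitious people and numbers).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.org", "phone": "+44 20 7946 0000",
     "plan": "premium", "country": "UK"},
    {"name": "A. Example", "email": " ada@example.org ", "phone": "+44 20 7946 0000",
     "plan": "premium", "country": "UK"},
    {"name": "Bo Sample", "email": "bo@example.net", "phone": "+44 20 7946 0001",
     "plan": "basic", "country": "IE"},
]

if __name__ == "__main__":
    # In production the key is generated once and stored apart from the data.
    key = secrets.token_bytes(32)
    for row in pseudonymise_dataset(SAMPLE_RECORDS, key):
        print(row)
```

Two properties are worth checking in a review of any pseudonymisation routine: records for the same person must still link (the first two sample rows share a subject_id), and none of the raw identifiers may survive in the output, which is what the leak check asserts. Rotating the key produces a fresh, unlinkable set of ids, which is useful when a dataset is handed to a new processor.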

SLIDE 14 – ISO27001 and GDPR

  • A.18.1.4 - Privacy and Protection of Personally Identifiable Information
  • A.10.1 - Cryptographic Controls
  • A.15 - Supplier Relationships
  • A.17 - Business continuity management
  • Additional controls on governance, technical auditing, access controls, vetting, physical security and incident management

SLIDE 15 – PCI and GDPR

  • PCI DSS & GDPR designed to improve customer data protection.
  • PCI DSS focuses on payment card data whilst the GDPR focuses on personally identifiable information.
  • GDPR less prescriptive
  • Technology for PCI compliance can be extended to protect additional personal data.

SLIDE 16 – Accountability Obligations under the GDPR

Article 28 of the GDPR requires controllers to:

  • implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR;

SLIDE 17 – Technical Controls and Data Discovery

SLIDE 18 – Threat Landscape

  • External Attackers, Internal Rogues
  • Administrators
  • Users (permanent / temporary)
  • Suppliers
  • Developers

SLIDE 19 – Dealing with the Threat

‘Appropriate security measures’ to protect personal data include:

  • Encryption (at rest and in transit) – best data security measure available;
  • Keep patches up to date;
  • Apply multi-layered entry point protection (web, email and malware protection);
  • Limit dissemination of sensitive data (application/device control/mobile device management, data control); and more…
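Every measure in this section, from encryption at rest to limiting dissemination, presupposes the data discovery step the section title names: you cannot encrypt or contain personal data you have not located. The example below is an added illustration, not code from the presentation or from Gemserv; it scans a constructed in-memory "file store" for two common direct identifiers (email addresses and UK-style phone numbers) and reports which locations hold personal data and how much, so that the controls above can be targeted. The paths, file contents and the two detector patterns are constructed and deliberately simple; production discovery tooling uses far broader detectors.

```python
"""Minimal personal-data discovery over a constructed file store.
Constructed example of the data discovery step: locate personal data before
choosing how to protect or contain it. Not code from the presentation."""
import re
from typing import Dict, List

# Two constructed, deliberately simple detectors for direct identifiers.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# UK-style numbers: "+44" or a leading "0", then the remaining digits with
# optional single spaces between groups.
UK_PHONE_RE = re.compile(r"(?:\+44\s?\d{2,4}|\b0\d{2,4})(?:\s?\d){6,8}\b")

DETECTORS = {"email": EMAIL_RE, "uk_phone": UK_PHONE_RE}


def scan_text(text: str) -> Dict[str, int]:
    """Count matches for each detector in one blob of text."""
    return {name: len(rx.findall(text)) for name, rx in DETECTORS.items()}


def discover(store: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every 'file' in the store and return only those holding personal
    data, with per-type counts, ordered by total matches (largest first)."""
    findings: List[Dict[str, object]] = []
    for path, text in store.items():
        counts = scan_text(text)
        total = sum(counts.values())
        if total:
            findings.append({"path": path, "total": total, **counts})
    findings.sort(key=lambda f: (-int(f["total"]), str(f["path"])))
    return findings


# Constructed sample store: path -> file contents (fictitious people/numbers).
SAMPLE_STORE = {
    "hr/payroll_export.csv": (
        "name,email,phone\n"
        "Ada Example,ada@example.org,020 7946 0000\n"
        "Bo Sample,bo@example.net,+44 20 7946 0001\n"
    ),
    "marketing/newsletter_list.txt": "cara@example.com\ndan@example.co.uk\n",
    "it/server_config.yaml": "listen: 0.0.0.0:8443\ntls: true\n",
    "tmp/old_backup.log": "contact 07700 900123 re ticket 42",
}

if __name__ == "__main__":
    for finding in discover(SAMPLE_STORE):
        print(finding)
```

The output is an inventory rather than a verdict: the payroll export is an expected location and needs encryption at rest and access control, while the stray phone number in a temporary backup log is the kind of uncontrolled copy that "limit dissemination" is about and is usually best deleted under the data-footprint reduction the deck recommends.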

SLIDE 20 – Timebound GDPR implementation plan

SLIDE 21 – Building a GDPR Plan

  • Step 1 – Build consensus – Identify key stakeholders (e.g. IT, Legal, Marketing, Operations, Sales, Customer Services, Compliance)
  • Step 2 – Assess Readiness
  • Step 3 – Define a plan and personal data flow mapping
  • Step 4 – Assess your international transfers
  • Step 5 – Address supply chain

SLIDE 22 – Q&A

SLIDE 23 – Preparing for GDPR Checklist

  • Review and update your method to obtain consent to ensure you get specific, informed, and unambiguous opt-in consent.
  • Consider privacy by design and privacy by default in new and existing applications.
  • Ensure there are procedures for dealing with data portability and right to be forgotten requests.
  • Check and update your privacy notices.
  • Review, revise (or draft) your written information security policies to ensure appropriate technical, administrative, and physical measures are in place to protect data.
  • Begin the search for qualified DPOs.
  • Consider how you manage risk and how data protection is dealt with in your risk assessment framework.
  • Ensure staff have adequate and up to date training on data protection and GDPR changes.
  • Maintain detailed records of personal data processing.
  • Review your insurance for scope and limits of coverage.

SLIDE 24

For more information contact us on: bd@gemserv.com +44 (0)20 7090 1091