gdpr data security and breaches
play

GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds - PowerPoint PPT Presentation

Oct 11, 2023 •166 likes •929 views

GDPR Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester 2 What we will look at today Technical and Organisational Security Handling data breaches Case law Newcastle | Leeds | Manchester 3 Data

  1. GDPR – Data Security and Breaches 10 December 2019 Newcastle | Leeds | Manchester

  2. 2 What we will look at today • Technical and Organisational Security • Handling data breaches • Case law Newcastle | Leeds | Manchester

  3. 3 Data security? Elizabeth Denham (Information Commissioner) "cyber security is not an IT issue, it is a boardroom issue. Companies must be diligent and vigilant. They must do this not only because they have a duty under the law, but because they have a duty to their customers”. Newcastle | Leeds | Manchester

  4. 4 Why does data protection matter? • Legal obligations • Reputation and goodwill • Fines and enforcement • Other data protection liabilities • Compensation • Criminal penalties • Vicarious liability Newcastle | Leeds | Manchester

  5. 5 Reported Personal Data Breaches in 2018 Newcastle | Leeds | Manchester

  6. 6 Newcastle | Leeds | Manchester

  7. 7 Types of Cyber Security Breach Newcastle | Leeds | Manchester

  8. Data Security Newcastle | Leeds | Manchester

  9. 9 What do we mean by the term data security? • GDPR obligation • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality) • Security should be appropriate to likelihood and severity of risks • Failure to keep data secure leads to personal data breaches Newcastle | Leeds | Manchester

  10. 10 The requirement to use technical and organisational measures…. • GDPR requires;- • Controllers to ensure a level of security appropriate to risk • Risk analysis • Proportionality test Newcastle | Leeds | Manchester

  11. 11 What is risk? • Confidentiality/Integrity/Availability • Confidentiality • Processed by those authorised to do so (and act within that authority) • Integrity • Accurate and complete • Availability • Accessible and usable Newcastle | Leeds | Manchester

  12. 12 Security Aims (ICO and NCSC) • Analyse risk by looking at your security aims: • Managing security risk • Protecting personal data (against cyber attack) • Detecting security events • Minimising the impact Newcastle | Leeds | Manchester

  13. 13 Identify Key Risks • GDPR encourages a risk based approach to compliance • Need to identify high risks • Classify information from risk perspective • Identify and locate sensitive data and mark it • Develop and maintain a risk register • Describe/rate risks • Risk management Newcastle | Leeds | Manchester

  14. 14 Identify Key Risks 5 4 Impact of risk 3 2 1 0 1 2 3 4 5 Likelihood of risk Newcastle | Leeds | Manchester

  15. 15 Rate the risks – HR Team • You are aware individuals are conducting work business on private email accounts • You have premises with swipe card access but are aware cabinets containing HR records are not locked • HR have received only standard GDPR training • HR data stored in bespoke software system which IT department maintains itself • HR holiday and sickness forms are still manual (i.e. paper based) Newcastle | Leeds | Manchester

  16. 16 Identify Key Risks • What are the biggest risks in your organisation? Newcastle | Leeds | Manchester

  17. 17 What are appropriate measures? • What does appropriate mean? • What measures are appropriate? • What factors should take into account? • Record measures you take Newcastle | Leeds | Manchester

  18. 18 Appropriate measures • Appropriate to achieve the intended purpose • Appropriateness linked to effectiveness • i.e. measure is appropriate to implement data security effectively • Ensure any safeguards operate through the project lifecycle Newcastle | Leeds | Manchester

  19. 19 Appropriate measures: Factors to take into account • Take into account • State of the art • Cost • Nature, scope, context and purposes of processing • Likelihood and severity of risks Newcastle | Leeds | Manchester

  20. 20 What do we mean by “organisational security”? Newcastle | Leeds | Manchester

  21. 21 What do we mean by “organisational security”? • Governance • Contracts and data sharing • Training and awareness Newcastle | Leeds | Manchester

  22. 22 What is “Governance”? • Management structures • Policies, procedures and documentation • Compliance and assurance • Identify and manage risks • Use of data protection impact assessments • Data protection by design and default Newcastle | Leeds | Manchester

  23. 23 Management Structures • Appointment of senior officer/director • Executive level • Responsibility for reporting data protection issues to executive • DPO/senior data protection manager • Supporting roles • IAO/DP Champions etc • Information security/information governance group • Accountability • Ensure evidence exists of roles and responsibilities Newcastle | Leeds | Manchester

  24. 24 Policies, Procedures and Documentation • Art 24 GDPR • Obligation to implement appropriate measures to ensure and demonstrate compliance (accountability) • Includes implementation of appropriate data protection policies • Ensure clear endorsement of policies by board/ executive • Policies should indicate how risks assessed and escalated Newcastle | Leeds | Manchester

  25. 25 Policies and Procedures • What policies do you have? Newcastle | Leeds | Manchester

  26. 26 Policies and Procedures • What policies do you have? • Do you have:- • A complaint policy? • A data security policy? • A security breach policy/protocol? • A training and awareness policy? • IT Use Policy/BYOD policy? • Physical security policy • Remote working policy? • Data retention policy Newcastle | Leeds | Manchester

  27. 27 Documentation (1) • You need to keep a full set of documentation to demonstrate your commitment to accountability • Processing record (Article 30) • Date breach log (Article 33(5)) • Fair processing record (Article 5(1)(a) and 5 (1)(b)) • Date protection impact assessments (Article 35) • Contracts (Article 28) • Record of data sharing agreements • Record of consent (Article 7(1)) • Risk register Newcastle | Leeds | Manchester

  28. 28 Documentation (2) • Information required for processing special category or criminal conviction and offence data • Policies and procedures • General obligation to have a data protection policy (Article 24(2)) • Data minimisation policy (Article 5(1)(c)) • Data accuracy policy (Article 5(1)(d)) • Data retention policy (Article 5(1)(e)) • Data security policy (Article 5(1)(f)) • Ability to demonstrate compliance Newcastle | Leeds | Manchester

  29. 29 Compliance and Assurance • Data protection audit – mapping, document analysis and risk identification • Part of compliance with Art 24 but also:- • Deal with changes to processing presented by GDPR • Ensure accountability principle is satisfied • Reduce risk of data protection breaches occurring • Minimise consequences of data breaches • Reduce risk of being fined if breach occurs and restrict the amount of fine if one is levied • Rate your risks Newcastle | Leeds | Manchester

  30. 30 Organisational security – data protection by design and default • Part of accountability principle • General obligation to show you have considered and integrated data protection considerations into processing activities from the start • Benefits • Identify and address privacy problems at an early stage (save cost) • Raise awareness of privacy and data protection • More likely to meet and exceed legal obligations/less likely to breach GDPR • Actions less likely to be privacy intrusive Newcastle | Leeds | Manchester

  31. 31 Organisational security – Data protection by design • Take into account • Cost • Nature, scope, context and purposes of processing • Likelihood and severity of risks arising from processing • Implement appropriate technical and organisational measures to implement the data protection principles • Integrate safeguards into processing/throughout project lifecycle • Privacy embedded • Privacy integral to design without diminished functionality Newcastle | Leeds | Manchester

  32. 32 Organisational security - Data protection by default • Implement appropriate technical and organisational measures by default • Only personal data processed when necessary for a specific purpose • Data protection by default to be considered • When collect personal data • Extent of processing • Period of storage • Accessibility Newcastle | Leeds | Manchester

  33. 33 Organisational security - Data protection impact assessments • An assessment of processing operations to identify privacy impacts and implications • Review processing operations • Analyse purpose of processing • Assess risk • Find ways to minimise risk • Mandatory for high risk projects that started after 25 May 2018 • Consult with ICO/supervisory authority where DPIA identifies risk cannot be managed and remains high Newcastle | Leeds | Manchester

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle | Leeds | Manchester 2 What

GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle | Leeds | Manchester 2 What

GDPR Update 3 October 2019 Phil Tompkins and Dean Murray Newcastle | Leeds | Manchester 2 What we will look at today GDPR to date How to handle data subject access requests Data security and handling data breaches Whats

808 views • 49 slides
GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB GDPR TIMELINE Definitions GDPR is a set of EU laws that come into affect on May 25th 2018. GDPR rules are designed to give more control over

587 views • 30 slides
GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches &

Developments in CyberSecurity Law presented by www.udalllaw.com Security Breaches & Security Requirements Security Breaches Criminal Conduct -computer viruses (ransomware) -physical theft -server, laptops, flash drives -electronic

668 views • 31 slides
General Data Protection Regulation and the UT System GDPRs Intent The aim of the GDPR

General Data Protection Regulation and the UT System GDPRs Intent The aim of the GDPR

General Data Protection Regulation and the UT System GDPRs Intent The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the

199 views • 9 slides
GDPR General Data Protection Regulations Members briefing 9 May 2019 Comparison DPA 1998

GDPR General Data Protection Regulations Members briefing 9 May 2019 Comparison DPA 1998

GDPR General Data Protection Regulations Members briefing 9 May 2019 Comparison DPA 1998 GDPR Fines up to 500K Fines up to 20M SARs 10 SARS Free SARs 40 days SARs up to a month Data breaches reported

251 views • 6 slides
Neutralize Data Breaches Using data-centric security on NonStop Prashanth Kamath U Sr. Product

Neutralize Data Breaches Using data-centric security on NonStop Prashanth Kamath U Sr. Product

Neutralize Data Breaches Using data-centric security on NonStop Prashanth Kamath U Sr. Product Manager NonStop Enterprise Division Forward-looking statements This is a rolling (up to three year) Roadmap and is subject to change without

400 views • 26 slides
Data Security Breaches: Problems And Solutions Steven C. Bennett With a combination of risk

Data Security Breaches: Problems And Solutions Steven C. Bennett With a combination of risk

Data Security Breaches: Problems And Solutions Steven C. Bennett With a combination of risk assessment, technical solutions, and stafg training, it is possible to keep data secure. InformatIon Is the new currency of commerce. Sensitive data,

380 views • 6 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Beyond Breaches: Affirmative State Law Duties to Protect Data Philip Gura Dominic Panakal May

Beyond Breaches: Affirmative State Law Duties to Protect Data Philip Gura Dominic Panakal May

womblebonddickinson.com Beyond Breaches: Affirmative State Law Duties to Protect Data Philip Gura Dominic Panakal May 14, 2019 Agenda Potential State Data Protection Laws Affirmative Obligations GDPR CCPA In the Law Existing State

433 views • 24 slides
Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett

garjoh_canuck Data minimization & concentration: Intended and unintended consequences of the GDPR Garrett Johnson (Boston U) Scott Shriver (U Colorado Boulder) GDPR Impact GDPR General Data Protection Regulation EU EEA Brexit GDPR

833 views • 27 slides
Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top organizational

610 views • 20 slides
Enterprise Security with Expanded Network Boundaries Dr. Zhijun (William) Zhang Lead Security

Enterprise Security with Expanded Network Boundaries Dr. Zhijun (William) Zhang Lead Security

Enterprise Security with Expanded Network Boundaries Dr. Zhijun (William) Zhang Lead Security Architect at The World Bank Group Data Breaches in the News Large-scale breaches are now a regular occurrence across industry and geography

221 views • 18 slides
David Sumner EU GDPR P CISM General Data Protection Regulation (GDPR) Why Supports a

David Sumner EU GDPR P CISM General Data Protection Regulation (GDPR) Why Supports a

General Data Protection Regulation David Sumner EU GDPR P CISM General Data Protection Regulation (GDPR) Why Supports a single digital market place Protect privacy & security of EU citizens in the digital age When

231 views • 8 slides
GDPR General Data Protection Regulation (EU) 2016/679 Gen eneral Data a Prot otectio ion Reg

GDPR General Data Protection Regulation (EU) 2016/679 Gen eneral Data a Prot otectio ion Reg

Security & Knowledge Management a.a. 2019/20 GDPR General Data Protection Regulation (EU) 2016/679 Gen eneral Data a Prot otectio ion Reg egulatio ion (1) (1) GDPR is: a regulation (not a directive) proposed by the

617 views • 22 slides
Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This

Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This

Web Security Erik Poll Digital Security group Radboud University Nijmegen websec 1 This course The web is a endless source of security problems. Why? The web is very widely used, so its interesting to attack The web is very complex

1.11k views • 61 slides
1 User Datagram Protocol (UDP) User Datagram Protocol (UDP) Services Provided Services

1 User Datagram Protocol (UDP) User Datagram Protocol (UDP) Services Provided Services

The primary primary (in (in principle principle unique unique) ) The role of Internet of Internet transport transport protocols protocols role

780 views • 6 slides
The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter

The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter

The plan Intro: LOCAL model, synchronicity, Bellman- Ford Network Algorithms Subdiameter algorithms: independent sets and matchings CONGEST model: pipelining, more matching, Boaz Patt-Shamir lower bounds Tel Aviv University 1 2

312 views • 16 slides
Device connection and startup 1 computer startup startup via network bootp

Device connection and startup 1 computer startup startup via network bootp

Device connection and startup 1 computer startup startup via network bootp connection to the network 2 when powered on the CPU sets the PC (program counter) on a predefined value challenge: what value is the PC set to on an

590 views • 41 slides
Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia,

Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia,

Clst 181SK Ancient Greece and the Origins of Western Culture Homers Iliad Books 2, 3 Italy, Egypt, Mediterranean Sea, Black Sea, Aegean Sea, Phoenicia, Greece, Peloponnesus, Ionia, Crete, Cyprus, Delphi, Mycenae, Troy, Aulis, Hellespont Aulis

613 views • 27 slides
Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers

Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers

CS 166: Information Security Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers and Defenders Play 1971 "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU

1.11k views • 82 slides
From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre

From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre

IOTA/FAST Workshop, 2018-05-10 Bernhard Hidding From spatiotemporal plasma-based diagnostics to high rep-rate PWFA at IOTA/FAST Scottish Centre for the Application of Plasma-Based Accelerators SCAPA, Department of Physics, University of

415 views • 20 slides
Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research

Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research

Decentralized Information Flow Control RK Shyamasundar Tata Institute of Fundamental Research Mumbai shyam@tifr.res.in Confidentiality Example (Contd) Principal Preparer distributor of WebTax-may have privacy interests WebTax

673 views • 38 slides

More recommend