Protecting Your Integrity and Getting Value from GDPR 2 June 2017
AGENDA 9.30am Arrival 10.00am Karen Patterson, BBC Journalist, Host Introduction 10.05am Shauna Dunlop, Regional Manager Northern Ireland, Information Commissioner’s Office GDPR Accountability – Privacy and Innovation 10.25am David Kemp, GDPR Business Consultant, HPE Exposing the technology challenges of GDPR for defence as well as business advancement 11.00am Coffee Break 11.20am Bill McCluggage, Digital Leader and CIO/CTO Using GDPR as a platform for change 11.45am Judith Millar, Business Development Manager, CSIT The evolving cyber threat landscape 12.10pm Panel Session 12.45pm Q & As 13.00pm Karen Patterson, BBC Journalist Close 13.05pm Lunch
Introduction Karen Patterson Journalist, BBC
GDPR Accountability – Privacy and Innovation Shauna Dunlop, Regional Manager Northern Ireland, Information Commissioners Office
GDPR Accountability: Privacy and Innovation Shauna Dunlop Information Commissioner’s Office
Privacy and Innovation
The protection of natural persons in relation to the processing of personal data is a fundamental right
Accountability
Fair, Lawful and Transparent Processing . . .
Individuals' rights : The right to be informed The right of access The right to rectification The right to erasure The right to restrict processing The right to data portability The right to object Rights related to automated decision- making and profiling
GDPR Consent at a glance Higher standard Genuine choice & control Positive opt-in Clear and specific Easy to withdraw Evidence of consent
Right to be forgotten. . .
Breach notification in a digital world
Children’s Privacy
Accountability
Privacy and Innovation
ico.org.uk https://ico.org.uk/for- organisations/data- protection-reform/
Exposing the technology challenges of GDPR for defence as well as business advancement David Kemp, GDPR Business Consultant, HPE
Exposing the real technology challenges of GDPR for defence as well as business advancement David Kemp EMEA Specialist Business Consultant June 2017
Why does GDPR matter to Business? 28
What is GDPR? “General Data Protection Regulation” • GDPR replaces previous Data Protection Directive • Data Protection Directive created to regulate control of Personally Identifiable Information (PII) • GDPR will harmonize data protection laws across 27 EU member states • Clearer rules for data transfer across borders • Better control over individual’s data
GDPR enacted to help protect EU citizen data from risk New pan European Reduces complexity for Regulation designed organizations dealing to protect the privacy with Personally Identifiable of EU citizens Information (PII) Applies also to Introduces companies requirements of outside the EU privacy by design and the ‘right to that deal with EU citizens’ data be forgotten’ Enterprises must start The risk of non-compliance preparing for the − Fines of up to 4% of parent company annual enforcement data of revenue (max. 20 million Euros) May 2018 − Mandatory breach notification within 72 hours Some exceptions for enterprise unless the PII was encrypted with less than 250 employees 30
EU General Data Protection Regulation (GDPR) Key Changes • Data Protection Officer (DPO) • Increased responsibility around security breach notification • Heavy non-compliance sanctions – 2- 4% of Global Sales • Privacy by design and privacy by default • Right to erasure and data portability • A single set of rules and a single data protection authority • EU Regulation will apply across borders • Greater compliance requirements
What technical delivery does GDPR compliance require for effectiveness? • Corporate Governance monitoring and enforcement • Social media monitoring - internal & external where permitted • Ability to freeze data across a complex IT legacy architecture • Cross-media visibility and comprehension • De-duplication, clustering and synthesis of mass data • Necessity to respect national and international data privacy standards • Fast and effective response to the Business
How does one get the Senior Management “on board” for GDPR compliance – and in which verticals? 33
How ready is the World for GDPR? Globally – Gartner - January 61% of corporates have no strategy 51% think Security is Compliance Italy – Osservatore Polytechnica di Milano – from 136 CISOs and DPOs - February 23% Don’t know of GDPR 22% Know but no action 55% Understand the requirements 9% Have started a project UK – Financial Times - February 55% of corporates will wait till May 2018 Norway – Top Management Survey - March 33% Don’t know of GDPR 50% Know but unaware how to start an effectiveness programme 17% Addressing the issue with planning
Compelling Business Logic for GDPR Compliance • • Fine Strategic records • Reputation hit management • • Government contract Cloud accelerator • pre-requisite M & A accelerator • • Enforcement action Due diligence • Client Audit GDPR Revenue Generation Brand Loyalty & Data Mining & Data Exploitation 35
Which “Entities” should be most engaged in GDPR preparation? B2C corporates Those acquiring personally identifiable information from private citizens in the normal course of business e.g. a. Retailers - supermarkets b. Gaming, Tourism & hotels c. FSI: Personal insurance & retail banks d. Mass Transport & logistics – rail / air / ferry e. Healthcare / Pharma / Hospitals f. Telcos B2B corporates a. Those with a large workforce where the PII is employee data b. Those which have agents who are B2C Government agencies Those who acquire PII due to their engagement with the public e.g. a. National Hospitals b. Municipal Authorities AND OUTSOURCEES!
Engaging Personas Persona Key Challenges CISO • Internal surveillance and monitoring to avoid employee negative impact on PII • Automate application of policy to security VP/Director of Security Operations • Comprehensive view of all existing data and applications • Monitoring and insight into enterprise-wide threat landscape CIO/IT • Determine what information is subject to GDPR requirements • Ensure backup and recovery is aligned to GDPR requirements CDO/CIGO • Defensibly delete information that has no value to the organization – aligns to “right to be forgotten” • Manage information based on policy throughout its lifecycle • Determine what information is subject to GDPR requirements Legal & Compliance • Proactively prepare for litigation and investigations by consolidating information in a centralized repository • Comply with policy-based management requirements of in-scope information throughout the Risk Management information lifecycle • Supervise employee communication Data Protection Officer • Alerting facility to enable early breach identification • Synchronization with legal / compliance / risk / business / security to enable compliance + HR, Communications, Audit, Finance? 37
HPE GDPR Programme 38
What challenges / business outcomes does GDPR create? RECORDS MANAGEMENT • What PII do I have, what format and where in my IT real estate? • How do I isolate and classify it? • How do I manage it in a form which enables me to execute PII tasks? SECURITY • Externally: How effective is my outer cyber defence shield? • Internally: How can I prevent accidental or deliberate misuse of PII?
1. Identification of Key GDPR Programme steps • AWARENESS: Brief the board so they are aware of the risks to the business and what needs to happen over the next 16 months to get GDPR effective. • STAFFING: Appoint / train a Data Protection Officer – 28,000 still to be appointed in EU. * LEGAL OPINION: Translating the GDPR into deliverables & functionalities + local law • DATA DISCOVERY: Conduct a PII location / format / security assessment vs. Opinion • PROGRAMME PREPAREDNESS: Assessment of exposure & potential mitigants • POLICY GAP ANALYSIS: Review and update existing data protection policies, training, privacy notices etc • TECHNICAL GAP ANALYSIS: Where can IT solutions accelerate GDPR “effectiveness”? • IMPLEMENTATION: Acquiring & installing IT solutions and services • PRIORITISED SEQUENTIAL SOLUTIONING: Or “Farming”
Recommend
More recommend
