eu gdpr and security compliance for the dba
play

EU GDPR and Security Compliance for the DBA Santa Clara, California - PowerPoint PPT Presentation

Feb 17, 2023 •369 likes •772 views

EU GDPR and Security Compliance for the DBA Santa Clara, California | April 23th 25th, 2018 Meet Your Presenters Tyler Duzan Jeff Sandstrom Product Manager for MySQL Product Manager for MongoDB Software at Percona Software at

  1. EU GDPR and Security Compliance for the DBA Santa Clara, California | April 23th – 25th, 2018

  2. Meet Your Presenters Tyler Duzan Jeff Sandstrom • Product Manager for MySQL • Product Manager for MongoDB Software at Percona Software at Percona • Prior to joining Percona was an • Jeff has been a Product Manager Operations Engineer for more for over ten years, first in the than twelve years contact center space, then enterprise voice, and now open • Background in security and source databases. He's a compliance, specifically PCI, business nerd who loves tech. HIPAA/HITECH, HITRUST, SOC, and FEDRAMP & FISMA. 2

  3. Disclaimer • We are not Attorneys, we are Product Managers • Nothing within this presentation should be construed as legal advice • You should consult with an attorney to understand and mitigate any compliance risk for your organization • This presentation is not all-inclusive, we are discussing specific selected Articles of the GDPR we think are especially relevant 3

  4. Outline 1. General Overview of Compliance 2. GDPR Key Terminology 3. EU GDPR Articles a DBA Should Know • Article Overview • Articles of Particular Interest to DBAs • Deep Dive into Article 17, Article 25, Article 32-35, and Article 44 4. How Does Percona Software Help to Solve This? 5. Open Questions for DBAs to Consider 6. Q&A 4

  5. General Overview of Compliance

  6. Compliance Objectives • Build a secure infrastructure and know where sensitive data resides • Implement consistent security and data-handling standards across the enterprise • Design and implement effective controls for access to sensitive data • Provide a pathway to audit the organization • Reduce risk to the organization from data breaches • Protect your customers and partners who have entrusted you • Protect shareholder value 6

  7. Why Compliance Matters to the DBA • Datastores across the enterprise may likely contain sensitive data • Databases are a primary target for malicious actors attempting a data breach • Most compliance regulations specifically prescribe methods and techniques that must be used for datastores • The DBA is often the primary responsible party for implementing compliance controls and technical measures for protecting data 7

  8. How Has Compliance Changed? • Compliance regulations began by targeting specific industry verticals such as healthcare, finance, and government. • The focus of early compliance was really on mitigating broad organizational risk, typically when handling data that had large financial risk implications or national security implications • Later compliance regulations began focusing on the safety of consumer data as technology became integral to our daily existence • Many of these regulations limited coverage to situations where the consumer might be directly financially impacted by a breach and where a clear and direct customer relationship existed 8

  9. How Has Compliance Changed? • Lately compliance regulations have shifted because of a shifting environment both in technology and economics. • Current compliance regulations must take into account the existence of cloud providers, the ubiquity of Software-as-a-Service (SaaS) applications for both businesses and consumers, and the rise of sophisticated attacks. • We now exist in a world where great harm can be caused at scale using data that was previously thought to be innocuous. Many of these are first of their kind attacks. • EU GDPR seeks to address many of these concerns by emphasizing that fundamental ownership of data resides with the person whom that data is about. 9

  10. GDPR Key Terminology

  11. Terminology • Data Controller • The entity that is determining the purposes and means of processing the data. - Example: A social media application collecting user information, a manufacturing company collecting personal data about employees, etc. • Data Processor • The entity that processes data on behalf of the Data Controller. - Example: A payroll company that is issuing paychecks for a manufacturing company’s employees, a cloud service provider storing personal data • Data Processing • Any automated or partially automated operation performed on personal data 11

  12. Terminology • Data Subject • A natural person whose personal data is processed by a Controller or Processor • Personal Data • Any information that can directly or indirectly identify the Data Subject - Examples: • Biometric data • Health data • Online identifiers • Geolocation data • PII (name, address, government ID number, etc) • Profiling • Any data processing intended to evaluate, analyze, or predict the behavior of a Data Subject 12

  13. GDPR Articles DBAs Should Know

  14. GDPR Articles Overview • Chapter 1: General Provisions • Chapter 5: Transfer of personal data to third countries of • Article 1-4 international organizations • Chapter 2: Principles • Article 44-50 • Article 5-11 • Chapter 6: Independent • Chapter 3: Rights of the Data Supervisory Authorities Subject • Article 51-59 • Article 12-23 • Chapter 7: Cooperation and • Chapter 4: Controller and Consistency Processor • Article 60-76 • Article 24-43 14

  15. GDPR Articles Overview • Chapter 8: Remedies, Liabilities, • Chapter 11: Final Provisions and Sanctions • Article 94-99 • Article 77-84 • Chapter 9: Provisions relating to specific data processing situations • Article 85-91 • Chapter 10: Delegates Acts and Implementing Acts • Article 92 & 93 15

  16. Articles of Particular Interest to DBAs • Article 17 • Article 32 • “the (…) controller shall have the • Security of data processing obligation to erase personal data • Article 33 & 34 without undue delay, especially in • Notification of a personal data relation to personal data which are breach to the supervisory authority collected when the data subject was a child, and the data subject shall • Communication of a personal data have the right to obtain from the breach to the data subject controller the erasure of personal • Article 35 data concerning him or her without undue delay.” • Data protection impact assessment • Article 25 • Article 44 • Data protection by design and by • General principles for transfers default 16

  17. General Areas of Concern in GDPR • Change Management • Data Discovery and Classification • Environmental Evaluation • Establishing Appropriate Internal Processes • Auditability • Internally defining ethical walls • Tracking location of data by user / Data Mapping 17

  18. Article 17 • Establishes a legislative structure which resides ownership of data with the Data Subject • Establishes the “Right to be Forgotten” as EU Law • “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”. • Expands deletion requirements to now include the obligation for the Data Controller to inform anyone else who has the Personal Data when a deletion request is received, extending to Data Processors or copies of that data 18

  19. Article 25 • Enshrines the concept of data protection by design and default • Requires that controls must be in place to ensure that • Personal Data cannot be attributed to an identified or identifiable Data Subject • Only the Personal Data necessary for a specific purpose can be processed • Only the Personal Data necessary for a specific purpose is collected • Data that is no longer needed should be deleted • Implies strongly specific technical requirements, which in some cases are defined elsewhere • Data minimization, data masking, data pseudonymization • Implementing strict ethical walls and access controls within your organization for seeing Personal Data • Utilizing best practice methods for protecting Personal Data when stored 19

  20. Article 32 • Requires both Data Controllers and Data Processors to implement certain technical and organizational measures • These measures help to prescribe how to handle the philosophical basis of EU GDPR • Technical examples • Encryption for data that is both “at rest” and “in motion” • Monitoring and auditing access to Personal Data • Data masking for applications which access Personal Data • Organizational examples • Maintaining data accessibility and planning for a response to a breach • Testing and evaluating the effectiveness of your controls • Auditability of your environment 20

  21. Article 33 and 34 • Establishes the requirements for informing regulators (Supervisory Authority) and users (Data Subjects) when a breach occurs • Data Controllers must inform the appropriate Supervisory Authority within 72 hours of a data breach occurring or provide a substantial reason for any delay • Data Processors must notify Data Controllers immediately as soon as they become aware of a breach • If a data breach presents risk to users Data Controllers and Data Processors must individually notify affected Data Subjects, without undue delay . • If it’s not possible to provide all required information initially, it can be provided in phases through multiple notifications 21

Recommend

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security

WEBINAR How to Solve CCPA and GDPR's Toughest Compliance Mandates Automating Data Privacy and Security for API-based Services Welcome and Introductions Elias Terman Chandan Golla Shan Zhou VP of Global Marketing Head of Product Management

506 views • 34 slides
IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko

IDD & GDPR Masterclass Branko Bjelobaba FCII Regulation & Compliance Consultant Branko Ltd FCA compliance consultants * BIBA Compliance Manual * Engaging Events * Tailored Solutions Format 1. GDPR (the important bits!) 2. ICOBS

716 views • 67 slides
GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU

GDPR T owards Compliance 25 May 2018 Wha hat t is GDPR? EU Data Protection Directive EU General Data Protection 1995 Regulation 2016 Data Protection Act 1998 Data Protection Bill 2017-19 Fines DPA GDPR Maximum Fine 500k Two

622 views • 17 slides
Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The

Almost one year after the GDPR, where are we now? Click to add title Click to add subtitle Before the GDPR: the great GDPR compliance panic The first year of the GDPR can best be described as "quiet test run. What are the most striking

405 views • 8 slides
Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin

Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR Legal Overview By Erin Aslan Legal Counsel - Sinequa Live Webcast: How Cognitive Search Accelerates GDPR Compliance GDPR takes effect on May 25, 2018 with no further

285 views • 26 slides
On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of

On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of

On Purpose and by Necessity: Compliance under the GDPR Sren Debois, IT University of Copenhagen Joint work with David Basin (ETH) and Thomas Hildebrandt (KU) FC 18, Feb 26, 2018 General Data Protection Regulation May 25, 2018 GDPR

223 views • 20 slides
*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS

*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS

*Funded by the European Commission GDPR Compliance and The International Patient Summary An IPS Workshop Brussels, 13 th September 2018 GDPR Compliance and The International Patient Summary Introduction and Welcome Stephen Kay Vice Chair of

520 views • 33 slides
Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do

Overview What is the GDPR? What are the main changes? Risks? What do you need to do to be compliant? Data Breaches How does the GDPR affect you? Steps to Compliance Summary What is the GDPR? q The EU's General Data

355 views • 17 slides
GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB

GDPR General Data Protection Regulation DR. Rafi us Shan, Chief Cyber Security , KP CERC KPITB GDPR TIMELINE Definitions GDPR is a set of EU laws that come into affect on May 25th 2018. GDPR rules are designed to give more control over

587 views • 30 slides
General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR Accountability measures: GDPR requires compliance and evidence of compliance: documented policies and procedures, records of consents etc.

355 views • 9 slides
Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mnsted Cloud Solutions Architect Microsoft Denmark This presentation is intended to provide an overview of GDPR and is not a definitive statement of the law. 1. Data Privacy and

900 views • 21 slides
Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman,

Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman,

Analyzing GDPR Compliance Through the Lens of Privacy Policy Jayashree Mohan , Melissa Wasserman, Vijay Chidambaram General Data Protection Regulation (GDPR) Respect the rights of data owner Personal Gathered legally, Protect it from Data

500 views • 37 slides
Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO:

Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO:

Upcoming events Apr. 10 - GDPR: Are your marketing efforts in compliance? Apr. 30 - Local SEO: Proven tactics to help you rank Sept. 12 - 2018 Moving Marketing Forward Conference GUERILLA RESEARCH Create a Better User Experience with Just

707 views • 38 slides
EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda

EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda

Reaz Khedarun and Ian Davis EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS bd@gemserv.com Agenda Implications and opportunities of GDPR New obligations and liabilities for suppliers How GDPR compliance can

437 views • 24 slides
something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations

Privacy is no longer something to keep quiet about GDPR Compliance Concerns and Its Impacts on Investigations Statistics from EY Surveys Page 2 When is privacy not something to keep quiet about? Data protection and data privacy compliance

884 views • 24 slides
GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data

GDPR How does it apply to me? What is GDPR? It is the LAW! What is GDPR? The General Data Protection Regulation Came into force on May 25 th Replaces the current 1995 Data Protection Directive and Data Protection Act (1998). What is GDPR?

570 views • 18 slides
OSS in the quest for GDPR compliance Pass the Salt 2019 Errata this talk was proposed by

OSS in the quest for GDPR compliance Pass the Salt 2019 Errata this talk was proposed by

OSS in the quest for GDPR compliance Pass the Salt 2019 Errata this talk was proposed by Cristina DeLisle I'm filling in due to a scheduling conflict I Am Not A Lawyer Agenda 1. XWiki & CryptPad, who we are, what we do 2. what we talk

612 views • 30 slides
Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and

Brokers Ireland Compliance Update September 2020 Linda Doyle Items Covered GDPR and outsourcing Brexit Central Bank and Cyber Fraud Consumer Insurance Contracts Act 2019 Covering PCF roles during COVID19 Assessing

666 views • 34 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM & UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Large-scale Research Data Management @ UL HPC Road to GDPR compliance Prof. Pascal Bouvry, Dr.

Large-scale Research Data Management @ UL HPC Road to GDPR compliance Prof. Pascal Bouvry, Dr.

Large-scale Research Data Management @ UL HPC Road to GDPR compliance Prof. Pascal Bouvry, Dr. Sebastien Varrette V. Plugaru, S. Peter, H. Cartiaux & C. Parisot Belval Campus, April 25 th , 2018 University of Luxembourg (UL), Luxembourg S.

591 views • 31 slides
Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What

Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What

Data Protection. IT issues and Solutions Ian Bernhardt Head of Governance & Compliance GDPR: The Journey Today Privacy Notice v What information is being collected? v Who is collecting it? v How is it collected? v Why is it being collected?

198 views • 18 slides
GDPR what is it? A new data protection framework which puts individuals back in control of

GDPR what is it? A new data protection framework which puts individuals back in control of

GDPR what is it? A new data protection framework which puts individuals back in control of their personal data ICO 12 steps to GDPR compliance 7. Consent 1. Awareness 2. Document the personal data you hold 8. Children 3. Communicating

540 views • 28 slides
THE APPLICATION OF GDPR IN SOUTH AFRICA General Data Protection Regulation (EU) 2016/679 The

THE APPLICATION OF GDPR IN SOUTH AFRICA General Data Protection Regulation (EU) 2016/679 The

THE APPLICATION OF GDPR IN SOUTH AFRICA General Data Protection Regulation (EU) 2016/679 The road to GDPR compliance Introduction The General Data Protection Regulation (EU) 2016/679 (" GDPR ") seeks to restructure the existing

248 views • 11 slides
Openstack compliance with GDPR Official Courseware 25th of May 2018 is closer than you think!

Openstack compliance with GDPR Official Courseware 25th of May 2018 is closer than you think!

Openstack compliance with GDPR Official Courseware 25th of May 2018 is closer than you think! Vincenzo Di Somma CISSP vincenzo.di.somma@canonical.com @vds Agenda Introduction Why should we care? What should we do? Introduction

670 views • 43 slides

More recommend