EU GDPR PRACTICAL IMPLEMENTATION GUIDE - OPPORTUNITIES AND THREATS
Reaz Khedarun and Ian Davis
bd@gemserv.com
Agenda
• Implications and opportunities of GDPR
• New obligations and liabilities for suppliers
• How GDPR compliance can support risk reduction and alignment with PCI DSS and ISO27001
• Technical Controls and Data Discovery
• Timebound GDPR implementation plan
• Q&A
Implications and opportunities of GDPR
Overview of GDPR Operational Impacts
• Big Fines (Article 83)
• Extraterritorial Scope (Article 3)
• Data Breach Notification – within 72 hours (Article 32, 33 & 34)
• Must implement Security measures (people/IT) (Article 5, 32)
• New Individual rights (Portability & Erasure) (Article 12 – 22)
• Privacy notices must be redrafted (Article 12, 13)
• New rules on customer consent (Article 4, 7, 8, 9)
• Must maintain effective DP Policies (Article 24)
• Privacy by design must be embedded into businesses (Article 25)
• Detailed records of Personal Data being processed must be maintained (Article 30)
• DP Officer/Governance requirements (Article 28 - 29)
• Mandatory DP Impact Assessments (Article 35)
• New Data Processor obligations for suppliers (Article 28)
Accountability Obligations under the GDPR
Article 28 of the GDPR codifies the accountability obligation. It requires controllers to:
• implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR; and
• implement appropriate data protection policies where proportionate in relation to processing activities.
Compliance with the Accountability Principle
• Data Protection policies and notices;
• Internal governance structure;
• Records of processing activities;
• Records of mechanisms for cross-border transfers;
• Data breach handling procedures;
• and more…
New obligations and liabilities for suppliers
Processor Obligations
Data Processors (e.g. CSPs, payroll, HR, IT suppliers) have direct obligations for the first time under GDPR:
• Security
• Record Keeping
• Cross Border Transfers of Personal Data
Consequences:
• Subject to administrative fines
• Compensation claims
Choosing a Processor
• Article 24 of the GDPR requires controllers to:
  • use only processors providing sufficient guarantees to implement appropriate technical and organisational measures
• Accountability Obligation - Demonstrate Compliance
• Consider undertaking a DPIA before entering into a new processing arrangement
• Audit existing suppliers
GDPR Processor Contracts
Written Agreements – Mandatory
• Document subject matter, duration, nature and purpose of processing;
• Include details of personal data and data subject categories;
• Requirement to report breaches;
• Cooperation with Controller obligations (security and subject access rights, portability, erasure);
• And more…
How GDPR compliance can support risk reduction and alignment with PCI DSS and ISO27001
Opportunities
• Data portability - Start-ups and smaller enterprises to ‘access data markets dominated by digital giants’
• Data Housekeeping/Discovery - Utilise or monetise your data once you know where it is!
• Market Share – Maintained or increased through consumer trust
• Reducing data footprint – Risk mitigation
Article 32 – Security of Processing
GDPR provides specific suggestions for what kinds of security actions might be considered “appropriate to the risk,” including:
• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
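Pseudonymisation, the first Article 32 measure listed above, replaces identifying fields with values that cannot be attributed to a person without additional information held separately. The following is an added example, not code from the slides or from Gemserv, showing one common way to do this: a keyed HMAC-SHA256 over each identifying field. The records, field names and key handling are assumptions made for the example; the key (and the re-identification table the function returns) must be stored apart from the pseudonymised dataset for the measure to mean anything.

```python
"""Keyed pseudonymisation of personal-data records (added example, not from the slides).

Assumptions (not stated on the slides): records are plain dicts, the HMAC key
is held by a separate team or key store, and a pseudonym is HMAC-SHA256
truncated to 128 bits (32 hex characters).
"""
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"customer_id": "C1001", "email": "alice@example.com", "spend": 120},
    {"customer_id": "C1002", "email": "bob@example.com", "spend": 75},
    {"customer_id": "C1001", "email": "alice@example.com", "spend": 30},
]

# Fields that identify a data subject and therefore get pseudonymised.
IDENTIFYING_FIELDS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same value + same key -> same output.

    Without the key an attacker cannot recompute or reverse the mapping, so a
    plain (unkeyed) hash would not be sufficient here.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Return (pseudonymised records, re-identification table).

    The table is the 'additional information' that must be kept separately
    from the dataset; the dataset alone no longer identifies anyone.
    """
    out = []
    lookup = {}
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            if field in new:
                p = pseudonym(new[field], key)
                lookup[p] = new[field]
                new[field] = p
        out.append(new)
    return out, lookup


def total_spend_per_customer(pseudo_records):
    """Analytics still works on pseudonyms because they are consistent per key."""
    totals = {}
    for rec in pseudo_records:
        cid = rec["customer_id"]
        totals[cid] = totals.get(cid, 0) + rec["spend"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: fetched from a separate key store
    pseudo, table = pseudonymise(RECORDS, key)
    for rec in pseudo:
        print(rec)
    print("spend per pseudonymous customer:", total_spend_per_customer(pseudo))
    print("re-identification table (keep separately):", table)
```

The design point to notice is that the analytics function never needs the key or the table: the day-to-day processing can run on the pseudonymised copy, and only a controlled re-identification step (for example, answering a subject access request) needs both.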
ISO27001 and GDPR
• A.18.1.4 - Privacy and Protection of Personally Identifiable Information
• A.10.1 - Cryptographic Controls
• A.15 - Supplier Relationships
• A.17 - Business continuity management
• Additional controls on governance, technical auditing, access controls, vetting, physical security and incident management
PCI and GDPR
• PCI DSS & GDPR designed to improve customer data protection.
• PCI DSS focuses on payment card data whilst the GDPR focuses on personally identifiable information.
• GDPR less prescriptive
• Technology for PCI compliance can be extended to protect additional personal data.
Accountability Obligations under the GDPR
• Article 28 of the GDPR requires controllers to:
  • implement appropriate technical and organisational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR;
Technical Controls and Data Discovery
Threat Landscape
• External Attackers, Internal Rogues
• Administrators
• Users (permanent / temporary)
• Suppliers
• Developers
Dealing with the Threat
‘Appropriate security measures’ to protect personal data include:
• Encryption (at rest and in transit) – best data security measure available;
• Keep patches up to date;
• Apply multi-layered entry point protection (web, email and malware protection);
• Limit dissemination of sensitive data (application/device control/mobile device management, data control);
• and more…
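Both the "Data Discovery" theme of this section and the "limit dissemination of sensitive data" control above depend on first knowing which files and systems hold personal data. The following is an added example, not code from the slides or from Gemserv, of a minimal discovery scan: it runs simple patterns for e-mail addresses, UK mobile numbers and UK National Insurance numbers over a set of text sources, builds a per-source inventory that can feed an Article 30 record of processing, and offers a redaction helper for copies that should not carry the identifiers. The sample sources, the pattern set and the category names are constructed for the example; real estates need broader, tuned patterns and a scanner that reads files and databases rather than an in-memory dict.

```python
"""Personal-data discovery over text sources (added example, not from the slides).

Assumptions: sources are given as {path: text}; the three patterns below are
deliberately simple starting points, not an exhaustive personal-data detector.
"""
import re
from collections import Counter

# Category -> pattern. Constructed for this example; tune for your own estate.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK mobile numbers, e.g. 07700 900123 or +44 7700 900123
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    # UK National Insurance number: two letters, six digits, one letter A-D
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}

# Constructed sample sources; the identifiers are fictitious.
SOURCES = {
    "crm/export.csv": (
        "name,email,phone\n"
        "Alice,alice@example.com,07700 900123\n"
        "Bob,bob@example.org,07700 900456\n"
    ),
    "hr/payroll.txt": "Employee QQ123456C paid 2500. Contact: hr@example.com",
    "docs/readme.md": "Build with make; no personal data here.",
}


def discover(sources):
    """Map each source that holds personal data to {category: match_count}.

    Sources with no matches are omitted, so the result is a direct inventory
    of where personal data lives.
    """
    inventory = {}
    for path, text in sources.items():
        counts = Counter()
        for category, pattern in PATTERNS.items():
            n = len(pattern.findall(text))
            if n:
                counts[category] = n
        if counts:
            inventory[path] = dict(counts)
    return inventory


def summarise(inventory):
    """Totals per category across all sources, for the record of processing."""
    totals = Counter()
    for counts in inventory.values():
        totals.update(counts)
    return dict(totals)


def redact(text):
    """Replace each detected identifier with its category label.

    Use this for copies that leave the controlled system (reports, tickets,
    test data) so the personal data is not disseminated further.
    """
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[{category}]", text)
    return text


if __name__ == "__main__":
    inv = discover(SOURCES)
    for path, counts in inv.items():
        print(f"{path}: {counts}")
    print("totals:", summarise(inv))
    print(redact(SOURCES["hr/payroll.txt"]))
```

Because the inventory is keyed by source, the same output answers two different questions from the slides: which suppliers or systems process personal data (for processor contracts and audits), and where the data footprint can be reduced.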
Timebound GDPR implementation plan
Building a GDPR Plan
Step 1 – Build consensus – Identify key stakeholders (e.g. IT, Legal, Marketing, Operations, Sales, Customer Services, Compliance)
Step 2 – Assess Readiness
Step 3 – Define a plan and personal data flow mapping
Step 4 – Assess your international transfers
Step 5 – Address supply chain
Q&A
Preparing for GDPR Checklist
• Maintain detailed records of personal data processing.
• Review and update your method to obtain consent to ensure you get specific, informed, and unambiguous opt-in consent.
• Review, revise (or draft) your written information security policies to ensure appropriate technical, administrative, and physical measures are in place to protect data.
• Consider privacy by design and privacy by default in new and existing applications.
• Ensure there are procedures for dealing with data portability and right to be forgotten requests.
• Check and update your privacy notices.
• Consider how you manage risk and how data protection is dealt with in your risk assessment framework.
• Begin the search for qualified DPOs.
• Review your insurance for scope and limits of coverage.
• Ensure staff have adequate and up to date training on data protection and GDPR changes.
For more information contact us on: bd@gemserv.com +44 (0)20 7090 1091