Introduction to GDPR
CS 622 – Session 5
Saturday, Dec 19, 2020
G Krishnamurthy
What is it & why is it important?
What?
• Any data relating to identifiable individuals – employees, suppliers, clients
– Names
– Addresses
– Email addresses
– Telephone numbers
– Sensitive information
Why?
• Covered by the Data Protection Act 1998, which sets out legal conditions that must be satisfied in relation to
– Obtaining
– Handling
– Processing
– Storing
– Transportation
– Destruction of personal information
Why do we collect personal data?
Breaches of confidentiality, e.g. information being given out inappropriately, lost or overseen
Failing to offer choice, e.g. individuals should be free to choose how the company uses data relating to them
Reputational damage, e.g. the company that loses the data suffers if hackers successfully gain access to personal data
Clients should expect the company having their data to look after their data securely and in a
professional manner, regardless of any regulations!
So what if?
• Breaches have to be reported
• Potential fines
• Reputational damage, due diligence risk
• Potential to strike the company off panels, e.g. mortgage panels
• Potential for investigations into the company’s compliance
Future of Personal Data
Data Protection Act 1998 → GDPR
GDPR – What’s New?
General Data Protection Regulation – Effective from 25th May 2018
Legal and Technical changes
Info Security and boards
2017 Security and Privacy Survey by Protiviti – roles surveyed:
• Board members
• Senior managers
• Chief compliance officer
• Chief risk officer
• Chief legal officer
• Chief information officer
• Chief information security officer
Step 1: Tips to obtain buy-in
• Educate key stakeholders about GDPR
• Explain the privacy risks for their own career
• Invite them to conferences and training
• Communicate the link between GDPR and cyber risks
• Propose a plan adjusted to the organisation’s culture
• Efficient and transparent plan
• Plan aligned to available resources
• GDPR project linked to strategies, e.g. better use of data, updated marketing databases, protection of patents and trade secrets
• Share cases about data breaches
“Good privacy is good business”
Step 1: Tips – Documentation
• Document all data processing activities
• Document and data inventory
• List of consents
• List of data processors and related agreements
• Risk analyses
• Privacy Impact Assessment (PIA)
• Data Protection Impact Assessment (DPIA)
• Security policy
• Contingency plans
Why is GDPR important?
Fines!
• Up to 20M EUR or 4% of global revenue in the last year, whichever is higher: failure to implement core principles, infringement of personal rights, and the transfer of personal data to countries or organisations without adequate protection
• Up to 10M EUR or 2% of global revenue in the last year, whichever is higher: failure to comply with technical and organisational requirements such as impact assessment, breach communication and certification
Get priorities
Define deadlines in the roadmap
What is personal information?
Any information relating to an identified or identifiable natural person – the data subject!
How data is identifiable?
A Bulgarian: 7M+
A Bulgarian female: 3.5M
A Bulgarian female born in 2000: 29k
… born 8th January 1942, comes from the Rhodope Mountains, born in Arda, Smolyan Province, singing Rhodopean folk songs: 1
How data is identifiable?
1 identifier:
– Name
– ID, passport, driver, social security and tax numbers
– Cookies and online IDs
– Phone numbers
– Location data
or 1 or more factors:
– Physical
– Physiological
– Economic
– Cultural
– Social
– Mental
– Genetic
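The narrowing shown above (7M+ → 3.5M → 29k → 1) is the anonymity set shrinking as attributes are combined: none of "Bulgarian", "female" or "born in 1942" identifies anyone on its own, but together they single out one person. The following Python is an added example, not part of the original slides, run over a small constructed set of fictitious records. It counts how many records share each combination of attributes (the "k" in k-anonymity), reproduces the narrowing for a target record, and lists the records that a given attribute set singles out. The attribute names and values are invented for the illustration.

```python
from collections import Counter

# Constructed sample records: fictitious people, values chosen to mirror the slide.
RECORDS = [
    {"nationality": "BG", "sex": "F", "birth_year": 1942, "region": "Smolyan", "job": "singer"},
    {"nationality": "BG", "sex": "F", "birth_year": 1942, "region": "Sofia",   "job": "teacher"},
    {"nationality": "BG", "sex": "F", "birth_year": 2000, "region": "Smolyan", "job": "student"},
    {"nationality": "BG", "sex": "F", "birth_year": 2000, "region": "Sofia",   "job": "student"},
    {"nationality": "BG", "sex": "M", "birth_year": 1942, "region": "Smolyan", "job": "farmer"},
    {"nationality": "BG", "sex": "M", "birth_year": 2000, "region": "Sofia",   "job": "student"},
    {"nationality": "DE", "sex": "F", "birth_year": 1942, "region": "Bayern",  "job": "singer"},
    {"nationality": "DE", "sex": "M", "birth_year": 2000, "region": "Berlin",  "job": "student"},
]


def key_of(record, attrs):
    """The tuple of values a record has for the chosen quasi-identifiers."""
    return tuple(record[a] for a in attrs)


def equivalence_classes(records, attrs):
    """How many records share each combination of quasi-identifier values."""
    return Counter(key_of(r, attrs) for r in records)


def k_anonymity(records, attrs):
    """The smallest equivalence class: the dataset is k-anonymous for these attrs."""
    return min(equivalence_classes(records, attrs).values())


def narrowing(records, target, attrs):
    """Size of the target's anonymity set as each attribute in attrs is added in turn."""
    sizes = []
    for i in range(1, len(attrs) + 1):
        prefix = attrs[:i]
        sizes.append(sum(1 for r in records if key_of(r, prefix) == key_of(target, prefix)))
    return sizes


def singled_out(records, attrs):
    """Records whose quasi-identifier combination is unique, i.e. identifiable from attrs alone."""
    classes = equivalence_classes(records, attrs)
    return [r for r in records if classes[key_of(r, attrs)] == 1]


if __name__ == "__main__":
    qis = ["nationality", "sex", "birth_year", "region"]
    print("anonymity set as attributes are added:", narrowing(RECORDS, RECORDS[0], qis))
    print("k for nationality+sex:", k_anonymity(RECORDS, ["nationality", "sex"]))
    print("singled out by nationality+sex+birth_year:",
          len(singled_out(RECORDS, ["nationality", "sex", "birth_year"])))
```

Before releasing a "de-identified" extract, run `k_anonymity` over every attribute the recipient could combine (not just the ones you think of as identifiers); a k of 1 means at least one person is identifiable, and the fix is to generalise or suppress attributes until k reaches an acceptable value.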
How data is identifiable?
Pseudonymous data: coded data linked by a secure and separated key to re-identify a data subject
What is pseudonymisation?
Original data (Name, Bank Account):
J Hansen   DD99234
A Jensen   DD99432
Key, held separately under the encryption key (Name, Code):
J Hansen   Kl23!lsw=
A Jensen   45der_f2!
Pseudonymised data (Code, Bank Account):
Kl23!lsw=  DD99234
45der_f2!  DD99432
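The tables above split one dataset into a working copy that carries only codes and a separately held key that maps codes back to names. The following Python is an added example, not code from the original slides: it derives each code as a keyed hash (HMAC-SHA256) of the name so that the same person always gets the same code and records can still be joined, keeps the key and the code-to-name table in a "vault" object that stands in for the separated key store, and shows why a plain unkeyed hash is not pseudonymisation: anyone with a list of candidate names can reverse it. The names and accounts are the slide's fictitious ones; the vault class, token length and key handling are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample dataset (fictitious people), as on the slide: name and bank account.
ORIGINAL = [("J Hansen", "DD99234"), ("A Jensen", "DD99432")]


def encode(digest):
    """Short, URL-safe text token from the first 12 bytes of a digest."""
    return base64.urlsafe_b64encode(digest[:12]).decode()


class PseudonymVault:
    """Holds the secret key and the code -> name table.

    This object is the 'separated key' of the slide: it must be stored and
    access-controlled apart from the pseudonymised dataset, otherwise the
    pseudonymisation is undone the moment both are read together.
    """

    def __init__(self, key=None):
        # 32 random bytes by default; a fixed key is only for reproducible tests.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}  # code -> name (re-identification table)

    def code_for(self, name):
        # Keyed hash: same name -> same code (records stay joinable), but without
        # the key nobody can recompute the mapping or check a guessed name.
        mac = hmac.new(self.key, name.encode("utf-8"), hashlib.sha256).digest()
        code = encode(mac)
        self.lookup[code] = name
        return code

    def reidentify(self, code):
        """Only the vault holder can turn a code back into a name."""
        return self.lookup.get(code)


def pseudonymise(rows, vault):
    """Replace the direct identifier (name) with a code; other fields are kept."""
    return [(vault.code_for(name), account) for name, account in rows]


def unkeyed_code(name):
    """What NOT to do: a plain hash of the name, with no secret."""
    return encode(hashlib.sha256(name.encode("utf-8")).digest())


def dictionary_attack(code, candidate_names):
    """Re-identify an unkeyed code by hashing a list of plausible names."""
    for name in candidate_names:
        if hmac.compare_digest(unkeyed_code(name), code):
            return name
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    for code, account in pseudonymise(ORIGINAL, vault):
        print(code, account, "->", vault.reidentify(code))
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_code("J Hansen"), ["A Jensen", "J Hansen"]))
```

Two practical points follow from the code: the working dataset is still personal data under GDPR because re-identification is possible with the vault, so it needs the same breach handling, just with lower impact; and the vault's key must be rotated and its lookup table access-logged, since whoever reads it can re-identify every record at once.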
Sensitive information: racial, political, trade union
Step 3: Compile a data inventory
Where is it?
• Website visitors
• Email servers
• Marketing databases
• Customer loyalty programs
• Patient/client databases
• Performance reviews
• Personnel files
• Legal documents
• Credit card statements
• Cameras and fingerprints for access control
• Phone books
• End-user apps, downloads, shared folders
Step 6: Create a privacy policy
Recommended chapters
• Company privacy vision
• Define data categories
• Organisation of applicable policies: data retention, information security, recognise GDPR rights
• Define general principles and roles to limit:
– the collection: how the consents are ensured, when risk impact assessments are conducted
– the use: how data is secured and given access to
– the disclosing: define circumstances for disclosure, complaints and requests, notification of breaches
Policy hierarchy
• Organisational: policy on privacy management
• Operational: data breach incident management, duty of disclosure, classification and acceptable use of information assets
Principles
• Adequate, relevant and limited to what is necessary
• Kept for no longer than is necessary
• Updated: reviewed when the use of data changes, or when the data controller (or the contact details) changes
• Being able to demonstrate consent
Minors
• Parental authorisation for children below the age of 16
• Reasonable means to verify parental consent
Review Consents
• Focus on ‘explicit consents’ for sensitive data and international transfers
• Link the consents to the personal data inventory
• Confirm that the consents are given freely, are clear and transparent
• Update the data subject rights
• Audit how the consents are documented and retained
• Audit if the opt-outs are processed on time
http://www.copenhagencompliance.com/news/issueXXXVI/Consent-the-GDPR-way-is-free-accurate-informed-and-unambiguous-approval-to-process-personal-data.php
Consent example
• Do you agree to the consent declaration below?
When submitting your information to [The Company] you accept and consent to the following:
Processing: electronically or manually
GDPR covers personal information processed wholly or partly by automated means
Processing Authority
Controller – Processor
GDPR applies:
• When personal data of an individual living in the EU (citizens or not) is processed in the EU
• When personal data of an EU citizen is processed by a non-EU company offering goods and services in the EU (whether paid or not)
Binding Corporate Rules
Contract between group companies to transfer information,
covering:
specify the purposes of the transfer and affected categories
of data
reflect the requirements of the GDPR
confirm that the EU-based data exporters accept liability on
behalf of the entire group
explain complaint procedures
provide mechanisms for ensuring compliance (e.g., audits)
Model pre-approved clauses to reduce compliance burden
Review contracts
Controller – Processor
Data exporter when processing is outside the EU
Whom to notify
• Supervisory authority
• Each data subject, if the breach is likely to result in a high risk for their rights (unencrypted data)
What to notify
• Type and number of data records and subjects compromised (approx.)
• DPO contact info
• Likely consequences and mitigation measures
How to detect a data breach?
Indications of compromise:
• notification from public authorities – the FBI knocks at the door
• from users – “oops, I opened a funny attached file”
• alerts from 3rd parties – the hosting vendor informs you they had malware
• continuous monitoring solutions – this server is transferring out a large amount of data
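The last indicator above, a server transferring out an unusual amount of data, is the one a continuous monitoring solution can raise on its own rather than waiting for a user or a third party. The following Python is an added example, not from the original slides: it parses a few constructed flow-log lines (synthetic traffic in a made-up `src=... dst=... bytes_out=...` format), builds each internal host's hourly egress baseline, and flags a host whose latest hour is both above an absolute floor and far above its own median, together with external destinations it has never contacted before. The log format, hosts, byte counts and both thresholds are assumptions of this example and must be tuned per environment.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow records (synthetic, not real traffic): timestamp, internal source,
# external destination, bytes sent out. 10.0.0.8 normally sends ~40 KB/hour, then
# pushes gigabytes to a never-seen address in the last hour.
FLOW_LOG = """\
2020-12-19T09:05:12Z src=10.0.0.5 dst=203.0.113.7 bytes_out=120000
2020-12-19T09:10:03Z src=10.0.0.5 dst=203.0.113.9 bytes_out=95000
2020-12-19T09:12:40Z src=10.0.0.8 dst=198.51.100.2 bytes_out=40000
2020-12-19T10:02:11Z src=10.0.0.5 dst=203.0.113.7 bytes_out=110000
2020-12-19T10:15:00Z src=10.0.0.8 dst=198.51.100.2 bytes_out=38000
2020-12-19T11:01:30Z src=10.0.0.5 dst=203.0.113.7 bytes_out=130000
2020-12-19T11:20:00Z src=10.0.0.8 dst=198.51.100.2 bytes_out=41000
2020-12-19T12:00:05Z src=10.0.0.5 dst=203.0.113.7 bytes_out=125000
2020-12-19T12:03:19Z src=10.0.0.8 dst=192.0.2.77 bytes_out=2500000000
2020-12-19T12:30:44Z src=10.0.0.8 dst=192.0.2.77 bytes_out=1800000000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def parse_flows(text):
    """(hour bucket, src, dst, bytes) per well-formed line; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # "2020-12-19T12:03:19Z"[:13] -> "2020-12-19T12": the hour bucket
            flows.append((m["ts"][:13], m["src"], m["dst"], int(m["bytes"])))
    return flows


def hourly_egress(flows):
    """Total bytes out per (src host, hour bucket)."""
    totals = defaultdict(int)
    for hour, src, _dst, nbytes in flows:
        totals[(src, hour)] += nbytes
    return totals


def flag_exfiltration(flows, ratio=10.0, floor=1_000_000_000):
    """Hosts whose latest hour is >= floor bytes AND >= ratio x the median of their earlier hours.

    Both conditions are needed: the ratio alone fires on quiet hosts that send
    a few megabytes, the floor alone misses a host that is always busy.
    """
    by_host = defaultdict(dict)
    for (src, hour), nbytes in hourly_egress(flows).items():
        by_host[src][hour] = nbytes
    alerts = []
    for src, hours in by_host.items():
        ordered = sorted(hours)
        if len(ordered) < 2:
            continue  # no history to compare against
        latest = hours[ordered[-1]]
        baseline = median(hours[h] for h in ordered[:-1])
        if latest >= floor and latest >= ratio * max(baseline, 1):
            alerts.append({"host": src, "hour": ordered[-1], "bytes": latest, "baseline": baseline})
    return alerts


def new_destinations(flows):
    """(src, dst) pairs first seen in the latest hour: a new peer is a second signal."""
    latest_hour = max(f[0] for f in flows)
    first_seen = {}
    for hour, src, dst, _ in sorted(flows):
        first_seen.setdefault((src, dst), hour)
    return sorted(pair for pair, hour in first_seen.items() if hour == latest_hour)


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for alert in flag_exfiltration(flows):
        print("EGRESS ALERT", alert)
    print("new destinations:", new_destinations(flows))
```

An alert from `flag_exfiltration` is the moment the 72-hour notification clock may start, so the monitoring output should feed the incident response protocol directly: which host, which hour, and how many bytes went where are exactly the facts the "what to notify" list above asks for.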
Incident response protocol
Investigate “when” the breach was done
Get the investigation team
Investigate the level of compromise
Data breach scenario planning
Before:
• Managing IT risk and vulnerabilities
• How to improve breach prevention, detection and response
• What to expect in the future
After:
• What can we do to contain the damage
• How can we move on from this breach
Step 5: Data security program
Encryption of personal data
• Key element in the GDPR standard
• Not always feasible: depends on costs and risks, impact on performance
• Encryption of stored data (e.g. hard disk) and data in transit (e.g. calls)
Security measures
• Ongoing review (e.g. access audits)
• Importance of two-factor authentication, ISO 27001, compartmentalisation and firewalls
• Patches against malware & ransomware
Data lifecycle: Use – Transfer – Destroy
Other factors
• Contractual obligations
• Code of conduct
• Privacy policy
• Known vulnerabilities
• Previous breaches
Causes
• Frequency
• Probability of occurrence in a defined time horizon
Generic risks and controls
Objective: Availability
Risk: Loss, theft or unauthorised removal; loss of access rights
Lifecycle: Processing, Transfer
Component: Data, systems, processes
Controls: Redundancy, protection, repair & back-ups
Worked example
Risk: Customer personal information breached
Causes: Failures to design privacy into CMS applications; lack of maturity in the privacy program
Consequences: Loss of clients; policy/GDPR enforcement; business interruption; espionage; requests to delete data; loss of commercial opportunities
Impact: High (100 M EUR)
Likelihood: Medium (15% in 3 years)
Controls: Insurance
Action plan: Training; security scanning; MS integrations project – progress in Q3 2017
Owner: Noah Nilsen, Mkt Director
Follow-up
Communicate to stakeholders,
bottom-up and top-down