© CGI Group Inc. CONFIDENTIAL
GDPR: 241 (calendar) days to go
CIPS
Maxine Bulmer
CGI Cyber Security Director
25th September 2017
Agenda
1. Welcome
2. What is the General Data Protection Regulation? Features, nature,
applicability and the challenges
3. What is your information?
4. Are you GDPR ready?
5. Next steps
6. Case Study / CGI's capability
7. Questions?
GDPR awareness is rising
UK Government adoption of GDPR
• “A new law will ensure that the United
Kingdom retains its world-class regime
protecting personal data, and proposals for a
new digital charter will be brought forward to
ensure that the United Kingdom is the safest
place to be online”. Queen's Speech 21st June
2017
• “The Government will also make use of all
available levers, including the forthcoming
General Data Protection Regulation (GDPR),
to drive up standards of cyber security
across the economy, including, if required,
through regulation.” National Cyber Security
Strategy 2016-2021
• “In a global economy we need consistency
of law and standards – the GDPR is a strong
law, and once we are out of Europe, we will
still need to be deemed adequate or
essentially equivalent.” Information
Commissioner, 29th September 2016
General Data Protection Regulation (GDPR) – the new world
• New features at a glance:
• Common / harmonised approach across Europe (no UK variant – but some local
derogations)
• Fines of up to 4% of global annual turnover (or EUR 20m, whichever is higher)
• Data breaches to be reported to the supervisory authority “without undue delay”
• Data processors now directly liable (as well as data controllers)
• Data Protection Impact Assessments mandatory for high-risk processing
• Broader definition of personal data – location data, IP addresses, other online identifiers, etc.
• “Right to be forgotten” – erasure of personal data
• Right to data portability – changing service provider
• Consent to process data cannot be assumed – it has to be confirmed
• Will apply to non-European companies operating in the EU
GDPR – essential features
Key Items
• Breach notification without “undue delay” – in
many cases within 72 hours of becoming aware
• Applies to all organisations processing
Personally Identifiable Information
• Challenging consent requirements:
• Particularly for marketing
• Active consent confirmation
• Tiers of penalties, with top-tier fines of up to 4%
of global turnover or EUR 20m (whichever is higher), for:
• Breach
• Non-compliance
• Data subject rights to:
• be informed (fair processing info)
• have access (confirmation data is
processed) and portability
• rectification (accuracy)
• be forgotten (i.e. deletion)
• object
Some Specifics
• Full force – 25th May 2018
• Based on risk to data, applied via Data Protection
Impact Assessments or Privacy Impact
Assessments
• Demonstrable security
• Evidence required of measures and good practice
• Privacy by Design and by Default
• Data profiling and pseudonymisation are key issues
• Restrictions on transfer and processing of data
outside the EU
• Mandatory appointment of a Data Protection Officer in
many organisations
• Expansion of the scope of personal data: location,
IP address, medical, etc.
• Data Processors and Data Controllers share
responsibilities
• GDPR contracts to be implemented across supply
chains
GDPR nature and applicability
GDPR
• Regulation =
• No local implementing legislation needed
• Directly applicable – limited scope for national
interpretation (some local derogations)
• Transition / deployment period
• Operational – 25th May 2018
• All organisations processing
Personally identifiable Information
• Applicable to non-EU organisations
• Based on Risk to Data
• Limited relief for small/micro businesses (e.g.
record-keeping) – not a general exclusion
• National security falls outside scope; Member
States may set specific rules for employment data
“Extras”
• Demonstrable Security
• Data Processors and Data Controllers
• Privacy by Design and by Default
(pseudonymisation)
• Independent DP Officer
• Greater Penalties
• Breach Notification without delay
GDPR – the challenge
Key Items
• Breach Notification without undue delay (within
72 hours where feasible)
• All organisations processing Personally
Identifiable Information
• Challenging consent requirements:
• Particularly for marketing
• Consent confirmation
• Penalties of up to 4% of Global Turnover
• Breach
• Non-compliance
• Data Subject Rights:
• To be forgotten
• Accuracy
• Access and portability
Details
• Operational – 25th May 2018
• Based on risk to data
• Data Protection Impact Assessments
• Demonstrable Security
• Privacy by Design and by Default (pseudonymisation)
• Restrictions on processing of data
outside the EU
• Independent DP Officer
• Expansion of the scope of personal data:
location, IP address, etc.
• Data Processors and Data Controllers
• Compliant contracts
GDPR – business challenges
• Understanding impact of legislation and regulations
• Identifying gaps in current practices
• Understand information assets landscape including risks and threats
• Establishing effective governance, direction and oversight
• Ensuring policies are robust in design and implementation
• Selecting and deploying the right technology
• Data management (including discovery, deletion, etc.)
• Consent management
• Access controls
• Web / Office / Operational interface
• Auditing and monitoring
• Monitor the effectiveness of the technical controls
• Accessing the right skills, structures and numbers of staff
• Training, education and awareness across the organisation
• Prioritise funding and investments
The realisation of how and where your data is
shared….
Our methodology for GDPR
How can we help? (Our sell !!)
• Understand the impact of GDPR on “As Is” position - Gap Analysis
• Assess GDPR maturity
• Plan for GDPR
• Discover data landscape including discovery and mapping data flows
• Assess risk using the Information Commissioner's Office methodology
• Execute DPIAs
• Design data management regime
• Implement Information Classification, Marking and Handling (ICMH)
• Validate GDPR preparations of 3rd party suppliers and partners
• Establish roles – Data Protection Officer and “Data Controller”
• Deliver staff awareness campaigns
• Prepare responses and plan for breaches
• Select and integrate appropriate technology
What can you gain from GDPR?
1. A ‘blueprint’ of your sensitive data, how and where it is processed.
2. Touch-points with senior stakeholders across the organisation
3. An understanding of your key corporate risks
4. Understand your security maturity, with opportunities to enhance security posture
5. Identify any transformational opportunities, including cloud
6. Identify need for any business process change
7. Validate the need for any endpoint security solutions
8. Is there a need for managed security services?
Things to be aware of
• The clock is ticking to May 2018
• ICO estimates that 43% of businesses are not doing anything - despite
knowing about GDPR
• Digital Economy Act 2017 – fines for company Directors – up to £500,000
• If organisations are seen to be taking right steps, penalties may not be
as severe
• This is coming…..Brexit or not!
Your next steps?
• Discover your data
  • Understand all the data held by your organisation
  • Understand the data flows (where the data goes)
  • Categorise the data
  • Identify data that contains personally identifiable attributes
  • Determine what the data is being used for
• Establish a Data Management Framework including:
  • Identifying Data Owners
  • Defining Access Policies
  • Privacy by Design
  • Justifying use (business purpose and/or consent)
• Roll out policies and controls
  • Implement technical / procedural controls to implement policy including:
    • Privacy by Design
    • Data Use Statements
    • RBAC, DLP, Encryption
    • Access Requests and Right to be Forgotten
  • Educate staff on their responsibility to protect personal data
• Prepare for Cyber Security incidents
  • Stand up incident management capability
  • Define and exercise your security incident processes
• Monitoring
  • Implement monitoring to enable identification of data loss
  • Ensure controls are correctly implemented
  • Align with a proven Information Security Management System (ISO 27001)
Case Study - summary
Our involvement:
• Data Privacy Impact Assessment and
GDPR Data Governance Review - gap
analysis of current state
• Identification and mapping of internal
and external data flows
• Information gathering across 26 UK
Business Units
• Risk Assessment using Information
Commissioner's Office methodology
• Identification of 3rd party stakeholders
where personal data is shared
• Health Check score of Data Protection
Act compliance indicating areas for
improvement
• Final report (69 risks / 119
recommendations)
• Presentation to Board members
Recommendations:
• Roll out education, awareness and
training
• Support preparation for responding to a
data breach
• Identify accountable roles
• Identify Data Processors / Data
Controllers and confirm their contracted
roles
• Validate 3rd party stakeholders' GDPR
preparations
• Investigate “Right to be Forgotten”
capability
• Consider data portability requirements
• Ensure processes and data retention are
transparent
• Identify data retention options
Our privacy capability
Thank you.
Any questions ?
Follow me on Twitter @maxine_bulmer
Connect with me on LinkedIn