Gdpr action plan - ISSA

Do You Have a Roadmap for EU GDPR Compliance? Ulf Mattsson, CTO Security Solutions Atlantic BT

Ulf Mattsson

Inventor of more than 55 Issued US Patents

Industry Involvement:

• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISACA & ISSA; Databases: IBM & Oracle


Verizon 2017 Data Breach Investigations Report

Source: Verizon 2017 Data Breach Investigations Report

Verizon 2016 Data Breach Investigations Report – Breach Discovery

Source: Verizon 2016 Data Breach Investigations Report

Verizon 2016 Data Breach Investigations Report – Malware

Source: Verizon 2016 Data Breach Investigations Report

Source: BitSight

Will Your Data Be Sold?

Will You Ever Get Your Data Back?

Ransomware Is Getting Worse

• The cyber security solutions that are in place today are somewhat effective

• But a significant proportion of decision makers report that their problems with phishing and ransomware are getting worse over time

• For most of the cyber security capabilities that organizations have deployed to combat these threats, the majority of decision makers report they are not highly effective

Source: Osterman Research, Inc., 2017

GDPR Action Plan

A Members Owned Not-for-Profit Organisation

GDPR = Trust

ENTERPRISE wide Trust

© 2017 - The GDPR Institute - All Rights Reserved 16

Impact

Do you control or process personal data about ANY EU Citizens?

If so, you have to be GDPR compliant by 25th May 2018 or manage the implications of the fines and the reputational damage of any and every Data Breach – including Customers, Employees and Suppliers.

The Institute’s Purpose

Create a community of Data Privacy, Data Security and Data Governance experts to assist Large, Medium and Small Organisations address the challenge and maximise the opportunity created by the General Data Protection Regulation.

GDPR Challenge or GDPR Opportunity

The Institute’s Community

• Corporate Clients
• 61 Million Global Experts
• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Audit Services
• GDPR Legal Advisors
• GDPR Training Providers
• GDPR Recruitment Services

Bringing Together to Solve GDPR

GDPR Defensible Position

• GDPR Consulting Providers
• GDPR Technology Solutions
• GDPR Legal Advisors
• GDPR Recruitment Services
• GDPR Training Providers
• GDPR Audit Services
• 61 Million Global Experts

Opportunity or Challenge?

1. Fines
2. Loss of Customers
3. Reputational Damage

COST of Compliance

Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change, Change

GDPR = Enterprise-wide Change Management

Post Room to Board Room

People, Process, Technology, Information

Scale of Data Breaches

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

You will have a Data Breach

Key Questions

1. What Personal Data do you hold – Customer, Employee, Supplier, Contractor, Sub-Contractor, Citizen, Patient etc.

2. Where is that Data Located? PC hard drive, Remote Storage or Backup Device, On-Premise Database or Content Server, or in The Cloud

3. How are you using that Data?

4. Do you have Explicit or Implied Permission to use the data in the way you are using it?

The GDPR Roadmap

• Compliance Gap Analysis
• Security Reviews
• Use Case Management
• Consent Management
• Technology Assessments
• Business Process Management
• Privacy Impact Assessment
• Legal Advice
• Detailed Readiness Assessment
• Educate & Train
• Subject Access Management
• Threat Detection
• Case Management
• GDPR Defensible Position
• Annual GDPR Audits

Immediate Action Plan

1. Seek Legal Advice

2. Conduct a Privacy Impact Assessment

3. Complete a Readiness Assessment to address the key questions

4. Secure Executive Sponsorship and a meaningful budget

5. Develop a Consent Management Strategy

6. Build a Data Subject Access Request process before you get swamped

7. Ensure you have all your Breach Detection technology in place – Database, Content Repositories, Network Traffic, Dark Web

8. Prepare for the worst, and breathe a sigh of relief if it doesn’t happen

The GDPR Institute

Helping you resolve YOUR GDPR Challenge & Maximise the GDPR Opportunity

A Members Owned Not-for-Profit Organisation

www.gdpr.institute

GDPR Legal Issues


GDPR Already a Reality

Source: Cordery Legal Compliance, UK, 2017

GDPR Rules Require Data Protection Technology

Source: Imperva, 2017

Case Studies

GDPR Case Studies

• US and Spain – customer data
• Italy, Germany and more – financial data
• Germany – outsourcing
• Sweden – PII data

GDPR Simplified into 12 blocks

1. Legitimate basis for data: organizations must know, and be able to prove, that processing has a legitimate purpose.

2. Information you hold: organizations should keep data only in so far as necessary.

3. Individuals’ rights: individuals (customers, …) have the right to ask questions about their personal data.

4. Consent: there should be explicit and clear consent for the processing of personal data.

5. Children’s data: explicit consent of the child’s parents (or guardian) is required for minors less than 16 years of age.

6. Privacy notices: organizations must transparently state their approach to personal data protection in a privacy notice.

7. Data breaches: organizations must maintain a data breach register, and data subjects should be informed within 72 hours.

8. Privacy by design: mechanisms to protect personal data should be incorporated in the design of new systems and processes.

9. Privacy impact assessment: organizations must conduct a privacy impact assessment to review the impact and possible risks.

10. Data Protection Officers: organizations should assess the need to assign a Data Protection Officer.

11. Third parties: the controller of personal data has the responsibility to ensure that personal data is protected.

12. Awareness: to create awareness among your staff about key principles of data protection, conduct regular training.

To know more, read my book https://goo.gl/HMDRfk

Webcast title : EU GDPR Details

• Duration : 60 min

• Date & Time : Oct 25 2017 10:00 am

• Timezone : United States - New York

• Webcast URL : https://www.brighttalk.com/webcast/14723/269681

Data Security for Cloud, Big Data and Containers

Protect Sensitive Cloud Data

Diagram: Internal Network (Administrator, Internal User), Attacker, Remote User, Public Cloud, Cloud Gateway

Examples: each sensitive field is protected; each authorized field is in clear

Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)

SecDevOps

The issue is INTENTIONAL use of UNSANCTIONED public cloud storage for ease of use for corporate data

Securing Big Data - Examples of Security Agents

• Import de-identified data
• Export identifiable data
• Export audit for reporting
• Data protection at database, application, file, or in a staging area

Diagram components: HDFS (Hadoop Distributed File System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, MapReduce (Job Scheduling/Execution System), OS File System, Big Data

Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)
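The two slides above describe the same agent from two sides: at the cloud gateway every sensitive field is protected before it leaves the internal network, and in the big-data pipeline de-identified data is imported while only authorized roles can export identifiable data, with an audit trail for reporting. The following Python is an added example illustrating that pattern; it is not code from the slides or from any product the deck refers to. The demo key, the field policy, the role names and the sample record are all constructed, and keyed HMAC tokenization with an in-zone vault stands in for whichever tokenization product a real deployment would use.

```python
"""Field-level data security agent for de-identified import / authorized export.

Added example, not code from the slides. Constructed: the demo key, the
policy, the role names and the sample record. Keyed HMAC tokenization
stands in for whatever tokenization product an agent would actually use.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key; a real agent obtains it from a key manager and the
# key never leaves the trusted zone.
TOKEN_KEY = b"demo-hmac-key-not-for-production"

# Protection policy: the method applied when a field leaves the trusted zone
# and the roles allowed to see the original value on export. "mask" is
# one-way, so no role can recover a masked value from the exported data.
POLICY = {
    "email": {"method": "tokenize", "clear_for": {"support"}},
    "ssn":   {"method": "tokenize", "clear_for": set()},
    "card":  {"method": "mask",     "clear_for": set()},
    "name":  {"method": "clear",    "clear_for": set()},   # not sensitive here
}


def tokenize(value: str) -> str:
    """Deterministic keyed token: equal inputs give equal tokens, so joins and
    counts still work on de-identified data, while the value cannot be
    reversed without the key (HMAC-SHA256, truncated to 64 bits)."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask(value: str, keep_last: int = 4) -> str:
    """Static masking: keep the last `keep_last` characters, replace the rest."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


class FieldSecurityAgent:
    """Sits at the cloud gateway / in front of the data lake.

    protect() is the import path (sensitive fields leave de-identified),
    reveal() is the export path (only fields the role is authorized for
    come back in clear), audit_summary() feeds the export audit report.
    """

    def __init__(self, policy):
        self.policy = policy
        self._vault = {}        # token -> original; stays in the trusted zone
        self.audit_log = []     # one entry per field-level export decision

    def protect(self, record: dict) -> dict:
        out = {}
        for field, value in record.items():
            method = self.policy.get(field, {"method": "clear"})["method"]
            if method == "tokenize":
                token = tokenize(value)
                self._vault[token] = value
                out[field] = token
            elif method == "mask":
                out[field] = mask(value)
            else:
                out[field] = value
        return out

    def reveal(self, protected: dict, role: str) -> dict:
        out = dict(protected)
        for field, rule in self.policy.items():
            if rule["method"] == "clear" or field not in protected:
                continue
            revealed = False
            if rule["method"] == "tokenize" and role in rule["clear_for"]:
                out[field] = self._vault.get(protected[field], protected[field])
                revealed = True
            self.audit_log.append({"role": role, "field": field,
                                   "method": rule["method"], "revealed": revealed})
        return out

    def audit_summary(self) -> dict:
        """Per-role counts of revealed vs withheld sensitive fields."""
        summary = defaultdict(lambda: {"revealed": 0, "withheld": 0})
        for entry in self.audit_log:
            summary[entry["role"]]["revealed" if entry["revealed"] else "withheld"] += 1
        return {role: dict(counts) for role, counts in summary.items()}


if __name__ == "__main__":
    agent = FieldSecurityAgent(POLICY)
    # Constructed sample record.
    record = {"name": "Ada", "email": "ada@example.com",
              "ssn": "123-45-6789", "card": "4111111111111111"}
    exported = agent.protect(record)
    print("de-identified:", exported)
    print("support sees: ", agent.reveal(exported, "support"))
    print("analyst sees: ", agent.reveal(exported, "analyst"))
    print("audit:        ", agent.audit_summary())
```

The design choice worth noting is that the vault and the key live with the agent inside the trusted zone, so data sitting in the public cloud or the data lake carries only tokens and masked values; an attacker who copies that store gets nothing re-identifiable, and every re-identification on export is attributable to a role in the audit log.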

SecDevOps

Virtual Machines

Docker

Data Security Agents, including encryption, tokenization or masking of fields or files (in transit and at rest)

Source: http://www.slideshare.net/GiacomoVacca/docker-from-scratch

Preparing for GDPR