A Practical Approach to GDPR - Digital Guardian · 2020-06-08
TRANSCRIPT
A Practical Approach To GDPR
Featuring Duncan Brown, IDC
Agenda
Logistics
A Practical Approach to GDPR, Duncan Brown
• GDPR Readiness
• The Role of DPO
• Technology Framework
• Recommended Timeline
• Action Plan
The Atos Approach to GDPR, Zeina Zakhour
Q&A
Duncan Brown
Associate Vice President, IDC
Leads IDC’s security research program in Europe
Broad security expertise including:
• Incident response
• Threat intelligence
• Global privacy
Established and leads IDC coverage:
• GDPR
• RPEC
• NIS Directive
A Practical Approach to GDPR
Duncan Brown
Associate Vice President, European Security
GDPR is a game-changer
© IDC Visit us at IDC.com and follow us on Twitter: @IDC
• Fines up to 4% of global revenues: “Effective, proportionate and dissuasive”
• Mandatory breach notifications: consequential loss of reputation
• Class-action lawsuits: brought by activists…?
• Ban on personal data processing*: in extreme cases
*Article 58
GDPR Readiness
[Bar chart: share of respondents by readiness status; axis 0% to 45%]
Response options:
• It is mainly ready now
• There is a solid plan in place to ensure readiness by May 2018
• We will start addressing it this year (2017)
• We are awaiting further guidelines
• We really do not know where to start
• Not relevant, as GDPR does not affect our organization
Figures highlighted on the chart: 43% and 57%
Source: IDC EMEA GDPR Survey, March 2017, n=560
Who leads GDPR?
Q. In which division or department is the leader based?
[Pie chart; values shown: 39%, 31%, 7%, 21%, 2%; legend: Corporate management, IT, Finance and accounting, Legal, Other]
Q. We have established a cross-functional compliance taskforce or governance board?
[Pie chart; values shown: 36%, 64%; legend: Yes, No]
Source: IDC EMEA GDPR Survey, March 2017, n=560
The role of the Data Protection Officer
IDC does not provide legal advice
• Mandatory for public bodies, and for processing of ‘large scale’ systematic monitoring
• Voluntary DPOs are encouraged as good practice
• Applies to controllers & processors
• Requires ‘expert knowledge’ and ‘ability to fulfil the tasks’
• In-house or external, full- or part-time
• No conflict of interest
• Can’t be fired for ‘performing their duties’
Sourcing a DPO
[Pie chart; values shown: 51%, 22%, 13%, 7%, 7%; legend: Appoint someone from within the organization; We already have a DPO in place; Appoint a dedicated person from outside the organization; Not appoint a DPO; Use a contract resource]
Source: IDC EMEA GDPR Survey, March 2017, n=560
GDPR Technology Framework
Three layers: Information Governance; Meeting Specific Requirements; Review State of the Art
Information Governance
What personal data do I have, where is it, how sensitive is it, why do I have it, do I have consent to use it, can I delete it, etc.
• Discovery: data visibility assessment
• Automation is essential
• Data loss prevention for real-time classification & protection of data-in-transit
Meeting Specific Requirements
RTBF, Consent, Encryption, Data Loss Prevention, Data Portability, Access Control, Record keeping, Incident Response, etc.
• Data Discovery, Classification and Control
• Access Control & Identity Management
• Privileged User Management
• Encryption and Pseudonymization
• Auditing and Forensics
• Breach Detection and Notification
• Managed Services
Review State of the Art
“appropriate technical and organisational measures”
“Taking into account state of the art…”: Cost, Risk, Context
Encryption, backup & restore, testing, and everything else…
When to start?
Manage · Discover · Assess · Review
Manage
• Select a leader
• It’s a program!
• Stakeholder engagement
Discover
• Visibility
• Risk exposure
• Scale of effort
Assess
• Role of Technology
• Impact assessments
• Behaviour changes
Review
• Access control
• Data control
• Breach response
Thank you
Zeina Zakhour
Global CTO Cybersecurity, Atos
17 years cybersecurity
Manages end-to-end spectrum:
• Security advisory
• Integration
• Managed security services
• IoT & big data security
CISSP
ISO 27005 certified Risk Manager
Atos approach to GDPR
Journey towards compliance
How to get prepared? The Journey for GDPR compliance
• Do you know where the personal data is stored in your organization, who has access, and how data is used/exchanged?
• Did you identify non-compliance risks related to personal data processing?
• Are you using cloud services for personal data?
• Do your business lines understand the impacts of this regulation? (changes to Data Consent Forms, providing legal forms for access/modification/erasure, running Data Protection Impact Analysis (DPIA) for projects processing personal data)
• Do your suppliers mobilize their efforts to implement compliance procedures for the regulation? How do they demonstrate compliance?
• Can you report personal data breaches (stolen personal data) and notify the national authorities within 72 hours?
• Did you nominate a DPO (Data Protection Officer) for your organization, and does he or she have clear visibility of the whole personal data lifecycle?
• Can you demonstrate the compliance of your organization to the GDPR?
Workstreams: Business processes update; GDPR Governance; Data protection; DPIA; Personal Data Breach Notification
▶ Personal data mapping
▶ GDPR Readiness Assessment
▶ Data classification
▶ Data Protection Impact Assessment
▶ Contractual commitment update (New/old)
▶ Define organisational and technical controls; update SLAs for GDPR compliance follow-up
▶ Auditability and Traceability of access, data flows
▶ Incident management
▶ CERT/CSIRT
▶ Data breach notification
▶ People, Process & Information alignment
▶ Agile architecture
▶ Security controls (Including data encryption Article 33)
▶ 24/7 security monitoring
▶ Audit and penetration testing
▶ Compliance Reporting
▶ Consent forms update
▶ Security by Design & implementation of DPIA
▶ Provide forms for data access/modification/withdrawal requests
How to get prepared? A structured and continuous improvement approach
Atos & Digital Guardian GDPR Readiness Assessment
▶ 30-day software guided data security consulting assessment
▶ Data at Rest Assessment: discover personal data across network shares, databases and cloud storage
▶ Data in Motion Assessment: identify sensitive content leaving your network (web and email)
▶ Detailed report on data protection risks & recommendations
▶ Requires no additional customer resources
Atos & Digital Guardian: Locate Personal Data & Gaps with GDPR
Data processor Technology Catalog
▶ IAM / PAM
▶ Data Encryption
▶ Data Masking
▶ SIEM/TI
▶ CSIRT
▶ Data Breach Notification Process
▶ Data Breach Emergency Process
Data Controller: IT Managed Services data processing; customer legal responsibility against data privacy authorities
GDPR Governance: shared responsibility on GDPR compliance
Diagram elements:
▶ Data Catalogue available
▶ Risk Assessment
▶ Define Data Location / Restrictions / Controls / Contractual agreement
▶ Operate Controls and defined services
▶ Monthly Reporting
▶ Monthly discussion, reassessment and adoption of measures (aligned process for change requests and cost impact)
▶ Define Metrics / KPI
▶ Create Data Catalogue
▶ Visibility study to identify personal data
GDPR Response
CISO Processes Interface
• DB – Notification readiness
• DB – Notification exec
• DB – Insurance
• DB – Forensics
GDPR Reporting
• GDPR KPI setting & reporting automation
• GDPR Compliance Dashboard
GDPR Data Protection
GDPR Data Protection Controls: Security Service Packages
• AHPS (Detection & Monitoring)
• Access Control (Privileged Account Management)
• Access Control (IAM)
• Data Encryption/Masking
• Data Loss Prevention
• Behavior Analytics
• Threat Intelligence
• AHPS (Log Management)
Intelligence Driven Security Management For GDPR Compliance
Customer Security Interface: Security Reports; Security Dashboard; Change Mgmt.
Security Operations Center Analysts: Incident Mgmt. L1/L2, Ticket Management
Computer Security Incident Response Team: Incident Mgmt L3, Forensics Services
Threat Intelligence: Global Threat Intelligence; Targeted Threat Intelligence
Governance Risk and Compliance: Compliance Management Services
Testing, Vulnerability and Remediation
Secure Data Center Operation and Orchestration
Data: Atos High Performance Security Prescriptive Analytics; Knowledge Base
Data Loss Prevention
Malware Scanning
APT Detection & Remediation
Endpoint Protection Services
DDoS Mitigation Services
Infrastructure & Network Protection: Identity and Access Management; Microsegmentation; FW & IPS Services
Think Extended Enterprise
• You cannot protect what you don’t see
• Break the Silos
• Adopt Purpose Driven Data Collection
• Adopt Auditable & Controlled Data Processing
• Update your Risk Assessment matrix
GDPR compliance is a journey towards a secure & efficient data management lifecycle
The challenge is not to be ready on May 25th 2018 but to remain compliant thereafter…
Questions & Answers
Thank You
Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Worldline, BlueKiwi, Bull, Canopy the Open Cloud Company, Unify, Yunano, Zero Email, Zero Email Certified and The Zero Email Company are registered trademarks of the Atos group. May 2017. © 2017 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.
For more information please contact: [email protected]