GDPR for Security Professionals
BY SAUMYA VISHNOI
About Me
Target Audience
• Those who are part of the GDPR implementation team:
  • This is not a talk for them, as they must already know a lot more than what I am about to say
• Those who are part of an organization under GDPR but not part of the implementation team:
  • You can align your current work according to company requirements, plus it will tell you keywords that you can throw around and impress your boss ;)
• Those who are completely away from the GDPR world:
  • GDPR can act as an excellent case study for implementing a privacy standard or rules in your security charter
What is GDPR
General Data Protection Regulation (GDPR)
Law or regulation adopted on 27 April 2017
It will be in effect from 25 May 2018 (after a 2-year implementation period)
An extension to the existing DPA standard
Impact – organizations doing business in the EU
Scope: organizations processing personal information wholly or partially
EU “established” organizations (controllers) or non-EU “established” organizations that target or monitor EU data subjects
Why is it important to know?
50 Countries in European union
What is PII as per GDPR
Data Processors
GDPR requirements
1. Individual Rights
   1. The right to be informed
   2. The right to access
   3. The right of rectification
   4. The right to erasure
   5. The right to restrict processing
   6. The right to data portability
   7. The right to object
   8. Rights related to automated decision making and profiling
2. Accountability and governance
3. Breach notification
4. Transfer of data
The right to Access
Individuals will have the right to obtain:
confirmation that their data is being processed;
access to their personal data; and other supplementary information
No fee can be charged for such a request
The request must be processed within one month of receipt at the latest
The right of Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
The request must be processed within one month of receipt at the latest
The right to Erasure / to be Forgotten
Enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Accountability & Governance
The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
Records of processing activities
Data protection impact assessments
Appointing Data Protection Officer
DPO (Data Protection Officer)
Under the GDPR, you must appoint a data protection officer (DPO) if you:
are a public authority (except for courts acting in their judicial capacity);
carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or
carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
Breach Notification
Data breach means -- a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
Notify the supervisory authority -- within 72 hours of the organization becoming aware of it
Notify individuals -- if the breach may result in a high risk to the rights and freedoms of individuals -- as early as possible
Failure to notify -- 10 million Euro or 2% of global turnover
Must have internal breach reporting procedure that also includes breach detection and investigations
Summary Points
50 Countries
4% Potential fines as a percentage of global turnover, as it applies to cross-border organizations which have access to EU data subjects in Europe
72 Hours Breach notification timeline
80+ Requirements
250 Million Cost of a 4% fine for a typical FTSE 100 company
190+ Countries potentially in scope of the regulation
88 Pages, 11 Chapters, 99 Articles