Preparing for Compliance with GDPR
Background and Solutions
Intracom S.A. Telecom Solutions | 19.7 km Markopoulou Ave., GR 19002 | tel.: +30 2106671000 | fax: +30 2106671001 | www.intracom-telecom.com
Background
• The EU Parliament adopted the new General Data Protection Regulation (GDPR) on April 14th 2016.
• The primary objectives of the GDPR:
• To give back to citizens and residents the control of their personal
data.
• To simplify the regulatory environment for international business by
unifying the regulation within the EU.
• To address the export of personal data outside the EU.
• It applies from 25th May 2018.
Personal Data – Regulation’s Application
• “Personal Data is any information relating to an individual”, whether
it relates to his or her private, professional or public life.
• It can be anything from: a name, a home address, a photo, an email
address, bank details, posts on social networking websites, medical
information, or a computer’s IP address.
• The regulation applies if the data controller (organization that
collects data from EU residents) or processor (organization that
processes data on behalf of data controller e.g. cloud service
providers) or the data subject (person) is based in the EU.
• It also requires assessing the electronic and physical security risk to personal data, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR Key Changes
• Increased Territorial Scope (extra-territorial applicability)
• Penalties
• Consent
• Breach Notification
• Right to Access
• Right to be Forgotten
• Data Portability
• Privacy by Design
• Data Protection Officers
GDPR Readiness in West Europe
https://info.digitalguardian.com/on-demand-webinar-featuring-idc-a-practical-approach-to-gdpr.html?_ga=2.202180498.268265094.1495741588-1004523761.1495612865
GDPR Framework
• People
• DPO
• CEO/CISO/CIO
• Consultants
• Integrators
• Processes
• Gap Analysis
• Privacy Impact Assessments or Data
Protection Impact Assessments
• Data Privacy Framework
• Technology
• Data Discovery
• Data Classification
• Data Loss Prevention
• Data Base Protection
• e-mail Security
• Encryption/Pseudonymisation/Anonymization
• Other (UTM, FW, SIEM, etc.)
Basic Dimensions of Our Approach
» Perform Environment Mapping
» GAP Analysis
» Privacy Impact Assessment
» Implementation of Mitigation & Compliance Plan
» Compliance Attestation, Monitoring & Support
Our Approach Step-by-Step
• Project Initiation, Team & Commitment: Definition of the scope, objectives, extent and resource (budget) needs of the project. The need for an extended team / budget (e.g. legal participation, engineers, insurance). Project team formation. Awareness & trainings.
• Perform Environment Mapping: Understand controllers, processors and personal data. Identify all types of data processed/owned (via IT systems, business processes etc.) – data discovery/classification. Identify all security controls in place – inventory control. Identify all relevant data & information flows. Identify data subject to a PIA. Determine the applicable GDPR requirements.
• Perform GAP Analysis – PIA: Current status vs GDPR requirements. Identify and evaluate existing controls/processes (both technical and organizational). Analyze the possible risks and determine the impacts and effects on the existing system. Initial Mitigation & Compliance Plan proposal.
Our Approach Step-by-Step (continued)
• Intermediate Decision Point: Mitigation & Compliance Plan finalization decision, based on the accepted remaining risk vs resource limitations.
• Solution’s Design/Implementation/Delivery: Architectural and framework design upon mutually agreed measures (controls/processes, both technical and organizational) to mitigate potential privacy and security risks. Implementation phase of the measures (technical controls) to mitigate potential privacy and security risks.
• Compliance Attestation: 2nd GAP Analysis (review) to check the project’s effectiveness and evaluate the residual risk.
• Governance, Monitoring & Support: Agreed systems monitoring & management services. Support phase based on an agreed SLA.
Why Us
To cover the needs of this program, we formed a proven and unique team at field-expert level, consisting of:
• Legal Experts with an outstanding background and long experience in Data Privacy and Protection
• Governance and Compliance Experts
• Information Security & Resilience Field Experts and Consultants
• Information Technology Experts with an exceptional background in applications, databases, systems, networks, communications and infrastructure
• Program and Project Managers at Expert level with outstanding experience
Takeaways
• GDPR is a lifecycle project:
• The challenge is not only to be ready in May but to remain compliant thereafter.
• Select a leader, empower him and start now with the right partner.
• GDPR is a regulation and not a framework. For this reason it contains neither specific controls nor detailed procedures.
• As a regulation it is technology agnostic, so there is a gap between the regulation and the implementation procedures.
• Furthermore, GDPR itself announces the arrival of new frameworks, procedures and certifications.
• Intracom-Telecom and its partners are vigilant about the most recent technological achievements and keep up to date on every security framework and its mapping to the GDPR. Thus, we are ready to address each aspect of the new regulation on behalf of our customers.
For more information, visit
www.intracom-telecom.com