GDPR for Security Professionals BY SAUMYA VISHNOI

Page 1: GDPR for Security Professionals

GDPR for Security Professionals, by Saumya Vishnoi

Page 2: GDPR for Security Professionals

About Me

Page 3: GDPR for Security Professionals

Target Audience

• Those who are part of a GDPR implementation team: this is not a talk for them, as they must already know a lot more than what I am about to say.

• Those who are part of an organization under GDPR but not part of the implementation team: you can align your current work with company requirements, and this will give you keywords that you can throw around to impress your boss ;)

• Those who are completely outside the GDPR world: GDPR can act as an excellent case study for implementing a privacy standard or rules in your security charter.

Page 4: GDPR for Security Professionals

What is GDPR

General Data Protection Regulation (GDPR)

Law or regulation adopted on 27 April 2017

It takes effect from 25 May 2018 (after a 2-year implementation period)

An extension of the existing DPA standard

Impact: organizations doing business in the EU

Scope: organizations processing personal information, wholly or partially

EU-"established" organizations (controllers), or non-EU-"established" organizations that target or monitor EU data subjects

Page 5: GDPR for Security Professionals

Why is it important to know?

50 countries in the European Union

Page 6: GDPR for Security Professionals

What is PII as per GDPR?

Page 7: GDPR for Security Professionals

Data Processors

Page 8: GDPR for Security Professionals

GDPR requirements

1. Individual Rights

1. The right to be informed

2. The right to access

3. The right of rectification

4. The right to erasure

5. The right to restrict processing

6. The right to data portability

7. The right to object

8. Rights related to automated decision making and profiling

2. Accountability and governance

3. Breach notification

4. Transfer of data

Page 9: GDPR for Security Professionals

The right to Access

Individuals will have the right to obtain:

confirmation that their data is being processed;

access to their personal data; and other supplementary information.

No fee can be charged for such a request.

The request must be processed within one month of receipt at the latest.

Page 10: GDPR for Security Professionals

The right of Rectification

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

The request must be processed within one month of receipt at the latest.

Page 11: GDPR for Security Professionals

The right to Erasure / to be Forgotten

Enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Page 12: GDPR for Security Professionals

Accountability & Governance

The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

Records of processing activities

Data protection impact assessments

Appointing Data Protection Officer

Page 13: GDPR for Security Professionals

DPO (Data Protection Officer)

Under the GDPR, you must appoint a data protection officer (DPO) if:

you are a public authority (except for courts acting in their judicial capacity);

you carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or

you carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.

Page 14: GDPR for Security Professionals

Breach Notification

Data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Notify the supervisory authority: within 72 hours of the organization becoming aware of the breach.

Notify individuals: if the breach may result in a high risk to the rights and freedoms of individuals, as early as possible.

Failure to notify: 10 million Euro or 2% of global turnover.

Must have an internal breach reporting procedure that also covers breach detection and investigation.

Page 15: GDPR for Security Professionals

Summary Points

50 Countries

4% Potential fines, as a percentage of global turnover, applying to cross-border organizations which have access to EU data subjects in Europe

72 Hours Breach notification timeline

80+ Requirements

250 Million Cost of a 4% fine for a typical FTSE 100 company

190+ Countries potentially in scope of the regulation

88 Pages

11 Chapters

99 Articles