General Data Protection Regulation (GDPR)
Regine Bonneau - RB Advisory LLC
August 3, 2017
Agenda
- What is it?
- Deadline
- Why GDPR? & Scope
- General Accountability: Controllers, Processors
- Governance: Part 1, Part 2, Part 3
- GDPR Individual Rights
- Key Considerations for Security Professionals
- Reporting Data Breaches: Checklist
- Data protection by design
- Penalties
- Questions

Speaker notes: Quickly explain the agenda and ask if anyone has questions (maybe). If no one has questions, explain that you will be open to questions after the presentation.
General Data Protection Regulation (GDPR)

What is it?
- The General Data Protection Regulation (GDPR) will harmonize data protection laws in the EU to bring better transparency in support of individuals' rights.
- It consists of 99 Articles with sub-definitions.
- It was revised from its 1995 form to keep up with today's technology and the way information is obtained, processed, shared and retained.

Deadline
- Adopted on April 27, 2016; becomes law on May 25, 2018.
- Very short window to start complying.
Why GDPR? & Scope

The General Data Protection Regulation will help with:
- Checks and balances on the massive global exchange of personal data
- Unifying each country's laws to endorse free cross-border data sharing, including with non-EU territories
- Forcing a far-reaching consideration of privacy rights
- The significant shift in the international privacy landscape

Scope
- Covers data processors (organizations) and data subjects (individuals) within the EU
- GDPR applies to any organization processing the details of EU individuals
- If you do business in the EU or with EU individuals, or are a company that does business with the EU, you are subject to the GDPR
GDPR Accountability
- Accountability is one of the centerpiece concepts of the new framework.
- Both data controllers and processors will be expected to draft formal policies documenting the organization's data privacy and protection posture and how it addresses the precepts of the GDPR.
- Policies will need to be created based on:
  - The nature, scope, context, and purposes of processing personal data
  - An outline of foreseeable risks to the rights of individuals
GDPR Accountability - Controllers
Details must be kept to a high standard:
- The name and contact information of the controller and Data Protection Officer
- Purposes of processing personal data
- Categories of data subjects, data, and recipients
- International data transfers and related safeguards for those transfers
- Data retention periods
- Data security measures employed
GDPR Accountability - Processors
Processors must formally keep materials similar to those outlined for the controller:
- The name and contact details of the processor and all engaged controllers
- Categories of processing for each controller
- International data transfers and related safeguards for those transfers
- Data security measures employed
Governance
Article 28 (Chapter 4) of the GDPR, one of the most important provisions, is the section that outlines the responsibilities of controllers when engaging processors.

Part 1
- Controllers looking to delegate services involving personal data processing must only work with vendors who will comply with the GDPR obligations.

Part 2
- Controllers must formally authorize and approve processors that in turn engage other processors.
Governance – Part 3
The following must be stipulated in processor contracts:
- The nature of the relationship with the processor
- The length of the contract
- What the processor will actually be doing as part of its service or product
- The types of personal data that will be handled by the processor
- Which general or specific GDPR requirements will be inherited by the processor
GDPR Individual Rights
The GDPR grants all users rights over their personal data, which are set out in the legal text. Those rights are:

Portability
- The individual can request the transfer of personal data to another controller.

Erasure
- Referred to as the "right to be forgotten".
- The data subject has the right to request complete deletion of their personal data when the following are evident:
  - Consent is withdrawn
  - Personal data is no longer needed for the purpose for which it was originally collected
  - Personal data was unlawfully collected
Key Points for Security Professionals
- Article 4, definition 12 defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed".
- Article 33: "as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it…"
Reporting Data Breaches
- Article 4, definition 12 and Article 33 require a controller to notify the personal data breach to the supervisory authority without undue delay.
- Data breaches must be reported within 72 hours of being detected.
- Data processors are liable for any breaches.
Reporting data breaches checklist
The GDPR will require companies to develop or update internal breach notification procedures to meet the 72-hour reporting requirement:
- Timely detection of breaches
- Reporting and alarms
- Mitigation through automation
- Investigation capabilities (case management and forensics)
Data protection by design
The GDPR requires data protection and processing safeguards to become part of all systems and processes. Data protection by design is based on 7 foundational principles:
- Proactive, not reactive
- Privacy as the 'default' setting
- Privacy embedded into design
- Full functionality: positive-sum, not zero-sum
- End-to-end security: full lifecycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user-centric
Data Protection by Design checklist
The GDPR is making companies rethink how data protection and privacy are met and managed by the organization:
- Analyze the gap between the current and mandated position
- Assign required budget and resources
- Assign a data protection officer if the criteria are met
- Align with best-practice mandates
- Review and update data-handling procedures
- Develop a workplace education program
Penalties
- Penalties are calculated on global annual revenue; this could mean bankruptcy for some companies.
- A maximum of $21 million or four percent of global annual revenue, whichever is greater
- 2% for a notification breach
- 4% for a data subject information breach
Resources
- http://www.eugdpr.org
- http://www.eugdpr.org/the-regulation.html
- www.forcepoint.com/GDPR
- www.logrhythm.com
- https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-1-data-security-and-breach-notification/
Questions
Contact: Regine Bonneau, RB Advisory LLC
rbonneau@rbadvisoryllc.com
407.796.8079
www.rbadvisoryllc.com