The General Data Protection Regulation: Are You Ready?

Presentation transcript:

The General Data Protection Regulation: Are You Ready?
Angela Fares, RHIA, CRM, CISA, CISM, CGEIT, CRISC
November 13, 2018

General Data Protection Regulation
- Enacted May 25, 2018
- Applies to personal information that identifies living people in specific ways and gives individuals greater control over their information
- Enforceable in all European Union countries and other countries doing business in the European Union

Main Requirements of GDPR
- Transparency, fairness and lawfulness in the handling and use of personal data (including a lawful basis to process that data) must be demonstrated during its handling and use
- Limitation of the processing of personal data to specified, explicit, and legitimate purposes (data cannot be re-used or disclosed for purposes for which it was not originally collected)
- Collection and storage must be minimal and limited to only the information adequate for the intended purpose
- Data must be accurate and there must be a mechanism in place to erase, rectify or amend information
- Storage is limited to the amount of time necessary to accomplish the purpose for which it was collected (unless otherwise defined by law)
- Security, integrity and confidentiality must be ensured through technical and organizational security measures

Personal Information
- Personal Information: Includes any data that relates to an identified or identifiable natural living person. Even personal data that has been pseudonymized can be personal data if the pseudonym can be linked to a particular individual
- Special Personal Information: Personal Information that includes data related to race, ethnic origin, health, sexual orientation, and geolocation

Definitions
- Controller: Person, organization or other body that, alone or jointly with others, determines the purposes and means of processing personal data
- Processor: Person, organization, or other body which processes personal data on behalf of the Controller
- Data Subject: Person that is the subject of the personal information being collected and processed
- Processing: Any operation or set of operations, physical or automated, which is performed on personal data
- Pseudonymization: Processing of personal data in such a manner that the data cannot be associated with a specific data subject without the use of additional information

Organizational Measures
GDPR doesn't mandate exact security measures to use, but requires organizations to base the security on attributes of the personal data such as:
- Nature of the information
- Sensitivity
- Risks associated with handling/processing

Rights of Data Subjects
- Right to access personal information about themselves
- Right to correct, amend, or erase information that is not correct
- Right to be forgotten and have data deleted if it is no longer required to be kept by law
- Right to request that processing of personal data be stopped if consent is withdrawn
- Right to data portability
- Right to object to direct marketing

Privacy by "Design" and "Default"
- Processes must be designed to incorporate privacy features and functionality into the products from the first time that they are designed
- Processes must, by default, implement measures to ensure that no more data is collected and processed than necessary, and that it is not retained any longer than necessary

GDPR Record-Keeping Requirements
- Policies
- Procedures
- Classification
- Categorization
- Lifecycle Management
- Data Transfers/Disclosures
- Data Amendments
- Audits and Key Performance Indicators

Critical Timelines
- Data breaches require notice to regulators within 72 hours of the breach
- Requests by Data Subjects must be fulfilled or enabled within 30 days

Step 1
- Discover and classify/categorize data
- Map data flows
- Conduct a gap analysis

Step 2
- Quantify resources for hiring/training people
- Estimate costs for new products and services
- Account for professional services

Step 3
- Deploy security controls
- Update processes
- Review privacy notices and communication

Step 4
- Ensure that the incident response plan is tested
- Analyze your monitoring and audit mechanisms
- Consider new processes or methods of managing risk

Step 5
- Set up training and awareness programs
- Prepare to demonstrate compliance
- Develop key performance indicators to measure compliance

Summary
- Create a culture of security awareness
- Know where your data is
- Doesn't have to be complex
- Classification enhances the information security and information governance ecosystem: Access / Processing / Encryption / Cloud Sharing / Archiving / Reporting
- Address the security gap that arises from human behavior