getting started with gdpr compliance
© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential. © 2017 IDERA, Inc. All rights reserved.
GETTING STARTED WITH GDPR COMPLIANCE
Kim Brushaber, IDERA, Senior Product Manager
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and
processing of personal information of individuals within the European Union (EU).
MAY 25, 2018: The day that GDPR goes into effect
213 Days from now
WHY DO WE NEED GDPR?
Let’s Start with Some Data Facts
Over 5 million data records are lost or stolen every day
http://breachlevelindex.com/
The median number of days that attackers stay dormant within a network before detection is 200 days
https://swimlane.com/10-hard-hitting-cyber-security-statistics/
The average cost of a single data breach in 2020 will exceed $150 million, as more business infrastructure gets connected
https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion
EQUIFAX DATA BREACH
• The breach affected 145.5 million customers
• Employees acknowledged a security issue with their web application (using Apache Struts) 2 months before the breach occurred
• The patch came out 4 months beforehand, on Mar 8, 2017
• Responding to the breach, which meant taking the flawed web application offline, took a full day (July 29 - 30, 2017)
• 6 weeks after the breach, the public was alerted (Sept 7, 2017)
• The communication in response to the breach included a website that was not owned by Equifax (luckily it was not malicious)
Equifax is not alone – there have been 25 Very High Profile Cyber Attacks in 2017 so far (http://www.wired.co.uk/article/hacks-data-breaches-2017)
INDIVIDUAL CONCERNS IN DATA SECURITY
By 2020 over 30 Billion devices will be connected to the internet
49% of Americans feel that their personal information is less secure than it was five years ago
Over 73% of consumers in America want companies to be transparent about personal data
78% of people claim to be aware of the risks of unknown links in emails, yet click on those links anyway
86% of internet users are actively trying to minimize, anonymize and hide the visibility of their digital footprints
Facts pulled from: Data Privacy Day | National Cyber Security Alliance and Zogby Consumer Poll | Pew Research Center | https://blog.barkly.com/cyber-security-statistics-2017
DATA SECURITY INDUSTRY FACTS
95% of breached data records in 2016 came from:
• Government
• Retail
• Technology
43% of cyber attacks targeted small businesses
Over 75% of the health care industry was infected with malware in the past year
70% of US oil and gas companies were hacked last year
Facts pulled from: http://www.techrepublic.com/article/forrester-what-can-we-learn-from-a-disastrous-year-of-hacks-and-breaches/ | https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html | https://www.scmagazine.com/75-of-healthcare-industry-hit-with-malware-report/article/569614/ | http://www.businesswire.com/news/home/20170216005632/en/Study-Reveals-Cybersecurity-Readiness-Gaps-America%E2%80%99s-Oil
DATA SECURITY EXECUTIVE PERSPECTIVE
90% of CIOs admit to wasting millions on inadequate cybersecurity
90% of CIOs have already been attacked or expect to be attacked by bad guys hiding in their encryption
87% of CIOs believe their security controls are failing to protect their businesses
85% of CIOs expect criminal misuse of keys and certificates to get worse
https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf
DATA SECURITY PREPAREDNESS
In 2014, 70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies
52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017
Only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack
Only 37% of organizations have a cyber incident response plan
Facts pulled from: https://blog.barkly.com/cyber-security-statistics-2017 | https://swimlane.com/10-hard-hitting-cyber-security-statistics/ | PWC Economic Crime Survey | https://www.wired.com/insights/2014/09/millennials-mobile-security/
HOW DO WE START TO ADDRESS THIS?
What does GDPR Cover?
PERSONAL DATA COVERED BY GDPR
Any information that can be classified as personal details – or that can be used to determine your identity
• Name
• Identification number
• Email address
• Online user identifier
• Social media posts
• Physical, physiological or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies
GDPR PRINCIPLES (ARTICLE 5)
Personal data shall be:
Processed lawfully, fairly and in a transparent manner
• The public wants to know what you are doing with their data
Collected for specified, explicit and legitimate purposes
• Bye-bye, Spam! (hopefully)
Adequate, relevant and limited to what is necessary
• You can’t collect it and use it somewhere else
Accurate and kept up to date
• Give your users ways to update their data
Kept in a form which permits identification of data subjects for no longer than is necessary
• Tell people how long you’ll keep their information
Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage
• Time to get really serious about stopping data breaches!
RIGHTS OF INDIVIDUALS VIA GDPR (ARTICLES 12 - 23)
Right to access their personal data
Right to rectification
• Users should be able to correct inaccurate info
Right to erasure
• Users can request to be “forgotten”
Right to restriction of processing
• Users can limit the way their information is processed
Right to data portability
• Users should be able to obtain a copy of their data
Right to object
• Users can object to the processing of their data
Right to not be subjected to a decision based solely on automated processing or profiling
• This has significant impact on B2B Marketing
WHO IS RESPONSIBLE (CHAPTER 4, ARTICLES 24 - 43)
Data Controller – Any organization that collects data from EU residents
Data Processor – Organization that processes data on behalf of the controller (e.g. cloud service providers)
Data Protection Officer – An individual within the organization that is an expert in Data Protection Law
GDPR PENALTIES/SANCTIONS (ARTICLE 83)
Depending on the nature of the infraction:
• A warning in writing in cases of first and non-intentional non-compliance
• Regular periodic data protection audits
• A fine of up to 10M Euro or 2% of annual worldwide turnover from the previous year
• A fine of up to 20M Euro or 4% of annual worldwide turnover from the previous year
WHAT ELSE IS IN GDPR?
ADDITIONAL ARTICLES TO CONSIDER
Article 15 – Control Exposure to Personal Data
Article 30 – Record Processing Activities
Article 32 – Security of Processing (encryption)
Article 33 – Notification of Personal Data Breach to Supervisory Authority
Article 35 – Data Protection Impact Assessment (handling risks)
ADDITIONAL GDPR CONSIDERATIONS
GDPR is explicit that you cannot store data “just in case”
• You should have very clear processes that indicate why you are storing the data
GDPR is explicit that users can object to data profiling
• How will you limit data profiling, and how do users opt out of profiling?
GDPR states that you must have processes documented to outline:
• How and what data is collected?
• Where is data stored?
• Who has access to the data? And who should be able to access it?
• How do you remove the data when the time comes?
• How do you alert supervising authorities to a data breach?
HOW AND WHAT DATA IS COLLECTED?
* Business Process Diagram created using ER/Studio Business Architect
WHERE IS DATA STORED?
* Business Process Diagram created using ER/Studio Business Architect
WHO HAS ACCESS TO THE DATA?
* Business Process Diagram created using ER/Studio Business Architect
HOW DO YOU REMOVE THE DATA?
* Business Process Diagram created using ER/Studio Business Architect
WHAT HAPPENS WITH A DATA BREACH?
* Business Process Diagram created using ER/Studio Business Architect
GDPR COMPLIANCE PREPARATION
How do I get started?
Clearly-defined Business Processes are ESSENTIAL
GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM
* Business Process Diagram created using ER/Studio Business Architect
FOR MORE DETAILS ON GDPR PREPARATION
Read the Blog via:
• http://community.idera.com/blog/b/community_blog/posts/getting-prepared-for-gdpr
• Or navigate to community.IDERA.com > Blog > “Getting Prepared for GDPR”
Download the Whitepaper via:
• IDERA.com > Resources > Resource Center > “Whitepaper: Governing GDPR Challenges with Enterprise Data Architecture”
HOW ER/STUDIO BUSINESS ARCHITECT CAN HELP
GDPR is going to require you to have your processes documented – ER/Studio Business Architect allows you to create Business Process Models to document those processes, complete with External Data Objects
The act of creating Business Process Models allows all employees across the organization to identify where they are impacting personal data
Checking these models into the Repository and publishing them to Team Server allows you to post these processes for the whole organization to have visibility
IMPORTANT POINTS TO REMEMBER
Privacy Notices Must Be Transparent
• You must communicate in clear and plain language how you intend to use the personal information that you collect
Customer’s Rights Must Be Upheld and Published Publicly
• You must communicate how you intend to uphold rights identified within the GDPR regulations
Data Breaches Must Be Communicated Within 72 hours
• In order to respond quickly, everyone in your organization should know what their responsibilities are in the case of a breach
IN CONCLUSION
GDPR is going to change the way we handle sensitive personal data in the future (and that’s not a bad thing)
Companies need to review all of the personal data in their systems and understand how they will:
• Process it
• Encrypt it
• Secure it
Large fines can be assessed if you collect data on EU members and do not comply with these regulations
Companies will need to be transparent in their processes and have that information clearly documented for both internal employees as well as the customers they are collecting data on
THANKS! Any questions?
You can find me on Twitter at:
Kim Brushaber: @Brushaber_IDERA
ADDITIONAL DETAILS ON GDPR ARTICLES
ARTICLE 15 – CONTROL EXPOSURE TO PERSONAL DATA
Control accessibility - who is accessing data and how
Minimize data being processed in terms of:
• Amount of data collected
• Extent of data processed
• Storage period
• Accessibility
Produce safeguards for control management
ARTICLE 30 – RECORDS OF PROCESSING ACTIVITIES
Log and monitor your operations
Maintain an audit record of processing activities on personal data
Monitor access to processing systems
ARTICLE 32 – SECURITY OF PROCESSING
Security mechanisms to protect personal data
Employ pseudonymization and encryption
Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
Restore availability and access in the event of an incident
Provide a process for regularly testing and assessing effectiveness of security measures
ARTICLE 33 – NOTIFICATION OF PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY
Detect breaches
Assess the impact on personal data records
Assess whether the personal data is identifiable
Describe the nature of the breach
Describe your measures to remedy it
ARTICLE 35 – DATA PROTECTION IMPACT ASSESSMENT
Describe processing operations, including why you need them and how big they are
Assess risks that are associated with processing personal data
Apply measures to address risks and protect personal data
Demonstrate (and document) your compliance with GDPR
GDPR COMPLIANCE PREPARATION
SET UP DATA PROTECTION OFFICER(S)
Data Protection Officers have expert knowledge on Data Protection Law
They are like Compliance Officers but are experts on:
• IT processes
• Data security
• Continuity issues regarding holding and processing personal info
They are responsible for cooperating with the supervising authority
CREATE ORGANIZATIONAL AWARENESS AND PRODUCE GUIDELINES
Your organization should be aware of the GDPR regulations and how they impact data
You should produce guidelines or procedures that identify what to do with personal information across your systems
Processes and procedures regarding GDPR regulations and personal information should be available throughout the organization
Engage your employees to help to create your processes if you have not already done so
ANALYZE DATA ACROSS ALL APPLICATIONS, DATA MODELS AND DATABASES
Which servers and/or databases contain personal data?
Which columns or rows can be marked as containing personal data?
Which systems are involved in storing or moving sensitive data?
Who has access to what elements of data in the database system?
What elements and features of the database systems can be accessed and potentially exploited to gain access to those systems?
Where does the data go when it leaves your systems?
REVIEW EXISTING PROCEDURES THAT PERTAIN TO GDPR
How can I be more transparent in what activities are taken in regards to personal data?
How do I create evidence that I am in compliance?
How do I ensure that all of my processes and procedures are kept up to date?
How do I ensure that all of my processes and procedures are being followed?
REVIEW DATA PRIVILEGES AND ACCOUNTABILITIES
How can I ensure that the right people are accessing the information?
What do I need to do to limit who can access the sensitive data?
Who is accountable for the different aspects of personal information?
How can I keep track of who has accessed sensitive data?
DOCUMENT AND MANAGE INDIVIDUAL RIGHTS
Step through the Individuals Rights (Articles 12-23) and identify how you plan to address them
• Right to access their personal data
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to not be subjected to a decision based solely on automated processing or profiling
Keep records of what customers have consented to and when they consented to it
DEFINE DATA BREACH PROCESS
Which security controls are in place to protect the data?
What levels of encryption are in place?
• While in transit between systems
• While at rest in my system
• While in use by my system
When do I need to make my data available?
What mechanisms are in place to prevent data loss?
How do I detect a breach with my data?
How can I respond to a breach that has occurred?
DEVELOP DATA IMPACT ASSESSMENT
What are the impacts of unintended data changes?
What are the risks associated with unintended data changes?
Where are data elements used across applications and databases?
How will you ensure that compliance with these procedures continues?
What are the risks of falling behind on compliance?