KEEP CALM AND COMPLY
THREE KEYS TO GDPR SUCCESS
www.forsythe.com
Forsythe is a leading enterprise IT company,
providing advisory services, security, hosting
and technology solutions for Fortune 1000
organizations. Forsythe helps clients optimize,
modernize and innovate their IT to become
agile, secure, digital businesses.
Sponsored by
COMPANIES AREN’T READY
Before 2020, we will have seen a multimillion Euro regulatory sanction for GDPR noncompliance.
On 25 May 2018, less than 50% of all organizations impacted will fully comply with the GDPR.
Source: Gartner, GDPR Clarity: 19 Frequently Asked Questions Answered, November 2017
Tough penalties: fines up to 4% of annual global revenue or €20 million, whichever is greater.
The definition of personal data is now broader and includes genetic, economic, social, mental and cultural identifiers.
The regulation also applies to non-EU
companies that process personal data
of individuals in the EU.
The international transfer of data
will continue to be governed under EU
GDPR rules.
Parental consent required for the
processing of personal data of
children under age 16.
Users may request a copy
of personal data in a
portable format.
Data subjects have the
right to be forgotten and
erased from records.
Obtaining consent for processing personal
data must be clear, and must seek an
affirmative response.
What it means:
The appointment of a data protection officer
(DPO) will be mandatory for companies
processing high volumes of personal data,
and a good practice for others.
TIME IS RUNNING OUT!
DEADLINE: MAY 25, 2018
EU GDPR MANDATES
Fines
Companies that violate certain provisions—such as the basic processing principles or the rules relating to cross-border data transfers—may face fines amounting to four percent of the company’s annual gross revenue, and up to two percent for violations such as failing to meet the breach notification rule.
Right to be Forgotten
A “right to erasure”, also known as the “right to be forgotten,” gives a data subject the right to order a data controller/organization to erase any of their personal data in certain situations. Data controllers will be required to erase personal data “without undue delay” when the data is no longer necessary in relation to the purposes for which it was gathered or processed.
Breach Notification
A single data breach notification requirement is applicable across the EU. The rule requires data controllers to notify the appropriate supervisory authority of a personal data breach within 72 hours of learning about it.
Data Protection Officer (DPO)
Companies whose “core activities” involve large-scale processing of “special categories” of data—information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, health or sexual orientation—need to designate a data protection officer. Companies who collect some of this information strictly for internal human resources purposes may also be subject to this requirement.
Ask Yourself:
HOW PREPARED ARE YOU FOR
THE MAY 25 DEADLINE?
a) Very prepared
b) Somewhat prepared
c) Not at all prepared
d) Unsure
WHAT CAN
WE DO?
PEOPLE
Adhere to regulation-specific staffing
requirements, such as GDPR’s DPO,
and NY’s CISO (drives accountability)
Education & awareness
Changing behaviors around
the collection and use of data
Establishing appropriate consent controls
Ensure suitable technical (security analysts,
IR team) & non-technical (business
leadership, legal, PR) staff is
in place and is trained appropriately
PROCESS
Perform risk assessment (utilizing
a framework such as NIST or ISO)
Identify and manage collection
of sensitive data
Set processing/dissemination rules
Ensure means to address inquiries and
adhere to 72-hour notification requirements
Establish data lifecycle management
(inventory, classify, track the movement
of, and disposal of, data)
Set IR processes (preparation, detection/
reporting, triage/analysis, containment/
neutralization and post-incident activity)
Develop third-party risk program
TECHNOLOGY
Visibility (identify data and its
location: endpoint, DB/shares,
cloud, structured/unstructured)
Analytics (when, where,
and how data is moving)
Data protection tools (discovery,
classification, DLP, encryption,
IAM, CASB, and gateway controls)
Detection tools (IDS/IPS, NGFW, UEBA)
Containment tools: Endpoint Detection
and Response, and Forensics tools
Third-party risk and security scoring tools
SHORT-TERM
ONE
APPOINT A DPO
A data protection officer (DPO) is
an enterprise security leadership
role required by the General Data
Protection Regulation (GDPR). Data
protection officers are responsible for
overseeing data protection strategy and
implementation to ensure compliance
with GDPR requirements.
TWO
BOOST
INCIDENT
RESPONSE
If you don’t have a well-established IR
plan, that’s a problem. Make sure you
understand the 72-hour notification
requirement, and work with your legal
team to get your plans ironed out so that
you can comply with it.
MEDIUM-TERM
ONE
CLASSIFY DATA
Data classification allows
organizations to identify the business
value of unstructured data at the time
of creation, separate valuable
information that may be targeted from
less valuable information, and make
informed decisions about resource
allocation to secure data from
unauthorized access.
TWO
ENABLE
CONTROLS
Establish baseline cybersecurity
measures and define policy-based
controls for each data classification
label to ensure the appropriate
solutions are in place. High-risk data
requires more advanced levels of
protection while lower-risk data
requires less protection.
THREE
REPORTING &
ALERTING
Identify: user trends, training
requirements and risky behavior
Analyze: policy alerts and
usage patterns
Control: data flow
FOUR
THIRD-PARTY RISK
Under the GDPR, third parties may be considered regulated “data processors”, and are thereby subject to the directive. For example, if you are a retailer that collects customer information, which you then share with a third-party call center, then under the GDPR you are the data controller, and the call center is the data processor; you both need to maintain compliance.
3RD PARTY RISK PROGRAM ELEMENTS
Map your data. Understand which third parties have access to data, what categories of data they have,
and what they are doing with it. Make sure you collect only the minimum amount of personal data
required for the product or service, and review legal grounds for collection and processing.
Ensure you have appropriate budget and resources allocated for completing assessments of third
parties, and for remediation projects.
Review your contracts to ensure they are compliant with both regulatory mandates (GDPR contains
requirements for contracts with data processors, as well as between data controllers), and with your
own security policies.
Complete assessments of all third parties that have access to, handle or touch your client/personal
data to ascertain their awareness of specific requirements, and to ensure that they have appropriate
technical and organizational measures in place to comply.
Ensure third parties are scored based on risk-assessment results and other due diligence. For
high-risk third parties, identify audit partners for the assessment of processes, and set the scope of
remediation programs and ongoing monitoring requirements.
Ask Yourself:
DO YOU EVALUATE THE SECURITY PRACTICES OF VENDORS BEFORE STARTING A BUSINESS RELATIONSHIP?
a) Yes
b) No
c) Not sure
LONG-TERM
DATA-CENTRIC SECURITY
It is no longer enough to focus IT security efforts on networks and endpoints. The development of a robust data-centric security program is invaluable not only to the GDPR, but to all data protection and data privacy efforts. A comprehensive data-centric security strategy includes:
CLASSIFICATION
Policy
Data handling procedures
Report/detect/protect
IR /forensics
Risk-based approach
Identify business owners
DATA
DISCOVERY
Determine where and
what type of data is stored
Continuous process to provide
visibility, outline risk, and validate
employee role assignment
Confirm awareness level
and policy compliance as
well as enhancement
ENCRYPTION
STRATEGIES
Consider SSL decryption at
gateway points of access
Data-in-motion
Data-at-rest
Data-in-use
IDENTITY
MANAGEMENT
Directory unification
Access management
Federation, privileged access
Access governance and authentication
WE’RE ALL GOING TO HAVE TO
CHANGE THE WAY WE THINK
ABOUT DATA PROTECTION.
— Elizabeth Denham, UK Information Commissioner
KEEP CALM AND COMPLY WITH GDPR
CHECK OUT THE ORIGINAL ARTICLE:
http://focus.forsythe.com/articles/562/Addressing-the-EU-GDPR-and-New-York-Cybersecurity-Requirements-3-Keys-to-Success
OR FIND MORE ARTICLES ABOUT BUSINESS AND TECHNOLOGY SOLUTIONS AT FOCUS ONLINE:
http://focus.forsythe.com
Authors:
Thomas Eck
Director, Security Programs & Strategy, Forsythe
Doug Snow
Vice President, Customer Success, TITUS