VARONIS
GDPR: A practical guide
INDEX
EU GDPR Lesson 1 – What is the GDPR? Why do we need it?
EU GDPR Lesson 2 – Data Protection by Design and by Default
EU GDPR Lesson 3 – The Right To Be Forgotten
EU GDPR Lesson 4 – Who Does the EU GDPR Apply To?
EU GDPR Lesson 5 – What Happens if I Don’t Comply with the EU GDPR?
EU GDPR Lesson 6 – Next Steps - How to Get There?
Over the past few years of monitoring the development of the EU General Data Protection Regulation (GDPR) and its effects on technology, we’ve distilled the parts of the regulation that most affect your business into this practical guide.

Your Risk Assessment report will outline problem areas, prioritize risk, and give you concrete steps to take to improve your data security.
Get in Touch:
US: +1-877-292-8767	 UK: +0-800-756-9784	 INTL: +1-646-706-7336
www.varonis.com
EU GDPR LESSON 1
What is the GDPR? Why do we need it?
GDPR concisely summarized by Wikipedia:

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU.

The new GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD: adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimization.

It’s important to note that the EU GDPR covers personal data, or as it is called in the US, personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.

One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
What are the new requirements?

Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. But with the new law, its principles of minimizing data collection and retention and gaining consent from consumers when processing data are more explicitly formalized.

Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy. This is another new requirement in the regulation.

Right to Erasure and To Be Forgotten – There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and “be forgotten”.

Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a web site — then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.

Breach notification – A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified, but only if the data poses a “high risk to their rights and freedoms”.

Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.

Overall, the message for companies that fall under the GDPR is that awareness of your data — where is sensitive data stored, who’s accessing it, and who should be accessing it — will now become even more critical.
EU GDPR LESSON 2
Data Protection by Design and by Default

Privacy by Design (PbD) is a well-intentioned set of principles to get the C-suite to take consumer data privacy and security more seriously. Overall, PbD is a good idea and you should try to abide by it. But with the General Data Protection Regulation (GDPR), it’s more than that: it’s the law if you do business in the EU zone!

PbD has sensible guidelines and practices concerning consumer access to their data, and making privacy policies open and transparent. These are not controversial ideas, except if you are, ahem, a large Internet company that collects lots of consumer data.

And PbD also dispenses good general advice on data security that can be summarized in one word: minimize. Minimize collection of consumer data, minimize who you share the data with, and minimize how long you keep it. Less is more: less data for the hacker to take means a more secure environment.

The new GDPR has direct, practical implications. Just as an example, consider the impact it will have on web-based marketing. Businesses are always trying to get information about their customers and looking to bring in new leads using the full digital arsenal — web, email, mobile. And when given half a chance, marketers always want more data — age, income, postal code, last book read, favourite ice cream, favourite food, etc. — even for the simplest consumer interaction.
What the EU GDPR says is that marketers should limit data to the purpose for which it is being collected — do I really need postal codes or favourite books? — and not retain the data beyond the point where it’s no longer relevant.

So the data points you collected from that web campaign over five years ago — maybe containing 5000 email addresses along with favourite pet names — now live in a spreadsheet no one ever looks at. Well, you should find it and delete it. If a hacker gets hold of it, and uses it for phishing purposes, you’ve created a security risk for your customers. Plus, if the local EU authority can trace the breach back to your company, you can face heavy fines.

SO CAN BIG DATA AND PRIVACY LIVE TOGETHER HAPPILY EVER AFTER? PRIVACY BY DESIGN (PBD) SAYS YES – WITH JUST A FEW BASIC STEPS, YOU CAN ACHIEVE THE PBD VISION:

•	 Minimize data collected (especially PII) from consumers
•	 Do not retain personal data beyond its original purpose
•	 Give consumers access and ownership of their data

PbD is referenced heavily in Article 25 of the GDPR, and in many other places in the new regulation. It’s not too much of a stretch to say that if you implement PbD, you’re well on your way to mastering the GDPR.
EU GDPR LESSON 3
The Right To Be Forgotten

The controversial “right to be forgotten” is now law in the EU. For most companies, this is really a right for consumers to erase their data.

The GDPR has strengthened the DPD’s existing rules on deletion and then adds the right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third parties of a request to have information deleted.

Discussed in Article 17 of the proposed GDPR, it states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where ... the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... the data subject withdraws consent on which the processing is based ... the controller has made the personal data public and is obliged ... to erase the personal data”.

Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!

This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process!

What if the data controller gives the personal data to other third parties, say a cloud-based service for storage or processing? The long arm of the EU regulations still applies: as data processors, the cloud service will also have to erase the personal data when asked to by the controller.
EU GDPR LESSON 4
Who Does the EU GDPR Apply To?

One of the more complex issues with the new GDPR is what’s being called “extraterritoriality.” As proposed by EU Parliament, the GDPR will apply to any data transferred outside the EU zone.

So under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in, say, France, the UK, or Germany — even though they don’t have any servers or offices there!

Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the GDPR’s new strict breach notification requirement — our guesstimate is that the EU regulators will likely target it.

Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc. You can map these to your own favourite apps to figure out who would be affected.

SHIFTING MEANINGS

Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU. The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply. Companies such as Google, Facebook, and other social networking companies were following this approach.

NOT SO FAST!

Google was famously making this argument when a Spanish DPA asked it to remove a listing in a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google last year. The long arm of EU law prevailed: the specific search listing was removed.

Ultimately, the GDPR applies to EU-based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.
EU GDPR LESSON 5
What Happens if I Don’t Comply with the EU GDPR?

The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds – and the EU GDPR rules apply to both data controllers and processors, that is “the cloud”… therefore huge cloud providers are not off the hook when it comes to GDPR enforcement.

Non-compliance results in fines of up to 4% of global revenue. This can include violations of basic principles related to data security — especially PbD principles. A company can be fined up to 2% of global revenue for not having their records in order (article 30), not notifying the supervising authority and data subject about a breach (articles 33, 34), or not conducting impact assessments (article 33).

And keep in mind – the GDPR breach notification requires more than just saying you have had an incident. You’ll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insiders were doing.

More serious infringements merit up to a 4% fine. This includes violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7) — these are essentially violations of the core Privacy by Design concepts of the law.

One way the GDPR is hoping to keep everything in line? By requiring companies to have a Data Protection Officer (DPO). The DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.
EU GDPR LESSON 6
Next Steps - How to Get There?

Let’s break down some of the challenges in the new GDPR and how to address them:

Article 25: Data Protection by Design and By Default
What does it mean: Embrace accountability and privacy by design as a business culture.
How to address it: Safely remediate access controls to least privilege.

Article 30: Records of Processing Activities
What does it mean: Implement technical and organizational measures to properly process personal data.
How to address it: Create an asset register of sensitive files; understand who has access; know who is accessing it; know when data can and should be deleted.

Article 17: Right to Erasure and “to be forgotten”
What does it mean: Be able to discover and target specific data and automate removal.
How to address it: Find it, flag it, remove it.

Article 32: Security of Processing
What does it mean: Ensure least privilege access; implement accountability via data owners; provide reports that policies and processes are in place and successful.
How to address it: Automate and impose least privileges through entitlement reviews and proactively enforced ethical walls.

Article 33: Notification of personal data breach to the supervisory authority
What does it mean: Prevent and alert on data breach activity; have an incident response plan in place.
How to address it: Detect abnormal data breach activity and policy violations, and alert on them in real time as they happen.

Article 35: Data Protection Impact Assessment
What does it mean: Quantify data protection risk profiles.
How to address it: Conduct regular quantified data risk assessments.
So what should you focus on to meet the EU General Data Protection Regulation?

Data classification – Know where personal data is stored on your system, especially in unstructured formats in documents, presentations, and spreadsheets. This is critical for both protecting the data and also following through on requests to correct and erase personal data.

Metadata – With its requirements for limiting data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it needs to be saved for the future.

Governance – With data security by design and default the law, companies should focus on data governance basics. For unstructured data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees’ actual roles – i.e., role-based access controls.

Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.

Varonis helps organizations of all sizes with GDPR projects. Our software suite automates what would otherwise be an extremely arduous and time-consuming task. Take advantage of our free GDPR readiness assessment today to avoid any non-compliance issues down the road.
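The four focus areas above describe practices, not code. As an added example (written for this page; not Varonis code and not any product's logic), here is a small Python checker over a constructed asset register and audit log: it flags personal-data files kept past their purpose (Metadata, Article 17), flags access to personal-data files that breaks the owner role or arrives as a same-day burst (Governance and Monitoring), and assembles the notification facts Lesson 5 lists (categories of data, records touched, approximate number of subjects). All paths, roles, dates, thresholds and log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    path: str
    categories: frozenset   # personal-data categories held; empty = none
    collected: date         # when the data was collected (Lesson 6: Metadata)
    purpose: str            # why it was collected
    retention_days: int     # how long that purpose justifies keeping it
    owner_role: str         # the one role entitled to access it (least privilege)
    subjects: int           # approximate number of data subjects in the file


# Constructed register: paths, dates and counts are illustrative only.
ASSET_REGISTER = [
    Asset("/share/marketing/campaign_2012.xlsx", frozenset({"email", "pet_name"}),
          date(2012, 3, 1), "web campaign 2012", 365, "marketing", 5000),
    Asset("/share/hr/payroll_2017.xlsx", frozenset({"name", "account_number"}),
          date(2017, 1, 15), "payroll", 2555, "hr", 120),
    Asset("/share/eng/roadmap.pptx", frozenset(),
          date(2017, 2, 1), "product planning", 3650, "engineering", 0),
]

# Constructed role mapping (role-based access control, Lesson 6: Governance).
USER_ROLES = {"alice": "marketing", "bob": "hr", "carol": "engineering"}

# Constructed file-access audit lines: "<ISO date> <user> <action> <path>".
AUDIT_LOG = """\
2017-05-02 alice read /share/marketing/campaign_2012.xlsx
2017-05-02 bob read /share/hr/payroll_2017.xlsx
2017-05-03 carol read /share/eng/roadmap.pptx
2017-05-03 carol read /share/hr/payroll_2017.xlsx
2017-05-03 carol copy /share/hr/payroll_2017.xlsx
2017-05-03 carol read /share/marketing/campaign_2012.xlsx
"""

TODAY = date(2017, 5, 4)  # constructed review date
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+)$")


def parse_audit(log_text):
    """Turn audit lines into (day, user, action, path) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def retention_review(register, today):
    """Article 17 / Metadata: personal-data files kept past their purpose.
    Returns [(path, days_over_retention)] so they can be found and deleted."""
    stale = []
    for a in register:
        if not a.categories:            # no personal data, no retention duty here
            continue
        expiry = a.collected + timedelta(days=a.retention_days)
        if today > expiry:
            stale.append((a.path, (today - expiry).days))
    return stale


def find_abnormal_access(register, roles, events, burst_threshold=3):
    """Governance / Monitoring: flag access to personal-data files that breaks
    least privilege (user's role != file's owner role) or arrives as a same-day
    burst of at least burst_threshold events. Returns (user, where, reason)."""
    by_path = {a.path: a for a in register}
    findings, seen, per_user_day = [], set(), Counter()
    for day, user, _action, path in events:
        asset = by_path.get(path)
        if asset is None or not asset.categories:
            continue                    # only files holding personal data matter
        per_user_day[(user, day)] += 1
        if roles.get(user) != asset.owner_role and (user, path) not in seen:
            seen.add((user, path))
            findings.append((user, path, "role_mismatch"))
    for (user, day), n in per_user_day.items():
        if n >= burst_threshold:
            findings.append((user, day.isoformat(), f"burst:{n}"))
    return findings


def breach_summary(register, findings):
    """Lesson 5: the facts a 72-hour notification must carry for the files flagged
    above: categories of data, records touched, approximate number of subjects."""
    by_path = {a.path: a for a in register}
    touched = sorted({where for _, where, reason in findings if reason == "role_mismatch"})
    categories, subjects = set(), 0
    for p in touched:
        categories |= by_path[p].categories
        subjects += by_path[p].subjects
    return {"categories": sorted(categories), "records_touched": len(touched), "subjects_affected": subjects}


if __name__ == "__main__":
    hits = find_abnormal_access(ASSET_REGISTER, USER_ROLES, parse_audit(AUDIT_LOG))
    print(retention_review(ASSET_REGISTER, TODAY), hits, breach_summary(ASSET_REGISTER, hits))
```

On the constructed data the 2012 campaign spreadsheet is reported as years past its retention window, and carol's same-day reads and copy of HR and marketing files outside her role are flagged both as role mismatches and as a burst.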
Get your free GDPR Readiness Assessment

Our team will do all the heavy-lifting for you: setup, configuration, and analysis with concrete steps to improve your General Data Protection Regulation compliance.
YOUR DEDICATED ENGINEER WILL HELP YOU:
•	 Identify in-scope GDPR data
•	 Find and revoke excessive access to personal information
•	 Audit user activity and detect risky behaviour / ransomware
•	 Identify and prioritize gaps in GDPR compliance
Schedule your assessment!
About Varonis

Varonis is a leading provider of software solutions that protect data from insider threats and cyberattacks. Through an innovative software platform, Varonis allows organizations to analyse, secure, manage, and migrate their volumes of unstructured data.

Varonis specializes in file and email systems that store valuable spreadsheets, word processing documents, presentations, audio and video files, emails, and text. This rapidly growing data often contains an enterprise’s financial information, product plans, strategic initiatives, intellectual property, and confidential employee, customer or patient records. IT and business personnel deploy Varonis software for a variety of use cases, including data security, governance and compliance, user behaviour analytics, archiving, search, and file synchronization and sharing.
DETECT PREVENT SUSTAIN
info.varonis.com/gdpr-risk-assessment
Varonis Headquarters
1250 Broadway, 29th Floor
New York, NY, USA 10001

More Related Content

PDF
GDPR - A practical guide
PPTX
Practical Guide to GDPR 2017
PDF
GDPR, what you need to know and how to prepare for it e book
PDF
GDPR: the legal aspects. By Matthias of theJurists Europe.
PDF
GDPR- Get the facts and prepare your business
PPTX
Do You Have a Roadmap for EU GDPR Compliance?
PDF
EveryCloud_GDPR_Whitepaper_v2
PDF
Horner Downey & Co Newsletter- GDPR
GDPR - A practical guide
Practical Guide to GDPR 2017
GDPR, what you need to know and how to prepare for it e book
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR- Get the facts and prepare your business
Do You Have a Roadmap for EU GDPR Compliance?
EveryCloud_GDPR_Whitepaper_v2
Horner Downey & Co Newsletter- GDPR

What's hot (20)

PPTX
How to get started with being GDPR compliant
PDF
GDPR: data needs to be in safe hands
PDF
GDPR: how IT works
PDF
Cognizant business consulting the impacts of gdpr
PDF
How the EU-GDPR May Affect Your Website
PPTX
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
PDF
GDPR - Are you ready?
PDF
GDPR: A Threat or Opportunity? www.normanbroadbent.
PPTX
How to get your business GDPR ready
PDF
Marketing data management | The new way to think about your data
PDF
INFOMAGAZINE 8 by REAL security
PDF
delphix-wp-gdpr-for-data-masking
PDF
Companies, digital transformation and information privacy: the next steps
PDF
The Evolution of Data Privacy: 3 Things You Need To Consider
PPTX
UK GDPR: What New Direction?
PPTX
NetSquared London - GDPR for charities
PDF
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
PPTX
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
PPTX
The GDPR, Brexit, the UK and adequacy
PPTX
Getting Ready for GDPR
How to get started with being GDPR compliant
GDPR: data needs to be in safe hands
GDPR: how IT works
Cognizant business consulting the impacts of gdpr
How the EU-GDPR May Affect Your Website
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
GDPR - Are you ready?
GDPR: A Threat or Opportunity? www.normanbroadbent.
How to get your business GDPR ready
Marketing data management | The new way to think about your data
INFOMAGAZINE 8 by REAL security
delphix-wp-gdpr-for-data-masking
Companies, digital transformation and information privacy: the next steps
The Evolution of Data Privacy: 3 Things You Need To Consider
UK GDPR: What New Direction?
NetSquared London - GDPR for charities
GDPR ASAP: A Seven-Step Guide to Prepare for the General Data Protection Regu...
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
The GDPR, Brexit, the UK and adequacy
Getting Ready for GDPR
Ad

Similar to GDPR A Practical Guide with Varonis (20)

PDF
The Essential Guide to GDPR
PDF
The Essential Guide to GDPR
PDF
The Definitive GDPR Guide for Event Professionals
PDF
All you need to know about GDPR
PPTX
Gdpr presentation
PPSX
GDPR for US Companies: A Primer
PPTX
General Data Protection Regulation (GDPR)
PDF
The Countdown to the GDPR Regulations
DOCX
The General data protection regulation : Salient clauses
PPTX
The Meaning and Impact of the General Data Protection Regulation
PDF
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
PPTX
Board Priorities for GDPR Implementation
PDF
Guide to-the-general-data-protection-regulation
 
PDF
Webinar: An EU regulation affecting companies worldwide - GDPR
PPTX
Everything you need to know about the GDPR
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
PPTX
My presentation- Ala about privacy and GDPR
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
PDF
Are You Prepared for the GDPR?
PDF
GDPR: What It Is and How (and Which) US Companies Are Affected
The Essential Guide to GDPR
The Essential Guide to GDPR
The Definitive GDPR Guide for Event Professionals
All you need to know about GDPR
Gdpr presentation
GDPR for US Companies: A Primer
General Data Protection Regulation (GDPR)
The Countdown to the GDPR Regulations
The General data protection regulation : Salient clauses
The Meaning and Impact of the General Data Protection Regulation
Magento checklist AVG / GDPR - Algemene Verordering Gegevensbescherming
Board Priorities for GDPR Implementation
Guide to-the-general-data-protection-regulation
 
Webinar: An EU regulation affecting companies worldwide - GDPR
Everything you need to know about the GDPR
Introduction to EU General Data Protection Regulation: Planning, Implementat...
My presentation- Ala about privacy and GDPR
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Are You Prepared for the GDPR?
GDPR: What It Is and How (and Which) US Companies Are Affected
Ad

Recently uploaded (20)

PPTX
ISO 45001 Occupational Health and Safety Management System
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
PPTX
CHAPTER 2 - PM Management and IT Context
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
PDF
Understanding Forklifts - TECH EHS Solution
PDF
AI in Product Development-omnex systems
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
PDF
System and Network Administration Chapter 2
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PPTX
Online Work Permit System for Fast Permit Processing
PPTX
ai tools demonstartion for schools and inter college
PPTX
L1 - Introduction to python Backend.pptx
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
PPTX
Introduction to Artificial Intelligence
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
PDF
Nekopoi APK 2025 free lastest update
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
PDF
How Creative Agencies Leverage Project Management Software.pdf
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ISO 45001 Occupational Health and Safety Management System
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
CHAPTER 2 - PM Management and IT Context
VVF-Customer-Presentation2025-Ver1.9.pptx
Understanding Forklifts - TECH EHS Solution
AI in Product Development-omnex systems
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
System and Network Administration Chapter 2
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Online Work Permit System for Fast Permit Processing
ai tools demonstartion for schools and inter college
L1 - Introduction to python Backend.pptx
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Introduction to Artificial Intelligence
How to Choose the Right IT Partner for Your Business in Malaysia
Nekopoi APK 2025 free lastest update
How to Migrate SBCGlobal Email to Yahoo Easily
Adobe Illustrator 28.6 Crack My Vision of Vector Design
How Creative Agencies Leverage Project Management Software.pdf
Wondershare Filmora 15 Crack With Activation Key [2025

GDPR A Practical Guide with Varonis

  • 2. 3 INDEX EU GDPR Lesson 1 4 What is the GDPR? Why do we need it? EU GDPR Lesson 2 8 Data Protection by Design and by Default EU GDPR Lesson 3 12 The Right To Be Forgotten EU GDPR Lesson 4 14 Who Does the EU GDPR Apply To? EU GDPR Lesson 5 16 What Happens if I Don’t Comply with the EU GDPR? EU GDPR Lesson 6 18 Next Steps - How to Get There? Over the past few years of monitoring the development of the EU General Data Protection Regulation (GDPR) and its effects on technology, we’ve distilled the parts of the regulation that most affect your business into this practical guide. Your Risk Assessment report will outline problem areas, prioritize risk, and give you concrete steps to take to improve your data security. www.varonis.com FIND THEFIND THE 3 Get in Touch: US: +1-877-292-8767 UK: +0-800-756-9784 INTL: +1-646-706-7336 www.varonis.com
  • 3. 5 EU GDPR LESSON 1 What is the GDPR? Why do we need it? GDPR concisely summarized by Wikipedia: The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The new GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD: adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimization. It’s important to note that the EU GDPR covers personal data, or as it is called in the US, personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses. One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
  • 4. 7 Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations. But with the new law, its principles of minimizing data collection and retention and gaining consent from consumers when processing data are more explicitly formalized. Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy. This is another new requirement in the regulation. Right to Erasure and To Be Forgotten – There’s been a long standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and “be forgotten”. Extraterritoriality – The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a web site—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses. Breach notification – A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified but only if the data poses a “high risk to their rights and freedoms”. Fines – The GDPR has a tiered penalty structure that will take a large bite out of offender’s funds. More serious infringements can merit a fine of up to 4% of a company’s global revenue. This can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue — still enormous — can be issued if company records are not in order or a supervising authority and data subjects are not notified after a breach. 
This makes breach notification oversights a serious and expensive offense. What are the new requirements? What are the new requirements? Risk Assessment Overall, the message for companies that fall under the GDPR is that awareness of your data— where is sensitive data stored, who’s accessing it, and who should be accessing it—will now become even more critical.
  • 5. 9 Data Protection by Design and by Default Privacy by Design (PbD) is a well-intentioned set of principles to get the C-suite to take consumer data privacy and security more seriously. Overall, PbD is a good idea and you should try to abide by it. But with the General Data Protection Regulation (GDPR), it’s more than that: it’s the law if you do business in the EU zone! PbD has sensible guidelines and practices concerning consumer access to their data, and making privacy policies open and transparent. These are not controversial ideas, except if you are, ahem, a large Internet company that collects lots of consumer data. And PbD also dispenses good general advice on data security that can be summarized in one word: minimize. Minimize collection of consumer data, minimize who you share the data with, and minimize how long you keep it. Less is more: less data for the hacker to take, means a more secure environment. The new GDPR has direct, practical implications. Just as an example, consider the impact it will have on web-based marketing. Businesses are always trying to get information about their customers and looking to bring in new leads using the full digital arsenal — web, email, mobile. And when given half a chance, marketers always want more data —age, income, postal code, last book read, favourite ice cream, favourite food, etc. — even for the simplest consumer interaction. EU GDPR LESSON 2
  • 6. 11 What the EU GDPR says is that marketers should limit data to the purpose for which it is being collected—do I really need postal codes or favourite books? — and not to retain the data beyond the point where it’s no longer relevant. So the data points you collected from that web campaign over five years ago — maybe containing 5000 email addresses along with favourite pet names — and now lives in a spreadsheet no one ever looks at. Well, you should find it and delete it. If a hacker gets hold of it, and uses it for phishing purposes, you’ve created a security risk for your customers. Plus, if the local EU authority can trace the breach back to your company, you can face heavy fines. SO CAN BIG DATA AND PRIVACY LIVE TOGETHER HAPPILY EVER AFTER? PRIVACY BY DESIGN (PBD) SAYS YES – WITH JUST A FEW BASIC STEPS, YOU CAN ACHIEVE THE PBD VISION: PbD is referenced heavily in Article 25 of the GDPR, and in many other places in the new regulation. It’s not too much of a stretch to say that if you implement PbD, you’re well on your way to mastering the GDPR. Minimize data collected (especially PII) from consumers Do not retain personal data beyond its original purpose Give consumers access and ownership of their data
  • 7. 13 This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process! What if the data controller gives the personal data to other third-parties, say a cloud-based service for storage or processing? The long arm of the EU regulations still apply: as data processors, the cloud service will also have to erase the personal data when asked to by the controller. Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people! The Right To Be Forgotten The controversial “right to be forgotten” is now law in the EU. For most companies, this is really a right for consumers to erase their data. The GDPR has strengthened the DPD’s existing rules on deletion and then adds the right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third- parties of a request to have information deleted. Discussed in Article 17 of the proposed GDPR, it states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where ... the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... the data subject withdraws consent on which the processing is based ... the controller has made the personal data public and is obliged ... to erase the personal data”. EU GDPR LESSON 3
  • 8. 15 EU GDPR LESSON 4
Who Does the EU GDPR Apply To?
One of the more complex issues with the new GDPR is what’s being called “extraterritoriality.” As proposed by EU Parliament, the GDPR will apply to any data transferred outside the EU zone. So under these new rules, if a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in, say, France, the UK, or Germany — even though it doesn’t have any servers or offices there! Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the GDPR’s new strict breach notification requirement — our guesstimate is that the EU regulators will likely target it.
Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc. You can map these to your own favourite apps to figure out who would be affected.
SHIFTING MEANINGS
Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU. The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply. Companies such as Google, Facebook, and other social networking companies were following this approach.
NOT SO FAST!
Google was famously making this argument when a Spanish DPA asked it to remove a listing in a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google last year. The long arm of EU law prevailed: the specific search listing was removed.
Ultimately, the GDPR applies to EU-based companies and to companies that collect data of EU citizens, regardless of a physical presence in the EU.
  • 9. 17 EU GDPR LESSON 5
What Happens if I Don’t Comply with the EU GDPR?
The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds – and the EU GDPR rules apply to both data controllers and processors, that is “the cloud”, so huge cloud providers are not off the hook when it comes to GDPR enforcement.
Non-compliance results in fines of up to 4% of global revenue. This can include violations of basic principles related to data security, especially PbD principles.
A company can be fined up to 2% of global revenue for not having its records in order (article 30), not notifying the supervising authority and data subject about a breach (articles 33, 34), or not conducting impact assessments (article 33). And keep in mind – the GDPR breach notification requires more than just saying you have had an incident. You’ll have to include the categories of data, the records touched, and the approximate number of data subjects affected. This means you’ll need detailed intelligence on what the hackers and insiders were doing.
More serious infringements merit up to a 4% fine. This includes violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7); these are essentially violations of the core Privacy by Design concepts of the law.
One way the GDPR is hoping to keep everything in line? By requiring companies to have a Data Protection Officer (DPO). The DPO is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and even creating a good data security policy.
  • 10. 19 EU GDPR LESSON 6
Next Steps - How to Get There?
Let’s break down some of the challenges in the new GDPR and how to address them (GDPR Article / What does it mean / How to address it):
Article 25: Data Protection by Design and By Default
	What it means: Embrace accountability and privacy by design as a business culture.
	How to address it: Safely remediate access controls to least privilege.
Article 30: Records of Processing Activities
	What it means: Implement technical and organizational measures to properly process personal data.
	How to address it: Create an asset register of sensitive files; understand who has access; know who is accessing it; know when data can and should be deleted.
Article 17: Right to Erasure and “to be forgotten”
	What it means: Be able to discover and target specific data and automate removal.
	How to address it: Find it, flag it, remove it.
Article 32: Security of Processing
	What it means: Ensure least privilege access; implement accountability via data owners; provide reports that policies and processes are in place and successful.
	How to address it: Automate and impose least privilege through entitlement reviews and proactively enforced ethical walls.
Article 33: Notification of personal data breach to the supervisory authority
	What it means: Prevent and alert on data breach activity; have an incident response plan in place.
	How to address it: Detect abnormal data breach activity and policy violations, and alert on them in real time as they happen.
Article 35: Data Protection Impact Assessment
	What it means: Quantify data protection risk profiles.
	How to address it: Conduct regular quantified data risk assessments.
  • 11. 21 EU GDPR LESSON 6
So what should you focus on to meet the EU General Data Protection Regulation?
Data classification – Know where personal data is stored on your system, especially in unstructured formats in documents, presentations, and spreadsheets. This is critical both for protecting the data and for following through on requests to correct and erase personal data.
Metadata – With the GDPR’s requirements for limiting data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.
Governance – With data security by design and by default now the law, companies should focus on data governance basics. For unstructured data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees’ actual roles – i.e., role-based access controls.
PII Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
Varonis helps organizations of all sizes with GDPR projects. Our software suite automates what would otherwise be an extremely arduous and time-consuming task. Take advantage of our free GDPR readiness assessment today to avoid any non-compliance issues down the road.
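As an added illustration of the classification, governance and monitoring steps above (example code written for this guide, not Varonis software): it tags which files hold personal data, then checks an access log for reads of those files outside the reader’s role and for bulk reads. File contents, the folder-to-role mapping, user roles and log lines are all constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample documents keyed by path (not real data); in practice the
# contents would be read from the file share being classified.
SAMPLE_FILES = {
    "hr/employees.xlsx": "name,email,phone\nAnna Example,anna@example.org,+44 20 7946 0958",
    "marketing/campaign-2012.csv": "email,pet\nbob@example.com,Rex",
    "marketing/logo-guidelines.docx": "Use the blue logo on white backgrounds.",
    "finance/q3-summary.pptx": "Revenue grew 12% quarter over quarter.",
}
# Constructed role-based access model: which role may read each top-level folder.
FOLDER_ROLES = {"hr": {"hr"}, "marketing": {"marketing"}, "finance": {"finance"}}
USER_ROLES = {"alice": "hr", "bob": "marketing", "carol": "finance"}
# Constructed file-access log in key=value form.
SAMPLE_LOG = """\
ts=2018-05-02T09:14:00 user=alice action=read path=hr/employees.xlsx
ts=2018-05-02T09:20:00 user=bob action=read path=marketing/logo-guidelines.docx
ts=2018-05-02T09:22:00 user=carol action=read path=hr/employees.xlsx
ts=2018-05-02T23:41:00 user=bob action=read path=marketing/campaign-2012.csv
ts=2018-05-02T23:41:05 user=bob action=read path=hr/employees.xlsx
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")

def classify(files):
    """Return the set of paths whose content contains an e-mail address or phone number."""
    return {p for p, text in files.items() if EMAIL_RE.search(text) or PHONE_RE.search(text)}

def parse_log(log):
    """Parse key=value log lines into a list of dicts."""
    return [dict(tok.split("=", 1) for tok in line.split()) for line in log.splitlines() if line.strip()]

def flag_access(events, pii_files, bulk_threshold=2):
    """Flag reads of PII files by users whose role is not allowed on that folder,
    and users who read at least bulk_threshold distinct PII files (mass collection)."""
    findings, reads = [], defaultdict(set)
    for e in events:
        path = e["path"]
        if path not in pii_files:
            continue
        folder = path.split("/", 1)[0]
        role = USER_ROLES.get(e["user"])
        if role not in FOLDER_ROLES.get(folder, set()):
            findings.append(f"{e['ts']} {e['user']} ({role}) read PII file outside role: {path}")
        reads[e["user"]].add(path)
    for user, paths in reads.items():
        if len(paths) >= bulk_threshold:
            findings.append(f"{user} read {len(paths)} distinct PII files (bulk access)")
    return findings

def run():
    """Classify the sample files, then review the sample log against them."""
    pii = classify(SAMPLE_FILES)
    return pii, flag_access(parse_log(SAMPLE_LOG), pii)
```

Each finding carries the timestamp, user and path needed for the breach record the notification requirement asks for.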
  • 12. 23 Get your free GDPR Readiness Assessment
Our team will do all the heavy lifting for you: setup, configuration, and analysis with concrete steps to improve your General Data Protection Regulation compliance.
YOUR DEDICATED ENGINEER WILL HELP YOU:
  • Identify in-scope GDPR data
  • Find and revoke excessive access to personal information
  • Audit user activity and detect risky behaviour / ransomware
  • Identify and prioritize gaps in GDPR compliance
Schedule your assessment! info.varonis.com/gdpr-risk-assessment
About Varonis
Varonis is a leading provider of software solutions that protect data from insider threats and cyberattacks. Through an innovative software platform, Varonis allows organizations to analyse, secure, manage, and migrate their volumes of unstructured data. Varonis specializes in file and email systems that store valuable spreadsheets, word processing documents, presentations, audio and video files, emails, and text. This rapidly growing data often contains an enterprise’s financial information, product plans, strategic initiatives, intellectual property, and confidential employee, customer or patient records. IT and business personnel deploy Varonis software for a variety of use cases, including data security, governance and compliance, user behaviour analytics, archiving, search, and file synchronization and sharing.
  • 13. Varonis Headquarters
1250 Broadway, 29th Floor
New York, NY, USA 10001
www.varonis.com