Gdpr brief and controls ver2.0
Download as PPTX, PDF1 like94 views
This document provides an overview and summary of key aspects of the General Data Protection Regulation (GDPR). It begins with an agenda that outlines topics like the purpose of GDPR, its core principles and user rights, definitions of personal and special personal data, responsibilities of different parties, and a 12 step process for compliance. Key details include that GDPR aims to protect personal data and privacy rights of EU individuals, has 91 articles and requires data breaches to be reported within 72 hours. It also outlines the 7 core principles and 8 user rights that are at the heart of GDPR, as well as potential fines of up to 4% of global annual turnover or €20 million for noncompliance.
Gdpr brief and controls ver2.0
- 1. GDPR Compliance Finto Thomas Information Security
- 2. Agenda Purpose of “GDPR” Helicopter view Articles for sample Seven Principles (Heart of GDPR 1) User Rights (Heart of GDPR 2) Personal Data Responsibilities 12 Step Ladder to GDPR GDPR in numbers The fear factor Business Use case Next step Remain Pages - 14
- 3. Protect personal data & Strengthen privacy rights of EU individuals (Who stay in EU, not for EU citizens stay outside of EU) Protection Purpose
- 4. 91 GDPR Articles 72 Hours to reports data breach 8 key Individual Data Rights 4% Global business turnover fine 20 million EURO 82 Pages of text 2% EU companies GDPR complaint on 25th May 2018 Risk Based Controls 12 Step for GDPR from ICO-UK 7 Principles Helicopter view
- 6. Seven Principles Heart of GDPR ⚖ LAWFULNESS, FAIRNESS AND TRANSPARENCY Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data Subject � PURPOSE LIMITATION Personal data shall be collected for specified. Explicit and legitimate purpose and not further processed in a manner that is incompatible with those purposes. � DATA MINIMISATION Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. ✔ ACCURACY Personal data shall be accurate and where necessary, kept up to date. ⏳ STORAGE LIMITATION Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. � INTEGRITY AND CONFIDENTIALITY Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. � ACCOUNTABILITY The controller shall be responsible for, and be able to demonstrate compliance with Data Protection Principles
- 7. Eight User Rights Data Subject have below rights over their personal data � RIGHT TO BE INFORMED About the collection and use of their personal data. This is a key transparency, purpose of data collection. ✍ RIGHT TO ACCESS Information if personal data are processed, the purpose, what data types, the period of storage � RIGHT TO RECTIFICATION Correction of inaccurate personal data concerning the data subject with out any delay. � RIGHT TO ERASURE Right to forgotten, to erase all personal data if no necessary anymore if the users withdraws consent. � RIGHT TO DATA PORTABILITY To receive user’s concerning personal data, in a structured format. ⛔ RIGHT TO RESTRICTION OF PROCESSING If the data accuracy is contested, unlawful or not need anymore. When processing is restricted, you are permitted to store the personal data, but not use it. � RIGHT TO OBJECT Stop processing of personal data on request, unless the controller demonstrates compelling reasons overriding the individuals interests rights. � RIGHTS RELATED TO AUTOMATED DECETION MAKING INCLUDING PROFILING Making a decision solely by automated means without any human involvement. Article 22 need to be followed with individual’s explicit consent.
- 8. • Name • Address • Phone • Bank / Credit cards • Email Address • IP address • Cookies • Online Identifiers Personal Data • Medical records • Biometric data • Cultural Background • Genetic data • Religious Beliefs • Sexual Orientations • Trade union memberships Special Personal Data Data category Personal Data
- 9. Responsibilities Data Subject “ EU Residence “ Make the decision Validate the decision Sub Data Processor Sub Data Processor Data Controller Keep Consent records Analyze data Use for purpose Update decision record Data Processor Platform / Service Vendor Keep record of the decision and pass it over to Controller. Gather and process Subject’s data Update Consent Allow or Deny Use service Ask consent
- 10. 12 Steps ladder for GDPR
- 12. Fear Factors • Business can not grow at Europe or even globally. as we are the DATA PROCESSOR and can not meet the requirements with DATA CONTROLLER • Highest fines if we fail to meet the GDPR criteria’s. “Forget the fear factor, GDPR will be a force for good”
- 13. Business use cases • Transparency : Clients should be informed about the personal data collection, type, purpose and duration while onboarding and wherever any change on this terms. • Client should be able to view their profile online or should able provide on their request to “validate” and update. • Ability to detect, deter, delay, respond and recover on time for any kind data breaches • Risk management and Security by Design “Personal Data should not be breached”
- 14. Patterns and Governance 1) Enterprise Security Framework and Architecture (Patterns) • IT service management (ITSM) by ITIL • Service design , service operations, etc.. • Information Security Management system (ISMS) • Cloud Computing patterns • Public Web Server patterns • Security by Design and default 2) Governance Risk and Compliance (GRC) • Risk Assessment and management program • Risk Acceptance level ( residual risk) • Risk Register • NESA and GDPR definition to Alef by Legal • Security Awareness program for all employee and contractors ( general and technical teams) • Internal and External Security audits process
- 15. Tools and Process - 3/6 1) Infrastructure Protection • Regular Hardening and patching with continues monitoring on all platforms ( server , container , Laptops , network devices , cloud services, etc..) • Continues Vulnerability management process • Malware Protection for all laptops, servers, email and Web • Web Protection on internet access for employee and services ( forward proxy) • Email protection from spam and spear phishing • Wireless security to prevent rouge Access Points (AP), BYOD and Mobiles devices 2) Identity and Access management • Central employee and contractor directory service • Privilege ID management ( admins ,root, network , servers, API, Token, shared Credentials, etc) 3) Application Security • Source code analysis (SAST) and Dynamic software assessments (DAST) • Software Composite Analysis (SCA) with Repository manager and real time code feed back to developer
- 16. Tools and Process - 3/6 4) Data Protection ( PII and Intellectual Properties ) • Data Classification and tagging • Data leakage protection and CASB for cloud services ( G drive, AWS bucket, etc..) 5) Cryptography Service • Encryption for all sensitive data stored in servers ,databases, files, laptops, cloud services ( AWS, G Drive) • Encryption on remote connectivity for laptops and remote offices via VPN • Encryption on data on transfer via SSL for internal and External web services and API • Code signing for Alef platform 6) Security Operation Center • Central event and log collection and real time correlation for anomaly detections across Alef Estate (SIEM) • Security Incident management and Incident response plan
- 17. Q&A Thank you