GDPR How to get started?

12/3/2017GDPR is a transformative new data privacy law in the EU
The General Data Protection Regulation (GDPR) is a new law in the European Union (EU)
providing for uniform data protection regulation throughout the EU. When it goes into effect
on May 25, 2018, it will represent one of the highest standards of privacy and data protection
in the world and will provide EU Data Protection Authorities (DPAs) the ability to regulate and
bring enforcement against companies across the globe. It will replace the existing EU Data
Protection Directive, which came into effect almost 20 years ago in 1998.
2018
2012 - 2015 2016 - 2017

12/3/2017
0% 5% 10% 15% 20% 25% 30% 35%
We do not think we will be audited in 2018
We really do not know where to start
Not relevant (the GDPR does not affect our organization)
Don't know
We are awaiting further guidelines
It is largely ready already because we are compliant with the
current data protection regulation
There is a solid plan in place to ensure readiness by May 2018
We will start addressing it this year (2017)
To what extent is your organization preparing for the General Data Protection Regulation (GDPR) to take effect?
Question:
Source: IDC's 01-2017 Benelux CIO Survey (n = 182)

12/3/2017European Data protection law with focus on Personal data
• GDPR applies to every company that collects personal data from EU data subjects,
regardless of where the company is established
• It applies to data processors as well as data controllers
• It applies to companies that offer goods or services in the EU, regardless of whether
payment is required, or monitor the behavior of EU residents
• It broadens the term Personal Data – “any information that directly or indirectly can be
related to an identified or identifiable natural person”
• It may impact other region operations if EU products and business processes can not be
easily carved out or EU data is transferred to/used in the other regions.
Major impact to the collection and/or processing of:
Consumer
Data
Employee
Data
Business
Customer
Data

12/3/2017
Which of the General Data Protection Regulation (GDPR) requirements will pose the greatest challenge to your
organization?
0% 10% 20% 30% 40% 50%
Appointing a data protection officer
Data portability (the need to provide data in machine-readable
formats upon request)
Data transfers to countries outside of the EU
To service a person's data access request
Defining data use cases and managing consent
Data minimization principle (collecting only the least amount of
data necessary)
Data breach notification within 72 hours
Encryption and/or pseudonymization of data
Defining what "state of the art" means for our organization in
terms of processes and technologies
Data protection by design and by default
Right to be forgotten (RTBF)/right to erasure
Source: IDC's 01-2017 Benelux CIO Survey (n = 182)
Question:

12/3/2017GDPR sets a high bar for personal privacy protection of digital
data, which poses considerable challenges for organizations.
The high privacy standards set by GDPR poses plenty of challenges to organizations, ranging from process and technology challenges to
organizational and cultural challenges. CIO’s have provided their rankings of GDPR-related challenges:
• Right to be forgotten (RTBF). Unsurprisingly, RTBF poses the biggest challenge of all GDPR requirements. Organizations don't really understand
the data they have amassed over the years, and they wonder how they will be able to identify all the data relating to one individual, let alone
delete all copies of this data. Balancing RTBF with contradicting regulatory demands for data retention adds an additional layer of complexity.
• Data protection by design and by default. Organizations will need to document that they have considered data protection from the onset for
all products, services, campaigns, analytics initiatives, and so on. Documentation of meetings and decision-making processes will be key to
fulfilling this requirement.
• "State of the art." The future-proofing aspect of GDPR keeps organizations on their toes to regularly review process and technology best
practices for privacy protection.
• Encryption and pseudonymization of data. GDPR adds complexity to every Big Data and analytics project. Striking a balance between getting
maximum value from analytics and not violating privacy will be the key to business success. Surprisingly, managing consent ranks much lower.
IDC believes managing consent is a core activity for organizations.
• Data breach notification within 72 hours. This requires technologies to detect data breaches in time as well as to notify the data protection
authority and the public (otherwise, reporters or the media will do the informing for you, with bad implications for your company's reputation).

12/3/2017
Protecting customer
privacy with GDPR
What does GDPR mean for your company data?

12/3/2017GDPR capability model
IDENTIFY
Personal Data
MANAGE
Personal Data
PREVENT
Privacy Violations
DETECT & RESPOND
Data Breach Handling

12/3/2017GDPR mapping

12/3/2017
Given how much work may be involved in preparing,
you should not wait until they begin enforcing the
regulations in May 2018. You need to begin
reviewing your privacy and data governance policies
and procedures now. Many organizations also take
this opportunity to review their data strategy and
modernize infrastructure. We recommend you begin
your journey to compliance with the GDPR by
focusing on four key steps:
{{
Protecting customer privacy
with GDPR
Identify what personal
data you have and
where it resides
Discover
Govern how personal data is used
and accessed
Manage
Establish security
controls to prevent,
detect and respond to
vulnerabilities & data
breaches
Protect
Keep required documentation, manage
data requests & breach notifications
Report
① ②
③④
How do you get started with GDPR
compliance?

12/3/2017
• Integrate search for applications to
locate personal data across user-
defined indexes
• Trace and identify personal data
stored in different data sources
Search &
identify
personal data
Protect dataControl access
Detect &
Remediate
threats
Classify
data
Record-
keeping
• Securely manage access to your
data, applications and other
resources
• Enforce separation of duties
• Determine and assign relative
values to your data
• Employ advanced encryption,
cryptography, and monitoring
• Restore data availability with a
variety of recovery and redundant
storage options
• Proactively prevent, detect and
respond quickly to threats
• Deliver verifiable transparency and
delivers tamper-resistant insights
with activity log
• Leverage comprehensive
compliance and privacy
documentation.
Discover Manage Protect Report
4- Step approach to become GDPR compliant
① ② ③ ④

12/3/20174- Step approach
Identify what personal data you have and
where it residesDiscover1
and accessedManage2
Establish security controls to PREVENT, DETECT,
and RESPOND to vulnerabilities & data
breaches
Protect3
Keep required documentation, manage data
requests and breach notificationsReport4

12/3/2017
Discover1
In-Scope: Inventory:

12/3/2017
and accessedManage2
breaches
Protect3
4- Step approach

12/3/2017
Data governance: Data classification:
Manage2

12/3/2017
Protect3
Preventing data attacks: Detecting & responding:

12/3/2017
PROTECT
Across all endpoints,
from sensors to the datacenter
DETECT
Using targeted signals, behavioral
monitoring and machine learning
RESPOND
Closing the gap between
discovery and action
and accessedManage2
breaches
Protect3
4- Step approach

12/3/2017
IDENTIFY PROTECT DETECT RESPOND RECOVER
Cybersecurity Context Framework
Maturity level of your organization
(Based on NIST framework)
DEFENCE IN DEPTH
Multiple Layers
99,9% TTD TTI / TTR
Across all
endpoints, from
sensors to the
datacenter
Using targeted
signals, behavioral
monitoring &
machine learning
Closing the gap
between
discovery and
action

12/3/2017
Record-keeping: Reporting tools:
Report4

12/3/2017
DEVICE
Protection
Device health verification
Device Integrity
Device control
Security Policies
Mobile Device Management
& Mobile App management
to protect corporate apps
and data on any device
THREAT
Resistance
Report phishing & malware
websites
Firewall (Network attacks)
Anti-Malware (Emerging &
New/Unknown)
Zero-day threat & malware
protection thru email
filtering
IDENTITY
Protection
Identity Validation (Natural
biometric) or familiar (PIN)
Isolate HW user’s secrets
(Pass-the-hash)
Single-sign-On
Privileged Identity
Management (Account
Lockdown)
INFORMATION
Protection
Volume Drive Encryption
Information Protection
Data Loss Prevention
Enhanced customer data
access controls
Identity high-risk/abnormal
usage
Intelligent classification,
labeling & encryption to
secure corporate files &
emails
Breach
DETECTION
Investigation &
RESPONS
Conditional access
Behavior based, post-breach
advanced attack
detection/investigation/resp
onse to sophisticated threats
Detect known malicious
attacks, uncover abnormal
activity, Identify Security
issues and risks
SLA TTD TTI/TTR
Pre-Breach Post-Breach
Security Capabilities
Protect your Identity & Data

12/3/2017
 Compliance Manager helps assess and
track data protection and compliance
posture and get actionable insights to
improve. With an intelligent score,
customers can better understand their
compliance posture against regulatory
standards.
 Data Catalog/Register will help discover
data across your applications, tools and
databases.
 Information Rights Management helps
protect data across its lifecycle by
preventing sensitive information from
being printed, forwarded, saved,
edited, or copied by unauthorized
individuals.
Discover Manage Protect Report
 DPA Compliance Program provides
access to compliance documentation
and security experts and auditors
 Existing compliance approaches and
attestations already in alignment
with the GDPR provide a good
foundation to start from.  Identity and Access Management and
Conditional Access can help manage
access to data across platforms,
whether in the cloud, on premise or in
a hybrid environment.
Security Capabilities

GDPR How to get started?

More Related Content

What's hot (19)

Similar to GDPR How to get started? (20)

Recently uploaded (20)

GDPR How to get started?

Editor's Notes