GDPR for Security Professionals

Post on 23-Jan-2018





  • GDPR for Security Professionals, by Saumya Vishnoi

  • About Me

  • Target Audience

    Those who are part of a GDPR implementation team: this is not a talk for them, as they must already know a lot more than what I am about to say.

    Those who are part of an organization under GDPR but not part of the implementation team: you can align your current practice with company requirements, and the talk will give you keywords that you can throw around and impress your boss ;)

    Those who are completely outside the GDPR world: GDPR can act as an excellent case study for implementing a privacy standard or set of rules in your security charter.

  • What is GDPR

    General Data Protection Regulation (GDPR)

    A law or regulation adopted on 27 April 2017

    It takes effect from 25 May 2018 (after a 2-year implementation period)

    An extension to the existing DPA standard

    Impacts organizations doing business in the EU

    Scope: organizations processing personal information, wholly or partially

    Controllers established in the EU, or non-EU established organizations that target or monitor EU data subjects

  • Why it is important to know ?

    50 countries in the European Union

  • What is PII as per GDPR

  • Data Processors

  • GDPR requirements

    1. Individual rights

       1. The right to be informed

       2. The right to access

       3. The right of rectification

       4. The right to erasure

       5. The right to restrict processing

       6. The right to data portability

       7. The right to object

       8. Rights related to automated decision making and profiling

    2. Accountability and governance

    3. Breach notification

    4. Transfer of data

  • The right to Access

    Individuals will have the right to obtain:

    confirmation that their data is being processed;

    access to their personal data; and other supplementary information

    No fee can be charged for such a request

    Requests must be processed within one month of receipt at the latest

  • The right of Rectification

    Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

    Requests must be processed within one month of receipt at the latest

  • The right to Erasure/Forgotten

    Enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

  • Accountability & Governance

    The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.

    Records of processing activities

    Data protection impact assessments

    Appointing a Data Protection Officer

  • DPO (Data Protection Officer)

    Under the GDPR, you must appoint a data protection officer (DPO) if:

    you are a public authority (except for courts acting in their judicial capacity);

    you carry out large-scale systematic monitoring of individuals (for example, online behavior tracking); or

    you carry out large-scale processing of special categories of data, or of data relating to criminal convictions and offences.

  • Breach Notification

    Data breach means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

    Notify the supervisory authority within 72 hours of the organization becoming aware of the breach

    Notify individuals as early as possible if the breach may result in a high risk to the rights and freedoms of individuals

    Failure to notify: 10 million Euro or 2% of global turnover

    Must have an internal breach reporting procedure that also covers breach detection and investigation

  • Summary Points

    50 countries

    4% potential fine, as a percentage of global turnover, as it applies to cross-border organizations which have access to EU data in Europe

    72 hours breach notification timeline

    80+ requirements

    250 million: cost of a 4% fine for a typical FTSE 100 company

    190+ countries potentially in scope of the regulation



  • Thank you