General Data Protection Regulation
Philippe Roggeband
Business Development Manager, GSSO EMEAR
Why should you care?
• Data protection, and compliance with the General Data Protection Regulation, is NOT an option. It becomes mandatory in May 2018
• Not being compliant may result in huge fines (up to 20M€ or 4% of worldwide (WW) turnover)
• Demonstrating compliance ahead of time will be an important business differentiator
Some background
• GDPR took over three years for an agreement to be reached
• It has 173 “Whereas” elements defining the context
• It has 99 articles stating obligations
• It will come into effect in May 2018
• Fun fact: it has 20,000 more words than Shakespeare’s “Hamlet”
Some basic terminology
• Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States.
• Directives lay down certain results that must be achieved, but each Member State is free to decide how to transpose directives into national laws.
• Decisions are EU laws relating to specific cases and directed to individual or several Member States, companies or private individuals. They are binding upon those to whom they are directed.
What was voted on 27th April 2016?
• Regulation 2016/679
  • On the protection of natural persons with regard to the processing of personal data and on the free movement of such data
  • Repealing Directive 95/46/EC
• Directive 2016/680
  • On the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
  • Repealing Decision 2008/977/JHA
In other words
• Regulation 2016/679 applies to all organisations which control or process personal data
• Directive 2016/680 applies to law enforcement bodies: police, Ministry of Interior, state investigation organisations, etc.
This deck is about REGULATION 2016/679 and how it may affect your organisation
Introduction
• Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information: name, address, credit card number, etc.
• Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose
• Persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners
• Public authorities and individuals transfer vast amounts of personal data across borders. Common EU rules ensure that personal data enjoys a high standard of protection everywhere in the EU.
• The EU Data Protection Regulation also foresees specific rules for the transfer of personal data outside the EU
Personal Data definition
• ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Data Processing definition
• ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Data Controller definition
• ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
What has changed with the new Regulation?
Key changes vs Directive 95/46/EC
• GDPR defines new rights for consumers (data subjects)
• The GDPR will apply not only to companies established in the EU, but to all companies that target EU markets or consumers.
• Penalties for non-compliance will reach unprecedented heights with new maximum fines of EUR 20 million or 4% of annual worldwide revenue.
• EU legislators have introduced significant compliance burdens such as recordkeeping obligations and mandatory privacy impact assessments (PIAs) and, under the accountability principle, companies will have to be able to demonstrate compliance upon request.
Consumer / individual rights
• Unambiguous consent
• Right to withdraw consent
• Right to data portability
• Right to be forgotten
• Right to be informed when data is compromised
• Right to compensation
• One-stop shop
Individual Rights: Conditions for Collection and Use
• Legal basis for processing (or legitimate reason):
  • Necessity to perform a contract; compliance; legitimate interest which outweighs the privacy right
  • Fraud prevention
• Consent
  • “Freely given, specific, informed and unambiguous indication”
  • Can be withdrawn
• Right to be forgotten
  • Right to request that individual data be erased. Exemptions may apply if the processing is deemed necessary for the exercise of freedom of expression, compliance with a legal obligation, or the public interest
Individual Rights (ctd)
• Right to Data Portability
  • Provides a way for consumers to take their data from one service provider to another.
  • Individuals will be able to request a copy of their personal information in a structured and commonly used electronic format.
  • Only applies to information obtained on the basis of consent or as necessary to perform a contract
Scope of the Regulation
• Data Controller or Processor is based in the EU
• Data Subject is based in the EU, even if the holding / processing organisation is based outside the EU
• This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR. This is not the case currently.
Remedies, Liability and Penalties (Articles 77 to 84)
• Data Subjects can exercise rights to
  • Lodge complaints
  • An effective judicial remedy against controllers or processors
  • Compensation and liability in the case of infringement of the Regulation
• Administrative fines can be imposed
  • Infringements of obligations of the controller, processor, certification body or monitoring body: 10M€ or up to 2% of total worldwide (WW) turnover
  • Infringements of basic principles, data subjects’ rights, or transfer of personal data to non-compliant third parties: 20M€ or up to 4% of total worldwide (WW) turnover
Compliance and Governance
Accountability: companies must be able to demonstrate their compliance to regulators on request.
• Documentation and Recordkeeping
  • Companies must register data processing activities with their DPA
  • Data controllers and processors must maintain a record detailing purposes of data processing; potential data recipients; appropriate safeguards; security measures.
Compliance and Governance (ctd)
Privacy Impact Assessments
• Companies will be required to conduct PIAs for processing activities which are likely to result in “high risk for the rights and freedom of individuals”, e.g.
  • Use of sensitive data
  • Systematic monitoring of public areas
• A PIA will include
  • Risk assessment
  • Analysis of safeguards and accountability measures
Compliance and Governance (ctd)
Privacy by Design and by Default
• Requires that companies put in place technical and organisational measures to implement data protection principles
• GDPR mentions pseudonymization as an example of such measures
• Other measures include:
  • Key coding techniques
  • Limiting access (“need to know”)
  • Data minimization
  • Limiting data retention
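The measures listed on the Privacy by Design slide can be shown together in code. The following is an added illustration, not Cisco's code and not part of the original deck: pseudonymization by key coding (a keyed HMAC over a stable identifier, with the key and the token-to-identity table kept apart from the working data set), data minimization (only the fields the stated purpose needs leave the source system), a retention limit, and erasure of the link to a person. The record layout, field names, purpose and 365-day retention period are assumptions chosen for the example.

```python
"""Pseudonymisation by key coding, data minimisation and a retention limit.
Added example, not from the original deck; record layout, field names and
the retention period are assumptions."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample records, as a customer system might hold them.
SAMPLE_RECORDS = [
    {"name": "Ann Example", "email": "ann@example.org", "dob": "1980-04-02",
     "order_total": 120.50, "collected": "2016-01-15"},
    {"name": "Bob Sample", "email": "bob@example.org", "dob": "1975-11-30",
     "order_total": 42.00, "collected": "2017-03-01"},
]

# Assumed purpose: analytics on order totals. Only these fields are needed.
ANALYTICS_FIELDS = ("order_total", "collected")
RETENTION = timedelta(days=365)   # assumed retention period


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier ("key coding").

    Without the key the token cannot be linked back to the person. A plain
    unkeyed hash would not do: it can be matched by hashing a list of
    candidate addresses, so it would still be identifying data."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (minimised analytics records, key table).

    The key table maps token -> identifying fields and belongs under
    separate, need-to-know access control from the analytics records."""
    key_table = {}
    analytics = []
    for record in records:
        token = make_pseudonym(key, record["email"])
        key_table[token] = {k: record[k] for k in ("name", "email", "dob")}
        # Data minimisation: only purpose-relevant fields plus the token.
        row = {k: record[k] for k in ANALYTICS_FIELDS}
        row["subject"] = token
        analytics.append(row)
    return analytics, key_table


def expired(records, today: date):
    """Records collected longer ago than RETENTION, due for erasure."""
    return [r for r in records
            if date.fromisoformat(r["collected"]) + RETENTION < today]


def erase_subject(key_table, token: str) -> bool:
    """Right to be forgotten: dropping the key-table entry severs the link
    between the token and the person; analytics rows keep only the token."""
    key_table.pop(token, None)
    return token not in key_table


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice held in a separate key store
    analytics, keys = pseudonymise(SAMPLE_RECORDS, key)
    print(analytics[0])                          # no name, email or dob
    print(len(expired(analytics, date(2017, 6, 1))), "record(s) past retention")
    print(erase_subject(keys, analytics[0]["subject"]))
```

The point of keeping the key table and the HMAC key apart from the analytics set is that a compromise of the analytics store alone exposes tokens and order totals, not identities; the same separation is what lets an erasure request be honoured without rewriting every downstream copy of the data.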
Compliance and Governance (ctd)
Data Privacy Officer
• GDPR introduces a requirement to appoint a DPO, but only in limited circumstances
  • Company’s core activities require regular and systematic monitoring of individuals on a large scale
  • Activities include large-scale processing of sensitive data
  • Data processed relates to criminal offences
• A DPO may be appointed for a group of companies
• The DPO must have expert knowledge of privacy and data protection law and practice
Cross-border Transfers and Binding Corporate Rules
• EU data protection law prohibits transfers of personal data to non-EU countries that do not provide for an “adequate level of personal data protection” without individuals’ explicit consent, unless “appropriate safeguards” are in place.
• In addition to continuing to recognize approved Standard Contractual Clauses, the GDPR now formally recognizes the use of BCRs
• Binding Corporate Rules (“BCR”) are internal rules (such as a Code of Conduct) adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.
• Putting in place BCRs entails implementing a comprehensive privacy program which is then subject to the approval of European data protection authorities (DPAs).
Mandatory Breach Notification & DPAs
• Companies must notify the competent DPA (Data Protection Authority) within 72 hours
• DPAs have new tasks and powers
  • Imposing fines for non-compliance
  • Handling complaints
  • Co-operation with other authorities
  • Drafting standard contracts for data transfers
Key changes (ctd)
• Binding Corporate Rules (BCRs) are formally recognized as an international transfer mechanism.
• Mandatory breach notification will be established for all of the EU Member States.
High-level roadmap to compliance
Areas to assess: Data, Users, Policies, Processes, Technology
Are there existing Policies?
• Do they include compliance elements? With what?
• Are roles defined?
• Do they include “need-to-know” & separation of duties?
• Are access control rules defined and implemented?
  • Are they role-based?
  • Are they context aware?
  • Are they granular? To what level?
• Do they meet GDPR requirements?
What is the status of operational capabilities?
• Are processes defined to align new initiatives / projects with policies?
• Is there a SOC?
• Are processes defined to deal with incidents?
• Is there an Incident Response Team?
• Do currently installed technologies allow these processes to be effective?
  • Access control
  • Incident / breach of policy detection
  • Incident response
How can Cisco help?
Cisco’s Approach to Managing Privacy
Phases: Understand, Prioritize, Develop, Govern
Privacy Program - Assessment and Strategy Development
• Comprehensive assessment of requirements and development of a program roadmap
Privacy Compliance Program Support
• Accelerate development and implementation
• Transform compliance requirements into a practical program
Privacy Impact Analysis
• Kickstart a program
• Periodic review of capability evolution
Service Description
Service lines: Scope & Impact Analysis; Program Assessment & Development; Compliance & Certification Support
Address GDPR requirements
• Assess applicability of your organisation’s data, partners and entities to GDPR compliance
• Understand the current state of your compliance program and the steps to create an effective data protection program
• Perform a review of your GDPR program to adjust for changes in business services, new markets, adoption of technologies, use of partners and changed regulations
• Identify other privacy obligations anticipated by your business plans
Develop a custom GDPR programme
• Perform an evaluation of GDPR requirements and obligations
• Understand specific business needs, information lifecycle, growth plans and use of technology
• Perform a Data Protection Impact Assessment to discover PII that is being collected, why it is being collected and how it will be used, secured, shared and stored.
• Assess existing program against a custom set of relevant process maturity goals
• Development of a comprehensive program roadmap to meet the needs of the business and GDPR compliance
Accelerate implementation of existing GDPR programme
• Provide independent and experienced advice on how to meet GDPR mandates
• Transform GDPR compliance requirements into a practical program and implementation plan
• Review governance mechanisms of your current GDPR compliance program and assess readiness for certification
*Assuming a large, local enterprise. An MNC will be a multiple derivative, depending on the number of business lines.
Cisco Technology solutions
Secure Data Centre
Obviously, data centres will be the location of choice to store personal data, and as such will be the primary target for attacks on confidentiality. The Cisco Secure Data Centre for the Enterprise Solution Portfolio provides design and implementation guidance for enterprises that want to deploy physical and virtualized workloads in their data centres. Using our solutions can provide exceptional protection to address today's advanced data security threats.
Associated technologies: NGFW, NGIPS; ACI; Stealthwatch; Advanced Threat Analytics
Network Segmentation & Access Control
One of the key elements of GDPR compliance is controlling access to the resources where the personal data is stored and processed. Cisco’s access control and network segmentation capabilities help customers gain awareness of everything hitting their network, and provide access consistently and efficiently. This relieves the stress of complex access management, as security policies are updated and distributed dynamically.
Associated technologies: Identity Services Engine; TrustSec
Breach detection and notification
Major news organisations, analyst reports, and companies have all confirmed a new era of intrusions, theft, and malicious attacks. A major challenge facing organisations seeking GDPR compliance will be detecting these advanced threats, then analysing and blocking them. Cisco offers a full portfolio of solutions, combining static and dynamic malware analysis with threat intelligence into one unified solution.
Associated technologies: OpenDNS; Advanced Malware Protection, ThreatGrid; Stealthwatch (Network as a Sensor); Active Threat Analytics
What about Cisco? Will we be compliant?
• As the GDPR seeks to strengthen privacy compliance and organisational accountability while driving consistency and interoperability throughout the EU (and the world), Cisco is committed to full compliance with the GDPR requirements by May 2018.
• From our developers and engineers to our legal and HR programs, we look at data protection and privacy from all angles. We devote significant resources to data protection and privacy and have a rigorous compliance program that has been driving toward robust privacy protection for years.
Do you need more information? http://ec.europa.eu/justice/data-protection/reform/index_en.htm
8 Recommendations
• Prepare for data security breaches
• Establish a framework for accountability
• Embrace privacy by design
• Analyse the legal basis on which you use personal data
• Check your privacy notices and policies
• Bear in mind the rights of the data subjects
• If you are a supplier to others, consider whether you have new obligations as a processor
• Consider BCR to facilitate cross-border data transfers
Closing thought
Being compliant does not make you secure.
Being secure helps you to be compliant.