General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

Transcription

1 General Data Please note: - This legislation is untested and open to interpretation. - I am not a Privacy or Data Protection Solicitor. - Should you have any concerns or queries please seek legal advice from a qualified person. Protection Regulations MAY 2018 Presentation Micro Minder Ltd 2017 Martin Chapman Head of Ops & Sales Microminder

2 Aim: To deliver an insight into Cyber Crime and GDPR Objectives: - To highlight the scale, methods and impact of Cyber Crime - To offer an introduction to GDPR - To educate attendees on key changes of DP Key Points: - The role of Cyber Crime in GDPR - How will GDPR affect me? - Data Controllers & Processors - What is a DPO? Role & Responsibilities - Exemptions. Do they apply? - GDPR a paradigm shift - Penalties & Sanctions - Where do I start?

3 Cyber threats Open from attacker Will open attachment/link Within 4 minutes 286 days Detect intrusion 80 days Contain damage - some important facts to get started 63% of your team Weak, default or stolen passwords 58% of your team Accidently share sensitive information 80% of your team Non-approved SaaS usage: Shadow IT Data leakage: User mistakes 90% 53 seconds a laptop is stolen 55,000 Estimated devices compromised by Ransomware every MONTH in 2016! 5x increase from 2015 with 4x increase against Android devices. $1 Billion Average earning of a hacker from Ransomware (FBI statistics) Wannacry 152 countries $4B PAID Disruptive Individual(s) - Pranksters Disruptive Groups - Hacktivists Serious & Organised Crime Syndicates Nation State Attackers

4 Intro to GDPR WHAT: - The biggest change to Data Protection legislation since DPA 98 - EU-wide legislation (irrespective of Brexit), worldwide jurisdiction WHY: - Absolute focus on Data Subject Rights - Recognises huge advances in threat, risk and value of data - Places greater obligation on people who want your data - Allows for current technology (e.g. Biometrics, AI, ML) Don t underestimate the implications of GDPR

5 Who s Who within GDPR DATA CONTROLLER: A legal individual, public authority, agency or other body which, alone or jointly with others, determines the purposes and methods of processing personal Data. YOU ARE ALMOST CERTAINLY BOTH! DATA PROCESSOR: A legal individual, public authority, agency or body which processes personal Data on behalf of the controller. DATA PROTECTION OFFICER: An expert on data privacy who works independently to ensure an organisation is adhering to the policies and procedures in the GDPR. DATA SUBJECT: A natural person who can be identified by the data stored whose personal data is processed by a controller or processor. INFORMATION COMMISSIONER S OFFICE (ICO): The UK s DP Authority which enforces the protection of data and privacy and monitors and enforces GDPR within the EU.

6 What s What within GDPR PROCESSING: Any operation performed on personal data, including collection, use, recording, migrating, etc. PERSONAL DATA: Any information related to an identified or identifiable data subject that can be used to directly or indirectly identify the person (inc. images, video, voice, numbers ) PERSONAL DATA BREACH: A breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to, personal data. CONSENT: Informed, unambiguous, freely given, specific, and explicit consent by statement or Action from the data subject to have data relating to them processed. PRIVACY IMPACT ASSESSMENT (PIA): Tool used to identify/reduce privacy risks of a project. A PIA helps identify/reduce potential risk to data and bring about better processes for handling data.

7 Rights & Requirements within GDPR EXEMPTION: MYTH v REALITY..NONE OF YOU ARE EXEMPT FROM ANY PARTS OF GDPR.!!!! Some organisations <250 employees are exempt BUT SPECIAL CATEGORY DATA IS NOT HEALTH! BREACH NOTIFICATIONS: Statutory requirement to report data breaches to ICO within 72 hrs of becoming aware of it. Where client data is at serious risk, individuals concerned MUST be notified. RIGHT TO PORTABILITY: Entitles individuals to obtain their data to move elsewhere. Organisations OBLIGED to comply and provide in a commonly used and readable format. RIGHT TO ERASURE: AKA Right To Be Forgotten. Removal/Deletion of all personal data. This may include Back-Ups, Archives and information shared with 3 rd parties (obvious example, lab/referral) RIGHT TO ACCESS: AKA Subject Access Right. No 10 fee. 30 day response unless certain circumstances prevail. ALL DATA consider CCTV, Phone Recordings, Temp & Cache Storage.

8 Microsoft - taking GDPR seriously Important even if you ve only just heard of Europe

9 Microsoft - taking GDPR seriously

10 GDPR - Deep Dive 1 Discover Identify what personal data you have and where it resides 2 Manage Govern how personal data is used and accessed 3 Protect Establish security controls to prevent, detect and respond to vulnerabilities & data breaches 4 Report Keep required documentation, manage data Requests and breach notifications

11 GDPR - Phase 1 Discover Identify what personal data you have and where it resides What: What Data do you have? Why: Did you OBTAIN it? Do you RETAIN it? How: OBTAIN, STORE, PROTECT, ACCESS, PROCESS, DISPOSE it? (Workflows) Where: Do you STORE the Data? Who: Might you DISCLOSE it to (if any)? May have ACCESS (legitimately)? When: Would you OBTAIN, DISCLOSE, DISPOSE of Data? Review

12 GDPR - Phase 2 Manage Govern how personal data is used and accessed Gather Retain Process Disclose Dispose Why? What? How? Where? Who? When? Desire X Need Obligation Must Be: Reasonable Genuine Justifiable Review DATA MINIMISATION

13 GDPR - Phase 3 Protect Establish security controls to prevent, detect and respond to vulnerabilities & data breaches Physical HW Position; HW Movement; Premises; Mobile; Printing Digital Human Training Indemnity AV; DR; WBC; SM; ; Encryption; Automation PW Policies; DP ID; Staff Turnover Policy; Int/Ext Comms Data Protection; Threat Awareness; Breach Recognition Adult, Child, Employee Consent; Insurance Review

14 GDPR - Phase 4 Report Keep required documentation, manage data Requests and breach notifications Assessments Policies Record Keeping Registers Sanctions Gap Analyses; Vendor; Team; Processes; DPIA in due course Privacy (x2); Breach; Access/Change; Retention/Destruction; Rights (Erasure, Correction, Portability etc); General GDPR Policies; Workflows; Training Logs; Review Logs Consent; Access; RTBF; Workflows; Vendors, Training Upto 17 million; 4% of Global Revenue; Stop Orders Review

15 General Data Protection Regulations 219 DAYS TO GO