Data Breaches and the EU GDPR

Similar documents
The Role of the Data Protection Officer

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The GDPR: The catalyst for customer July 2017

NIS, GDPR and Cyber Security: Convergence of Cyber Security and Compliance Risk

Conducting a data flow mapping exercise under the GDPR. Presented by: Alan Calder, founder and executive chairman, IT Governance 4 October 2017

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

Data Protection Policy

How the GDPR will impact your software delivery processes

Cybersecurity Considerations for GDPR

Eco Web Hosting Security and Data Processing Agreement

Element Finance Solutions Ltd Data Protection Policy

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Creative Funding Solutions Limited Data Protection Policy

General Data Protection Regulation (GDPR)

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Motorola Mobility Binding Corporate Rules (BCRs)

EU General Data Protection Regulation (GDPR) Achieving compliance

PS Mailing Services Ltd Data Protection Policy May 2018

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Data Processing Clauses

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Introductory guide to data sharing. lewissilkin.com

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

CNPD Course: Data Protection Basics

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Getting ready for GDPR

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

GDPR - Are you ready?

Data Protection and GDPR

NEWSFLASH GDPR N 8 - New Data Protection Obligations

GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

ADIENT VENDOR SECURITY STANDARD

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

Made In Hackney Data Protection Policy Last Updated:

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Islam21c.com Data Protection and Privacy Policy

GDPR Compliance. Clauses

General Data Protection Regulation (GDPR) Key Facts & FAQ s

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

Our agenda. The basics

GDPR: A QUICK OVERVIEW

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Stopsley Community Primary School. Data Breach Policy

Requirements for a Managed System

DATA PROCESSING TERMS

Data Processing Agreement

Little Blue Studio. Data Protection and Security Policy. Updated May 2018

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

UWC International Data Protection Policy

GDPR: A technical perspective from Arkivum

Privacy Breach Policy

Data Processing Agreement for Oracle Cloud Services

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

SCHOOL SUPPLIERS. What schools should be asking!

DATA PROTECTION POLICY THE HOLST GROUP

DATA SECURITY - DATA PROTECTION ACT

DATA PROTECTION BY DESIGN

Prohire Software Systems Limited ("Prohire")

Data Protection Privacy Notice

L attuale scenario in cyber security all indomani dell adozione di nuovi quadri normativi europei

General Data Protection Regulation for ecommerce. Reach Digital - 18 december 2017

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT

External Supplier Control Obligations. Cyber Security

GDPR compliance: some basics & practical to do list

THE EU GENERAL DATA PROTECTION REGULATION CHECK POINT FOR EFFICIENT AND EFFECTIVE COMPLIANCE WELCOME TO THE FUTURE OF CYBER SECURITY

Data Processing Agreement

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Privacy Notice. General Information Protection Regulation ( GDPR )

Regulating Cyber: the UK s plans for the NIS Directive

Google Cloud & the General Data Protection Regulation (GDPR)

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

Data Protection Policy

Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

Data Protection Policy

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

PRIVACY POLICY OF.LT DOMAIN

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

European Union Agency for Network and Information Security

Data Sheet The PCI DSS

Jeff Wilbur VP Marketing Iconix

Governance and Compliance Learning from the Private Sector. David Coverdale

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

Arkadin Data protection & privacy white paper. Version May 2018

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

ADMA Briefing Summary March

Transcription:

Data Breaches and the EU GDPR Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 30 June 2016 www.itgovernance.co.uk

Introduction Adrian Ross GRC Consultant Infrastructure Services Business Process Re-engineering Business Intelligence Business Architecture Intellectual Property Legal Compliance Data Protection & Information Security Enterprise Risk Management 2

IT Governance Ltd: GRC One-Stop-Shop All verticals, all sectors, all organizational sizes

Agenda TM An overview of the regulatory landscape Territorial scope Remedies, Liabilities and Penalties Principles of the EU GDPR Data Breaches Notification rules Supervisory Authorities EU Data Protection Board 4

The nature of European law Two main types of legislation: Directives º Require individual implementation in each Member State º Implemented by the creation of national laws approved by the parliaments of each Member State º European Directive 95/46/EC is a Directive º UK Data Protection Act 1998 Regulations º Immediately applicable in each Member State º Require no local implementing legislation º EU GDPR is a Regulation

Article 99: Entry into force and application TM This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES On 8 April 2016 the Council adopted the Regulation. On 14 April 2016 the Regulation was adopted by the European Parliament. On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final Text of the Directive: http://data.consilium.europa.eu/doc/document/st- 5419-2016-REV-1/en/pdf

GDPR The GDPR has eleven chapters: TM Chapter I General Provisions: Articles 1-4 1 Chapter II Principles: Articles 5-11 2 Chapter III Rights of the Data Subject: Articles 12-23 3 Chapter IV Controller and Processor: Articles 24-43 4 Chapter V Transfer of Personal Data to Third Countries: Articles 44-50 5 Chapter VI Independent Supervisory Authorities: Articles 51-59 6 Chapter VII Cooperation and Consistency: Articles 60-76 7 Chapter VIII Remedies Liabilities and Penalties: Articles 77-84 8 Chapter IX Provisions Relating to Specific Processing Situations: Articles 85-91 9

Data protection model under GDPR European Data Protection Board Information Commissioner s Office (ICO) (supervising authority) Assessment Enforcement Data processor Security? Data controller (organisations) Duties Rights Data subject (individuals) Inform? Third countries Guarantees? Disclosure? Third parties

Articles 1 3: Who, and where? Natural person = a living individual Natural persons have rights associated with: The protection of personal data The protection of the processing personal data The unrestricted movement of personal data within the EU In material scope: Personal data that is processed wholly or partly by automated means; Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. It applies to controllers not in the EU

Remedies, liabilities and penalties TM Article 79: Right to an effective judicial remedy against a controller or processor Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. Article 82: Right to compensation and liability Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. Controller involved in processing shall be liable for damage caused by processing. Article 83: General conditions for imposing administrative fines Imposition of administrative fines will in each case be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year (whichever is higher) Module I

Article 5: Principles - Personal data shall be: 1 Processed lawfully, fairly and in a transparent manner 2 Collected for specified, explicit and legitimate purposes 3 Adequate, relevant and limited to what is necessary 4 Accurate and, where necessary kept up to date 5 Retained only for as long as necessary 6 Processed in an appropriate manner to maintain security Accountability 7.

Article 5 & 6: Lawfulness Secure against accidental loss, destruction or damage Processing must be lawful which means, inter alia: Data subject must give consent for specific purposes Other specific circumstances where consent is not required º So that controller can comply with legal obligations etc One month to respond to Subject Access Requests & no charges Controllers and processors clearly distinguished Clearly identified obligations Controllers responsible for ensuring processors comply with contractual terms for processing information Processors must operate under a legally binding contract º And note issues around extra-territoriality

Article 32: Security of Personal Data A requirement for data controllers and data processors to implement a level of security appropriate to the risk, including: pseudonymisation and encryption of personal data; ensure the ongoing confidentiality, integrity and availability of systems; a process for regularly testing, assessing and evaluating the effectiveness of security measures; security measures taken need to comply with the concept of privacy by design;

Key facts about cyber breaches Which organisations suffered data breaches in 2015? 69 % of large organisations 38 % of small organisation What was the median number of breaches per company? Large organisations: 14 Small organisations: 4 What was the average cost of the worst single breach? Large organisations: 1.46-3.14m Small organisations: 75k - 311k What will happen next year? 59% of respondents expect more breaches this year than last PwC and BIS: 2015 ISBS Survey 14 60% of breached small organisations close down within 6 months National Cyber Security Alliance

What sorts of breaches? Of Large Organisations: External attack 69% Malware or viruses 84% Denial of Service 37% Network penetration (detected) 37% (if you don t think you ve been breached, you re not looking hard enough) Know they ve suffered IP theft 19% Staff-related security breaches 75% Breaches caused by inadvertent human error 50% PwC and BIS: 2015 ISBS Survey 15

Cyber crime: widespread TM Source: BusinessWeek/Symantec

Breach Landscape TM Not if, but when Being prepared is key Develop the resilience to respond Don t wait until after the event 72 hour window to respond How and when you respond goes towards mitigation Incident response mandated in ISO27001, ISO 22301, PCI DSS

CREST - Three Phases of a Cyber Attack Stage 1 Reconnaissance Identify target Look for vulnerabilities Countermeasures: Monitoring and logging Situational awareness Collaboration

CREST - Three Phases of Cyber Attack Stage 2 Attack target Exploit vulnerabilities Defeat remaining controls Countermeasures: Architectural system design Standard controls (i.e. ISO 27001) Penetration testing

CREST - Three Phases of Cyber Attack Stage 3 Achieve objectives Disruption of systems Extraction of data Manipulation of information Countermeasures: Cyber security incident response planning Business continuity and disaster recovery plans Cyber security insurance

The Top Ten Challenges Facing Organisations TM Organisations can have significant difficulty in responding to cyber security incidents, particularly sophisticated cyber security attacks. The top ten challenges organisations face in responding to a cyber security incident in a fast, effective and consistent manner are: Identifying a suspected cyber security incident; Establishing the objectives of an investigation and a clean-up operation; Analysing all available information related to the potential cyber security incident; Determining what has actually happened; Identifying what systems, networks and information (assets) have been compromised; Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted; Finding out who did it and why; Working out how it happened; Determining the potential business impact of the cyber security incident; Conducting sufficient investigation using forensics to identify those responsible.

CREST Cyber Incident Response Approach Prepare: Conduct a criticality assessment; Carry out a cyber security threat analysis; Consider the implications of people, process, technology and information; Create an appropriate control framework; Review your state of readiness in cyber security incident response

CREST Cyber Incident Response Approach Respond: Identify cyber security incident/s; Define objectives and investigate the situation; Take appropriate action; Recover systems, data and connectivity.

CREST Cyber Incident Response Approach Follow up: Investigate incident more thoroughly; Report incident to relevant stakeholders; Carry out a post incident review; Communicate and build on lessons learned; Update key information, controls and processes; Perform trend analysis. Utilising the CREST Cyber Incident response approach and drawing from ISO 27001 and ISO 27035 standards IT governance can assist you in defining and implementing an effective prepare, respond, and follow up incident response approach

Article 33: Personal Data Breaches TM The definition of a Personal Data Breach in GDPR: A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Article 33: Personal Data Breaches Obligation for data processor to notify data controller Notification without undue delay after becoming aware No exemptions All data breaches have to be reported EDPB to issue clarification with regard to undue delay

Article 33: Personal Data Breaches Obligation for data controller to notify the supervisory authority Notification without undue delay and not later than 72 hours Unnecessary in certain circumstances Description of the nature of the breach Communicate details of the Data Protection Officer No requirement to notify if unlikely to result in a high risk to the rights and freedoms of natural persons Failure to report within 72 hours must be explained EDPB to issue further clarification with regard to undue delay

Article 34: Personal Data Breaches Obligation for data controller to communicate a personal data breach to data subjects Communication to the data subject without undue delay if high risk Communication in clear plain language Supervisory authority may compel communication with data subject Exemptions if appropriate technical and organisational measures taken High risk to data subject will not materialise Communication with data subject would involve disproportionate effort

Independent Supervisory Authorities Member states must create independent supervisory authorities and resource them appropriately Tasks: Monitor and enforce Communicate Promote awareness Powers: To investigate, correct, advise, enforce Leading Supervisory Authority for multi-state controllers

European Data Protection Board (EDPB) Ensure cooperation, communication, consistency and mutual assistance between national supervisory authorities Monitor and ensure correct application of the Regulation Examine any question dealing with its application Ie: Ensure a level playing field

GDPR - Summary TM Complete overhaul of data protection framework Covers all forms of PII, including biometric, genetic and location data Applies across all member states of the European Union Applies to all organizations processing the data of EU citizens wherever those organizations are geographically based Specific requirements around rights of data subjects, obligations on controllers and processors, including privacy by design Administrative penalties for breach up to 4% revenue or 20 million Intended to be dissuasive Data subjects have a right to bring actions (in their home state) and to receive damages if their human rights have been breached ( Right to an effective judicial remedy against a controller or processor ) Fines to take into account the technical and organizational measures implemented

Data Breaches in the UK January to March 2016-448 new cases Data Breaches by Sector Health (184) Local Government (43) Education (36) General Business (36) Finance, Insurance & Credit (25) Legal (25) Charitable & Voluntary (23) Justice (18) Land or Property Services (17) Other (41) Source: UK Information Commissioner s Office

Data Breaches in the UK TM January to March 2016 Data Breaches by type Loss or theft of paperwork (74) Data posted of faxed to wrong recipient (74) Data sent by e-mail to wrong recipient (42) Webpage hacking (39) Failure to redact data (28) Insecure disposal of data (24) Loss or theft of unencrypted device (20) Information uploaded to web page (10) Verbal disclosure (7) Insecure disposal of hardware (2) Other principle 7 failure (128) Source: UK Information Commissioner s Office

Information Security TM Processes People Technology

Cyber Security Assurance GDPR requirement - data controllers must implement: appropriate technical and organizational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation. Must include appropriate data protection policies Organizations may use adherence to approved codes of conduct or management system certifications as an element by which to demonstrate compliance with their obligations ICO and BSI are both developing new GDPR-focused standards ISO 27001 already meets the appropriate technical and organizational measures requirement It provides assurance to the board that data security is being managed in accordance with the regulation It helps manage ALL information assets and all information security within the organization protecting against ALL threats

IT Governance: GDPR One-Stop-Shop Accredited Training 1 Day Foundation Course London OR Cambridge: http://www.itgovernance.co.uk/shop/p-1795-certified-eugeneral-data-protection-regulation-foundation-gdpr-training-course.aspx ONLINE http://www.itgovernance.co.uk/shop/p-1834-certified-eu-general-dataprotection-regulation-foundation-gdpr-online-training-course.aspx Practitioner course, classroom or online www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protectionregulation-practitioner-gdpr-training-course.aspx Pocket Guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx Documentation Toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-dataprotection-regulation-gdpr-documentation-toolkit.aspx Consultancy support Data audit Transition/implementation consultancy www.itgovernance.co.uk/dpa-compliance-consultancy.aspx

Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback