SESSION ID: GPS-R09

General Data Protection Regulation (GDPR): The impact of doing business in Asia

Ilias Chantzos
Senior Director, EMEA & APJ Government Affairs
Symantec Corporation
@ichantzos
Typical Customer Timeline for the GDPR

Awareness phase: What is it and does it really impact me?
- Thought leadership
- Awareness
- Education
- 96% do not fully understand GDPR

Discovery & planning: What do I need to do, and by when?
- Risk assessments / gap analysis
- Advisory services
- Information governance plans
- Budgeting / hiring key staff
- 9 in 10 have concerns about their ability to become compliant

Implementation: Making changes to prepare
- Policy and organisational updates
- Addressing technology gaps
- Purchasing of software and technology
- 22% consider compliance a top priority in the next two years

Timeline:
- 25th May 2016: Formal EU approval of GDPR
- 2H 2016 / 2017 / May 2017 / 2018: preparation period
- 25th May 2018: GDPR comes into force across all EU states (including the UK)
Why does EU law matter for Asia?
The Evolution of GDPR

TODAY: 28 interpretations of the Data Protection Directive

2018: One Data Protection Regulation, harmonized across all EU member states
- Right to be forgotten
- Extra-territoriality
- Consent
- Access
- Fines and penalties
- Accountability
- Joint liability of controllers and processors
- Mandatory breach notification
Business Concerns With the GDPR
- Accountability
- Information security
- Cloud and international data transfer
- Penalties for breaking the law
What is GDPR All About? Not Just Privacy.

Privacy
- Principles of data collection: fairly and lawfully, receiving consent, relevance, proportionality
- Types of data: collect, process
- Permission applies to: specific data, specific purpose, notify of changes

Security
- Management of: access, right to rectify data, data destruction policy, data transfers, applicable rules
- Manage the information lifecycle: retain & secure
- Retain: duration, types of data
- Secure: people, process, technology, data loss
Privacy & Security

Privacy = Strategy
- Outcomes
- Requirements
- How to process data

Security = Operationalisation
- Capabilities
- Controls
- Practical implementation

You can have security without privacy, but you can't have privacy without security.
GDPR: Eight Big Questions
1. Can you determine what your risk profile is?
2. What personal data is out there, and where is it?
3. Can we control what personal data is accessible and who can access it?
4. Can we control where data resides?
5. Can we obfuscate data and enhance privacy?
6. Can we detect unauthorised access to, or breaches of, personal data?
7. Can we quickly and thoroughly notify in the event of a breach?
8. Can you continuously evaluate the effectiveness of your security?
What is the Difference Between On-Premise & Cloud?

None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
Understanding the Cloud Data Challenge

26% of cloud docs are broadly shared

New challenges:
- Proliferation of cloud apps
- Shadow data problem
- Compromised accounts

(Diagram: on-premises DLP detection with a DLP Enforce management server)
Data Transfers and Adequacy

In most cases, by definition, cloud will involve some form of international data transfer.

To the US:
- Standard model clauses
- Binding Corporate Rules (BCR)
- Privacy Shield
- The Safe Harbour story

To third countries:
- Standard model clauses
- Binding Corporate Rules (BCR)
- Certification / codes of conduct
What is Accountability?

Demonstrate compliance through appropriate policy, process and technology:
- Data Protection Officers
- Privacy Impact Assessments
- Privacy by Design and by Default
- Effective, enforced & documented policies

Accountability cannot be transferred or outsourced.
Shadow IT, Shadow Data: What Do We Mean?

Shadow IT: unsanctioned apps / services in use

Shadow Data: unmanaged content that users put into:
- Sanctioned apps / services not meant for that
- Unsanctioned apps / services

In GDPR terms:
- Shadow IT = data processors in the wild
- Shadow Data in sanctioned apps / services may be processed out of policy
- Shadow Data in unsanctioned apps / services cannot be accounted for
Where Might GDPR Compliance Be Impacted?
- Purpose limitation, storage limitation, confidentiality and integrity (Article 5)
- Transparency and information to data subjects (Articles 12-14)
- Exercise of data subject rights (Articles 15-22)
- Privacy by Design and by Default (Article 25)
- Risk of joint controllership (Article 26)
- Processor obligations and sub-processing (Article 28)
- Controller-processor relationship (Article 29)
- Documentation of processing operations (Article 30)
- Security of processing (Article 32)
- Data breach detection and notification (Articles 33 and 34)
- Risk assessment, DPIA accuracy, prior consultation (Articles 35-36)
- International transfers (Chapter V)
- Compensation and liability (Article 82)
- Overall accountability (Articles 5 & 24)
- Sanctions (Article 83)
Information Security
- Improved security requirements
- Encryption and ID management
- Requirement to secure private data
- Effective detection and response
The Regulatory Terms of Reference

Article 4, Paragraph 12: THE BREACH. What can happen to data?
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

Recital 75: THE IMPACT. What can happen to the data subject?
"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage"

GDPR / DPA requirement: Prevent, Detect, Log, Report, Remedy
GDPR / DPA expectation: Anticipate, Avoid, Mitigate, Compensate
Penalties under GDPR

Risk surface:
- Number of victims
- Territory
- Types of data

72 hours to notify of a breach once aware

Fines: 2% or 10 mil; 4% or 20 mil

What triggers an investigation?
- Complaint by consumer, employee, competitor
- Own initiative
- Security incident

Enforcement by national Data Protection Authorities
What about BREXIT?

Any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
Starting Questions for the GDPR: How ready are you? Count your "No" answers!
- Do you know what personal data you process? Yes / No
- Do you know where it is and how it flows in the organisation? Yes / No
- Do you consider privacy at every level? Yes / No
- Do you think user-first in security? Yes / No
- Have you reviewed your information risk management process for data privacy? Yes / No
- Have you reviewed your security controls against privacy requirements? Yes / No
- Do you have robust detection and monitoring processes? Yes / No
- Have you tested and implemented your response plans, including notification and external communication? Yes / No
Recommendations
- Use this year wisely; implementation may take longer than you think
- Engage with your board; report on progress in addressing data privacy through your security program
- Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk
- Understand and tackle your big data privacy and security risks
- Document what personal data you hold and ensure lawful use
- Identify where technology can help you achieve compliance:
  - PREPARE: understand the IT (and data) environment and risks
  - PROTECT: secure personal data everywhere
  - DETECT: breach monitoring and detection
  - RESPOND: incident response planning
Apply What You Have Learned Today

Immediate:
- Understand whether you process European data, either because you are doing business in Europe or as part of the supply chain
- Try to answer for yourself the 8 GDPR questions

Next 3 months:
- Understand the level of maturity and awareness within your own organisation
- Talk to key stakeholders; there may already be a GDPR project in preparation

Next 6 months:
- Start or participate in a GDPR compliance program
- Understand the impact it will have on IT infrastructure and prepare for it
- Prepare an investment strategy for key technologies that will facilitate compliance
THANK YOU!

Ilias_chantzos@symantec.com