Charting the Course to GDPR: Setting Sail


SESSION ID: GRC R02
Charting the Course to GDPR: Setting Sail
Cindy E. Compert, CIPT/M, CTO Data Security & Privacy, IBM Security, @CCBigData

Disclaimer Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the client's business and any actions the client may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
None of the statements contained herein constitutes legal advice; it is process advice only. IBM PROPRIETARY 2017 IBM Corporation

"A ship in port is safe; but that is not what ships are built for. Sail out to sea and do new things." - Grace Hopper

Agenda
- GDPR: A Quick Overview
- Tips to Help You Get Underway
- Q&A
Nothing in this presentation should be considered legal guidance or direction. IBM does not provide legal advice. IBM recommends that your clients consult with the appropriate legal counsel as necessary.

EU GDPR Privacy Regulations: major impact
EU individual rights enhanced, harmonized and extended globally:
- Inform / access / rectify / erase / object
- Give or withdraw data-specific consent
- Insight into automatic decision making
- Transfer personal data to another provider (portability)
Broadened scope of Personal Data:
- All direct and indirect identifiers
- Behavioral, derived and self-identified data
- Adds biometric and genetic data
- Some exemptions where data is used by government or for research
Organizational impact:
- Stringent data security and 72-hour breach notification
- Data controllers and data processors liable for breaches
- Data controllers legally bound to validate data processors' compliance
- Data Protection Officer obligatory in specific cases
- Conditions for cross-border data transfer altered
Increased cost of noncompliance:
- Fines up to 4% of annual turnover or 20 million Euro
- Data Privacy Authorities empowered
- Increased activist and court activity
- Risk / cost of reputation loss

IBM's GDPR Framework: 5 phases to readiness (Phase / Activity / Outcome / Technical and Organisational Measures)
Assess
- Activity: Conduct GDPR assessments across privacy, governance, people, processes, data, security; develop GDPR Readiness Roadmap; identify personal data
- Outcome: Assessments and roadmap
- TOMs: Identify GDPR impact and plan Technical and Organisational Measures (TOMs)
Design
- Activity: Design governance, training, communication, and process standards; design privacy, data management and security management standards
- Outcome: Defined implementation plan
- TOMs: Includes Data Protection controls, processes and solutions to be implemented
Transform
- Activity: Develop and embed procedures, processes, and tools; deliver GDPR training; develop/embed standards using Privacy by Design, Security by Design, data management policies
- Outcome: Process enhancements completed
- TOMs in place: Personal Data discovery, classification and governance in place
Operate
- Activity: Execute all relevant business processes; monitor security and privacy using TOMs; manage data subject access and consent rights
- Outcome: Operational framework in place
- TOMs: Begin the new GDPR-compliant way of working
Conform
- Activity: Monitor, assess, audit, report and evaluate adherence to GDPR standards
- Outcome: Ongoing monitoring and reporting
- TOMs: Monitor TOMs execution; deliver compliance evidence to internal and external stakeholders

IBM Security Framework: Key Activities to address GDPR (ASSESS / DESIGN / TRANSFORM)
Privacy Requirements
- ASSESS - PREPARE: Conduct GDPR assessments, assess and document GDPR-related policies; assess data subject rights to consent, access, correct, delete, and transfer personal data
- ASSESS - DISCOVER: Discover and classify personal data assets and affected systems; identify access risks, supporting Privacy by Design
- ASSESS - ROADMAP: Create GDPR remediation/implementation plan
- DESIGN - PRIVACY BY DESIGN: Design policies, business processes and supporting technologies; create GDPR Reference Architecture; evaluate Controller/Processor governance
- TRANSFORM - TRANSFORM PROCESSES: Implement and execute policies, processes and technologies; automate data subject access requests
Security Requirements
- ASSESS - PREPARE: Assess security current state, identify gaps, benchmark maturity, establish conformance roadmaps; identify vulnerabilities, supporting Security by Design
- ASSESS - DISCOVER: Discover and classify personal data assets and affected systems to design security controls
- ASSESS - ROADMAP: Create security remediation/implementation plan
- DESIGN - SECURITY BY DESIGN: Create Security Reference Architecture; design Technical and Organizational Measures (TOMs) appropriate to risk (encryption, pseudonymisation, access control, monitoring, etc.)
- TRANSFORM - PROTECT: Implement privacy-enhancing controls (e.g. encryption, tokenization, dynamic masking); implement security controls; mitigate access risks and security vulnerabilities

IBM Security Framework: Key Activities to address GDPR (OPERATE / CONFORM)
Privacy Requirements
- OPERATE - MANAGE GDPR PROGRAM: Manage GDPR data governance practices such as Information Lifecycle Governance; manage GDPR enterprise conformance programs such as data use, consent activities, data subject requests
- OPERATE - RUN SERVICES: Monitor personal data access; govern roles and identities
- CONFORM - DEMONSTRATE: Record personal data access audit trail including data subject rights to access, modify, delete, transfer data; run Data Processor/Controller governance including providing processor guidance, tracking data processing activities, providing an audit trail, and preparing for data subject access requests; document and manage compliance program (ongoing monitoring, assessment, evaluation and reporting of GDPR activities)
- CONFORM - RESPOND: Respond to and manage breaches
Security Requirements
- OPERATE - MANAGE SECURITY PROGRAM: Manage and implement security program practices such as risk assessment, roles and responsibilities, program effectiveness
- OPERATE - RUN SERVICES: Monitor security operations and intelligence (monitor, detect, respond to and mitigate threats); govern data incident response and forensics practices
- CONFORM - DEMONSTRATE: Demonstrate technical and organizational measures to ensure security appropriate to processing risk; document security program (ongoing monitoring, assessment, evaluation and reporting of security controls and activities)
- CONFORM - RESPOND: Respond to and manage breaches

Governance Activities (PRIVACY REQUIREMENTS - GOVERN)
- Develop data lifecycle management processes
- Maintain enterprise vocabulary
- Manage data subject quality
- Govern risk and compliance
- Vendor management

Setting Sail Top Tips

Tip 1: Know your risks and vulnerabilities

Tip 1: Identify and mitigate risks and vulnerabilities
What is it? Article 35 - Data Protection Impact Assessments (DPIA) enable organizations to identify and mitigate risks of proposed data processing activities before those activities start. Data Protection includes Privacy and Security.
Why it matters: Article 35(7)(d) - The Data Protection Impact Assessment includes assessing risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this Regulation.

People, Data, Applications: Where are your risks?
People Risks
- Use Identity Governance to identify and mitigate access risks
- Automate user and identity lifecycle processes
- Identify entitlements and activity
- Remediate user access policy violations
Application Risks
- Application inventory
- Identify and mitigate vulnerabilities
Data Layer Risks
- Find and mitigate known vulnerabilities (RDBMS, NoSQL, Hadoop)

Tip 1: Set Sail: Sample Risk Dashboard
- Visibility into residency of information assets and associated data
- Inventory of data controllers and processors
- Key stakeholders' view for accountability

Tip 2: Create a (good) map

Tip 2: To create a good map, you need to discover and classify Personal Data
What and where is it? Understand and document where Personal Data is stored and processed, including with/by third parties.
Why it matters:
- Organizations need to understand what data they hold and process to assess risk and design adequate controls
- Personal data is the foundation of GDPR
- Classification and data mapping are necessary to support Data Portability, Right of Access and Right of Erasure

Tip 2: Automation makes discovery and classification easier
- Discover database instances on the network
- Catalog Search: Search the database catalog for table or column name
- Search for Data: Match specific values or patterns in the data
- Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
- Classify Data: Put data in actionable groups, automatically or manually
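The three discovery techniques on this slide (catalog search by column name, pattern search over values, and grouping the hits into actionable classes) can be shown end to end in a few dozen lines. The following is an added example written for this page, not IBM's or any product's code; the catalog, the CSV body, the keyword lists and the regular expressions are all constructed for illustration and would be tuned to a real environment.

```python
import csv
import io
import re

# Constructed sample inputs (invented names and values): a database catalog
# (table -> column names) and the body of one CSV export.
SAMPLE_CATALOG = {
    "customers": ["customer_id", "full_name", "email_address", "date_of_birth", "plan"],
    "orders": ["order_id", "customer_id", "amount", "shipping_phone"],
    "inventory": ["sku", "qty", "warehouse"],
}

SAMPLE_CSV = """id,name,contact,notes
1,Ana Example,ana@example.org,called on +44 20 7946 0958
2,Bo Sample,,no contact
3,Cy Demo,cy.demo@example.net,prefers email
"""

# Catalog search: column-name fragments that suggest personal data (assumed keyword lists).
CATALOG_KEYWORDS = {
    "direct_identifier": ("name", "email", "phone", "ssn", "passport"),
    "special_category": ("birth", "dob", "health", "genetic", "biometric"),
}

# Data search: value patterns for structured and unstructured files (assumed patterns).
VALUE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+?\d[\d\s-]{8,}\d"),
}


def search_catalog(catalog):
    """Return {table.column: class} for columns whose names match a keyword."""
    hits = {}
    for table, columns in catalog.items():
        for col in columns:
            lowered = col.lower()
            for cls, words in CATALOG_KEYWORDS.items():
                if any(w in lowered for w in words):
                    hits[f"{table}.{col}"] = cls
                    break
    return hits


def search_values(csv_text):
    """Return {column: {pattern_name: match_count}} for cells matching a value pattern."""
    counts = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, cell in row.items():
            for name, pattern in VALUE_PATTERNS.items():
                if cell and pattern.search(cell):
                    counts.setdefault(col, {}).setdefault(name, 0)
                    counts[col][name] += 1
    return counts


def classify(catalog_hits, value_hits):
    """Put every discovered location into one actionable group (sorted for stable output)."""
    groups = {"direct_identifier": set(), "special_category": set(), "contact": set()}
    for location, cls in catalog_hits.items():
        groups[cls].add(location)
    for col, patterns in value_hits.items():
        if "email" in patterns or "phone" in patterns:
            groups["contact"].add(f"csv.{col}")
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    result = classify(search_catalog(SAMPLE_CATALOG), search_values(SAMPLE_CSV))
    for group, locations in result.items():
        print(group, locations)
```

Note that the value search finds the phone number hiding in the free-text "notes" column, which no catalog search would flag; that is why the slide lists both techniques. The classes produced here are the "actionable groups" the last bullet refers to, and they feed directly into the data map Tip 2 asks for.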

Jump start your efforts with a Critical Data Protection framework (DEFINE / DISCOVER / BASELINE / SECURE / MONITOR, under Program Governance)
DEFINE - What is the personal data?
- Understand overall data security strategy
- Determine data protection objectives
- Develop organizational data model / taxonomy
DISCOVER - Where is it? How is it used?
- Understand data environment, infrastructure and lifecycle
- Perform iterative discovery, analysis and classification
BASELINE - What is required to protect critical data?
- Establish baseline security requirements for personal data
- Assess current data security processes and controls
- Determine gaps and identify solutions
SECURE - How to plan, design and implement?
- Plan and prioritize technical and business process transformations
- Design and implement solutions that protect critical data, enable access and align to business growth objectives
MONITOR - How to manage critical data protection?
- Develop governance framework, risk metrics and monitoring processes
- Periodically validate data protection strategy and methodology

Tip 2: Find identifiers first, since personal data must be identifiable

Tip 3: Data Processor/Controller Governance: Track where data is processed
What is it? Data controllers and processors need to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that processing is performed in accordance with the Regulation.
Why it matters: GDPR requires demonstrating compliance. How will you document and manage data processing audit trails?

Tip 3: Track where data is processed: Audit local and remote activity (GDPR Personal Data Activity Report)

Tip 3: Design a scalable audit trail
- Watch sensitive data and data access all the time
- Monitor it everywhere it lives
- Protect data at rest and in motion
- Easily review results and monitor your data security heartbeat

Tip 4
"I am thankful the most important key in history was invented. It's not the key to your house, your car, your boat, your safety deposit box, your bike lock or your private community. It's the key to order, sanity, and peace of mind. The key is 'Delete'." - Elayne Boosler

Tip 4: Track data subjects' rights to access, modify, delete and transfer data
What is it? Individuals can request that organizations produce information held about them, and have the right to rectify (correct), delete, or transfer data. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month, and to give reasons where the controller does not intend to comply with any such requests.
Why it matters:
- GDPR's highest fines (4%) are for violating data subject rights, such as failing to respond and failure to provide adequate information
- Data subjects also have the right to recover monetary damages

Tip 4 at work: Automating the audit compliance workflow

Tip 5: Scramble!

Tip 5: Encrypt / obfuscate (pseudonymize*) data before processing
What is it? GDPR Article 32, Security of processing: "the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data".
Why it matters: Article 33 - Clients may not need to notify data subjects about a breach if the personal data has been rendered unintelligible to any person who is not authorised to access it, such as by encryption. The only technical controls mentioned in GDPR are encryption and pseudonymisation (de-identifying data with a mechanism to re-identify if necessary).
*Pseudonymize (pronounced "Soo DON ih mize"): replacing identifying characteristics of data with a value which does not allow the data subject to be directly identified without additional information.
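The footnote's definition of pseudonymisation has two halves: the replacement value must not identify the subject on its own, and re-identification must remain possible with "additional information" that is held separately. The following added example (written for this page, not IBM's code) implements exactly that with a keyed HMAC: the same subject always gets the same token, so the processor can still aggregate per subject, but only the party holding the key and the lookup table can map tokens back. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (invented values). Two of them belong to the same subject.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "ana@example.org", "plan": "gold", "spend": 120},
    {"customer_id": "C-1002", "email": "bo@example.net", "plan": "basic", "spend": 15},
    {"customer_id": "C-1001", "email": "ana@example.org", "plan": "gold", "spend": 80},
]
# Fields treated as direct identifiers for this example.
DIRECT_IDENTIFIERS = ("customer_id", "email")


class Pseudonymiser:
    """Replaces direct identifiers with keyed tokens and keeps the re-identification
    table apart from the pseudonymised data set (the 'additional information')."""

    def __init__(self, key=None):
        # The key stays with the controller; the processor receives only tokens.
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}  # token -> original value, stored separately from the data

    def token(self, value):
        # HMAC-SHA256 keyed token: deterministic per key (joins across records still
        # work) but not reversible without the key or the lookup table. Truncated to
        # 16 hex characters for readability; keep the full digest in production.
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record):
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                t = self.token(out[field])
                self.lookup[t] = out[field]
                out[field] = t
        return out

    def reidentify(self, record):
        # Only possible for whoever holds self.lookup (or the key plus the candidate values).
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out and out[field] in self.lookup:
                out[field] = self.lookup[out[field]]
        return out


def total_spend_per_subject(pseudonymised):
    """Analytics on the pseudonymised set: per-subject totals using tokens only."""
    totals = {}
    for r in pseudonymised:
        totals[r["customer_id"]] = totals.get(r["customer_id"], 0) + r["spend"]
    return totals


def contains_direct_identifiers(records):
    """True if any original identifier value survives in the given records."""
    originals = {r[f] for r in SAMPLE_RECORDS for f in DIRECT_IDENTIFIERS}
    return any(r[f] in originals for r in records for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    p = Pseudonymiser()
    safe = [p.pseudonymise(r) for r in SAMPLE_RECORDS]
    print("identifiers left in data set:", contains_direct_identifiers(safe))
    print("spend per token:", total_spend_per_subject(safe))
    print("re-identified:", p.reidentify(safe[0]))
```

Two design points matter for the Article 32 argument the slide makes. A plain unkeyed hash would not qualify, because anyone can hash a guessed e-mail address and compare; the key is what turns the token into "additional information". And the data set is only pseudonymised, not anonymised: the lookup table (or the key) must be stored and access-controlled separately, otherwise the breach of one store exposes both.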

Tip 5: Encryption Examples
Database Encryption
- Usage: Encrypt tablespace, log, and other database files
- Common databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL
Unstructured Data Encryption
- Usage: Encrypt and control access to any type of data used by a LUW (Linux, UNIX, Windows) server
- Common data types: Logs, reports, images, ETL, audio/video recordings, documents, big data
- Examples: FileNet, Documentum, Nice, Hadoop, home-grown, etc.
Cloud Encryption
- Usage: Encrypt and control access to data used by cloud instances
- Common cloud providers: Amazon EC2, Rackspace, MS Azure

Tip 5: A Safe Harbor

Tip 6: You need to support breach management and notification, including incident forensics
What is it? GDPR Article 33: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority." "The processor shall notify the controller without undue delay after becoming aware of a personal data breach."
Why it matters: Both processors and controllers have responsibilities to report breaches in a timely manner, or risk substantial fines. The EU has never had mandated breach reporting. Organizations will struggle with coordinating the people, process, and information needed to report and respond to a breach within the 72-hour window.

Tip 6: Automate your Incident Response

Summary

Apply What You've Learned
- Conduct a Readiness Assessment
- Identify impacted business areas
- Evaluate current practices against the new requirements; focus on process development, best practices and organizational need
- Define a maturity model and gap/remediation plan to help develop and implement your compliance roadmap
- Appoint GDPR Czars in business units to coordinate activities
This should not be considered legal advice; it is process advice only. Reach out to the appropriate legal counsel for guidance as necessary.

Thank You

Reference

Links and further reading
- GDPR Full Regulations: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
- IAPP Top 10 Operational Impacts of GDPR: https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/
- IBM GDPR Webinar recordings (5): http://ibm.biz/gdprwebinars
- GDPR Blog "Learn, Think, Prepare": http://ibm.biz/bdsaye
- IBM Security GDPR: http://www-03.ibm.com/security/campaign/gdpr.html

The new General Data Protection Regulation: the clock is ticking!
Three primary objectives of the GDPR:
- To create a unified data protection law for all 28 European countries
- To enhance the level of data protection for EU data subjects
- To modernize the law in line with existing and emerging technologies
Caveat: The GDPR is still a work in progress and the details for its implementation have not yet been finalized. GDPR will fundamentally change the way companies must manage their data.

Terminology
Data Protection
- Data Protection in the EU = Data Privacy
- Data Protection in the US = Data Security
- Data Protection in the EU covers both Data Privacy requirements and Data Security requirements
Data processing
- Any handling of Personal Data throughout its entire life cycle, from collection to deletion, is considered processing. Even remote access is considered processing.
Personal Data; Data Controllers, Data Processors, Data Subjects
GDPR Glossary: http://www.eugdpr.org/glossary-of-terms.html

Key aspects of the Regulation
- GDPR came into force in May 2016 and will be applicable as of May 25, 2018
- It also has international reach, applying to any organization that processes data of EU data subjects
- Fines for non-compliance will increase substantially, up to a maximum fine of 20 million Euro or 4% of global annual turnover per incident, whichever is higher
- The majority of US and EU companies are not ready for the new privacy requirements of the GDPR

Enhanced level of protection for data subjects
- Definition of Personal Data now explicitly includes online identifiers, location data and biometric/genetic data
- Higher standards for privacy notices and for obtaining consent
- Easier access to personal data by a data subject
- Enhanced right to request the erasure of their personal data
- Right to transfer personal data to another organization (portability)
- Right to object to processing now explicitly includes profiling

Enhanced obligations on data controllers and processors
- Operationalization of a Data Protection by Design and by Default process
- Requirement to conduct risk analysis and Data Protection Impact Assessments (DPIA)
- Appointment of a Data Protection Officer (DPO)
- Implementation of technical and organizational security measures appropriate to the risks presented
- Breach notification obligations
- Increased obligations for data processors

GDPR Readiness: Activities your company should be performing
- Understand how the new GDPR obligations will impact your business
- Determine what personal data you have, where it is located, and how it flows within the organization
- Determine how the personal data are secured
- Appoint a Data Protection Officer where necessary
- Review all privacy notices
- Review data subject consent and choice mechanisms
- Review processes addressing data subjects' access, correction and erasure requests
- Review data retention schedules
- Assess external contracts, both as a controller and/or as a processor
- Review all cross-border data transfers

GDPR Readiness: Embark on organizational change
- Implement a Data Protection by Design approach to new systems, services and products
- Conduct a Data Protection Impact Assessment (DPIA) where required
- Document privacy compliance activities
- Implement and document appropriate security measures
- Create breach response and notification protocols
- Develop audit capabilities and processes
- Train employees
- Make sure the appropriate budgets are in place to support the changes
Collaboration is key!

Don't stop now: There's more to Tip 1
Take the next step and identify additional risks. There are many types of risks:
- Unauthorized Users: anyone that can connect to the database to see the cardholder data
- Unauthorized IP Addresses: only certain servers are allowed to communicate together
- Unauthorized Programs: access by other programs bypasses other security controls
- Monitoring Database Objects: only certain tables contain sensitive data
(Example connection from the slide: 10.10.9.27 / MS Excel / Joe)
However, to simplify these risks, let's call it an unauthorized connection.

Sample Database Vulnerability Assessment Report
- Overall score
- Summary test results
- Detailed scoring matrix
- Filter control for easy use
- Result history shows trends
- Detailed test results
- External reference
- Detailed remediation suggestions

...and record and audit policy violations, and quarantine connections for unauthorized access.
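The "unauthorized connection" idea above (user, source IP, client program and the objects touched, checked against what is allowed for a database holding sensitive data) and the follow-on of recording violations and quarantining the connection can be expressed as a small policy check that emits the audit records Tip 3 asks for. The following is an added example for this page, not IBM's or any product's logic; the policy values are constructed, and the sample "joe / 10.10.9.27 / MS Excel" connection is the one pictured on the slide.

```python
from dataclasses import dataclass, field

# Constructed policy for one database (all values invented for the example).
POLICY = {
    "allowed_users": {"app_svc", "dba_maria"},
    "allowed_ips": {"10.10.9.10", "10.10.9.11"},      # only the application servers
    "allowed_programs": {"app-server", "sqlplus"},
    "sensitive_objects": {"customers", "cardholder"},  # tables holding personal data
}


@dataclass
class Connection:
    user: str
    ip: str
    program: str
    objects: tuple  # tables touched in the session


@dataclass
class Verdict:
    allowed: bool
    violations: list = field(default_factory=list)
    action: str = "allow"  # allow | alert | quarantine


def evaluate(conn, policy=POLICY):
    """Check one connection against the four risk types from the slide."""
    v = Verdict(allowed=True)
    if conn.user not in policy["allowed_users"]:
        v.violations.append(f"unauthorized user {conn.user}")
    if conn.ip not in policy["allowed_ips"]:
        v.violations.append(f"unauthorized ip {conn.ip}")
    if conn.program not in policy["allowed_programs"]:
        v.violations.append(f"unauthorized program {conn.program}")
    v.allowed = not v.violations
    touched = set(conn.objects) & policy["sensitive_objects"]
    if v.violations and touched:
        # Policy violation reaching a sensitive object: quarantine the connection.
        v.action = "quarantine"
    elif v.violations:
        # Violation without sensitive-object access: record and alert, do not block.
        v.action = "alert"
    return v


def audit_record(conn, verdict):
    """One audit-trail line per connection, whether allowed or not."""
    return (f"{verdict.action.upper()} user={conn.user} ip={conn.ip} "
            f"program={conn.program!r} objects={','.join(conn.objects)} "
            f"violations={len(verdict.violations)}")


def audit_log(connections, policy=POLICY):
    """Evaluate a batch of connections and return the audit-trail lines."""
    return [audit_record(c, evaluate(c, policy)) for c in connections]


# Constructed sample sessions, including the one from the slide.
SAMPLE_CONNECTIONS = [
    Connection("app_svc", "10.10.9.10", "app-server", ("orders", "customers")),
    Connection("dba_maria", "192.0.2.5", "sqlplus", ("orders",)),
    Connection("joe", "10.10.9.27", "MS Excel", ("cardholder",)),
]

if __name__ == "__main__":
    for line in audit_log(SAMPLE_CONNECTIONS):
        print(line)
```

The point of emitting a record for allowed sessions too is the audit trail Tip 3 describes: demonstrating compliance means being able to show who accessed personal data, not only who was blocked. The quarantine decision is deliberately tied to the sensitive-object list, so an anomalous but harmless connection produces an alert to review rather than an outage.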

Tip 4: Enhance your tracking using Privileged Identity Management credentials for data subject requests

Tip 5: Consider centralized key management to support all encryption environments