How the GDPR will impact your software delivery processes

About Redgate: 230 Redgaters and counting; 17 years old; 202,000 customers; 2m SQL Server Central and Simple Talk users; 91% of the Fortune 100 use our tools; 4m website visits each year; 1058 product releases last year; 68 user groups sponsored last year.

Your presenter: Richard Macaskill, Product Manager, richard.macaskill@red-gate.com, @datamacas

Disclaimer: this is NOT legal advice. No legal review has been undertaken of this material. I am not a lawyer!

We will discuss:
- The principles of data protection
- Understanding GDPR jargon
- Steps to consider to ensure compliance: building your defensible position under GDPR
- An introduction to Redgate's Data Privacy and Protection Solution

History

Data Breaches are the New Normal

Year   Data breaches   Millions of records exposed
2012   447             17
2013   614             92
2014   783             86
2015   781             169
2016   1093            37
2017   1579            179

Source: Identity Theft Resource Center

The General Data Protection Regulation: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). A roughly 50,000-word document.

The General Data Protection Regulation: "The Biggest Legislative Change The Data Industry has Ever Seen". "There's a lot in the GDPR you'll recognise from the current law but make no mistake, this one's a game changer for everyone." Elizabeth Denham, UK Information Commissioner, 17 Jan 2017

The global scope of the GDPR: non-EU organisations are subject to the GDPR where they process personal data about individuals who are in the EU in connection with: the offering of goods or services to them (payment is not required); or monitoring their behaviour within the EU (Article 3(2)). Note that the test is where the data subject is, not their citizenship.

What about the U.S.?

GDPR as blueprint: Japan: Act on the Protection of Personal Information (amended along similar lines); Australia: Privacy Amendment (Notifiable Data Breaches) Bill 2016; UK (post Brexit): Data Protection Bill (carries the GDPR into UK law); US: NIST Special Publication 800-53 (a security and privacy controls catalogue rather than a privacy law) plus state regulations.

Key changes: increased territorial scope; consent; penalties of up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater ("such penalties shall be effective, proportionate and dissuasive").

Roles: Controller, Processor, Data Subject

Categories: privacy of what? Not all data is private. Before the GDPR applies (25 May 2018) you'll be expected to have audited your data and identified the two categories of personal data that require special handling: standard personal data, and special category personal data (Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life and sexual orientation). By implication, there is also other data, and data not yet classified?

Personal data breaches can include:
- Access by an unauthorised third party
- Deliberate or accidental action (or inaction) by a controller or processor
- Sending out personal data to an incorrect recipient
- Computing devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data

Data subjects' rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling

The principles of GDPR are the principles of good data protection

1) Lawful, fair and transparent Data shall be processed lawfully, fairly and in a transparent manner in relation to individuals What makes processing lawful and transparent?

2) Purpose Limitation Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes How is the data you collect used?

3) Data Minimisation Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed More data = more risk

4) Data Accuracy Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay Are you making decisions based on inaccurate data?

5) Storage Limitation Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

6) Integrity and Confidentiality Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures What are appropriate technical measures?

Understanding GDPR jargon

Data Protection by Design and by Default: a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Do it early, not as an afterthought.

Appropriate technical measures:
- Documentation
- Encryption, pseudonymization, anonymization
- Oversight of protection
- Change control
- Procedures for out-of-process change

Documentation

Pseudonymization vs Anonymization: "The principles of data protection should therefore not apply to anonymous information, that is [...] data rendered anonymous in such a way that the data subject is not or no longer identifiable" (Recital 26). The same recital makes the other half of the distinction explicit: pseudonymised data, which could be attributed to a person by using additional information such as a key or lookup table, is still personal data and stays in scope.

Most organizations copy live data down into development and test environments: https://assets.red-gate.com/products/dba/sql-clone/sql-server-database-provisioning-report.pdf
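A worked illustration of the distinction, added here and not taken from the talk or from Redgate's tooling. It assumes a hypothetical customer table (constructed rows), a hypothetical controller-held key, and function names of my own choosing. Pseudonymisation uses a keyed HMAC rather than a bare hash, because a bare hash of an e-mail address can be reversed by guessing inputs; the HMAC key is the "additional information" the controller must keep separately, and as long as it exists the data is still personal data. Anonymisation suppresses the direct identifiers and generalises the rest, and the k-anonymity check is the sanity test that no row is unique on the attributes that remain.

```python
"""Pseudonymisation vs anonymisation on a constructed customer extract.

Added example; not code from the talk or from Redgate's products. The table,
key and function names are hypothetical and chosen for illustration.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample rows standing in for a production copy-down.
CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "dob": "1984-03-09", "postcode": "CB4 0WZ", "diagnosis": "asthma"},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.org",
     "dob": "1987-11-21", "postcode": "CB4 1AA", "diagnosis": "none"},
    {"id": 1003, "name": "Carol Demo", "email": "carol@example.net",
     "dob": "1975-06-30", "postcode": "SW1A 1AA", "diagnosis": "diabetes"},
    {"id": 1004, "name": "Dan Test", "email": "dan@example.com",
     "dob": "1971-01-02", "postcode": "SW1A 2AA", "diagnosis": "none"},
]

QUASI_IDENTIFIERS = ("birth_decade", "postcode_area")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Deterministic for a given key, so the same
    subject always maps to the same token and rows stay joinable; without
    the key the token can be neither reversed nor recomputed. The key is the
    'additional information' that must be held separately (Art. 4(5))."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize_row(row: dict, key: bytes) -> dict:
    """Replace the direct identifiers with one token; keep everything else."""
    return {
        "subject_token": pseudonymize(row["email"], key),
        "dob": row["dob"],
        "postcode": row["postcode"],
        "diagnosis": row["diagnosis"],
    }


def find_subject(pseudo_rows: list, key: bytes, email: str) -> list:
    """Whoever holds the key can still single out one person. This is why
    pseudonymised data remains personal data."""
    token = pseudonymize(email, key)
    return [r for r in pseudo_rows if r["subject_token"] == token]


def anonymize_row(row: dict) -> dict:
    """Suppress direct identifiers and generalise quasi-identifiers so that
    no row can be tied back to a person; there is no key that undoes this."""
    year = int(row["dob"][:4])
    return {
        "birth_decade": f"{year // 10 * 10}s",
        "postcode_area": row["postcode"].split()[0],
        "diagnosis": row["diagnosis"],
    }


def k_anonymity(rows: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means some row is unique on those attributes and could be
    re-identified by linking to another dataset: treat that as a failure."""
    classes = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(classes.values()) if classes else 0


def mask_for_dev(rows: list, key: bytes) -> tuple:
    """Produce the two shapes a dev/test copy-down might take."""
    pseudo = [pseudonymize_row(r, key) for r in rows]
    anon = [anonymize_row(r) for r in rows]
    return pseudo, anon


if __name__ == "__main__":
    # Illustrative fixed key only; a real controller would generate a random
    # key and store it away from the masked copy.
    key = bytes.fromhex("00" * 32)
    pseudo, anon = mask_for_dev(CUSTOMERS, key)
    print("with the key, Alice is still findable:",
          find_subject(pseudo, key, "Alice@Example.com"))
    print("without the key:", find_subject(pseudo, b"\x01" * 32, "alice@example.com"))
    print("anonymised copy, k =", k_anonymity(anon), anon)
```

Running the block shows that Alice's row can be found in the pseudonymised copy with the key but not with a different one, and that the anonymised copy reaches k = 2 on this sample. A real masking step for a dev/test copy-down would apply rules like these per column according to its classification, and whether a given output counts as "anonymous" has to be judged against what other data the recipient could link it to, not just against the copy on its own.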

Consented vs non-consented processing

Data Protection Impact Assessment (DPIA), Article 35(7):
- A description of the envisaged processing operations and the purposes of the processing
- An assessment of the necessity and proportionality of the processing operations
- An assessment of the risks to the rights and freedoms of the data subjects concerned
- The measures which will be put in place to address those risks and demonstrate compliance

Data Protection Impact Assessment: is it necessary? 9 criteria:
1. Evaluation or scoring, e.g. consulting an AML or fraud prevention database
2. Automated decision taking leading to legal or similarly significant effects
3. Systematic monitoring in publicly accessible areas
4. Processing of sensitive or highly personal data (communications data, location data, financial data)
5. Large scale processing
6. Matching databases
7. Vulnerable data subjects where there is an imbalance of power: children, employees, patients, the elderly
8. Innovative uses of technology; the example given is that IoT applications may require a DPIA
9. Processing which could exclude individuals from using a service or contract, or from exercising a right
ARTICLE 29 DATA PROTECTION WORKING PARTY, October 2017 revision: http://ec.europa.eu/newsroom/document.cfm?doc_id=44137

Data Protection Impact Assessment: "In practice, this means that controllers must continuously assess the risks created by their processing activities in order to identify when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons." ARTICLE 29 DATA PROTECTION WORKING PARTY, October 2017 revision: http://ec.europa.eu/newsroom/document.cfm?doc_id=44137

Subject access requests relate to the data subject's rights:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling

Breach notification checklist:
- We have an assessment process
- We know who is the relevant supervisory authority
- We have a notification process (within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; a late notification must say why it is late)
- We know what information we must give the ICO
- We have a process to inform affected individuals (if the breach is likely to result in a high risk to them)
- We know we must inform affected individuals without undue delay
- We know what information to provide to individuals
- We document all breaches, including those we decide not to notify

Accountability: "The controller shall be responsible for, and be able to demonstrate compliance with, [the principles]" (Article 5(2)). 39 of the 99 GDPR Articles require evidence to demonstrate compliance.

Demonstrating compliance: "In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default" (Recital 78).

Steps to consider in ensuring compliance:
1. Where is your data?
2. What exactly is your data?
3. Who is accessing your data, and for what purpose?
4. How can you demonstrate adequate protection?

How will GDPR impact your software delivery?

The best compliance is deterministic. It's not that you did the right thing; it's that the right thing is ALWAYS done. The use of data should be driven by the consent given and the processing policies agreed to, and how each item of data may be handled is then driven by its classification.

Redgate s Data Privacy and Protection Solution

What customers get from our solution: Redgate helps you protect your business by providing a scalable and repeatable process for managing personally identifiable information as it moves through your SQL Server estate. Our solution maps a customer's SQL data estate, then monitors and controls it for protection appropriate to the sensitivity of the data, ensuring compliance during data handling.

1. Discover: save time mapping your SQL Server estate, from production servers to copies for development and test. Gain insight into where databases live, what data they contain, and who has access to it.
Tools for the job: provides a window into your SQL Server estate; auto-discovers SQL Servers in your domains; shows who has access to what, and their permission level.

2. Classify: remove the guesswork in understanding which tables or columns contain sensitive data for compliance. Give data context by assigning descriptive labels aligned to the Microsoft taxonomy. This is the foundation for applying the right security levels to data as it moves around the SQL Server estate.
Tools for the job: label servers, databases, tables and columns to tag which contain PII, using a taxonomy aligned to Microsoft's: personal, non-personal, and special.
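An added example of the discovery and classification step, written here and not Redgate's code. It assumes a constructed orders table, and column names, hint lists and function names of my own choosing; the rules are deliberately simple (column-name hints plus value patterns over a sample of rows) so the mechanics are visible. Columns matched by nothing land in an "unclassified" bucket, which is the category the earlier slide left as a question mark and the one that needs a human decision before the table is copied anywhere.

```python
"""Rule-based discovery and classification of columns holding personal data.

Added example; this is not the Redgate tooling described above. The table,
column names, sample values and hint lists are constructed for illustration,
and the rules are a starting point a team would extend, not a complete
taxonomy.
"""
import re

PERSONAL, SPECIAL, NONPERSONAL, UNCLASSIFIED = (
    "personal", "special", "nonpersonal", "unclassified")

# Value patterns for common direct identifiers (UK-flavoured, constructed).
VALUE_RULES = [
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    ("uk_phone", re.compile(r"^(\+44\s?|0)\d{4}\s?\d{6}$")),
    ("ni_number", re.compile(r"^[A-Z]{2}\d{6}[A-D]$", re.IGNORECASE)),
    ("iso_date", re.compile(r"^\d{4}-\d{2}-\d{2}$")),
]

# Column-name hints. Special-category terms follow the Art. 9(1) list.
SPECIAL_NAME_HINTS = ("health", "diagnosis", "medical", "religion", "ethnic",
                      "trade_union", "sexual", "biometric", "genetic", "political")
PERSONAL_NAME_HINTS = ("name", "email", "phone", "dob", "birth", "address",
                       "postcode", "national_insurance")
NONPERSONAL_NAME_HINTS = ("sku", "product", "quantity", "price", "currency")

MATCH_THRESHOLD = 0.8  # fraction of sampled values that must match a rule


def classify_column(name: str, values: list) -> dict:
    """Label one column from its name and a sample of its values.

    Name hints decide special vs personal vs non-personal; value patterns
    promote an otherwise unknown or non-personal column to personal and are
    always recorded as evidence. Anything left is 'unclassified' and needs a
    human decision.
    """
    lname = name.lower()
    label, reasons = UNCLASSIFIED, []
    if any(h in lname for h in SPECIAL_NAME_HINTS):
        label, reasons = SPECIAL, ["name contains a special-category hint"]
    elif any(h in lname for h in PERSONAL_NAME_HINTS):
        label, reasons = PERSONAL, ["name contains a personal-data hint"]
    elif any(h in lname for h in NONPERSONAL_NAME_HINTS):
        label, reasons = NONPERSONAL, ["name contains a non-personal hint"]

    sample = [str(v) for v in values if v not in (None, "")]
    for rule_name, pattern in VALUE_RULES:
        hits = sum(1 for v in sample if pattern.match(v))
        if sample and hits / len(sample) >= MATCH_THRESHOLD:
            reasons.append(f"{hits}/{len(sample)} sampled values match {rule_name}")
            if label in (UNCLASSIFIED, NONPERSONAL):
                label = PERSONAL  # what the values are outranks a harmless-looking name
    return {"column": name, "label": label, "reasons": reasons}


def classify_table(table: dict) -> dict:
    """Map column name -> label for a {column: [sampled values]} table."""
    return {col: classify_column(col, vals)["label"] for col, vals in table.items()}


def needs_review(table: dict) -> list:
    """Columns no rule could place: the 'not yet classified' bucket."""
    return [col for col, label in classify_table(table).items() if label == UNCLASSIFIED]


# Constructed sample: a few rows from a hypothetical orders table.
ORDERS = {
    "order_id": [5001, 5002, 5003],
    "customer_email": ["a@example.com", "b@example.org", "c@example.net"],
    "contact": ["07700 900123", "07700 900456", "+44 7700 900789"],
    "dob": ["1984-03-09", "1987-11-21", "1975-06-30"],
    "sku": ["SKU-1", "SKU-2", "SKU-3"],
    "notes": ["left at door", "", "call first"],
    "health_condition": ["asthma", "none", "diabetes"],
}

if __name__ == "__main__":
    for col, vals in ORDERS.items():
        print(classify_column(col, vals))
    print("needs review:", needs_review(ORDERS))
```

The "contact" column is the instructive case: nothing in its name says it is personal, and only sampling the values reveals phone numbers. Free-text columns such as "notes" are the opposite problem, since no pattern will reliably tell you whether someone typed a name or a medical detail into them, which is why the unclassified bucket has to be reviewed rather than defaulted to non-personal.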

3. Protect: safeguard against data breaches and unauthorized access by masking and encrypting sensitive data. Automatically apply masking rules when provisioning new databases, or when refreshing development and test environments with production data. Ensure your business-critical data is safe by always backing up your SQL Server databases.
Tools for the job: replace sensitive data with anonymized yet realistic data; a repeatable, transparent and auditable process for provisioning; protection against accidental loss of user data, database corruption or hardware failures.

4. Monitor: prove compliance through ongoing tracking, management and reporting of your data protection policy. Be alerted to incidents affecting the ability to restore the availability of, and access to, personal data in a timely manner.
Tools for the job: automatically generate reports mapping the SQL Server estate; track changes with snapshots and receive notifications by e-mail; check user access permissions for servers containing PII; monitor the availability of servers and databases containing PII.

Some suggestions:
- Involve the whole organization
- Start work on your data map(s)
- Review your oversight of the data estate
- Review your SDLC
- Consider re-tooling
- Practise! (data breach response, DPIA)
- Show your work! (decisions taken, risk assessments)

And keep learning! What is your defensible position under GDPR? The landscape is changing and case law will soon be here. Regulators' websites (e.g. https://ico.org.uk), industry discussion (e.g. https://www.red-gate.com/hub), meetups (e.g. https://www.meetup.com).

Question and Answer Session

Need help? Contact us: sales@red-gate.com, richard.macaskill@red-gate.com. Discover Redgate's full solution: Data Privacy and Protection, www.red-gate.com/solutions/data-privacy-protection; SQL Data Privacy Suite, www.red-gate.com/products/dba/sql-data-privacy-suite