Cybersecurity Considerations for GDPR

Similar documents
General Data Protection Regulation (GDPR) Key Facts & FAQ s

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

City, University of London Institutional Repository. This version of the publication may differ from the final published version.

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Islam21c.com Data Protection and Privacy Policy

The Role of the Data Protection Officer

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Technical Requirements of the GDPR

EU General Data Protection Regulation (GDPR) Achieving compliance

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Data Protection Policy

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

General Data Protection Regulation (GDPR)

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

How the GDPR will impact your software delivery processes

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

Getting ready for GDPR

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

Creative Funding Solutions Limited Data Protection Policy

GLOBAL DATA PROTECTION POLICY

Element Finance Solutions Ltd Data Protection Policy

SOLUTION BRIEF Virtual CISO

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Eco Web Hosting Security and Data Processing Agreement

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

GDPR: A QUICK OVERVIEW

Altitude Software. Data Protection Heading 2018

GLOBAL DATA PROTECTION POLICY

All you need to know and do to comply with the EU General Data Protection Regulation

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

Data Management and Security in the GDPR Era

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

General Data Protection Regulation (GDPR)

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

Regulating Cyber: the UK s plans for the NIS Directive

HPE DATA PRIVACY AND SECURITY

NEWSFLASH GDPR N 8 - New Data Protection Obligations

Contract Services Europe

Data Breaches and the EU GDPR

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

GDPR - Are you ready?

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

L attuale scenario in cyber security all indomani dell adozione di nuovi quadri normativi europei

Act CXII of 2011 on the right to information self-determination and freedom of information. Act ;

The GDPR Are you ready?

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

Managed Endpoint Defense

GDPR Customer Briefing. How Creditsafe is using GDPR to drive better business

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

EventLog Analyzer. All you need to know and do to comply with the EU General Data Protection Regulation

Notification regarding the processing of personal data within ABOGAR SRL Hotel Lido

EU data security and privacy trends

GDPR Controls and Netwrix Auditor Mapping

GDPR Compliance. Clauses

EXAM PREPARATION GUIDE

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

Data Processing Agreement

DATA PROTECTION POLICY THE HOLST GROUP

GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION

Arkadin Data protection & privacy white paper. Version May 2018

INFORMATIVE NOTICE ON PERSONAL DATA PROCESSING

Introductory guide to data sharing. lewissilkin.com

Information leaflet about processing of personal data (

Data Processing Clauses

Data Protection and GDPR

DATA PROTECTION BY DESIGN

the processing of personal data relating to him or her.

Privacy Policy Hafliger Films SpA

Online Ad-hoc Privacy Notice

Emergency Compliance DG Special Case DAMA INDIANA

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Are You Ready for European Data Protection Reform? What to know. How to comply. Top 5 actions to address reform.

Accelerate GDPR compliance with the Microsoft Cloud

Data Leak Protection legal framework and managing the challenges of a security breach

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

CommuniGator. Your GDPR. Compliance Checklist

EU - GDPR Solution Brief. New York GDPR Cybersecurity. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Wonde may collect personal information directly from You when You:

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

Google Cloud & the General Data Protection Regulation (GDPR)

Transcription:

Cybersecurity Considerations for GDPR

What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union (EU) citizens is handled. It was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. It is the result of years of preparation and debate, undergoing 4000 revisions. There are two ways the EU legislates: Directives these are passed down to member states and must be ratified by the national Parliaments before they come into effect. An example is the UK Data Protection Act (DPA) 1998, which is an implementation of EU Directive 95/46/EC. The UK DPA will be superseded by the GDPR. Regulations these come into force without ratification and are applicable across all member states. This is the category under which the GDPR will fall. When will it be enforced? The GDPR will come into effect on May 25, 2018. As of this date, organizations in non-compliance will face heavy fines. Who must adhere to the new regulation? The regulation applies to all organizations that handle EU citizens personal data, regardless of sector. This includes all enterprises, public sector entities and service providers that process their information. If you have responsibilities under the DPA, then you will certainly have to adhere to the GDPR. Defined rules for Data Transfer outside the European Economic Area (EEA): The transfer of subject data outside the EEA is allowed if the third country ensures an adequate level of protection due to its domestic law or the international commitments it s entered into. This extends to the following 11 countries: ANDORRA ARGENTINA CANADA (COMMERCIAL ORGANIZATIONS) FAEROE ISLANDS GUERNSEY ISREAL ISLE OF MAN JERSEY NEW ZEALAND SWITZERLAND URUGUAY 2 CYBERSECURITY CONSIDERATIONS FOR GDPR 3

Summary of GDPR: Three Key Pillars The GDPR and breach reporting What are the penalties of non-compliance? New Transparency Framework Organizations need to be clear on how personal data is used Tighter consent rules Stronger subject access right to their data Mandatory breach notification New Compliance Journey Privacy by design Privacy assessment on all new projects Accountability document required about how data is used Data Portability and right to be forgotten Enhanced inspection/audit by national authorities New Punishment Regime Tougher powers for national regulators Max 4% of global turnover or 20M Euros (whichever is greater Suspension of the right/ability to process data The GDPR will mean a number of big changes, but one of the most significant is the responsibility of organizations to report any breaches of personal data within 72 hours of a determination of breach. This is an important change, as no such duty of notification of breach has existed before. Knowing this, organizations must ask themselves the following questions: How will I detect that I my infrastructure has been breached? Once I ve detected a breach, how will I minimize the impact? How will I prove what happened? There is a lot of scaremongering on this in the security industry. Unfortunately, until the GDPR comes unto effect, there is no way to know indefinitely how the fine regime will operate. The GDPR states the following: Fines under GDPR vary between 2-4% of the global turnover of the organisation or Euros 20 million (whichever is the greater) depending on severity of the infringement. 1 In the worst case scenario, you may face a suspension of your right to trade. 1. https://www.eugdpr.org/key-changes.html 4 CYBERSECURITY CONSIDERATIONS FOR GDPR 5

Regulations in detail Resources to help prepare for the GDPR Article 4 Definitions: Personal data For the purposes of this regulation, personal data means any information relating to an identified or identifiable natural person ( data subject ). 2 Identifiable information can include a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. A personal data breach therefore, means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. 3 Article 33 Definitions: Notification of a personal data breach to the supervisory authority In the case of a personal data breach, the organization shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. 4 2. http://www.privacy-regulation.eu/en/article-4-definitions-gdpr.htm 3. http://www.privacy-regulation.eu/en/article-4-definitions-gdpr.htm 4. http://www.privacy-regulation.eu/en/article-33-notification-of-a-personal-data-breach-to-the-supervisory-authority-gdpr.htm The GDPR creates additional security and privacy obligations for organizations to comply with. All organizations, including those outside of the EU that hold data on European citizens, need to review their obligations under GDPR. Our GDPR workbook details the framework requirements, enabling you to map your current approach and gain an understanding of your areas of risk. With this workbook, you will: Understand the key requirements of GDPR Determine how GDPR applies to your company Map your current approach to GDPR and evaluate your areas of risk Regardless of industry, scope or scale, all businesses must employ a basic set of cybersecurity considerations to defend against today s growing cyber risk. This essential checklist provides high-level recommendations for basic cybersecurity assurance for easy adoption, implementation, and measurement. This checklist will provide: Actionable measures to better defend your organization against cyber threats Recommendations to ensure the basic building blocks of a cybersecurity strategy are covered 6 CYBERSECURITY CONSIDERATIONS FOR GDPR 7

esentire Workbook Preparing for the General Data Protection Regulation (GDPR) REGULATION (EU) 2016/679 General Data Protection Regulation European Parliament / 27 April 2016 Based on the EU s recommendations, we ve created this workbook to help align your company s cybersecurity practices with the expectations of the GDPR. Filling it out will serve as a gap analysis tool to identify what areas you need to focus on in the near-term as the GDPR approaches. TOPIC GDPR FRAMEWORK DATA CONTROLLER PROFILE ESENTIRE RECOMMENDATION COST / EFFORT CLIENT COMMENTS SEC SUB CATEGORY DESCRIPTION CURRENT TARGETED KEY ACTIVITY PRIORITY SERVICE DAYS BUDGET NEXT STEPS NOTES 01: GDPR AWARENESS 01 A GOVERNANCE Board-level GDPR Awareness Training Security Awareness Training 01 B GOVERNANCE Operational (Executive) GDPR Awareness Training Security Awareness Training 01 C GOVERNANCE Employee GDPR Awareness Training Security Awareness Training 01 D GOVERNANCE Review Corporate Risk Register 01 E GOVERNANCE Identify and Record Compliance Violations/ Omissions/Risks Security Gap Analysis 02: DATA ACCOUNTABILITY 02 A COMPLIANCE Document Personal Data: Type/Source/3P Organizations 02 B COMPLIANCE Identify Inaccurate Data Security Gap Analysis 02 C COMPLIANCE Share Updated Inaccurate Data with 3P Organizations Security Gap Analysis 02 D COMPLIANCE Develop GDPR Accountability Policies and Procedures 03: COMMUNICATING PRIVACY POLICIES 03 A COMPLIANCE Review Existing Privacy Notices 03 B COMPLIANCE Document Legal Requirements 03 C COMPLIANCE Document ICO Complaint Process 03 D COMPLIANCE Identify GDPR Notice Requirements and Gaps 8 CYBERSECURITY CONSIDERATIONS FOR GDPR 9

TOPIC GDPR FRAMEWORK DATA CONTROLLER PROFILE ESENTIRE RECOMMENDATION COST / EFFORT CLIENT COMMENTS SEC SUB CATEGORY DESCRIPTION CURRENT TARGETED KEY ACTIVITY PRIORITY SERVICE DAYS BUDGET NEXT STEPS NOTES 04: INDIVIDUAL RIGHTS MANAGEMENT 04 A COMPLIANCE Procedures to Manage Subject Access 04 B COMPLIANCE Procedures to Manage Inaccuracies Corrections 04 C COMPLIANCE Procedures to Manage Information Erased 04 D COMPLIANCE Procedures to Manage Direct Marketing 04 E COMPLIANCE Procedures to Manage Automated Decision-Making/ Profiling 04 F COMPLIANCE Procedures to Manage Data Portability 05: SUBJECT ACCESS REQUESTS 05 A COMPLIANCE Procedures to Manage Subject Requests (remove fees) 05 B COMPLIANCE Procedures to Respond to SRs in 30 days (from 40) 05 C COMPLIANCE Policies/Procedures to Refuse a Request 05 D COMPLIANCE 06: LEGAL BASIS FOR PROCESSING PERSONAL DATA Documented to Subject Requests (cost/ benefit) 06 A COMPLIANCE Document Legal Basis for Data Processing 06 B COMPLIANCE Notification of Legal Basis of Data Processing (see 03:B) 10 CYBERSECURITY CONSIDERATIONS FOR GDPR 11

TOPIC GDPR FRAMEWORK DATA CONTROLLER PROFILE ESENTIRE RECOMMENDATION COST / EFFORT CLIENT COMMENTS SEC SUB CATEGORY DESCRIPTION CURRENT TARGETED KEY ACTIVITY PRIORITY SERVICE DAYS BUDGET NEXT STEPS NOTES 07: CONSENT 07 A COMPLIANCE Mechanism to Collect Consent 07 B COMPLIANCE Mechanism to Collect Explicit Consent 07 C COMPLIANCE Mechanism to Record and Report Consent 08: CHILDREN 08 A COMPLIANCE Determine Local Definition of Child (eg: under 13) 08 B COMPLIANCE Mechanism to Collect Parental/Guardian Consent 08 C COMPLIANCE Mechanism to Record and Report Parental/Guardian Consent 09: DATA BREACHES 09 A BREACH RESPONSE Documented Incident Plan Incident Planning 09 B BREACH RESPONSE Internal Process for Responding to an Incident Incident Planning 09 C BREACH RESPONSE Determined Goals of IR Plan Incident Planning 09 D BREACH RESPONSE Defined Roles and Responsibilities Incident Planning 09 E BREACH RESPONSE External and Internal Communication Strategy Incident Planning 09 F BREACH RESPONSE Remediation of Vulnerabilities in Systems Incident Planning 09 G BREACH RESPONSE Reporting of Incident and Remediation Activity Incident Planning 09 H BREACH RESPONSE Review of IR Plan following an Incident Incident Planning 12 CYBERSECURITY CONSIDERATIONS FOR GDPR 13

TOPIC GDPR FRAMEWORK DATA CONTROLLER PROFILE ESENTIRE RECOMMENDATION COST / EFFORT CLIENT COMMENTS SEC SUB CATEGORY DESCRIPTION CURRENT TARGETED KEY ACTIVITY PRIORITY SERVICE DAYS BUDGET NEXT STEPS NOTES 10: DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS (PIAs) 10 A COMPLIANCE Conduct DPIA Assessment 10 B COMPLIANCE Build Privacy by Design Policies and Procedures 10 C COMPLIANCE High-Risk Systems DPIA Approval by ICO 10 D DETECTION 10 E DETECTION Aggregating and Correlating Data from Endpoint Sources Aggregating and Correlating Data from Cloud Sources 10 F DETECTION Network Monitoring to Detect Cybersecurity Events 10 G DETECTION Monitoring of Third-Party Activity 10 H DETECTION 10 I DETECTION Monitoring to Detect Unauthorized Users/Devices/ Software Evaluating Remote Requests to Identify Fraudulent Requests 10 J DETECTION Software to Prevent Data Loss 10 K DETECTION Penetration Testing and Vulnerability Scans emdr Detection and Log Sentry Enterprise Vulnerability Assessment 10 L DETECTION Testing Event Detection Processes (Month/Year) Security Awareness Training 10 M DETECTION Analysis of Events to Improve Defensive Measures 11: DATA PROTECTION OFFICER 11 A COMPLIANCE Designated Data Protection Officer (DPO) 11 B COMPLIANCE Designated Role and Budget for DPO 12: INTERNATIONAL CONSIDERATIONS 12 A GOVERNANCE Map International Operations (countries and offices) 12 B GOVERNANCE Determine Governing Data Protection Supervisors 12 C GOVERNANCE Document Investigation Lead and Process 14 CYBERSECURITY CONSIDERATIONS FOR GDPR 15

About esentire esentire is the largest pure-play (MDR) service provider, keeping organizations safe from constantly evolving cyber-attacks that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates, and responds in real time to known and unknown threats before they become business disrupting events. Protecting more than $5 trillion in corporate assets, esentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory requirements. For more information, visit www.esentire.com and follow @esentire.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback