
Getting Started with GDPR Compliance


Page 1: Getting Started with GDPR Compliance

© 2016 IDERA, Inc. All rights reserved. Proprietary and confidential. © 2017 IDERA, Inc. All rights reserved.

GETTING STARTED WITH GDPR COMPLIANCE

Kim Brushaber, IDERA, Senior Product Manager

Page 2: Getting Started with GDPR Compliance


WHAT IS GDPR?

Page 3: Getting Started with GDPR Compliance


The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

Page 4: Getting Started with GDPR Compliance


MAY 25, 2018: The day that GDPR goes into effect

213 days from now

Page 5: Getting Started with GDPR Compliance


WHY DO WE NEED GDPR?

Let's start with some data facts

Page 6: Getting Started with GDPR Compliance


Over 5 million data records are lost or stolen every day

http://breachlevelindex.com/

Page 7: Getting Started with GDPR Compliance


The median number of days that attackers stay dormant within a network before detection is 200 days

https://swimlane.com/10-hard-hitting-cyber-security-statistics/

Page 8: Getting Started with GDPR Compliance


The average cost of a single data breach in 2020 will exceed $150 million, as more business infrastructure gets connected

https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion

Page 9: Getting Started with GDPR Compliance


EQUIFAX DATA BREACH

• The breach affected 145.5 million customers
• Employees acknowledged a security issue with their web application (using Apache Struts) 2 months before the breach occurred
• The patch came out 4 months beforehand on Mar 8, 2017
• It took a full day to respond to the data breach, which took the flawed web application offline (July 29 - 30, 2017)
• 6 weeks after the breach, the public was alerted (Sept 7, 2017)
• The communication to respond to the breach included a website that was not owned by Equifax (luckily it was not malicious)

Equifax is not alone – there have been 25 Very High Profile Cyber Attacks in 2017 so far (http://www.wired.co.uk/article/hacks-data-breaches-2017)

Page 10: Getting Started with GDPR Compliance


INDIVIDUAL CONCERNS IN DATA SECURITY

By 2020 over 30 Billion devices will be connected to the internet

49% of Americans feel that their personal information is less secure than it was five years ago

Over 73% of consumers in America want companies to be transparent about personal data

78% of people claim to be aware of the risks of unknown links in emails, yet click on those links anyway

86% of internet users are actively trying to minimize, anonymize and hide the visibility of their digital footprints

Facts pulled from: Data Privacy Day | National Cyber Security Alliance and Zogby Consumer Poll | Pew Research Center | https://blog.barkly.com/cyber-security-statistics-2017

Page 11: Getting Started with GDPR Compliance


DATA SECURITY INDUSTRY FACTS

95% of breached data records in 2016 came from:
• Government
• Retail
• Technology

43% of cyber attacks targeted small businesses

Over 75% of the health care industry was infected with malware in the past year

70% of US oil and gas companies were hacked last year

Facts pulled from: http://www.techrepublic.com/article/forrester-what-can-we-learn-from-a-disastrous-year-of-hacks-and-breaches/ | https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html | https://www.scmagazine.com/75-of-healthcare-industry-hit-with-malware-report/article/569614/ | http://www.businesswire.com/news/home/20170216005632/en/Study-Reveals-Cybersecurity-Readiness-Gaps-America%E2%80%99s-Oil

Page 12: Getting Started with GDPR Compliance


DATA SECURITY EXECUTIVE PERSPECTIVE

90% of CIOs admit to wasting millions on inadequate cybersecurity

90% of CIOs have already been attacked or expect to be attacked by bad guys hiding in their encryption

87% of CIOs believe their security controls are failing to protect their businesses

85% of CIOs expect criminal misuse of keys and certificates to get worse

https://www.venafi.com/assets/pdf/wp/Venafi_2016CIO_SurveyReport.pdf

Page 13: Getting Started with GDPR Compliance


DATA SECURITY PREPAREDNESS

In 2014 70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies

52% of organizations that suffered successful cyber attacks in 2016 aren't making any changes to their security in 2017

Only 38% of global organizations claim they are prepared to handle a sophisticated cyberattack

Only 37% of organizations have a cyber incident response plan

Facts pulled from: https://blog.barkly.com/cyber-security-statistics-2017 | https://swimlane.com/10-hard-hitting-cyber-security-statistics/ | PWC Economic Crime Survey | https://www.wired.com/insights/2014/09/millennials-mobile-security/

Page 14: Getting Started with GDPR Compliance


HOW DO WE START TO ADDRESS THIS?

What does GDPR cover?

Page 15: Getting Started with GDPR Compliance


PERSONAL DATA COVERED BY GDPR

Any information that can be classified as personal details – or that can be used to determine your identity

• Name
• Identification number
• Email address
• Online user identifier
• Social media posts
• Physical, physiological or genetic information
• Medical information
• Location
• Bank details
• IP address
• Cookies

Page 16: Getting Started with GDPR Compliance


GDPR PRINCIPLES (ARTICLE 5)

Personal data shall be:

Processed lawfully, fairly and in a transparent manner
• The public wants to know what you are doing with their data

Collected for specified, explicit and legitimate purposes
• Bye-bye, Spam! (hopefully)

Adequate, relevant and limited to what is necessary
• You can't collect it and use it somewhere else

Accurate and kept up to date
• Give your users ways to update their data

Kept in a form which permits identification of data subjects for no longer than is necessary
• Tell people how long you'll keep their information

Processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage
• Time to get really serious about stopping data breaches!

Page 17: Getting Started with GDPR Compliance


RIGHTS OF INDIVIDUALS VIA GDPR (ARTICLES 12 - 23)

Right to access their personal data

Right to rectification
• Users should be able to correct inaccurate info

Right to erasure
• Users can request to be "forgotten"

Right to restriction of processing
• Users can limit the way their information is processed

Right to data portability
• Users should be able to obtain a copy of their data

Right to object
• Users can object to the processing of their data

Right to not be subjected to a decision based solely on automated processing or profiling
• This has significant impact on B2B Marketing

Page 18: Getting Started with GDPR Compliance


WHO IS RESPONSIBLE (CHAPTER 4, ARTICLES 24 - 43)

Data Controller – Any organization that collects data from EU residents

Data Processor – Organization that processes data on behalf of the controller (e.g. cloud service providers)

Data Protection Officer – An individual within the organization that is an expert in Data Protection Law

Page 19: Getting Started with GDPR Compliance


GDPR PENALTIES/SANCTIONS (ARTICLE 83)

Depending on the nature of the infraction:

• A warning in writing in cases of first and non-intentional non-compliance
• Regular periodic data protection audits
• A fine of up to 10M Euro or 2% of annual worldwide turnover from the previous year
• A fine of up to 20M Euro or 4% of annual worldwide turnover from the previous year

Page 20: Getting Started with GDPR Compliance


WHAT ELSE IS IN GDPR?

Page 21: Getting Started with GDPR Compliance


ADDITIONAL ARTICLES TO CONSIDER

• Article 15 – Control Exposure to Personal Data
• Article 30 – Record Processing Activities
• Article 32 – Security of Processing (encryption)
• Article 33 – Notification of Personal Data Breach to Supervisory Authority
• Article 35 – Data Protection Impact Assessment (handling risks)

Page 22: Getting Started with GDPR Compliance


ADDITIONAL GDPR CONSIDERATIONS

GDPR is explicit that you can not store data "just in case"
• You should have very clear processes that indicate why you are storing the data

GDPR is explicit that users can object to data profiling
• How will you limit data profiling and how do users opt out of profiling?

GDPR states that you must have processes documented to outline:
• How and what data is collected?
• Where is data stored?
• Who has access to the data? And who should be able to access it?
• How do you remove the data when the time comes?
• How do you alert supervising authorities to a data breach?

Page 23: Getting Started with GDPR Compliance


HOW AND WHAT DATA IS COLLECTED?

* Business Process Diagram created using ER/Studio Business Architect

Page 24: Getting Started with GDPR Compliance


WHERE IS DATA STORED?

* Business Process Diagram created using ER/Studio Business Architect

Page 25: Getting Started with GDPR Compliance


WHO HAS ACCESS TO THE DATA?

* Business Process Diagram created using ER/Studio Business Architect

Page 26: Getting Started with GDPR Compliance


HOW DO YOU REMOVE THE DATA?

* Business Process Diagram created using ER/Studio Business Architect

Page 27: Getting Started with GDPR Compliance


WHAT HAPPENS WITH A DATA BREACH?

* Business Process Diagram created using ER/Studio Business Architect

Page 28: Getting Started with GDPR Compliance


GDPR COMPLIANCE PREPARATION

How do I get started?

Clearly-defined business processes are ESSENTIAL

Page 29: Getting Started with GDPR Compliance


GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM

* Business Process Diagram created using ER/Studio Business Architect

Page 30: Getting Started with GDPR Compliance


FOR MORE DETAILS ON GDPR PREPARATION

Read the Blog via:

• http://community.idera.com/blog/b/community_blog/posts/getting-prepared-for-gdpr

• Or navigate to community.IDERA.com > Blog > "Getting Prepared for GDPR"

Download the Whitepaper via:

• IDERA.com > Resources > Resource Center > "Whitepaper: Governing GDPR Challenges with Enterprise Data Architecture"

Page 31: Getting Started with GDPR Compliance


HOW ER/STUDIO BUSINESS ARCHITECT CAN HELP

GDPR is going to require you to have your processes documented. ER/Studio Business Architect allows you to create Business Process Models to document those processes, complete with External Data Objects

The act of creating Business Process Models allows all employees across the organization to identify where they are impacting personal data

Checking these models into the Repository and publishing them to Team Server allows you to post these processes for the whole organization to have visibility

Page 32: Getting Started with GDPR Compliance


IMPORTANT POINTS TO REMEMBER

Privacy Notices Must Be Transparent
• You must communicate in clear and plain language how you intend to use the personal information that you collect

Customer's Rights Must Be Upheld and Published Publicly
• You must communicate how you intend to uphold rights identified within the GDPR regulations

Data Breaches Must Be Communicated Within 72 Hours
• In order to respond quickly, everyone in your organization should know what their responsibilities are in the case of a breach

Page 33: Getting Started with GDPR Compliance


IN CONCLUSION

GDPR is going to change the way we handle sensitive personal data in the future (and that’s not a bad thing)

Companies need to review all of the personal data in their systems and understand how they will:
• Process it
• Encrypt it
• Secure it

Large fines can be assessed if you collect data on EU members and do not comply with these regulations

Companies will need to be transparent in their processes and have that information clearly documented for both internal employees as well as the customers they are collecting data on

Page 34: Getting Started with GDPR Compliance


THANKS! Any questions?

You can find me on Twitter at:

Kim Brushaber: @Brushaber_IDERA

Page 35: Getting Started with GDPR Compliance


ADDITIONAL DETAILS ON GDPR ARTICLES

Page 36: Getting Started with GDPR Compliance


ARTICLE 15 – CONTROL EXPOSURE TO PERSONAL DATA

Control accessibility - who is accessing data and how

Minimize data being processed in terms of:

• Amount of data collected
• Extent of data processed
• Storage period
• Accessibility

Produce safeguards for control management

Page 37: Getting Started with GDPR Compliance


ARTICLE 30 – RECORDS OF PROCESSING ACTIVITIES

Log and monitor your operations

Maintain an audit record of processing activities on personal data

Monitor access to processing systems

Page 38: Getting Started with GDPR Compliance


ARTICLE 32 – SECURITY OF PROCESSING

Security mechanisms to protect personal data

• Employ pseudonymization and encryption
• Ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Restore availability and access in the event of an incident
• Provide a process for regularly testing and assessing effectiveness of security measures

Page 39: Getting Started with GDPR Compliance


ARTICLE 33 – NOTIFICATION OF PERSONAL DATA BREACH TO THE SUPERVISORY AUTHORITY

• Detect breaches
• Assess the impact on personal data records
• Assess whether the personal data is identifiable
• Describe the nature of the breach
• Describe your measures to remedy it

Page 40: Getting Started with GDPR Compliance


ARTICLE 35 – DATA PROTECTION IMPACT ASSESSMENT

• Describe processing operations, including why you need them and how big they are
• Assess risks that are associated with processing personal data
• Apply measures to address risks and protect personal data
• Demonstrate (and document) your compliance with GDPR

Page 41: Getting Started with GDPR Compliance


GDPR COMPLIANCE PREPARATION

Page 42: Getting Started with GDPR Compliance


GDPR COMPLIANCE - BUSINESS PROCESS DIAGRAM

* Business Process Diagram created using ER/Studio Business Architect

Page 43: Getting Started with GDPR Compliance


SET UP DATA PROTECTION OFFICER(S)

Data Protection Officers have expert knowledge on Data Protection Law

They are like Compliance Officers but are experts on:
• IT processes
• Data security
• Continuity issues regarding holding and processing personal info

They are responsible for cooperating with the supervising authority

Page 44: Getting Started with GDPR Compliance


CREATE ORGANIZATIONAL AWARENESS AND PRODUCE GUIDELINES

Your organization should be aware of the GDPR regulations and how they impact data

You should produce guidelines or procedures that identify what to do with personal information across your systems

Processes and procedures regarding GDPR regulations and personal information should be available throughout the organization

Engage your employees to help to create your processes if you have not already done so

Page 45: Getting Started with GDPR Compliance


ANALYZE DATA ACROSS ALL APPLICATIONS, DATA MODELS AND DATABASES

• Which servers and/or databases contain personal data?
• Which columns or rows can be marked as containing personal data?
• Which systems are involved in storing or moving sensitive data?
• Who has access to what elements of data in the database system?
• What elements and features of the database systems can be accessed and potentially exploited to gain access to those systems?
• Where does the data go when it leaves your systems?

Page 46: Getting Started with GDPR Compliance


REVIEW EXISTING PROCEDURES THAT PERTAIN TO GDPR

• How can I be more transparent in what activities are taken in regards to personal data?
• How do I create evidence that I am in compliance?
• How do I ensure that all of my processes and procedures are kept up to date?
• How do I ensure that all of my processes and procedures are being followed?

Page 47: Getting Started with GDPR Compliance


REVIEW DATA PRIVILEGES AND ACCOUNTABILITIES

• How can I ensure that the right people are accessing the information?
• What do I need to do to limit who can access the sensitive data?
• Who is accountable for the different aspects of personal information?
• How can I keep track of who has accessed sensitive data?

Page 48: Getting Started with GDPR Compliance


DOCUMENT AND MANAGE INDIVIDUAL RIGHTS

Step through the Individuals' Rights (Articles 12-23) and identify how you plan to address them
• Right to access their personal data
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right to not be subjected to a decision based solely on automated processing or profiling

Keep records of what customers have consented to and when they consented to it

Page 49: Getting Started with GDPR Compliance


DEFINE DATA BREACH PROCESS

Which security controls are in place to protect the data?

What levels of encryption are in place?
• While in transit between systems
• While at rest in my system
• While in use by my system

When do I need to make my data available?

What mechanisms are in place to prevent data loss?

How do I detect a breach with my data?

How can I respond to a breach that has occurred?

Page 50: Getting Started with GDPR Compliance


DEVELOP DATA IMPACT ASSESSMENT

• What are the impacts of unintended data changes?
• What are the risks associated with unintended data changes?
• Where are data elements used across applications and databases?
• How will you ensure that compliance with these procedures continues?
• What are the risks of falling behind on compliance?

Page 51: Getting Started with GDPR Compliance


THANKS! Any questions?

You can find me on Twitter at:

Kim Brushaber: @Brushaber_IDERA