Data Privacy as a Business Enabler


Page 1: Data Privacy as a Business Enabler


Copyright © 2016 Symantec Corporation


The Drive for Data Privacy

Drivers:

• Data Growth
• Emerging Technology
• Regulations
• Evolving Threat Landscape
• Press Headlines
• Reputation
• Business Opportunity
• Customer Expectations

Inhibitors:

• Lack of Business Ownership
• Lack of Visibility


Privacy is most important when customers choose products or services

Source: Symantec State of Privacy Report 2015, https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

Factors customers rate when choosing a company:

• Delivering great customer service
• Keeping your data safe and secure
• Delivering quality products / services
• Treating their employees and suppliers fairly
• Being environmentally friendly

[Chart: share of customers rating each factor as important; values shown on the slide: 82%, 86%, 69%, 56%, 88%]


Not all Organisations have the same level of Consumer Trust for Securing Data

Source: https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

Sectors asked about (chart order):

• Hospitals / medical services
• Banks
• Government
• Technology companies (i.e. Google, Microsoft)
• Retailers (including online shops)
• Social media sites (i.e. Facebook, Twitter)

[Chart: share of consumers trusting each sector to keep their data completely secure; values shown on the slide: 69%, 66%, 45%, 22%, 20%, 10%]

Organisations whose business models are based on data (tech companies and social media companies) appear less trusted to keep customer data completely secure.

Data Trust Chain

Building Trust – Best Practices for Protecting Data in the Cloud


European Data Protection Regulation: Updating European Privacy Legislation


EU General Data Protection Regulation (GDPR)

TODAY: 28 interpretations of the Data Protection Directive

2018: One Data Protection Regulation, harmonised across all EU member states


Scope of the GDPR

• Defines personal data
• Legal basis for processing
• Embedding privacy
• Data security

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE


Information lifecycle: Collect → Process → Retain & Secure → Manage

Collect – principles of data collection:

• Fairly and lawfully
• Receiving consent
• Relevance
• Proportionality
• Types of data

Process – permission applies to:

• Specific data
• Specific purpose
• Notify of changes

Retain & Secure:

• Retain: duration, types of data
• Secure: people, process, technology, data loss

Manage – management of:

• Access
• Right to rectify data
• Data destruction policy
• Data transfers
• Applicable rules

GDPR is about data governance


Business Concerns with the GDPR

• Accountability
• Information Security
• Cloud and International Data Transfer
• Penalties for Breaking the Law

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE


What is accountability?

Demonstrate compliance through:

• Appropriate policy, process and technology
• Data Protection Officers
• Privacy Impact Assessments
• Privacy by Design and by Default
• Effective, enforced & documented policies

Accountability cannot be transferred or outsourced.


Information Security

• Improved security requirements
• Encryption and ID management
• Requirement to secure private data
• Effective detection and response


Cloud & Data Transfer Myth Busters

Myth: It’s illegal to send EU data outside the EU. – FALSE
Reality: Data can be transferred outside the EU subject to strict conditions. The flow of Personal Data within the EU is in principle “freely allowed”.

Myth: Organisations need Safe Harbor to transfer EU Personal Data to the US. – FALSE
Reality: There are several mechanisms to enable the transfer of EU Personal Data to the US.

Myth: Data Privacy legislation for data residency requires Personal Data to be stored in a specific country. – FALSE
Reality: Storage of EU Personal Data is allowed anywhere within the EU and not limited to a single EU country. There may be restrictions, but not from data privacy legislation.

Myth: IP addresses & log-files are forms of Personal Data. – TRUE
Reality: Several jurisdictions in Europe treat IP addresses and other log files as Personal Data.


Penalties and Notification

• Fines of up to 4% of global annual turnover or up to €20m, whichever figure is higher
• Enforcement by national Data Protection Authorities
• 72 hours to notify of a breach once aware


Preparing for the GDPR: Embracing Privacy by Design


Key Implications (Need → Realization → Implication)

• Need: GDPR will be enforced by 2018. Realization: It could take a long time to get ready. Implication: Build on what you’ve already got so you can start early.
• Need: Fines will be up to 4% of revenue or €20m. Realization: GDPR compliance isn’t a tick-box exercise. Implication: Data Governance and Privacy by Design give value.
• Need: Breach notification will be 72 hours. Realization: Response investigations can take weeks to months. Implication: Effective Detection and Response to attack is critical.


Starting Questions for the GDPR

• Do you know what personal data you process? Yes / No
• Do you know where it is and how it flows in the organisation? Yes / No
• Do you consider privacy at every level? Yes / No
• Do you think user / data subject first in security? Yes / No
• Have you reviewed your information risk management process for data privacy? Yes / No
• Have you reviewed your security controls against privacy requirements? Yes / No
• Do you have robust detection and monitoring processes? Yes / No
• Have you tested and implemented your response plans, including notification and external communication? Yes / No

If you answered No to any of these, then you need to start planning for the GDPR.


Embrace Privacy by Design =

• Proactive not reactive
• Privacy as the default setting
• Privacy embedded into the design
• Full lifecycle protection of information
• Visibility & transparency – keep it open
• Keep it user-centric
• Avoiding false dichotomies – e.g. privacy vs security


Use a Data Governance Framework to Review your Programme

Lifecycle stages: Collect → Process → Retain & Secure → Manage

Review activities:

• Define and locate personal data
• Secure technology that collects personal data
• Record consent from data subjects
• Detect and block threats to data in use
• Privacy Impact Assessments
• Validate data processors
• Restrict processing of data YOU have to retain
• Prevent data loss
• Control access to data
• Protect data at rest
• Secure transfer and storage of collected data
• Risk management of the information lifecycle
• Validate data subjects invoking rights
• Educate DPOs on cyber risk
• Pseudonymisation and obfuscation of personal data
• Minimise, anonymise, erase data

Data Protection is a Tool for Risk Reduction

[Chart: Risk Reduction Over Time; y-axis: Incidents Per Week (0 to 1000); phases shown: Visibility, Remediation, Notification, Prevention]


What Good Data Governance brings to a company

• Reduce costs
• Business value from your information
• Be agile and innovative
• Control your data
• Know your data
• Agility

Mobile/BYOD/IoT Endpoints

Reducing Risk from Preparation to Response

PREPARE: Understand personal data & risk posture
PROTECT: Protect personal data from malicious attack & misuse
DETECT: Provide rapid detection; understand impact of breach
RESPOND: Respond efficiently & effectively to be compliant; mitigate risk

Capabilities and products by phase:

Prepare:

• Data Discovery and Privacy Impact Assessments – Data Loss Prevention
• Risk Posture Assessment and Remediation – Control Compliance Suite / Endpoint Management
• Cloud Data Risk Posture Assessment – Elastica

Protect:

• Information Protection and Governance – Data Loss Prevention / Encryption / Authentication
• Threat Protection – SEP / DCS / ATP / Email Security / Web Security
• Data Encryption & Tokenization – ProxySG, Cloud Data Protection

Detect:

• Monitoring, Threat Intelligence and Cyber Expertise – Cyber Security Services
• Advanced Persistent Threat Detection – ATP / Unified Analytics
• Advanced Persistent Threat Detection – SSL Visibility, CAS/MA, Security Analytics

Respond:

• Crisis Management and Incident Response – Cyber Security Services
• Cyber Insurance – Unified Analytics
• Incident Response and Network Forensics – Security Analytics


How Can Symantec Help? (Need → Realization → Implication)

• Need: Threat Protection (Keep the Bad Stuff Out). Realization: Breach is inevitable. Implication: Expand from Protection (only) to add Detection + Response.
• Need: Information Protection (Keep the Good Stuff In). Realization: Information is now everywhere. Implication: Move our protection to wherever information flows.
• Need: Compliance / IT GRC (Do the Right Thing). Realization: Regulatory scope is expanding. Implication: Embed governance into the security program.


Thank you!

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


Legal Disclaimer: The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only. You should not act or refrain from acting on the basis of any material contained in this presentation, without seeking appropriate legal or other professional advice.