Data Privacy as a Business Enabler
Copyright © 2016 Symantec Corporation
The Drive for Data Privacy

Drivers and inhibitors:
• Lack of Business Ownership
• Data Growth
• Emerging Technology
• Regulations
• Lack of Visibility
• Evolving Threat Landscape
• Press Headlines
• Reputation
• Business Opportunity
• Customer Expectations
Privacy Most Important When Customers Choose Products or Services

Source: Symantec State of Privacy Report 2015, https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

Factors consumers weigh when choosing a product or service:
• Delivering great customer service
• Keeping your data safe and secure
• Delivering quality products / services
• Treating their employees and suppliers fairly
• Being environmentally friendly

[Chart: share of respondents rating each factor important; values shown: 82%, 86%, 69%, 56%, 88%]
Not All Organisations Have the Same Level of Consumer Trust for Securing Data

Source: https://www.symantec.com/content/en/us/about/presskits/b-state-of-privacy-report-2015.pdf

Share of consumers who trust each type of organisation to keep their data completely secure:
• Hospitals / medical services: 69%
• Banks: 66%
• Government: 45%
• Technology companies (e.g. Google, Microsoft): 22%
• Retailers (including online shops): 20%
• Social media sites (e.g. Facebook, Twitter): 10%

Organisations whose business models are based on data (technology companies and social media companies) appear less trusted to keep customer data completely secure.
Data Trust Chain
Building Trust – Best Practices for Protecting Data in the Cloud
European Data Protection Regulation: Updating European Privacy Legislation

TODAY: 28 interpretations of the Data Protection Directive.
2018: One Data Protection Regulation, the EU General Data Protection Regulation (GDPR), harmonized across all EU member states.
Scope of the GDPR
• Defines personal data
• Legal basis for processing
• Embedding privacy
• Data security

PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
Information Lifecycle

Collect – principles of data collection:
• Fairly and lawfully
• Receiving consent
• Relevance
• Proportionality
• Types of data

Process – permission applies to:
• Specific data
• Specific purpose
• Notify of changes

Retain & Secure:
• Retain: duration, types of data
• Secure: people, process, technology, data loss

Manage – management of:
• Access
• Right to rectify data
• Data destruction policy
• Data transfers
• Applicable rules

GDPR is about data governance.
Business Concerns with the GDPR
• Accountability
• Information Security
• Cloud and International Data Transfer
• Penalties for Breaking the Law
What is Accountability?
• Demonstrate compliance
• Appropriate policy, process and technology
• Data Protection Officers
• Privacy Impact Assessments
• Privacy by Design and by Default
• Effective, enforced & documented policies

Accountability cannot be transferred or outsourced.
Information Security
• Improved security requirements
• Encryption and ID management
• Requirement to secure private data
• Effective detection and response
Cloud & Data Transfer Myth Busters

Myth: It's illegal to send EU data outside the EU. – FALSE
Reality: Data can be transferred outside the EU subject to strict conditions. The flow of Personal Data within the EU is in principle "freely allowed".

Myth: Organisations need Safe Harbor to transfer EU Personal Data to the US. – FALSE
Reality: There are several mechanisms to enable the transfer of EU Personal Data to the US.

Myth: Data privacy legislation for data residency requires Personal Data to be stored in a specific country. – FALSE
Reality: Storage of EU Personal Data is allowed anywhere within the EU and is not limited to a single EU country. There may be restrictions, but not from data privacy legislation.

Myth: IP addresses & log files are forms of Personal Data. – TRUE
Reality: Several jurisdictions in Europe treat IP addresses and other log files as Personal Data.
Penalties and Notification
• Fines of up to 4% of global annual turnover or up to €20m, whichever figure is higher
• Enforcement by national Data Protection Authorities
• 72 hours to notify of a breach once aware
Preparing for the GDPR: Embracing Privacy by Design
Key Implications

Need: GDPR will be enforced by 2018
Realization: It could take a long time to get ready
Implication: Build on what you've already got so you can start early

Need: Fines will be up to 4% of revenue or €20m
Realization: GDPR compliance isn't a tick-box exercise
Implication: Data governance and Privacy by Design give value

Need: Breach notification will be 72 hours
Realization: Response investigations can take weeks to months
Implication: Effective detection and response to attack is critical
Starting Questions for the GDPR
• Do you know what personal data you process? Yes / No
• Do you know where it is and how it flows in the organisation? Yes / No
• Do you consider privacy at every level? Yes / No
• Do you think user / data subject first in security? Yes / No
• Have you reviewed your information risk management process for data privacy? Yes / No
• Have you reviewed your security controls against privacy requirements? Yes / No
• Do you have robust detection and monitoring processes? Yes / No
• Have you tested and implemented your response plans, including notification and external communication? Yes / No

If you answered No to any of these, then you need to start planning for the GDPR.
Embrace Privacy by Design
• Proactive not reactive
• Privacy as the default setting
• Privacy embedded into the design
• Full lifecycle protection of information
• Visibility & transparency – keep it open
• Keep it user-centric
• Avoiding false dichotomies – e.g. privacy vs security
Use a Data Governance Framework to Review your Programme

Lifecycle stages: Collect, Process, Retain & Secure, Manage

Practices to review:
• Define and locate personal data
• Secure technology that collects personal data
• Record consent from data subjects
• Detect and block threats to data in use
• Privacy Impact Assessments
• Validate data processors
• Restrict processing of data YOU have to retain
• Prevent data loss
• Control access to data
• Protect data at rest
• Secure transfer and storage of collected data
• Risk management of the information lifecycle
• Validate data subjects invoking rights
• Educate DPOs on cyber risk
• Pseudonymisation and obfuscation of personal data
• Minimise, anonymise, erase data
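As an added example, not part of the Symantec deck, the following Python script ties together two points on this page: the myth-buster finding that IP addresses and log files are personal data, and the pseudonymisation and minimisation practices listed in the framework. It scrubs constructed web-server log lines, replacing each IPv4 address either with an HMAC-keyed pseudonym (the same address always maps to the same token, so incident analysts can still correlate a session, but only the key holder can re-link it, which is why this remains pseudonymised personal data under the GDPR) or with its /24 network (irreversible minimisation for data you keep long term). The key, the log lines and all function names are constructed for the illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed demo key. In a real deployment the key lives in a secrets
# manager and is rotated: whoever holds it can re-link tokens to the
# original addresses, so the key must be protected like the data itself.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Candidate IPv4 literals; each is validated below so "999.1.1.1" is left alone.
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample web-server log lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Mar/2016:10:12:01 +0000] "GET /account HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2016:10:12:03 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.42 - - [10/Mar/2016:10:12:09 +0000] "GET /orders HTTP/1.1" 200 2048',
]


def pseudonymise_ip(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed-hash pseudonym (HMAC-SHA256, truncated to 64 bits of hex).

    Same address + same key -> same token, so lines stay joinable, but the
    token cannot be reversed to the address without the key. Because the
    key holder can re-identify, this is pseudonymised, not anonymised, data.
    """
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def anonymise_ip(ip: str) -> str:
    """Irreversible minimisation: keep the /24 network, drop the host part."""
    network = ipaddress.ip_network(f"{ip}/24", strict=False)
    return f"{network.network_address}/24"


def scrub_log_line(line: str, mode: str = "pseudonymise") -> str:
    """Replace every valid IPv4 address in one log line.

    mode="pseudonymise" keeps lines correlatable via a keyed token;
    mode="anonymise" truncates to the network and cannot be undone.
    """
    if mode not in ("pseudonymise", "anonymise"):
        raise ValueError(f"unknown mode: {mode}")
    transform = pseudonymise_ip if mode == "pseudonymise" else anonymise_ip

    def replace(match: re.Match) -> str:
        candidate = match.group(0)
        try:
            ipaddress.IPv4Address(candidate)
        except ValueError:
            return candidate  # dotted digits that are not an address
        return transform(candidate)

    return IPV4_CANDIDATE.sub(replace, line)


def scrub_logs(lines, mode: str = "pseudonymise") -> list:
    """Scrub a batch of lines; the returned list is what would be retained."""
    return [scrub_log_line(line, mode) for line in lines]


if __name__ == "__main__":
    for scrubbed in scrub_logs(SAMPLE_LOG):
        print(scrubbed)
    for scrubbed in scrub_logs(SAMPLE_LOG, mode="anonymise"):
        print(scrubbed)
```

Two practical caveats: the regex also catches dotted version strings such as "1.2.3.4", which are valid addresses syntactically, so a production scrubber should be tied to the log format's known fields rather than a free-text match; and the pseudonymised output is only as protected as the HMAC key, so key access should be logged and the key rotated when the retention policy for the tokens ends.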
Data Protection is a Tool for Risk Reduction

[Chart: Risk Reduction Over Time – incidents per week (scale 0 to 1000) plotted across the phases Visibility, Remediation, Notification and Prevention]
EU General Data Protection Regulation
What Good Data Governance Brings to a Company

Know your data, control your data, agility.

Benefits:
• Reduce costs
• Business value from your information
• Be agile and innovative
EU General Data Protection Regulation
Reducing Risk from Preparation to Response
Mobile/BYOD/IoT Endpoints

PREPARE – Understand personal data & risk posture
• Data Discovery and Privacy Impact Assessments
• Risk Posture Assessment and Remediation: Control Compliance Suite / Endpoint Management
• Cloud Data Risk Posture Assessment: Elastica

PROTECT – Protect personal data from malicious attack & misuse
• Data Loss Prevention
• Information Protection and Governance: Data Loss Prevention / Encryption / Authentication
• Threat Protection: SEP / DCS / ATP / Email Security / Web Security
• Data Encryption & Tokenization: ProxySG, Cloud Data Protection

DETECT – Provide rapid detection; understand impact of breach
• Monitoring, Threat Intelligence and Cyber Expertise: Cyber Security Services
• Advanced Persistent Threat Detection: ATP / Unified Analytics
• Advanced Persistent Threat Detection: SSL Visibility, CAS/MA, Security Analytics

RESPOND – Respond efficiently & effectively to be compliant; mitigate risk
• Crisis Management and Incident Response: Cyber Security Services
• Cyber Insurance: Unified Analytics
• Incident Response and Network Forensics: Security Analytics
How Can Symantec Help?

Need: Threat Protection (Keep the Bad Stuff Out)
Realization: Breach is inevitable
Implication: Expand from protection (only) to add detection + response

Need: Information Protection (Keep the Good Stuff In)
Realization: Information is now everywhere
Implication: Move our protection to wherever information flows

Need: Compliance / IT GRC (Do the Right Thing)
Realization: Regulatory scope is expanding
Implication: Embed governance into the security program
Thank you!
Copyright © 2015 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Legal Disclaimer: The materials contained in this presentation are not intended to provide, and do not constitute or comprise, legal advice on any particular matter and are provided for general information purposes only. You should not act or refrain from acting on the basis of any material contained in this presentation, without seeking appropriate legal or other professional advice.