General Data Protection Regulation, 2014
Update document
David Prince, CISSP, CISM 
Director – Information Security Consulting, Schillings 
@RiskObscurity 
InfoRisk.io
About me…
① Information security evangelist
② On-demand CISO/vCISO
③ Industry speaker and socialite
① Director of Information Security Consulting @ Schillings
② Blogger – InfoRisk.io/Schillings.co.uk
③ Give01Day Supporter!
What is the General Data Protection Regulation?
The purpose of the General Data Protection Regulation (“GDPR”) is to replace the existing and badly outdated Data Protection legislation enacted by the various EU member states with a single, unified regulation for protecting Personal Data.
The Draft GDPR was introduced by the European Commission (“EC”) in January 2012, with the latest version of the draft approved by the European Parliament in March 2014.
Given the fundamental change in Data Protection at EU level, there is still much negotiation to take place, and it is expected that the final form will not be approved until late next year, with a further 2-year enforcement deadline.
However, with over 4,000 proposed amendments to the original legislation, organizations should be reviewing their current Data Protection and Information Security posture now, in preparation for this significant regulatory change.
This slide deck outlines just some of the most substantial changes organizations need to be aware of.
Increased fines
Currently, under the Data Protection Act in the UK, the maximum penalty for non-compliance is £500,000, although the ICO (Information Commissioner's Office), the UK authority for the Data Protection Act, has only ever issued a maximum fine of £250,000.
Many believe that these thresholds are far too low, given the devastation a loss of data can cause and its potential to cause even greater harm as we adopt Cloud computing and the Internet of Things (“IoT”).
The new General Data Protection Regulation will come with fines of up to 5% of annual group-wide revenue, or €100 million, whichever sum is greater.
This is a substantial change that all organizations should take on board when allocating budget and priority to Data Protection and Information Security.
Notification requirements
According to the latest draft of the GDPR, organizations will be required to notify the National Supervisory Authority of all data breaches without undue delay, within 72 hours, in addition to notifying the affected individuals of the data loss, similar to certain US federal law on Data Protection (e.g. the state of California).
In instances where the data has been encrypted and is unreadable (and therefore not compromised in terms of its Confidentiality and Integrity), it may not be necessary to notify.
Currently, one of the biggest reasons for organizations being fined is lost or stolen devices that do not employ encryption.
This requirement to notify means that organizations can no longer brush data-loss incidents under the rug, and it increases the likelihood of significant reputational and financial harm in the event of data loss.
Data Privacy Impact Assessments (DPIA)
Both Data Controllers and Data Processors will be required to perform Data Privacy Impact Assessments (DPIAs) to identify how data handling procedures and processes (including what Personal Data is used for) could impact the safety of information associated with data subjects, and the overall compliance of that information under the GDPR.
This change will put in place greater administrative overhead to ensure compliance. Additionally, it requires Data Processors to become more responsible for ensuring Data Protection by mandating their compliance with the GDPR.
This change aims to minimize Data Protection risk in the supply chain, which is often a source of vulnerability resulting in data losses for which the Data Controller is accountable.
Mandatory appointment of Data Protection Officer (DPO)
Organizations that process the personal information of 5,000 individuals or more annually, or that maintain data processing as a core business function, will be required to hire a Data Protection Officer (DPO) to oversee data processing operations.
Importantly, to ensure independence from business politics and conflicts of interest, this individual will be given enhanced employment rights, including a minimum tenure of 4 years for a full-time employee and 2 years for a contractor.
Organizations may hire a single DPO for the entire business. However, the DPO must, in all cases, have knowledge and experience of Data Protection law.
Public authorities will be required to appoint a DPO regardless of the number of individuals whose personal data they process.
Application to non-EU organizations
Organizations that are not based within the EU, but that target EU citizens with goods and services, will be required to comply with the GDPR.
Application to Data Processors
Under the current Data Protection Act, Data Controllers are entirely accountable for the protection of Personal Data, even if some of that data is processed by third-party organizations acting as Data Processors.
Under the GDPR, Data Processors will be required to comply with the GDPR directly, which means they share the liability for data-loss incidents and non-compliance.
Thank you.
Other changes to be aware of:
1. Right to be forgotten. See the Select Committee report of July 2014.
2. Explicit consent. Individuals are required to give consent for their data to be processed.