An overview of EU GDPR key characteristics, its origins and legal implications of non-compliance. It also provides the initial steps that an organisation needs to follow to operate in compliance with new cyber security regulatory landscape.

1. 7 things you should know
about EU GDPR
Shadi A. Razak
7th October 2016

2. Introduction
• Shadi A. Razak
– Chief Technology Officer
– Head of Compliance and Cyber Security Solutions
– 15 international experience in:
• Cyber security,
• Information compliance
• Business digitalisation
– Private and public Sector
– SMEs and International blue chip corporations

3. Introduction
We do that by providing innovative
cyber security and information
compliance solutions that
encompass people, processes and
technology, enabling organisations
to become more resilient and
effective against threats.
We help organisations improve their
compliance & security posture.

4. Introduction
Fraud Detection
CyNation’s offers the most powerful
yet easy to use analysis tools for
detecting and preventing invisible
internal fraud, external theft and poor
procedural compliance.
Ubiquitous Monitoring
Combining an innovative object persistent database, advanced ubiquitous
data collector with data analytics and high visualisation to proactively
monitor multiple data types in one configurable system.
Secure Communications
CyNation’s Secure Communication
Platform (SCP) protects confidential
information flows between employees
and external parties through a secure
communications application that looks
like email and is as easy to use as the
popular instant messaging clients.
Cyber Security Literacy
Tailor-made workshops and training
sessions for Boards, C-suite
executives & management from cyber
security awareness to cyber crisis
incident response planning and
simulation.
GRC (Compliance Management)
Combining human expertise with advanced
data monitoring, data analytics &
visualisation to proactively manage and
comply with technical, operational, financial
and legal standards and regulations.
Comprehensive Threat Insight
Combining advanced solutions of data
analytics and visualisation to proactively
manage and avert threats.
Ongoing Risk Assessment
Combining business risk
assessments, advanced vulnerability
assessments and penetration testing
with data analytics to proactively
assess and manage cyber risk.

5. Agenda
• The landscape
• EU GDPR
– Structure
– Aim
– Benefits
– Consequences
– Data Security
• 7 things you should know
• 7 Steps to be ready

6. The landscape
$
V.S
Different
legal system
across the
world
Personal
data is
valuable
Contrast
between
Europe & US
legislation

7. The landscape
Source: UNCTD, 2016

8. EU GDPR
European Union General Data Protection Regulation
General Provisions (Articles 1-4)
Principles (Articles 5-11)
Rights of Data Subjects: 5 Sections (Articles 12-23)
Controller and Processors: 5 Section (Articles 24-43)
Transfer of Personal Data (Articles 44-50)
Independent Supervisory Authorities (Articles 51-59)
Cooperation and Consistency (Articles 60-76)
Remedies, Liabilities and Penalties (Articles 77-84)
Processing Situation Provisions (Article 85-91)
Delegation and Implementation Act (Article 92&93)
Final Provisions (Articles 94-99)
1
2
3
4
5
6
7
8
9
10
11
The core of
the regulation
How supervisory
authorities at the
EU are going to
enforce the
regulation

9. EU GDPR
ConsequencesBenefits
Aim

10. EU GDPR - Aim
• One Regulation
• Stronger enforcement body
• Data Protection Impact Assessment (DPIA)
• Include international suppliers in regulation
scope
• Diminish distinction between processor and
controller

11. EU GDPR - Benefits
• For business:
– One market : one law
– One stop shop
– Same rules for all companies
– No general registration requirement

12. EU GDPR - Benefits
• For customers / citizens:
– Better data security
– Better control over your personal data:
• Mandatory consent
• Right to be forgotten
• Right to object to profiling
• Better subject access request (SAR) regime

13. EU GDPR - Consequences
• Fine of €10million or 2% of global turnover, whichever is
greater:
ꟷ 8: Child’s consent
ꟷ 11: Processing not requiring
identification
ꟷ 25: Data protection by design and by
default
ꟷ 26 - 30: Processing
ꟷ 31: Cooperation with the supervisory
authority
ꟷ 32: Data security
ꟷ 33: Notification of breaches to
supervisory authority
ꟷ 34: Communication of breaches to
data subjects
ꟷ 35: Data protection impact
assessment
ꟷ 36: Prior consultation
ꟷ 37 -39: DPOs
ꟷ 41(4): Monitoring approved
codes of conduct
ꟷ 42: Certification
ꟷ 43: Certification bodies

14. EU GDPR - Consequences
• Fine of €20million or 4% of global turnover, whichever is
greater:
– 5: Principles relating to the processing of personal data
– 6: Lawfulness of processing
– 7: Conditions for consent
– 9: Processing special categories of personal data (i.e. sensitive
personal data)
– 12 - 22: Data subject rights
– 44 - 49: Transfers to third countries
– 58(1): Requirement to provide access to supervisory authority
– 58(2): Orders/limitations on processing or the suspension of data
flows

15. EU GDPR - Consequences
Audit failure
Fines &
criminal
charges
Financial loss
Loss of data
confidentiality,
integrity
and/or
availability
Violation of
employee
privacy
Loss of
customer
Trust
Loss of brand
reputation
Loss of
market share
Damaged
reputation
Legal
exposure
CEO CFO/COO CIO CHRO CMO
Greater Reputation
Risk

16. EU GDPR – Data security
• Chapter 4:
– 4 Key articles:
• Section 2: Security of personal data
– Article 32: Security of Processing
– Article 33: Notification of personal data breaches to the supervisory
authority
– Article 34: Communication of personal data breaches to the data
subjects
• Section 3: Data Protection Impact Assessment and Prior
Consultation
– Article 35: Data protection impact assessment

17. EU GDPR – Data security
Organisation must Organisation will
• greatly reduce the
likelihood of being fined
• will not need to notify
affected data subjects of
the breach
• Implement appropriate security
measures to protect personal
data
• Have a clear data protection
policy
• Have named a data protection
officer

18. 7 Thing you should know
EU GDPR is already a reality
It is all about protecting the fundamental rights of natural
person
It applies to every organisation and every type of data
Consent Rules
Accountability and transparency are the organisation
responsibility
Data Protection Officer is needed
Encryption is not the answer
1
2
3
4
5
6
7

19. 7 steps to get ready
1
• Audit your data
2
• Identify who is responsible for this data
3
• Design and implement appropriate measure to protect this data
4
• Develop processes to deal with breaches/incidents
5
• Designate a Data protection Officer (DPO) and supporting team
6
• Understand who is data you are controlling and/or processing
7
• Develop culture of Privacy by design wide across the organisation

20. 7 steps to get ready
1
• Audit your data
2
• Identify who is responsible for this data
3
• Design and implement appropriate measure to protect this data
4
• Develop processes to deal with breaches/incidents
5
• Designate a Data protection Officer (DPO) and supporting team
6
• Understand who is data you are controlling and/or processing
7
• Develop culture of Privacy by design wide across the organisation

21. EU GDPR Readiness
• Get your organisation EU GDPR Readiness report -
December 2016 (contact@cynation.com)

22. © Copyright CyNation Limited 2016. All rights reserved. Without the express prior written consent of the CyNation, the presentation and any information contained within it may not be
(i) reproduced (in whole or in part), (ii) copied at any time, (iii)used for any purpose other than your evaluation of the company or (iv) provided to any other person, except your
employees, and advisors with a need to know who are advised of the confidentiality of the information. The information contained in these materials is provided for informational
purposes only, and is provided as is without warranty of any kind, express or implied. CyNation shall not be responsible for any damages arising out of the use of, or otherwise related
to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from CyNation or its suppliers or
licensors, or altering the terms and conditions of the applicable license agreement governing the use of CyNation solutions and services. Product release dates and / or capabilities
referenced in these materials may change at any time at CyNation’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future
product or feature availability in any way.
We would be delighted to talk to you:
Shadi A. Razak
shadi.razak@cynation.com
T: +44(0)7768 686638