An overview of the key characteristics of the EU GDPR, its origins and the legal implications of non-compliance. It also sets out the initial steps an organisation needs to follow to operate in compliance with the new cyber security regulatory landscape.
CyNation: 7 Things You Should Know about EU GDPR
1. 7 things you should know about EU GDPR
Shadi A. Razak
7th October 2016
2. Introduction
• Shadi A. Razak
– Chief Technology Officer
– Head of Compliance and Cyber Security Solutions
– 15 years' international experience in:
• Cyber security
• Information compliance
• Business digitalisation
– Private and public sector
– SMEs and international blue chip corporations
3. Introduction
We help organisations improve their compliance & security posture.
We do that by providing innovative cyber security and information compliance solutions that encompass people, processes and technology, enabling organisations to become more resilient and effective against threats.
4. Introduction
Fraud Detection
CyNation offers powerful yet easy to use analysis tools for detecting and preventing hidden internal fraud, external theft and poor procedural compliance.
Ubiquitous Monitoring
Combining an innovative object persistent database and an advanced ubiquitous data collector with data analytics and visualisation to proactively monitor multiple data types in one configurable system.
Secure Communications
CyNation's Secure Communication Platform (SCP) protects confidential information flows between employees and external parties through a secure communications application that looks like email and is as easy to use as the popular instant messaging clients.
Cyber Security Literacy
Tailor-made workshops and training sessions for Boards, C-suite executives & management, from cyber security awareness to cyber crisis incident response planning and simulation.
GRC (Compliance Management)
Combining human expertise with advanced data monitoring, data analytics & visualisation to proactively manage and comply with technical, operational, financial and legal standards and regulations.
Comprehensive Threat Insight
Combining advanced data analytics and visualisation solutions to proactively manage and avert threats.
Ongoing Risk Assessment
Combining business risk assessments, advanced vulnerability assessments and penetration testing with data analytics to proactively assess and manage cyber risk.
5. Agenda
• The landscape
• EU GDPR
– Structure
– Aim
– Benefits
– Consequences
– Data Security
• 7 things you should know
• 7 Steps to be ready
8. EU GDPR
European Union General Data Protection Regulation
1. General Provisions (Articles 1-4)
2. Principles (Articles 5-11)
3. Rights of Data Subjects: 5 Sections (Articles 12-23)
4. Controllers and Processors: 5 Sections (Articles 24-43)
5. Transfer of Personal Data (Articles 44-50)
6. Independent Supervisory Authorities (Articles 51-59)
7. Cooperation and Consistency (Articles 60-76)
8. Remedies, Liabilities and Penalties (Articles 77-84)
9. Processing Situation Provisions (Articles 85-91)
10. Delegation and Implementation Acts (Articles 92 & 93)
11. Final Provisions (Articles 94-99)
Annotations on the slide: "The core of the regulation" and "How supervisory authorities at the EU are going to enforce the regulation".
10. EU GDPR - Aim
• One Regulation
• Stronger enforcement body
• Data Protection Impact Assessment (DPIA)
• Include international suppliers in regulation scope
• Diminish distinction between processor and controller
11. EU GDPR - Benefits
• For business:
– One market : one law
– One stop shop
– Same rules for all companies
– No general registration requirement
12. EU GDPR - Benefits
• For customers / citizens:
– Better data security
– Better control over your personal data:
• Mandatory consent
• Right to be forgotten
• Right to object to profiling
• Better subject access request (SAR) regime
13. EU GDPR - Consequences
• Fine of €10 million or 2% of global turnover, whichever is greater:
– 8: Child's consent
– 11: Processing not requiring identification
– 25: Data protection by design and by default
– 26 - 30: Processing
– 31: Cooperation with the supervisory authority
– 32: Data security
– 33: Notification of breaches to supervisory authority
– 34: Communication of breaches to data subjects
– 35: Data protection impact assessment
– 36: Prior consultation
– 37 - 39: DPOs
– 41(4): Monitoring approved codes of conduct
– 42: Certification
– 43: Certification bodies
14. EU GDPR - Consequences
• Fine of €20 million or 4% of global turnover, whichever is greater:
– 5: Principles relating to the processing of personal data
– 6: Lawfulness of processing
– 7: Conditions for consent
– 9: Processing special categories of personal data (i.e. sensitive personal data)
– 12 - 22: Data subject rights
– 44 - 49: Transfers to third countries
– 58(1): Requirement to provide access to supervisory authority
– 58(2): Orders/limitations on processing or the suspension of data flows
15. EU GDPR - Consequences
Diagram: consequences of non-compliance across executive roles (CEO, CFO/COO, CIO, CHRO, CMO), leading to greater reputation risk:
• Audit failure
• Fines & criminal charges
• Financial loss
• Loss of data confidentiality, integrity and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation
• Loss of market share
• Damaged reputation
• Legal exposure
16. EU GDPR – Data security
• Chapter 4:
– 4 key articles:
• Section 2: Security of personal data
– Article 32: Security of processing
– Article 33: Notification of personal data breaches to the supervisory authority
– Article 34: Communication of personal data breaches to the data subjects
• Section 3: Data Protection Impact Assessment and Prior Consultation
– Article 35: Data protection impact assessment
17. EU GDPR – Data security
Organisation must:
• Implement appropriate security measures to protect personal data
• Have a clear data protection policy
• Have named a data protection officer
Organisation will:
• Greatly reduce the likelihood of being fined
• Not need to notify affected data subjects of the breach
18. 7 Things you should know
1. EU GDPR is already a reality
2. It is all about protecting the fundamental rights of natural persons
3. It applies to every organisation and every type of data
4. Consent rules
5. Accountability and transparency are the organisation's responsibility
6. A Data Protection Officer is needed
7. Encryption is not the answer
19. 7 steps to get ready
1. Audit your data
2. Identify who is responsible for this data
3. Design and implement appropriate measures to protect this data
4. Develop processes to deal with breaches/incidents
5. Designate a Data Protection Officer (DPO) and supporting team
6. Understand whose data you are controlling and/or processing
7. Develop a culture of privacy by design across the whole organisation
21. EU GDPR Readiness
• Get your organisation's EU GDPR Readiness report - December 2016 (contact@cynation.com)