Ilias Chantzos
Senior Director EMEA & APJ Government Affairs

GDPR Breach Notification: Demystifying What the Regulators Want

What’s So Important Now That the Deadline Has Passed?
• Not a finish line, just the start!
• A marathon, not a sprint
• Security vs Privacy at the strategic level
Cybersecurity is a Basic Principle in GDPR
Article 32 in GDPR reads – Security of processing –
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
“State of the Art”: Finding the ‘Goldilocks’ Technologies
Need to balance innovation with the degree of confidence that the technology will be robust enough to deliver on its promises
! “State of the Art” – a term used, but not defined, in GDPR…
Spectrum: Mature → “Goldilocks” zone → Bleeding Edge
Appropriate to the risk
• How to define risk?
• Assessment of risk – change over time
  • Likelihood
  • Consequence
• What is the likely threat – evolution of the landscape
  • Criminal
  • State
  • Political
  • Internal/External
• What type of data?
• What type of processing?
• Where is the data?
• Accept/Transfer/Mitigate?
The Regulatory Terms Of Reference

Article 4 Paragraph 12: THE BREACH – What can happen to data?
“… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

Recital 75: THE IMPACT – What can happen to the data subject?
“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage”

GDPR / DPA EXPECTATION: Anticipate, Avoid, Mitigate, Compensate
GDPR / DPA REQUIREMENT: Prevent, Detect, Log, Report, Remedy
GDPR and “Internal” Tensions: The Role of Realistic Guidance

Security
• Cannot rely on consent
• Monitoring of the environment
• Detection of a breach
• Adequate assessment of risk
• Adequate conclusions allowing notification
• Timely deployment of countermeasures/patches
• Encryption

Privacy of Employees
• Transparency of security measures/monitoring
• Minimizing invasiveness of monitoring
• Incident response and access to information
• Retention duration of records/log files
• Consultation/notification of employees
• Encryption
I. Principles of Breach Notification
Related Articles: 4(12), 33(1, 5), 34(1)
Types of personal data breaches:
• “Confidentiality breach”
• “Integrity breach”
• “Availability breach”
Consequence: The controller will be unable to ensure compliance
II. Notification to the Supervisory Authority
Breach detection:
• Identify: When does a controller become “aware”?
• Speed is of the essence to reduce the risk
• Assess: (High or Very-High Risk) → Implications
• Notify: Who and within which deadlines (e.g. 72h)
• Time to establish if personal data have been compromised is crucial.
Key DPO role:
• Providing data protection advice and information to the controller or processor
• Monitoring compliance with the GDPR
• Providing advice in relation to DPIAs
• Communicate with the DPA
II. What Should Be in the Notification to the DPA?
The notification must:
a) Describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.
III. Communication to Data Subjects
• Clear and plain language
• Nature of the personal data breach
• Measures to mitigate its possible adverse effects
Communication not required if the breach is unlikely to result in a high risk:
• Deployed technical and organisational measures
  • E.g. personal data rendered unintelligible
If a controller decides not to communicate a breach, or does so with delay:
• The decision should be demonstrably well founded
• Failure to do so might cause sanctions (€10M or 2% of global turnover)
• The DPA can still require a communication to be issued
• Accountability
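As an added example (not code from the deck or from the author's company), the following Python shows what the Article 32(1)(a) measure "pseudonymisation" looks like in practice and why it underpins the "personal data unintelligible" condition above: direct identifiers are replaced with keyed HMAC pseudonyms, the key and lookup table are kept apart from the exported dataset, and a pre-release check confirms no identifier value survives in the export. The record layout, field names and the idea of a separate key store are assumptions for the illustration.

```python
"""Keyed pseudonymisation with key separation (added example, not from the deck).

Assumed (hypothetical): records are flat dicts, "email" and "name" are the
direct identifiers, and the exported list is what a breached system would
expose while the key and lookup table live elsewhere."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records with fictitious people.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.org", "name": "Alice Example", "diagnosis": "A12"},
    {"email": "bob@example.org", "name": "Bob Example", "diagnosis": "B07"},
    {"email": "Alice@Example.org", "name": "Alice Example", "diagnosis": "C03"},
]

DIRECT_IDENTIFIERS = ("email", "name")


def new_pseudonymisation_key() -> bytes:
    """256-bit random key; it must be stored separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 of the normalised identifier.

    The same person always maps to the same pseudonym (so analytics still work),
    but without the key an attacker cannot reverse it or confirm a guess by
    hashing candidate e-mail addresses, which a plain unkeyed hash would allow."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: List[dict]) -> Tuple[List[dict], Dict[str, str]]:
    """Split each record into an exportable part and a key-side lookup entry.

    Returns (exported_records, lookup_table). Exported records carry only the
    pseudonym and non-identifying attributes; the lookup table (pseudonym ->
    e-mail) stays with the key holder and never leaves with the export."""
    exported: List[dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        lookup[pid] = rec["email"].strip().lower()
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        exported.append({"subject_id": pid, **attributes})
    return exported, lookup


def contains_direct_identifiers(exported: List[dict], originals: List[dict]) -> bool:
    """Release gate: True if any original identifier value still appears in the export."""
    leak_values = {str(rec[k]).strip().lower() for rec in originals for k in DIRECT_IDENTIFIERS}
    return any(str(v).strip().lower() in leak_values for rec in exported for v in rec.values())


def reidentify(lookup: Dict[str, str], exported_record: dict) -> Optional[str]:
    """Only the party holding the lookup table (and key) can map a record back to a person."""
    return lookup.get(exported_record["subject_id"])


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    export, table = pseudonymise(key, SAMPLE_RECORDS)
    print("identifiers leaked:", contains_direct_identifiers(export, SAMPLE_RECORDS))
    print("exported record:", export[0])
    print("re-identified by key holder:", reidentify(table, export[0]))
```

Two caveats a practitioner should carry into the breach assessment: pseudonymised data is still personal data under GDPR (Article 4(5) and Recital 26 are explicit about this), so the "unintelligible" argument for not notifying data subjects holds only while the key and lookup table were not themselves part of the breach, and a dataset that exports free-text or rare attributes can still be re-identified by linkage even when every direct identifier has been replaced.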
Some Technical Considerations
• Notification of the controller by the processor without assessing risk
• Partial notification is possible
• Immediate detection of the breach (Recital 87) and its technical/organizational consequences
• A planned system outage is not a breach
• Take into account the interest of a law enforcement investigation in cases of disclosure to data subjects (Recital 88) – relevant for non-EU LEA
• No retention requirements in GDPR – incumbent upon the controller to keep data about the incident
• Joint controllership arrangements should also foresee one controller taking the lead for notification purposes
“The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement”
What is the Difference Between On-premise & Cloud?
None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
What About BREXIT?
Any company that works with information relating to individuals in the EU will have to comply with the requirements of the GDPR

Brexit UK Government Positions
• UK law
• Data transfer impact
• Subcontractor clause
• Direct application of EU law by doing business in Europe
• A “UK Privacy Shield” necessitated by the Investigatory Powers Act?
• Human Rights convention and adequacy
Breaches Across Multiple Locations or Jurisdictions
Different scenarios:
• Data concerning different nationals within the EU
• Data within different locations
• Data held by different processors / cloud operators
Who to notify?
• Lead DPA?
• National DPA?
• Who is your regulator?
How is the investigation likely to happen?
What is the likely risk?
Use Cases: Supporting GDPR Across Data Privacy & Security

How Can Technology Help?
• Advanced Breach Detection, Remediation, & Notification: ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services
• Personal Data Protection Everywhere: DLP, CASB, Web, CDP, Encryption, VIP
• Technology Risk Management (Understand Data Risk; Understand, Report, and Remediate Compliance): DLP, Data Insight, CASB, Audit, CCS, EPM
Lifecycle: Protect / Detect / Respond / Prepare

Unparalleled Threat Intelligence
• Endpoint: 175M endpoints protected
• Email: 2Bn emails scanned/day
• Web: 1.2Bn web requests secured/day
• Physical & Virtual Workloads: 64K datacenters protected
• Cloud Security: 12,000 cloud applications secured
Use Case 3: Minimising Risk in Case of a Breach
o General Risk Assessment
o Risk of Breach of Sensitive Data, Professional Secrecy
o Risk of Identity Theft or Fraud
Relevant GDPR Articles:
o Article 5(2)
o Article 24
o Recitals 74, 77, 78, 82
o Article 32(1d)
Legislative and Standards Landscape
Regulatory Level:
• General Data Protection Regulation (GDPR) – All Industries Holding Personal Data
• Network Information Security Directive (NISD) a.k.a. Cyber Directive – Critical National Infrastructure: Financial Services; Energy; Water; Food; Transport; Health; Government; and Emergency Services
National Level: DPA, 10 Steps, Cyber Essentials, FTSE 350 Cyber, CREST
Industry Level:
• Financial Services: CBEST / FCA / PRA; PCI / PSD; MAS / Swiss / Lux
• Energy / Utilities: Health and Safety; CPNI
• PCI / DSS
Technical Standards: ISO 27001, ISO 27005, ISO 27018, COBIT
It’s Not Just About Technology
• Train people
• Establish protocols
• Exercise
• Look at your contracts
• Look at who you are doing business with
• Manage your risk lifecycle properly (threats, risks, technology, organization)
• Then consider how your technology investments can help you already and where you need to invest/develop further
• GDPR does not start or end with tech, but tech can help you start with GDPR
Key Takeaways
• Plan wisely, implementation may take longer than you think
• Engage with your board, report on progress in addressing data privacy via your security program
• Identify skill & knowledge gaps to determine when to bring in external partners and which ones
• Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate the risk
• Define a well-documented breach notification process first, and then identify technology that can help with breach detection, resolution, and notification
THANK YOU

Symantec Webinar Cloud Security Threat Report
 
Symantec Cloud Security Threat Report
Symantec Cloud Security Threat ReportSymantec Cloud Security Threat Report
Symantec Cloud Security Threat Report
 
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
Symantec Webinar | Security Analytics Breached! Next Generation Network Foren...
 
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
Symantec Webinar | Implementing a Zero Trust Framework to Secure Modern Workf...
 
Symantec Webinar | Tips for Successful CASB Projects
Symantec Webinar |  Tips for Successful CASB ProjectsSymantec Webinar |  Tips for Successful CASB Projects
Symantec Webinar | Tips for Successful CASB Projects
 
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
Symantec Webinar: What Cyber Threats Are Lurking in Your Network?
 
Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019Symantec ISTR 24 Webcast 2019
Symantec ISTR 24 Webcast 2019
 
Symantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front LinesSymantec Best Practices for Cloud Security: Insights from the Front Lines
Symantec Best Practices for Cloud Security: Insights from the Front Lines
 
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
Symantec - The Importance of Building Your Zero Trust Program on a Solid Plat...
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy BearSymantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
Symantec Webinar Using Advanced Detection and MITRE ATT&CK to Cage Fancy Bear
 
Symantec Internet Security Threat Report (ISTR) 23 Webinar
Symantec Internet Security Threat Report (ISTR) 23 WebinarSymantec Internet Security Threat Report (ISTR) 23 Webinar
Symantec Internet Security Threat Report (ISTR) 23 Webinar
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

GDPR Breach Notification: Demystifying What the Regulators Want (slide text)

5. Appropriate to the Risk
• How to define risk?
• Assessment of risk changes over time
  • Likelihood
  • Consequence
• What is the likely threat? The landscape evolves
  • Criminal
  • State
  • Political
  • Internal / external
• What type of data?
• What type of processing?
• Where is the data?
• Accept / transfer / mitigate?
6. The Regulatory Terms of Reference
Article 4(12), THE BREACH: what can happen to data?
"… a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Recital 75, THE IMPACT: what can happen to the data subject?
"The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage"
GDPR / DPA expectation: Anticipate, Avoid, Mitigate, Compensate
GDPR / DPA requirement: Prevent, Detect, Log, Report, Remedy
7. GDPR and "Internal" Tensions: The Role of Realistic Guidance
Security:
• Cannot rely on consent
• Monitoring of the environment
• Detection of a breach
• Adequate assessment of risk
• Adequate conclusions allowing notification
• Timely deployment of countermeasures / patches
• Encryption
Privacy of employees:
• Transparency of security measures / monitoring
• Minimising invasiveness of monitoring
• Incident response and access to information
• Retention duration of records / log files
• Consultation / notification of employees
• Encryption
8. I. Principles of Breach Notification
Related articles: 4(12), 33(1), 33(5), 34(1)
Types of personal data breach:
• "Confidentiality breach": unauthorised or accidental disclosure of, or access to, personal data
• "Integrity breach": unauthorised or accidental alteration of personal data
• "Availability breach": accidental or unauthorised loss of access to, or destruction of, personal data
Consequence of any of these: the controller will be unable to ensure compliance
9. II. Notification to the Supervisory Authority
Breach detection:
• Identify: when does a controller become "aware"? The notification clock starts at that moment
• Speed is of the essence to reduce the risk
• Assess: is the breach likely to result in a risk (notify the DPA) or in a high risk (also communicate to the data subjects)? The implications follow from that assessment
• Notify: whom, and within which deadline (e.g. 72 hours for the DPA)
• The time taken to establish whether personal data have been compromised is crucial
Key DPO role:
• Providing data protection advice and information to the controller or processor
• Monitoring compliance with the GDPR
• Providing advice in relation to DPIAs
• Communicating with the DPA
10. II. What Should Be in the Notification to the DPA?
The notification must:
a) Describe the nature of the personal data breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned;
b) Recommend measures to mitigate the possible adverse effects of the personal data breach;
c) Describe the likely consequences of the personal data breach;
d) Describe the measures proposed or taken by the controller to address the personal data breach.
11. III. Communication to Data Subjects
The communication must use clear and plain language and describe:
• The nature of the personal data breach
• Measures to mitigate its possible adverse effects
Communication is not required if a high risk is unlikely, for example because of the technical and organisational measures deployed (e.g. the personal data were rendered unintelligible, such as by encryption whose keys were not compromised).
If a controller decides not to communicate a breach, or does so with delay:
• The decision should be demonstrably well founded (accountability)
• Failure to do so may attract sanctions (up to €10M or 2% of global annual turnover, whichever is higher)
• The DPA can still require a communication to be issued
12. Some Technical Considerations
• A processor notifies the controller without undue delay and without first assessing the risk; the risk assessment is the controller's job
• Partial notification is possible: information may be supplied in phases where it is not all available at once
• Immediate detection of a breach (Recital 87) and its technical / organisational consequences
• A planned system outage is not a breach
• Take into account the interest of law enforcement investigations when disclosing to data subjects (Recital 88); relevant also for non-EU law enforcement agencies
• GDPR sets no retention period for breach records; it is incumbent upon the controller to document the incident (Article 33(5))
• Joint controllership arrangements should also designate which controller takes the lead for notification purposes
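The notification rules on slides 8 to 12 (the three breach types, the 72-hour clock that starts when the controller becomes aware, DPA notification unless a risk is unlikely, communication to data subjects when a high risk is likely unless the data were unintelligible or the risk was later removed, documentation of every breach, phased notification and the processor-to-controller report) can be written down as a decision record for the incident log so that nobody re-derives them at 2 a.m. The Python below is an added example written for this page; it is not code from the deck or from Symantec. The three-level Risk scale, the sample incident and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class BreachType(Enum):
    """The three breach outcomes of Art. 4(12), grouped as on slide 8."""
    CONFIDENTIALITY = "unauthorised disclosure of, or access to, personal data"
    INTEGRITY = "unauthorised or accidental alteration of personal data"
    AVAILABILITY = "accidental or unauthorised loss of access to, or destruction of, personal data"


class Risk(Enum):
    """Controller's assessed risk to data subjects. Assumed three-level scale: GDPR itself
    only distinguishes 'unlikely to result in a risk' (Art. 33(1)) from 'high risk' (Art. 34(1))."""
    UNLIKELY = 0
    RISK = 1
    HIGH = 2


DPA_WINDOW = timedelta(hours=72)  # Art. 33(1): "not later than 72 hours after having become aware"


@dataclass
class Breach:
    types: set                            # one or more BreachType
    aware_at: datetime                    # when the controller became "aware"; the 72 h clock starts here
    risk: Risk
    data_unintelligible: bool = False     # Art. 34(3)(a): e.g. encrypted and the key was not compromised
    risk_removed_later: bool = False      # Art. 34(3)(b): later measures mean a high risk is no longer likely
    reported_by_processor: bool = False   # Art. 33(2): the processor reports without assessing risk


def dpa_deadline(b: Breach) -> datetime:
    return b.aware_at + DPA_WINDOW


def must_notify_dpa(b: Breach) -> bool:
    """Art. 33(1): notify the supervisory authority unless the breach is unlikely to result in a risk."""
    return b.risk is not Risk.UNLIKELY


def must_tell_data_subjects(b: Breach) -> bool:
    """Art. 34(1) with the Art. 34(3)(a)/(b) exemptions from slide 11. The DPA can still order
    a communication (Art. 34(4)); that override is outside this function."""
    if b.risk is not Risk.HIGH:
        return False
    return not (b.data_unintelligible or b.risk_removed_later)


def decide(b: Breach, now: datetime) -> dict:
    """Decision record for the incident log. Art. 33(5) requires every breach to be
    documented, notified or not, so the record is always kept."""
    deadline = dpa_deadline(b)
    notify = must_notify_dpa(b)
    late = notify and now > deadline
    return {
        "notify_dpa": notify,
        "dpa_deadline_utc": deadline,
        "hours_remaining": max(0.0, (deadline - now).total_seconds() / 3600),
        "late": late,
        "reasons_for_delay_required": late,  # Art. 33(1): a late notification must state the reasons
        "communicate_to_data_subjects": must_tell_data_subjects(b),
        "document_internally": True,
    }


def dpa_notification(b: Breach, *, subject_categories, subject_count, record_categories,
                     record_count, dpo_contact, consequences, measures, phased=False) -> dict:
    """Minimum content of an Art. 33(3) notification as listed on slide 10, plus the DPO contact
    point Art. 33(3)(b) requires. phased=True marks an initial notification to be completed in
    phases (Art. 33(4)) because not all facts are known yet."""
    return {
        "nature": {"types": sorted(t.name for t in b.types),
                   "subject_categories": subject_categories, "approx_subject_count": subject_count,
                   "record_categories": record_categories, "approx_record_count": record_count},
        "dpo_contact": dpo_contact,
        "likely_consequences": consequences,
        "measures_taken_or_proposed": measures,
        "phased": phased,
        "reported_by_processor": b.reported_by_processor,
    }


def sample_breach(**overrides) -> Breach:
    """Constructed sample incident (not a real case): a confidentiality breach the controller
    became aware of at 10:00 UTC on 25 May 2018, assessed as high risk."""
    fields = dict(types={BreachType.CONFIDENTIALITY},
                  aware_at=datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc), risk=Risk.HIGH)
    fields.update(overrides)
    return Breach(**fields)


if __name__ == "__main__":
    b = sample_breach()
    for offset in (DPA_WINDOW / 2, DPA_WINDOW * 2):  # 36 h in (on time), then 144 h in (late)
        print(decide(b, b.aware_at + offset))
```

The record deliberately never suppresses `document_internally`: a breach judged unlikely to pose a risk still has to be written up, because the DPA can ask for that reasoning later. `hours_remaining` is computed from the awareness timestamp, not from detection by a processor or a log entry, which is why establishing the moment of awareness (slide 9) matters so much in practice.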
13. Administrative fines for multiple infringements
"The occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement"
14. What Is the Difference Between On-premise and Cloud?
None in terms of the security requirements. But do you have the same visibility and control over data in the cloud?
15. What About BREXIT?
Any company that works with information relating to individuals in the EU will have to comply with the requirements of the GDPR.
UK Government positions and open questions:
• UK law
• Data transfer impact
• Subcontractor clause
• Direct application of EU law by doing business in Europe
• A "UK Privacy Shield" necessitated by the Investigatory Powers Act?
• Human Rights Convention and adequacy
16. Breaches Across Multiple Locations or Jurisdictions
Different scenarios:
• Data concerning nationals of different EU member states
• Data held in different locations
• Data held by different processors / cloud operators
Who is your regulator: the lead DPA or a national DPA? Whom do you notify? How is the investigation likely to happen? What is the likely risk?
17. How Can Technology Help? Use Cases Supporting GDPR Across Data Privacy and Security
Lifecycle: PREPARE, PROTECT, DETECT, RESPOND
• Advanced breach detection, remediation and notification: ATP, Analytics, Endpoint, Email, Server, Web / CASB, Cyber Security Services
• Personal data protection everywhere: DLP, CASB, Web, CDP, Encryption, VIP
• Technology risk management / understand data risk: DLP, Data Insight, CASB Audit
• Understand, report and remediate compliance: CCS, EPM
Threat intelligence (vendor figures): 175M endpoints protected; 2Bn emails scanned per day; 1.2Bn web requests secured per day; 64K data centres protected (physical and virtual workloads); 12,000 cloud applications secured
18. Use Case 3: Minimising Risk in Case of a Breach
• General risk assessment
• Risk of breach of sensitive data, professional secrecy
• Risk of identity theft or fraud
Relevant GDPR articles: Article 5(2); Article 24; Recitals 74, 77, 78, 82; Article 32(1)(d)
Mapped onto the same technology use cases and lifecycle (prepare, protect, detect, respond) as slide 17.
19. Legislative and Standards Landscape
Regulatory level:
• General Data Protection Regulation (GDPR): all industries holding personal data
• Network and Information Security (NIS) Directive, a.k.a. the Cyber Directive: critical national infrastructure (financial services, energy, water, food, transport, health, government, emergency services)
National level:
• DPA guidance; 10 Steps to Cyber Security; Cyber Essentials; FTSE 350 Cyber Governance Health Check; CREST
Industry level:
• Financial services: CBEST / FCA / PRA; PCI / PSD; MAS / Swiss / Lux regulators
• Energy / utilities; health and safety; CPNI; PCI DSS
Technical standards:
• ISO 27001; ISO 27005; ISO 27018; COBIT
20. It's Not Just About Technology
• Train people
• Establish protocols
• Exercise
• Look at your contracts
• Look at who you are doing business with
• Manage your risk lifecycle properly (threats, risks, technology, organisation)
• Then consider how your technology investments can already help you, and where you need to invest or develop further
• GDPR does not start or end with tech, but tech can help you start with GDPR
21. Key Takeaways
• Plan wisely: implementation may take longer than you think
• Engage with your board; report on progress in addressing data privacy via your security programme
• Identify skill and knowledge gaps to determine when to bring in external partners, and which ones
• Explain the risk and treat it as an opportunity to build the business case and drive the investment you need to mitigate it
• Define a well-documented breach notification process first, and then identify technology that can help with breach detection, resolution and notification
22. THANK YOU