Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to Know

The General Data Protection Regulation:
What North American Companies Need to Know
Ken Durbin, CISSP
Sr. Strategist of Government Affairs
and Cyber Security, Symantec

Legal Disclaimer
The materials contained in this presentation are not intended to provide, and
do not constitute or comprise, legal advice on any particular matter and are
provided for general information purposes only.
You should not act or refrain from acting on the basis of any material
contained in this presentation, without seeking appropriate legal or other
professional advice.

Agenda
GDPR Overview + North America Impact
Who’s Who in the Protection of Personal Data
Technology Considerations for GDPR
Risk Scenarios
1
2
3
4
How to Get Started5

GDPR Overview +
North America Impact

Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
EU General Data Protection Regulation (GDPR)
5
28 Interpretations of the Data Protection
Directive
One Data Protection Regulation
Harmonized across all EU member states
TODAY: 2018:
Right to be forgotten Parental Consent Data Protection Officer
Extra-territoriality of GDPR
Fines and penalties
Joint Liability of Controllers and Processors
Mandatory Breach Notification

Managing and Demonstration Compliance
6
Provision / Requirement
General principle of accountability of data controllers
Article 32(1d): Customer needs a process for regularly testing, assessing and
evaluating the effectiveness of technical and organizational measures for
ensuring the security of the processing.
GDPR
What Does That Mean?
Controllers must take every technical and organizational measure appropriate
to ensuring and demonstrating compliance.

North America Impact – Why Should I Care?
7
Does any of your revenue come from the EU? Yes No
Do you have any EU based subsidiaries, remote offices / employees? Yes No
Do you offer any goods/services to the EU? Yes No
Do you collect EU Data User information such as: IP’s, Geo Location, online history,
social media posts, POC info, etc. Yes No
If you answered YES to any of these you need to prepare for the GDPR

Who’s Who in the Protection
of Personal Data

9
DATA CONTROLLER DATA SUBJECTDATA PROCESSOR
DATA PROTECTION OFFICER
Data Protection Officers are designated persons responsible for making sure the
organization follows the new regulations.
DATA PROTECTION AUTHORITY

What is Personal Data Under the GDPR?
10
EU User data belongs to the EU User, not the person who collected it.
You MUST think beyond the US definition of PII
GDPR Examples:
• Every manner of HR data / consumer data
• Business contact information (including email addresses)
• Behavioral information including website visitors’ data (logged in house or stored remotely, e.g. cookies)
• IT network traffic and communication logs
• Any potentially identifiable information even collected from publicly available sources IS personal data.
REMEMBER: You don’t decide what’s personal data is, the GDPR decides

GDPR Impacted Organizations
11
Companies who need to care about GDPR:
• Large multi-national companies (Symantec, Financials, Aerospace)
• Companies with EU Based Locations, remote employees
• US based companies that do EU Market Research (Brexit surveys)
• US based companies who subcontract to EU Firms (Process Data)
• Any US based company that markets products/services to the EU
Example:
• Pub owner creates a funny Brexit T-shirt. EU users hears about it and buys one off website.
• No, this will not trigger the GDPR
• Pub owner wants to increase sales and Markets T-Shirt in the EU, maybe sets up a mirror site.
• Yes, this does trigger the GDPR

The Regulatory Terms of Reference
Article 4 paragraph 12: THE BREACH
What can happen to data?
“… a breach of security leading to the
accidental or unlawful destruction,
loss, alteration, unauthorized
disclosure of, or access to, personal
data transmitted, stored or otherwise
processed”
Recital 75: THE IMPACT
What can happen to the data subject?
“The risk to the rights and freedoms of
natural persons, of varying likelihood
and severity, may result from personal
data processing which could lead to
physical, material or non-material
damage”
GDPR / DPA REQUIREMENT:
Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION:
Anticipate, Avoid, Mitigate, Compensate

RISK SURFACE
Enforcement by national
Data Protection Authorities
72 hours to notify of a breach once aware
2% or
$10 mil
4% or
$20mil
GDPR Risks to US Companies
What triggers
investigation?
•Complaint by consumer, employee, competitor
•Own initiative
•Security incident

Typical Customer Timeline for the GDPR
14
25th May 2018
GDPR comes into force
across all EU states
(including the UK)
Awareness Phase
What is it and does it really impact me?
25th May 2016
Formal EU Approval of
GDPR
2H 2016 2017 2018
Discovery & Planning
What do I need to do and when by?
• Thought Leadership
• Awareness
• Education
• Risk Assessments / Gap Analysis
• Advisory Services
• Information Governance Plans
• Budgeting / Hiring Key Staff
Implementation
Making Changes to Prepare
• Policy and Organisational Updates
• Addressing Technology Gaps
• Purchasing of Software and
Technology
Have concerns about ability to
become compliant
9 in 10
Do not fully understand GDPR
96%
Consider compliance at top priority
in the next two years
22%
April 2017

Technology Considerations
for the GDPR

Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY 16
Know your
Personal data
Process Data
Lawfully
Embed
privacy
Protect
Personal Data
PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
Technology Considerations for the GDPR

Define and Locate
Personal Data
Secure Technology
that Collects
Personal Data
Record Consent
from Data
Subjects
Detect and Block
Threats to Data in
Use
Privacy Impact
Assessments
Validate Data
Processors
Restrict Processing
of Data YOU have
to Retain
Prevent Data Loss,
Report Breaches
Control Access to
Data
Protect Data at
Rest
Secure Transfer
and Storage of
Collected Data
Risk Management
of Info Lifecycle
Validate Data
Subjects Invoking
Rights
Educate DPOs on
Cyber Risk
Pseudonymisation
and obfuscation
of personal data
Minimise,
Anonymize, Erase
Data
17
Collect Process Retain & Secure Manage
Security
Privacy
Data Governance Framework to Manage Privacy

How do I manage and report on my information risk management practices?
Who can access personal data and who has accessed it?
Can we control what personal data is accessible and who can access it?
Can we encrypt / obfuscate personal data at rest and in motion?
What personal data is out there, where is it, and where is it going?
Can we control where data resides?
Can we detect unauthorised access or breaches of personal data?
Can we quickly and thoroughly notify in the event of a breach?
Can we respond quickly and investigate thoroughly following a breach?
Risk Management
Control Compliance Suite (CCS)
Endpoint Mgmt. (EPM)
Information Centric Security
Data Loss Prevention (DLP)
Cloud Access Security Broker
(CASB)
VIP (2-factor)
Encryption (PGP)
Cloud Data Protection (data
tokenisation)
Breach Response
Monitoring Security Service
(MSS)
Incident Response Service
Security Analytics
How Symantec can Assist with the GDPR?
16

Advanced Breach Detection, Remediation, & Notification
ATP
Analytics
Endpoint
Email
Server
Web /
CASB Cyber Security
Services
DLP
CASB
Web
CDPEncryption
Personal Data Protection Everywhere
PROTECTDETECT
RESPOND
RECOVER
Technology Risk Management
DLP
Data Insight
CASB
Audit
CCS
EPM
Understand
Data Risk
Understand,
Report, and
Remediate
Compliance
Unparalleled Threat
Intelligence
Endpoint
175M
endpoints
protected
Email
2Bm emails
scanned/day
Web
1.2Bn web
requests
secured/day
Physical &
Virtual
Workloads
64K Datacenters
protected
Cloud
Security
12,000 cloud
applications
secured
IDENTIFY
VIP / MPKI
Symantec Supports Across Data Privacy and Security

Risk Scenarios
Examples of risks/events in GDPR that Controllers
and Processors need to prepare/plan for

Practical Scenario 1
• Data In Motion:
• Data leaving your organization: Is it encrypted?
• Transfer via email: Is the email encrypted?
• Transfer via a platform: Is the platform secure?
• Data At Rest:
• Storage on servers: Is the data center secured?
• Storage at end-points: Are the devices protected?
• Data In Use:
• In house: Is access control in place?
• Outsourced: Are cloud and shadow IT addressed?
• In management: Is data loss prevention in place?
21
DLP
Email Encryption
DCS, DLP, Data
Analytics
PGP, SEP, ATP
VIP, mPKI
DLP
CASB / CDP
FileShare Encryption
How could I protect against personal data loss?

• General Risk Assessment
• Do I track threats affecting my line of business?
• Do I track the risk to the kind of data I handle?
• Do I track the risk posture of the vendors I use?
• Risk Of Breach Of Sensitive Data, Of Professional Secrecy
• Do I classify information based on sensitiveness?
• Do I apply specific policies to specific categories?
• Risk Of Identity Theft Or Fraud:
• Do I segregate directly identifiable information?
• Do I restrict access to re-identification keys?
• Is my certificate and key management robust?
22
DLP
CDP
mPKI
VIP
CSS
Threat Intelligence
CASB
How do I mitigate the risk to data subjects?

• Pseudonymisation (article 32 paragraph 1(a)):
• Have I pseudonymised the data?
• Can I prevent reversal of pseudonymisation?
• Encryption (article 33 paragraph 3(a)):
• Can I prove that the breached data is encrypted?
• Can I prove that the encryption is strong enough?
• Ongoing Testing and Evaluation (Article 32 1(d))
• a process for regularly testing, assessing and evaluating the
effectiveness of technical and organizational measures for ensuring the
security of the processing
23
PGP
CDP
IT Management
Suite, Control
Compliance Suite
Minimising Risk In Case Of A Breach

 “Lock down” risks for space to plan
 Ensure security and data basics are right
 Encryption and Endpoint bare minimum
 Review GDPR risks
 Mitigate Shadow IT risk
 Focus on Incident Response capability
(technology / services)
 State of the Art data protection
• Where is all my data?
• Is it covered by GDPR?
• Protection (who has access, encryption etc)
• Breach detection
 As implement better data protection
systems, review whether ‘lock down’
measures can be relaxed
25
How to Get Started
Don’t Panic! Start with a Focus on Data

Located in the Attachments Section of this Presentation
GDPR Resources
IDC GDPR Readiness Assessment
Benchmark your progress to GDPR
compliance
Privacy by Design
Uncover how to adopt this approach to
personal data security
Solving the Security Challenge
A technical review of GDPR and the
recommended solutions
Symantec GDPR Website
Visit our website for a complete list of
resources, tools, and onDemand videos

Why Symantec
27
World Class
Information protection
Global Leader in
Cyber Security
Leading Breach
detection and
response
Unbiased and
lower operating
costs
Compliance
monitoring &
reporting
State of the Art
Technology

The General Data Protection Regulation:
What North American Companies Need to Know
Ken Durbin, CISSP
Sr. Strategist of Government Affairs
and Cyber Security, Symantec
Thank you!!

Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to Know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to Know

Similar to Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to Know (20)

More from Symantec

More from Symantec (20)

Recently uploaded

Recently uploaded (20)

Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to Know