Learn more about the transfer of personal data across borders, including best practices for protecting your information against physical and virtual threats in order to maintain data integrity and confidentiality. To view the on demand version of the webinar click here: https://symc.ly/2uLlDNf.

1. The General Data Protection Regulation:
The Operational Impact of Cross Border Data Transfer
Ken Durbin, CISSP
Sr. Strategist of Global Government
Affairs and Cyber Security,
Symantec

2. Legal Disclaimer
The materials contained in this presentation are not intended to provide, and
do not constitute or comprise, legal advice on any particular matter and are
provided for general information purposes only.
You should not act or refrain from acting on the basis of any material
contained in this presentation, without seeking appropriate legal or other
professional advice.

3. Agenda
GDPR Overview
Transferring Personal Data: Rules, Definitions,
and Fines
Technology Considerations for GDPR
GDPR Resources
1
2
3
4

4. GDPR Overview

5. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
EU General Data Protection Regulation (GDPR)
5
28 Interpretations of the Data Protection
Directive
One Data Protection Regulation
Harmonized across all EU member states
TODAY: 2018:
Right to be forgotten Parental Consent Data Protection Officer
Extra-territoriality of GDPR
Fines and penalties
Joint Liability of Controllers and Processors
Mandatory Breach Notification

6. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Who’s Who in the Protection of Personal Data
6
DATA CONTROLLER DATA SUBJECTDATA PROCESSOR
DATA PROTECTION OFFICER
Data Protection Officers are designated persons responsible for making sure the
organization follows the new regulations.
DATA PROTECTION AUTHORITY

7. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
What is Personal Data Under the GDPR?
Who’s Who in the Protection of Personal Data
7
EU User data belongs to the EU User, not the person who collected it.
You MUST think beyond the US definition of PII
GDPR Examples:
• Every manner of HR data / consumer data
• Business contact information (including email addresses)
• Behavioral information including website visitors’ data (logged in house or stored remotely, e.g. cookies)
• IT network traffic and communication logs
• Any potentially identifiable information even collected from publicly available sources IS personal data.
REMEMBER: You don’t decide what’s personal data is, the GDPR decides

8. Transferring Personal Data:
Rules, Definitions, and
Fines

9. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Transferring Personal Data
GDPR conditionally permits and
regulates data exports out of Europe
GDPR requires data to be secured
when it leaves Europe
Under specific circumstances and ensuring the
appropriate legal and technical controls exist.
Symantec’s solutions can help track personal
data movement and compliance
Data residency is not mandated by the
GDPR. GDPR ensures free flow of personal
data cross the EU/EEA and to ‘adequate’
third countries
Symantec’s solutions can help to provide the
same level of protection to data as it leaves
the EU
EU has defined legal requirements that
must be followed to export data
Symantec follows these requirements to
control export of personal data when
necessary
9
GDPR enables the safe and free flow of
personal data in Europe
ApproachRequirement

10. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Transferring Personal Data
The Regulatory Terms of Reference
Article 4 paragraph 12: THE BREACH
What can happen to data?
“… a breach of security leading to the
accidental or unlawful destruction,
loss, alteration, unauthorized
disclosure of, or access to, personal
data transmitted, stored or otherwise
processed”
Recital 75: THE IMPACT
What can happen to the data subject?
“The risk to the rights and freedoms of
natural persons, of varying likelihood
and severity, may result from personal
data processing which could lead to
physical, material or non-material
damage”
GDPR / DPA REQUIREMENT:
Prevent, Detect, Log, Report, Remedy
GDPR / DPA EXPECTATION:
Anticipate, Avoid, Mitigate, Compensate

11. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Article 32 in GDPR Reads:
Security of processing: Taking into account the state of the art, the costs of implementation and the nature, scope,
context and purposes of processing as well as the risk of varying likelihood and severity for the rights and
freedoms of natural persons, the controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
 The pseudonymisation and encryption of personal data
 The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and
services;
 The ability to restore the availability and access to personal data in a timely manner in the event of a physical or
technical incident;
 A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational
measures for ensuring the security of the processing.
11
Transferring Personal Data
Cybersecurity is a Basic Principle in the GDPR

12. Technology Considerations
for the GDPR

13. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY 13
Know your
Personal data
Process Data
Lawfully
Embed
privacy
Protect
Personal Data
PROTECT PERSONAL INFORMATION THROUGH ITS LIFECYCLE
Technology Considerations for the GDPR

14. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Define and Locate
Personal Data
Secure Technology
that Collects
Personal Data
Record Consent
from Data
Subjects
Detect and Block
Threats to Data in
Use
Privacy Impact
Assessments
Validate Data
Processors
Restrict Processing
of Data YOU have
to Retain
Prevent Data Loss,
Report Breaches
Control Access to
Data
Protect Data at
Rest
Secure Transfer
and Storage of
Collected Data
Risk Management
of Info Lifecycle
Validate Data
Subjects Invoking
Rights
Educate DPOs on
Cyber Risk
Pseudonymisation
and obfuscation
of personal data
Minimise,
Anonymize, Erase
Data
14
Collect Process Retain & Secure Manage
Security
Privacy
Technology Considerations for the GDPR
Data Governance Framework to Manage Privacy

15. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
See Data
Wherever It Lives
Protect Data
from Being Leaked
Control
User Access
Information Centric Security
17

16. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
How do I capture organizational knowledge
about data relevant to GDPR?
• Content-aware Data Loss Prevention
(DLP) gives you visibility of sensitive
data across any channel: cloud,
endpoints, email, web, repositories.
• Information Centric Tagging (ICT)
augments DLP allowing users to
classify data as they create it.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT
18

17. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
How do I get visibility of Personal Data in the
Cloud?
• DLP integrates with Cloud Access
Security Broker’s (CASB’s) CloudSoc to
extend policies to cloud apps and
managed incidents on a single
console.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT
CloudSOC
19

18. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
How do I protect Personal Data when
it’s outside of my control?
• Information Centric Encryption (ICE)
keeps your data safe from unwanted
access where it resides and provides
central management to revoke access to
the file or user.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT
CloudSOC
ICE
20

19. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
How can I ensure Personal Data relevant
to GDPR will not be compromised?
• Validation and ID Protection Service
(VIP) Multi-Factor Authentication
(MFA) controls access by protecting
your data from stolen credentials.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT VIP
CloudSOC
ICE
21

20. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
How do I discover malicious
insiders or outsiders?
• Information Centric Analytics
(powered by Bay Dynamics) analyzes
security alerts across multiple
products to identify risky behavior
and unveil malicious users.
Public WiFi Home Office
EVERY LOCATION
Regional Office
ON-PREM
Datacenter Mobile BYO
EVERY DEVICE
USB
DLP
ICT VIP
CloudSOC
ICE
ICA
22

21. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY



The Symantec Data Loss Prevention Platform
Architecture
23

22. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
On-premises
DLP Detection
DLP Enforce
Management Server
The Challenges
26% of Cloud Docs
are Broadly Shared1
• Proliferation of Cloud Apps
• Shadow Data Problem
• Compromised Accounts
Visibility, Protection, & Control in Cloud Apps
24

23. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Extending DLP into cloud
applications
Apply Existing DLP Policies to Cloud
Leverage existing DLP Workflow
Gain Full CASB Functionality
• Inline Blocking and Offline Remediation
• Shadow IT Analysis
• Entity Behavior Analytics
Extend DLP to Cloud Apps
On-premises
DLP Detection
DLP Enforce
Management Server
Visibility, Protection, & Control in Cloud Apps
25

24. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY



The Symantec Data Loss Prevention Platform
Architecture
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
Entity Behavior Analytics to find most risky or malicious users
VIP
ICT
ICE
ICA
26

25. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Data Loss Prevention (DLP)
Discovers sensitive data across all channels with central policy controls
Symantec Information Centric Security
Information Centric Encryption (ICE)
Integrated policy driven encryption and identity access
Information Centric Tagging (ICT)
Increases DLP efficiency with Users driving DLP data classification
Information Centric Analytics (ICA)
Entity Behavior Analytics to find most risky or malicious users
DLP
VIP
ICA
ICT
CloudSOC (CASB)
Extends existing DLP policies, workflows and detection to Cloud Apps
Validation and ID Protection Service (VIP)
Secures access to critical data with Multi-Factor Authentication
CloudSOC
ICE
Summary
27

26. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Advanced Breach Detection, Remediation, & Notification
ATP
Analytics
Endpoint
Email
Server
Web /
CASB Cyber Security
Services
DLP
CASB
Web
CDPEncryption
Personal Data Protection Everywhere
PROTECTDETECT
RESPOND
RECOVER
Technology Risk Management
DLP
Data Insight
CASB
Audit
CCS
EPM
Understand
Data Risk
Understand,
Report, and
Remediate
Compliance
Unparalleled Threat
Intelligence
Endpoint
175M
endpoints
protected
Email
2Bm emails
scanned/day
Web
1.2Bn web
requests
secured/day
Physical &
Virtual
Workloads
64K Datacenters
protected
Cloud
Security
12,000 cloud
applications
secured
IDENTIFY
VIP
Technology Considerations for the GDPR
Symantec Supports Across Data Privacy and Security

27. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Located in the Attachments Section of this Presentation
GDPR Resources
IDC GDPR Readiness Assessment
Benchmark your progress to GDPR
compliance
GDPR Compliance: CASB Review
Monitor and Control Shadow IT and
Shadow Data for GDPR Compliance
Information Centric Security (ICS)
Why and ICS model can help you with
GDPR Compliance
Symantec GDPR Website
Visit our website for a complete list of
resources, tools, and onDemand videos

28. Copyright © 2018 Symantec Corporation SYMANTEC PROPRIETARY- LIMITED USE ONLY
Why Symantec
28
World Class
Information protection
Global Leader in
Cyber Security
Leading Breach
detection and
response
Unbiased and
lower operating
costs
Compliance
monitoring &
reporting
State of the Art
Technology

29. Ken Durbin, CISSP
Sr. Strategist of Global Government
Affairs and Cyber Security,
Symantec
Thank you!!
The General Data Protection Regulation:
The Operational Impact of Cross Border Data Transfer