Post on 12-Apr-2017
7 things you should know
about EU GDPR
Shadi A. Razak
7th October 2016
Introduction
• Shadi A. Razak
– Chief Technology Officer
– Head of Compliance and Cyber Security Solutions
– 15 years' international experience in:
• Cyber security
• Information compliance
• Business digitalisation
– Private and public sector
– SMEs and international blue chip corporations
Introduction
We help organisations improve their compliance & security posture.
We do that by providing innovative cyber security and information compliance solutions that encompass people, processes and technology, enabling organisations to become more resilient and effective against threats.
Introduction
Fraud Detection: CyNation offers the most powerful yet easy to use analysis tools for detecting and preventing invisible internal fraud, external theft and poor procedural compliance.
Ubiquitous Monitoring: Combining an innovative object persistent database and an advanced ubiquitous data collector with data analytics and high visualisation to proactively monitor multiple data types in one configurable system.
Secure Communications: CyNation's Secure Communication Platform (SCP) protects confidential information flows between employees and external parties through a secure communications application that looks like email and is as easy to use as the popular instant messaging clients.
Cyber Security Literacy: Tailor-made workshops and training sessions for Boards, C-suite executives & management, from cyber security awareness to cyber crisis incident response planning and simulation.
GRC (Compliance Management): Combining human expertise with advanced data monitoring, data analytics & visualisation to proactively manage and comply with technical, operational, financial and legal standards and regulations.
Comprehensive Threat Insight: Combining advanced data analytics and visualisation solutions to proactively manage and avert threats.
Ongoing Risk Assessment: Combining business risk assessments, advanced vulnerability assessments and penetration testing with data analytics to proactively assess and manage cyber risk.
Agenda
• The landscape
• EU GDPR
– Structure
– Aim
– Benefits
– Consequences
– Data Security
• 7 things you should know
• 7 Steps to be ready
The landscape
• Different legal systems across the world
• Personal data is valuable
• Contrast between Europe & US legislation
Source: UNCTAD, 2016
EU GDPR
European Union General Data Protection Regulation
Structure (11 chapters):
1. General Provisions (Articles 1-4)
2. Principles (Articles 5-11)
3. Rights of Data Subjects: 5 Sections (Articles 12-23)
4. Controllers and Processors: 5 Sections (Articles 24-43)
5. Transfer of Personal Data (Articles 44-50)
6. Independent Supervisory Authorities (Articles 51-59)
7. Cooperation and Consistency (Articles 60-76)
8. Remedies, Liabilities and Penalties (Articles 77-84)
9. Processing Situation Provisions (Articles 85-91)
10. Delegation and Implementation Acts (Articles 92 & 93)
11. Final Provisions (Articles 94-99)
The core of the regulation
How supervisory authorities in the EU are going to enforce the regulation
EU GDPR – Aim, Benefits, Consequences
EU GDPR - Aim
• One Regulation
• Stronger enforcement body
• Data Protection Impact Assessment (DPIA)
• Includes international suppliers in regulation scope
• Diminishes distinction between data processor and controller
EU GDPR - Benefits
• For business:
– One market : one law
– One stop shop
– Same rules for all companies
– No general registration requirement
EU GDPR - Benefits
• For customers / citizens:
– Better data security
– Better control over your personal data:
• Mandatory consent
• Right to be forgotten
• Right to object to profiling
• Better subject access request (SAR) regime
EU GDPR - Consequences
• Fine of €10 million or 2% of global turnover, whichever is greater, for infringement of the following articles:
– Art. 8: Child's consent
– Art. 11: Processing not requiring identification
– Art. 25: Data protection by design and by default
– Arts. 26-30: Processing
– Art. 31: Cooperation with the supervisory authority
– Art. 32: Data security
– Art. 33: Notification of breaches to supervisory authority
– Art. 34: Communication of breaches to data subjects
– Art. 35: Data protection impact assessment
– Art. 36: Prior consultation
– Arts. 37-39: DPOs
– Art. 41(4): Monitoring approved codes of conduct
– Art. 42: Certification
– Art. 43: Certification bodies
EU GDPR - Consequences
• Fine of €20 million or 4% of global turnover, whichever is greater, for infringement of the following articles:
– Art. 5: Principles relating to the processing of personal data
– Art. 6: Lawfulness of processing
– Art. 7: Conditions for consent
– Art. 9: Processing special categories of personal data (i.e. sensitive personal data)
– Arts. 12-22: Data subject rights
– Arts. 44-49: Transfers to third countries
– Art. 58(1): Requirement to provide access to supervisory authority
– Art. 58(2): Orders/limitations on processing or the suspension of data flows
EU GDPR - Consequences
Consequences felt across the leadership team (CEO, CFO/COO, CIO, CHRO, CMO):
• Audit failure
• Fines & criminal charges
• Financial loss
• Loss of data confidentiality, integrity and/or availability
• Violation of employee privacy
• Loss of customer trust
• Loss of brand reputation
• Loss of market share
• Damaged reputation
• Legal exposure
• Greater reputation risk
EU GDPR – Data security
• Chapter 4:
– 4 Key articles:
• Section 2: Security of personal data
– Article 32: Security of Processing
– Article 33: Notification of personal data breaches to the supervisory authority
– Article 34: Communication of personal data breaches to the data subjects
• Section 3: Data Protection Impact Assessment and Prior Consultation
– Article 35: Data protection impact assessment
EU GDPR – Data security
Organisation must:
• Implement appropriate security measures to protect personal data
• Have a clear data protection policy
• Appoint a data protection officer
Organisation will:
• Greatly reduce the likelihood of being fined
• Not need to notify affected data subjects of the breach
7 Things you should know
1. EU GDPR is already a reality
2. It is all about protecting the fundamental rights of natural persons
3. It applies to every organisation and every type of data
4. Consent rules
5. Accountability and transparency are the organisation's responsibility
6. A Data Protection Officer is needed
7. Encryption is not the answer
7 steps to get ready
1. Audit your data
2. Identify who is responsible for this data
3. Design and implement appropriate measures to protect this data
4. Develop processes to deal with breaches/incidents
5. Designate a Data Protection Officer (DPO) and supporting team
6. Understand whose data you are controlling and/or processing
7. Develop a culture of privacy by design across the organisation
EU GDPR Readiness
• Get your organisation's EU GDPR Readiness report - email us for details: contact@cynation.com
© Copyright CyNation Limited 2016. All rights reserved. Without the express prior written consent of CyNation, the presentation and any information contained within it may not be (i) reproduced (in whole or in part), (ii) copied at any time, (iii) used for any purpose other than your evaluation of the company or (iv) provided to any other person, except your employees and advisors with a need to know who are advised of the confidentiality of the information. The information contained in these materials is provided for informational purposes only, and is provided as is without warranty of any kind, express or implied. CyNation shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from CyNation or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of CyNation solutions and services. Product release dates and/or capabilities referenced in these materials may change at any time at CyNation's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
We would be delighted to talk to you:
Shadi A. Razak
shadi.razak@cynation.com
T: +44(0)7768 686638