SETCON'19 - Dzmitry Kukharuk - GDPR

Maksim

May 10, 2019

Transcript

1. GDPR background

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament and the Council of the European Union intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give citizens and residents back control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Applicable since 25 May 2018

Powered by EPAM
2. GDPR background

On 25 May 2018 the General Data Protection Regulation (Regulation (EU) 2016/679) became enforceable throughout the EU. Every company operating in EU countries MUST comply with the regulation.
3. Applicability of GDPR

GDPR makes its territorial scope very clear: it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the activities relate to:
- offering goods or services to data subjects in the EU (irrespective of whether payment is required), or
- monitoring their behaviour as far as it takes place within the EU.
Non-EU businesses caught by this rule also have to appoint a representative in the EU (with limited exceptions, e.g. for occasional, low-risk processing).
4. The penalties for non-compliance

Organizations can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: a company can be fined up to €10 million or 2% of annual global turnover for, e.g., not having its records of processing in order, not notifying the supervisory authority and the data subjects about a breach, or not conducting a data protection impact assessment. It is important to note that these rules apply to both controllers and processors, meaning 'clouds' will not be exempt from GDPR enforcement.
5. Personal data

Any information relating to a natural person (the 'data subject') that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.
6. Varieties of personal data

Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. (PII is mainly a US term; GDPR itself uses the broader term 'personal data'.)
7. Varieties of personal data

Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history. (PHI, Covered Entity and Business Associate are terms from the US HIPAA rules; under GDPR, data concerning health is one of the special categories of personal data in Article 9.)
8. The rights of the data subject

- Transparent information, communication and modalities for the exercise of the rights of the data subject
- Information to be provided where personal data are collected from the data subject
- Information to be provided where personal data have not been obtained from the data subject
- Right of access by the data subject
- Right to erasure ('right to be forgotten')
- Right to restriction of processing
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Right to data portability
9. The rights of the data subject

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of these obligations and rights, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
- national security;
- defence;
- public security;
10. The principles of GDPR: Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

11. The principles of GDPR: Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

12. The principles of GDPR: Data minimization

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

13. The principles of GDPR: Accuracy

Personal data shall be accurate and, where necessary, kept up to date.

14. The principles of GDPR: Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

15. The principles of GDPR: Accountability

The controller shall be responsible for, and be able to demonstrate, compliance with the GDPR.
*A controller is the entity that determines the purposes and means of the processing of personal data.
16. Mandatory artifacts of processing PII data

- A Contract, Master Service Agreement or Statement of Work
- Must include written consent from the customer for access to PII
- Must contain a list of agreed security measures for protection of PII
17. The list of key requirements for processing of PII data

- Client production data must not be used for testing on vendor premises
- Only secure remote access to the customer environment is allowed
- Establish a secured room for exclusive use of the project team to prevent unauthorized access to PII
- It is not allowed to transfer the PII to the vendor environment
- Access control to PII databases is managed by the customer
18. Typical workflow for authorization and preparation for access to PII

Step: The DM/AM shall obtain from the customer the information regarding the type of data to be accessed and the required security controls.
Target:
- List of tools/databases with the purposes of access
- Security requirements from the customer (if any)

19. Typical workflow for authorization and preparation for access to PII

Step: The DM/AM shall send a request to specific vendor groups to assess the expected processing of PII. The review should cover the contract wording, the type of data to be accessed, the required security controls and the compliance requirements.
Target:
- Data privacy office
- Compliance team
- Legal
- QA Group
- IT Security Team

20. Typical workflow for authorization and preparation for access to PII

Step: The vendor's internal teams shall work out decisions and suggestions for the DM/AM. The technical measures should be approved by Global IT.
Target:
- Suggested additions to the Contract/MSA
- Suggested security measures (when applicable)

21. Typical workflow for authorization and preparation for access to PII

Step: The AM/DM shall discuss the suggestions with the customer. Based on the agreement with the customer, the Legal Team should change the Contract/MSA/SOW.
Target:
- Additional resources discussed and agreed
- Contract/MSA includes the appropriate statement and security requirements for access to PII

22. Typical workflow for authorization and preparation for access to PII

Step: The technical measures that were agreed and listed in the Contract/MSA/SOW shall be implemented by Global IT.
Target: It is required to strictly follow the security measures specified in the Contract/MSA.
23. The example of FAQs

The question: The Customer is intending to provide us with PII originating in the EU and has not provided any security controls, or will not agree to pay for any additional security controls. Is this ok? Does this mean we don't have to do anything?

24. The example of FAQs

The answer: No. If we have access to this type of customer PII or personal data, then we have the same data security requirements as the Customer, even though we are not the data controller. In all cases, we are now required by law (Article 32 GDPR) to implement appropriate technical and organizational measures to ensure a level of data security proportional to the risks inherent in the data processing. Complying with this obligation will require a detailed assessment of various factors, including the purposes of the data processing activities, the potential risks (such as accidental or unlawful destruction, or unauthorized disclosure of or access to data), the state of the art of security and the implementation costs. We have to include the costs of the security measures in our bid, or make an assumption that the costs will be paid by the customer or will need to be agreed.