
GDPR Seminar 23 November 2017

Zoe Latchford
November 24, 2017


Transcript

  1. GDPR: The legal essentials. Jonathan Moore, 23 November 2017. This update is intended to give general information about legal topics and is not intended to apply to specific circumstances. Its contents should not, therefore, be regarded as constituting legal advice and should not be relied on as such. In relation to any particular problem that you may have you are advised to seek specific legal advice.
  2. Introduction: General Data Protection Regulation (2016/679). 25 May 2018. Reforms data protection in EU • Direct effect in Member States • Evolution, not revolution
  3. GDPR myths: Big fines for everyone • Need for consent • Unnecessary burden • Report all breaches • Not relevant to me
  4. Brexit: Data Protection Bill • Implements GDPR standards across all general processing activities in UK • Stands on its own but tracks GDPR • Fills in the gaps left by the GDPR • Extends to processing the GDPR doesn’t reach: law enforcement; and intelligence services
  5. Accountability: Record keeping. Controllers shall maintain a record which includes: • name and contact details of the Controllers and DPO • the purpose of the processing • categories of data subjects • categories of personal data • categories of recipients of data • recipient countries and safeguards in place (if outside EU) • time limits for erasure of different categories • description of security measures in place
  6. Accountability: Record keeping. Processors shall maintain a record which includes: • name and contact details of processor(s) • name and contact details of each controller • the categories of the processing • recipient countries and safeguards in place (if outside EU) • description of security measures in place
  7. Accountability: Impact assessments. Tool for managing risks to individuals • Takes perspective of data subjects • Demonstrates appropriate measures have been taken to ensure compliance with GDPR • Can apply to single processing operations or a set of similar operations with similar risks • Conducted before processing commences or when change of risk
  8. Accountability: Impact assessments. When is it required? Processing is likely to result in a high risk to individuals, such as: (a) automated, systemic and extensive evaluation of personal aspects of individuals which is the basis of decision concerning the person (e.g. profiling); or (b) large scale processing of special categories of data; or (c) systematic monitoring of a publicly accessible area on a large scale
  9. Accountability: Impact assessments. Evaluation of high risk: • Evaluation or scoring • Automated decision-making • Systematic monitoring • Sensitive data • Data processed on a large scale • Datasets matched or combined • Data concerning vulnerable data subjects • Innovative use / applying tech • Data transfer outside EU • Prevents exercising right or using service / contract
  10. Accountability: Impact assessments. What does it entail? • Defining scope of the project • Identifying author • Involving DPO / IT / Processors / Individuals • Describing processing • Assessing necessity & proportionality • Assessing risks to individuals • Measures to mitigate risk • Est. residual risk • Consult with ICO?
  11. Accountability: Processing contracts. Whenever a controller uses a processor, it must have a written contract in place • Important to set out responsibilities • GDPR prescribes what needs to be included • Standard contract clauses may be prescribed by ICO in future • Controllers liable for processors’ compliance. They must only use processors who can provide sufficient guarantees
  12. Accountability: Processing contracts. When is a written contract needed? (Art 28.3) • When a controller directly employs a processor • When a processor, with the controller’s written authority, employs another processor
  13. Accountability: Processing contracts. Comments on completing processing agreements: • Avoid catch-all / generic contract terms (re descriptions of processing activities) • Ensure that the contract is clear that terms don’t relieve the processor of its own direct responsibilities and liabilities under the GDPR • Reflect on any indemnities that have been agreed
  14. Transparency: Privacy notices. Information must be provided in a way which is: concise • transparent • intelligible • easily accessible • written in clear and plain language • free of charge
  15. Transparency: Privacy notices • Controllers must provide the following information to individuals when their data is collected: • Identity and contact details of Controller • Contact details of DPO • Purposes of the processing • Legal basis for the processing • Legitimate interests of the controller or third party* • Recipients of the personal data • If transfer outside of the EEA, details of adequacy decision / safeguards
  16. Transparency: Privacy notices • Controllers should provide the following information to individuals when their data is collected (if necessary): • the period for which the data will be stored • individual’s rights • the right to withdraw consent • right to lodge complaint with ICO • any statutory or contractual requirement to process • where data is required to enter into a contract • consequences of failing to provide data • if there is automated decision-making
  17. Transparency: Data breaches • Need to ensure correct procedures in place to detect, report and investigate a personal data breach • Report to ICO if breach is not unlikely to result in a risk to the rights and freedoms of individuals • Data controller must notify ICO not later than 72 hours unless reasoned justification • Controllers must document all breaches • May need to notify individuals
  18. Final thoughts on GDPR. The GDPR builds on the existing data protection laws: evolution not a revolution • Many of the new obligations are making existing best practice law • It’s not that bad
  19. Why Bevan Brittan? We are the largest specialist provider of commercial legal services to the Public Sector in the UK. Our clients include a third of all NHS Bodies and all Local Authorities in England, 30 Housing Associations, and over 100 private sector firms who serve these sectors, covering areas such as social infrastructure and waste.
  20. Why Bevan Brittan? We know our clients are working in an environment of greater transparency and accountability and that ever increasing expectations are being placed upon them. That is why Bevan Brittan clients do not need to explain themselves to us over and over again – we get it.
  21. Our promises • To understand you • To provide solutions that contribute to your success • To give you fair pricing and clarity on costs • To give you the right team • To communicate clearly • To care about our relationship with you
  22. Thank you! This presentation contains information of general interest about current legal issues and is not intended to apply to specific circumstances. It should not, therefore, be regarded as constituting legal advice.
  23. GDPR or ‘How to Eat the Elephant a bit at a time’! Andy Powell, VP UK Cybersecurity, 23 Nov 17
  24. Copyright © Capgemini 2017. All Rights Reserved. Owned by Capgemini/Andy Powell (28 Mar 17) – This DOES NOT constitute any form of legal or legally binding advice. This is NOT an Elephant?! It is in fact a vaguely purple Octopus!
  25. Worried about GDPR, but not sure why? How to eat the GDPR Elephant a bit at a time! Andy Powell will … • Simplify what GDPR really means and outline an Enterprise approach – so that even the CFO gets it! • Explain the Threat – without hype – and why the Threat is not just from ‘Hackers’ but also in other forms! • Explain how the Enterprise-wide principles of ‘Build, Watch, Proact and React’, as practiced in Medieval Warfare, and viewed through the lens of data management and Cybersecurity, will help you be ready! There is NO silver bullet to dispatch the GDPR Elephant, just good old fashioned common sense, prioritisation of effort and a balanced programme of measures across people, process and tools!!
  26. The GDPR Octopus (diagram). Arms: Transparency • Accountability • Governance • Consent • Rights • Safeguards • Data Management • Legal/Contracts • Breach Reporting • Security. ‘ACCOUNTABILITY’: Appoint DPO; Controllers/Processors; 3rd Parties; External to EU; Understand Exclusions; etc. Rights of: Being Informed; Access; Rectification; Erasure; Restrict Processing; Data Portability; Objection; Automated Processing; Audit. ‘HOW’: Legacy; GDPR by Design; ‘Show Workings’; PIA. The ‘WHO’ owns: Board OWN, plus Enterprise-wide Responsibility, NOT Security/CIO. Definition of Private Data: in-built, e.g. Encryption, Access etc., and Security Controls, e.g. review SANS/CSC 20 v GDPR and adjust. Data: Discovery, Analytics, Store/Access/Dispose etc.
  27. Some Quotes….! • ‘… to correct the scaremongering and misunderstanding, we will not be looking to make early Examples to make a point on GDPR Compliance….’ Elizabeth Denham, ICO • “The Government’s recent Cyber Risk Survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation only half of businesses have actually taken recommended actions to identify cyber risks.” ICO • “I want organisations to think to themselves: ‘we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect’.” ICO • “To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.” ICO • ‘…the Vendor/Supplier base is over hyping the Cyber Risk and GDPR impact to panic Business into investing in products and solutions they do not need….’ NCSC Leadership
  28. The GDPR ‘Threat(s)’! • ‘Hackers’ • What – Personal Data has Value • Who – Criminals – Organized/Supported • How – Bribery/Blackmail/Stupidity • Internal • Readiness • Complacency – Generational? • Understanding Risk Appetite • External • Third Party and Suppliers • Individual Awareness of Rights • The New PPI? Positive – ‘FINALLY! EXPLOIT YOUR DATA FOR BUSINESS ADVANTAGE’! Negative – ‘FAIL TO PROTECT YOUR DATA – LOSE BRAND, SHAREHOLDER CONFIDENCE, CLIENTS and YOUR JOB’!
  29. Countering the Threat – ‘a truly Medieval Approach’. BUILD: Create a Keep (for precious things) and build security into your Castle (NOT just walls, but small rooms and staircases to contain the threat once inside (it will get in!)) • Locate and Track Precious Data • Segment Architecture • Target Security Controls • Think Resilience. WATCH: Constant Reconnaissance outside and inside the walls • Sentries Looking Out and In • Understand the Threat • Impact of Change! • Adjust your Defence posture constantly. PROACT: Be proactive and unpredictable • Deny the enemy cover (Access Management) • Slow their advance (Cyber Hygiene) • Change where and when you patrol (Audits, Patching etc.). REACT: Be prepared to act! • Be Prepared to Deal with a Breach • Tried and Tested Consent and Access Process • Test and Adjust. Think laterally and like a human! CxO!
  30. Build (1): Think Data Life Cycle Management from the start and Design to support Secure but Ready Access • Understand Where Your Data is and How it Flows • Compartment your Network and Data via Hard and Soft Means • Build Resilience into your Components and Links • Build to Change • Instrument. ‘Think laterally and indirectly: how could someone navigate through this and get at something vital, for good or bad!’
  31. Watch (2): The key to Data Management and Security is constantly watching and adapting your data processes and security • Strategic and Specific Intelligence • Internal Threat Management • People • Data Flow • Patterns • External Threat Management • Recruit, Train and Retain • Users • Data managers • Security • Network. “Intelligence-led, human in the loop, all process harnessed to manage the data for effect, securely”
  32. Proact (3): The 7 Ps! There is NO silver bullet. A combination of Training, Awareness, Governance and Process, underpinned by Tools! • People • Select, Train and Test • Awareness • Process • Governance • Consent • Access • Audit • Change Management • Tools • Patch • Run VM • Data. “Mitigate the Threat by Preparation – Good Data Management and Cyber Hygiene is cheap!”
  33. React (4): Be Decisive, Meet Obligations, Be Ready for Changes, and Practice! • To Access Requests and Consent Changes • To Events and Breaches • Stop it and Immediate Forensics! • External – Client, Media, Peers, Authority • Internal – Lessons, Implement and Sustain • Share – Intelligence with Peers and Authority • Compliance/Mandate – Legal obligations
  34. Synopsis, Bio & Picture. Andy Powell – VP Cyber Security – Capgemini. About Andy: Andy is Vice-President (VP) for UK Cybersecurity at Capgemini with over 30 years’ experience in Defence and Security roles and recent senior leadership roles as CIO and CISO for the Royal Air Force, Joint Operations and as head of the Ministry of Defence’s Cyber Defence Operations and Network Operations. As VP for UK Cybersecurity at Capgemini Andy leads a business that covers all Sectors from Public to Energy and Utilities, and including Consumer, Private Sector and Finance – delivering a broad range of Consulting, Project and Managed Cyber Services. A Systems and Electronic Warfare engineer by training, he describes Cyber as ‘the constant battle of wits between attacker and defender where people, process and technology must converge to enable the business!’ [email protected] 07891151835
  35. General Data Protection Regulation: Using Technology for Compliance with the GDPR. Jay Coley, Sr. Director Security Strategy and Technology; Erik van Veen, CISSP, EMEA SME GDPR. 23 Oct. 2017
  36. ©2017 AKAMAI | FASTER FORWARD™. Agenda • Data Breaches, how real are they? Jay Coley • How can Akamai help customers? Erik van Veen • Q&A
  37. Top external attack vectors (business risk). Bar chart values: 11%, 18%, 20%, 22%, 28%, 34%, 37%, 37%, 42%. Categories: Exploitation of lost/stolen asset; Mobile malware; DNS; Strategic web compromise …; DDoS; Web application (SQL injection, …); User interaction (phishing, …); Use of stolen credentials (logins, …); Software vulnerability (software …). Source: The State of Network Security: 2016-2017, Forrester, January 2017
  38. Q2 2016 vs Q2 2017: 25% ↑ Total web application attacks • 86% ↑ Attacks from the U.S. (current top source country) • 86% ↓ Attacks from Brazil (Q2 2016 top source country) • 44% ↑ Increase in SQLi attacks. While DDoS attacks were down, the total number of web application attacks was up compared to the same quarter a year ago. Many fewer attacks came from Brazil. SQLi attacks were up 44%.
  39. Compared to Q1 2017: 5% ↑ Total web application attacks • 4% ↑ Attacks sourcing from the U.S. (top source country) • 21% ↑ SQLi attacks. Application attacks continued to slowly grow with a 5% increase quarter-over-quarter and a 28% increase year-over-year. Unlike DDoS attacks, web application attacks involve relatively little traffic and can be hard to detect.
  40. Source of Attacks for top 10 EMEA as targets (no attribution): pie chart by country, 91.5% / 8.5%.
  41. DDoS Attacks Per Target, Q3 2016 – Q2 2017. The average number of DDoS attacks per target in Q2 was 32. The most targeted organization faced 558 DDoS attacks.
  42. Credential Abuse and Account Takeover (diagram): a fraudster buys leaked credentials, a botnet verifies them by submitting username/password logins to the customer site, and the working ones are used for credential abuse and account takeover of end-user assets (shopping accounts, data) for financial gain.
  43. Credential Abuse Example. TOTAL: 150,025k requests from botnet. PEAK: 75246k bots. BOTNET: 1333 separate IP addresses.
  44. Credential Abuse Numbers: Monthly Attacks; Number of Accounts Targeted; Total Cost: $546,000 to $54,000,000 per year.
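The credential-abuse flow on the slides above, seen from the defender's side: an added example (not Akamai's or the presenters' code) that scans constructed login-log lines for the botnet signature described in slides 42–44, many source IPs each trying a few distinct usernames with mostly failed logins, and lists the accounts the botnet verified. The log format, addresses, usernames and thresholds are assumptions made for this example.

```python
"""Credential-stuffing detection over web login logs.

Added example, not Akamai's or the presenters' code. It flags the pattern in
the Credential Abuse / Account Takeover slides: a botnet spreads logins for
leaked credentials over many source IPs, trying each account once. The log
format, addresses, usernames and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO time> <source ip> <user> <ok|fail>"
SAMPLE_LOG = """\
2017-11-23T10:00:01 203.0.113.10 alice fail
2017-11-23T10:00:02 203.0.113.10 bob fail
2017-11-23T10:00:03 203.0.113.10 carol fail
2017-11-23T10:00:04 203.0.113.10 dave ok
2017-11-23T10:00:05 203.0.113.11 erin fail
2017-11-23T10:00:06 203.0.113.11 frank fail
2017-11-23T10:00:07 203.0.113.11 grace fail
2017-11-23T10:00:08 203.0.113.12 heidi fail
2017-11-23T10:00:09 203.0.113.12 ivan fail
2017-11-23T10:00:10 203.0.113.12 judy fail
2017-11-23T10:05:00 198.51.100.7 alice fail
2017-11-23T10:06:00 198.51.100.7 alice ok
2017-11-23T11:00:00 192.0.2.44 mallory ok
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("ok", "fail"):
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3] == "ok"))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users_per_ip=3, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames inside one window with a
    low success rate. A real user retrying their own password hits one account,
    so it is not flagged; credential verification touches many accounts once.
    Returns {ip: {"users", "attempts", "successes"}} for the busiest flagged window."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ts, ip, user, ok in events:
        slot = int(ts.timestamp() // window.total_seconds())  # fixed windows, O(n)
        b = buckets[(ip, slot)]
        b["users"].add(user)
        b["attempts"] += 1
        b["successes"] += int(ok)
    flagged = {}
    for (ip, _slot), b in buckets.items():
        rate = b["successes"] / b["attempts"]
        if len(b["users"]) < min_users_per_ip or rate > max_success_rate:
            continue
        if ip not in flagged or b["attempts"] > flagged[ip]["attempts"]:
            flagged[ip] = {"users": len(b["users"]), "attempts": b["attempts"],
                           "successes": b["successes"]}
    return flagged

def campaign_summary(events, min_ips=2, **kwargs):
    """Correlate flagged IPs into one campaign and list the accounts the botnet
    verified successfully (the ones to lock or force through a password reset)."""
    flagged = detect_credential_stuffing(events, **kwargs)
    if len(flagged) < min_ips:
        return None
    verified = sorted({user for _ts, ip, user, ok in events if ip in flagged and ok})
    return {"bot_ips": sorted(flagged), "verified_accounts": verified,
            "attempts": sum(f["attempts"] for f in flagged.values())}
```

On the sample log the three 203.0.113.x sources are flagged as one campaign and the legitimate user on 198.51.100.7 (one account, eventually successful) is not.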
  45. Scale. 70% of organizations have had a security incident that negatively impacted their business in the past year [1]. 91% of cyberattacks and the resulting data breach begin with a phishing attack [6]. Over 390,000 new malicious programs are registered every day [3]. In 2016, there were 980 data breaches with more than 35 million records exposed [5]. 93% of phishing emails are related to ransomware [4]. 84% of enterprises have suffered phishing attacks [2]. CryptoWall version 4, a notorious ransomware virus, has so far resulted in $18 million in damages, 36,000+ confirmed victims, and 7.1 million attempted infections [7].
  46. Vulnerability. The average network security breach goes undetected for over 5-8 months [8]. Mean time to identify a data breach is 201 days [9]. Less than 19% of data breaches are self-detected [10]. Only 38% of global organizations feel prepared for a sophisticated cyberattack [11]. 80% of IoT and 71% of mobile applications are not tested for security vulnerabilities [12]. 25% of companies do not treat cyber threats as significant corporate risks [13].
  47. Cost. Global cost of cybercrime is predicted to hit $6 trillion annually by 2021 [14]. The estimated cost of using existing cloud offerings to break into most Wi-Fi networks is $1.68. It would take six minutes [15]. 68% of funds lost as a result of a cyberattack were declared unrecoverable [16]. Average cost of an APT data breach is $18 million; 50% is damage to brand reputation [17]. 68% of corporations have not considered the financial impact of a cyberattack [18]. The Internet economy annually generates between $2 trillion and $3 trillion. It’s estimated that cybercrime extracts between 15% and 20% of that value [19]. Most organizations fold their security budgets and spending into another cost center, whether IT (48%), general operations (19%), or compliance (4%), where security budget and cost line items are combined with other related factors. Only 23% track security budgets and costs as their own cost center [20].
  48. Summary: Cyber Threat Landscape • The rate of evolution and volume of complex targeted threats continue to increase. • The growing prevalence of mobile, cloud, hybrid WANs, direct Internet access, and IoT is only going to exacerbate this problem. • Existing security point solutions and applications are often reactive, inconsistent, and ineffective. • The consequences of not proactively preparing for a targeted attack are enormous.
  49. Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection. Where Scale Matters: Delivering Content and Security from the Edge. Akamai delivers unique and reusable content from the edge of the Internet • 85% of internet is within 1 hop of an Akamai Edge Server • 100% Availability. Scale enables your customer to reach users anywhere in world with confidence. (Diagram labels: Application, Origin, FastDNS, Bot-Manager, Client Reputation.)
  50. Higher Accuracy: Akamai’s WAF (diagram: KRS – Rule 1 … Rule 5, each with a probability P( ), combined into one risk score). Risk Based approach demanded by GDPR: the Akamai risk-based Kona Rule Set helps customers to balance their risks.
  51. Use Industry Best Practices (provided that they are “Appropriate”) • OWASP ++ • Distributed/Scalable. • Personal Data transported via APIs. • Know the reputation of who is approaching your internet facing resources to even further improve effectivity. *OWASP plans to release the final public release of the OWASP Top 10 - 2017 in November 2017
  52. Because WAFs are notoriously difficult to manage. Q. How many employees (on an FTE basis) are needed to properly manage WAF within your organization? None 11% • 1 to 2 29% • 3 to 5 34% • 6 to 10 18% • More than 10 8%. Source: Ponemon Institute
  53. …few companies have the money/expertise to configure WAF • Gartner still identifies lack of Application Security as a risk for many enterprises. • Even among those companies who can afford a Web App Firewall, 30% have not deployed their firewall. Not deployed (30%) • Combination of inline and out-of-line (25%) • Out-of-line (23%) • In-line (20%) • Not sure (2%)
  54. Where Possible Keep It Simple. Self-service installation and automatic rule deployments bring DDoS AND Application security to organizations who might otherwise leave their web applications exposed.
  55. Where Necessary Leave WAF management up to Security Experts • Continuous security monitoring. • Attack mitigation and support capabilities. • Experts to periodically review and tune the security setup. • Recommendations to protect against the evolving threat landscape.
  56. Coordinated mitigation of DDoS and Application attacks. Globally distributed platform. Platform architecture • Reverse HTTP/S proxy • Basic caching. Network-layer controls • IP whitelists / blacklists • Geo-blocking. Application-layer controls • Adaptive rate controls • Common attack tool signatures • Custom DDoS signatures. SOC coverage • 24x7 monitoring / alerting • Expedited Activation • Time-to-mitigate SLA. Optional modules • Site Shield
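Slides 50 and 56 together describe layered controls at the edge: network-layer lists and geo-blocking, adaptive rate controls, and a rule set that weighs several rule matches into one risk score rather than blocking on any single match. What follows is an added example, not Akamai's platform or Kona Rule Set code; the geo table, rules, per-rule probabilities and the noisy-OR combination are constructed assumptions used to illustrate the risk-based idea.

```python
"""Layered request filtering at a reverse proxy: network-layer lists and
geo-blocking, adaptive per-client rate control, and a risk-based WAF score
that combines several weak rule matches instead of blocking on any one.

Added example, not Akamai's platform or Kona Rule Set code. The geo table,
rules, per-rule probabilities and the noisy-OR combination are constructed
assumptions chosen to illustrate the risk-based idea on the slides.
"""
import re
from collections import defaultdict, deque

GEO = {"203.0.113.": "XX", "198.51.100.": "GB", "192.0.2.": "DE"}  # constructed prefix -> country
BLOCKED_COUNTRIES = {"XX"}
ALLOWLIST = {"192.0.2.10"}       # e.g. an uptime monitor (constructed)
BLOCKLIST = {"198.51.100.66"}    # e.g. a known abusive source (constructed)

# (name, pattern, P(attack | rule matched)); probabilities are illustrative.
RULES = [
    ("sqli_union", re.compile(r"union\s+select", re.I), 0.7),
    ("sqli_tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I), 0.6),
    ("sqli_comment", re.compile(r"(--|/\*)"), 0.3),
    ("xss_script", re.compile(r"<script", re.I), 0.8),
    ("scanner_ua", re.compile(r"sqlmap|nikto", re.I), 0.9),
]

def country_of(ip):
    """Prefix lookup over the constructed GEO table; None when unknown."""
    for prefix, cc in GEO.items():
        if ip.startswith(prefix):
            return cc
    return None

def risk_score(request):
    """Noisy-OR combination: P(attack) = 1 - prod(1 - p_i) over matched rules.
    A lone weak match stays under the block threshold; a combination crosses it."""
    text = " ".join(request.get(k, "") for k in ("path", "body", "ua"))
    p_clean, matched = 1.0, []
    for name, pattern, p in RULES:
        if pattern.search(text):
            matched.append(name)
            p_clean *= 1 - p
    return round(1 - p_clean, 4), matched

class EdgeFilter:
    def __init__(self, rate_limit=5, window_s=10, block_threshold=0.75):
        self.rate_limit, self.window_s = rate_limit, window_s
        self.block_threshold = block_threshold
        self.history = defaultdict(deque)  # ip -> timestamps of recent requests

    def decide(self, request, now):
        """Return (action, reason); cheapest checks first, WAF scoring last."""
        ip = request["ip"]
        if ip in ALLOWLIST:
            return "allow", "allowlist"
        if ip in BLOCKLIST:
            return "deny", "blocklist"
        if country_of(ip) in BLOCKED_COUNTRIES:
            return "deny", "geo"
        recent = self.history[ip]
        while recent and now - recent[0] > self.window_s:  # sliding window
            recent.popleft()
        recent.append(now)
        if len(recent) > self.rate_limit:
            return "deny", "rate"
        score, matched = risk_score(request)
        if score >= self.block_threshold:
            return "deny", "waf:" + ",".join(matched)
        if matched:
            return "allow", "waf-log:" + ",".join(matched)  # log for tuning, do not block
        return "allow", "clean"
```

The threshold is the tuning knob the slide calls balancing risk: lowering it blocks more single-rule matches at the price of more false positives, which is the trade-off a risk-based rule set is meant to make explicit.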
  57. Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks. Zero Trust Simplifies GDPR Compliance (diagram: Enterprise User → Internet → App A / App B / App C; no attack footprint; create audit trails; keep single user administration). Why • Simple Search Path • Control 3rd Party access to sensitive data • Keep people accountable. How • Isolate applications containing sensitive data • Keep single Administration • Create Audit Trails
  58. Summary of How Akamai Can Help • Work Risk Based: Implement “Appropriate Technical and Organizational measures” risk based, and based on industry best practices, to protect Web applications and websites. • Build evidence: Do not let your WAF rules go stale. • Use State-of-the-Art Technology: Use “State-of-the-Art” technology to prevent data theft, by using a fully integrated DDoS and Advanced Threat Protection solution. • Implement a Zero-Trust Strategy: Don’t trust anybody/anything, isolate sensitive apps and inspect everything.
  59. For More Information • Contact: e-mail address: [email protected] • Akamai GDPR www.akamai.com/gdpr • Akamai Security Website