GDPR Workshop
G. LEFTHERIOTIS / 21. 3. 18

GDPR – Compliance / Business / Technological requirements

Privacy Management / PII Protection within a total IT / Security / Privacy Framework

Info Security vs. Privacy vs. PII Protection: Different Perspectives
  • Security by Obscurity
  • Privacy by Transparency

Privacy / PII Governance: Security vs. Privacy

“Mapping” GDPR requirements inside ISO 27001: 2013

[Diagram: ISO 27001 / GDPR mapping]

“Mapping” GDPR requirements inside BS 10012: 2017

Privacy & Information Security: the basic Standards Ecosystem Framework

Overall Management System Level
  • Information Security: ISO/IEC 27001: 2013 (Requirements for ISMS); ISO 27799: 2016 (Health Data)
  • Privacy: ISO/IEC 29100: 2011 (Privacy Framework); PIMS BS 10012: 2017

Risk Management Level
  • Information Security: ISO/IEC 27005: 2011 (Risk Management); NIST SP 800-30
  • Privacy: ISO/IEC 29134: 2017 (Guide for Privacy Impact Assessment)

Controls Level
  • Information Security: ISO/IEC 27002: 2013 (Code of Practice for ISMS); ISO/IEC 27017: 2015 (Code of practice for Cloud Services); NIST Codes of Practice (NIST SP 800-53)
  • Privacy: ISO/IEC 29151: 2017 (Code of practice for PII protection); ISO/IEC 27018: 2014 (Code of Practice for PII protection in public clouds acting as PII processors)

* Other schemes: PCI DSS (v. 3.2); CSA & other Cloud schemes

Personal Data Discovery / Mapping / Classification: Data Discovery Techniques comparison

Techniques compared:
  • Questionnaires
  • Interviews
  • Automated Scanning Tools
  • “Combined” Techniques (use of APIs)

Comparison criteria:
  • “Known” Data
  • “Unknown” Data / Unstructured Data
  • Purpose of Processing & Data Flows
  • IT Expertise needed

Personal Data Discovery / Inventory / Mapping: Techniques & Tools

Tool | Use | Typical Vendors

“Manual” Techniques
  • Database & File Server “manual audit” | PII Discovery | –
  • Database “scripting” | PII Discovery | –
  • Excel or “simple” Databases | PII Inventory & Mapping | Microsoft
  • Technical Flow Charters | PII Flow & Mapping | MS Visio & “similar” flowcharters
  • (semi) Manual BPM suites | PII Mapping / Modelling | ARIS & other BPM suites

Automated Tools
  • Fileshare / Crawlers | PII Discovery | CASAHL
  • Data Classification / Protection Tools | PII Discovery & Classification | TITUS; Spirion; Varonis
  • Data Discovery / Mapping / Management Platforms & Visual Mappers | PII Discovery & Mapping | OneTrust; AvePoint; Altova MapForce
  • GDPR-focused data inventory / mapping tools | PII Inventory / Mapping | TrustArc suite; Nymity (Expert Mapping tool)
  • Integrated Database Security / Discovery suites | PII Database Security / Data Discovery & Mapping | IBM InfoSphere / Guardium; Imperva
  • Data Loss Prevention (DLP) | PII Discovery / Protection | (many Vendors)

GDPR: the Legal & Compliance “ecosystem”
  • “GDPR” Regulation 2016/679/EU (replaces EC/95/46) → 24. 5. 2018
  • “e. PD” Directive 2002/58/EC (Directive on Privacy and Electronic communications, incl. cookies); originally amended by 2009/136/EC; under reform (2018)
  • “The Police Directive” 2016/680/EU (Police & Criminal Justice), 6. 5. 2018; replaces / repeals Council Framework Decision 2008/977/JHA
  • “PNR” Directive 2016/681/EU (“Passenger Name Record” Directive), 25. 5. 2018 (replaces 2004/82/EC)
  • “e. CD” Directive 2000/31/EC (e-Commerce Directive)
  • “NIS” Directive 2016/1148/EU (“Cyber Security” Directive on Networks & IT Systems Security), May 2018
  • “e. IDAS” Regulation 910/2014/EU (Regulation for e-ID & Trust Services for electronic transactions), 1/7/16; Sep. 2018 (replaces 1999/93/EC)

GDPR Certification scheme (Art. 42-43)
  • Article 29 WP 261 “Guidelines on Accreditation of Certification Bodies”, 6. 2. 2018

GDPR: Seals & Marks / Codes of Conduct

IT Products & IT-related Services Certification:
  • ref. EuroPriSe “Privacy Seal”: certification criteria & list of certified products / services / web sites
  • the new GDPR-ready criteria for the European Privacy Seal are operational as of January 2017
  • ref. CISPE.cloud (Cloud Infrastructure Services Providers – Code of Conduct)

Data Protection Officer (DPO): DPO Training & Personal Certification (Personnel Certification schemes)
  • ref. GDPR Art. 37-39
  • ref. 16/EN WP 243 (13. 12. 2016) “Guidelines for Data Protection Officers (DPOs)” & related FAQs, http://ec.europa.eu/justice/data-protection/index_en.htm
      • Designation of the DPO
      • Position of the DPO
      • Tasks of the DPO
  • “Person Certification” for DPOs (ISO/IEC 17024 scheme); Spanish DPA (AEPD) DPO scheme (2017)
  • DPO Training (DPO Professional Seminars)

DPO: Climbing the “Ladder of Skills”
  • Legal Background / Skills
  • Info Security Background / Skills
  • Managerial / Business Skills

DPO: Training issues
  • Personal Data
  • GDPR
  • Legislative context
  • Compliance
  • Data Privacy
  • Data Management
  • Audit Skills
  • “Technical” Skills
  • A “single” seminar or “split” / specialized seminars?
  • Minimum training duration?

Reference certifications: iapp / Certified Information Privacy Professional/Europe (CIPP/E) & Certified Information Privacy Manager (CIPM); iapp / Certified Information Privacy Technologist