A Practical Approach To GDPR Featuring Duncan Brown, IDC

1 Agenda

. Logistics
. A Practical Approach to GDPR, Duncan Brown
  • GDPR Readiness
  • The Role of DPO
  • Technology Framework
  • Recommended Timeline
  • Action Plan
. The Atos Approach to GDPR, Zeina Zakhour
. Q&A

2 Duncan Brown
Associate Vice President, IDC

. Leads IDC’s security research program in Europe
. Broad security expertise including:
  • Incident response
  • Threat intelligence
  • Global privacy
. Established and leads IDC coverage:
  • GDPR
  • RPEC
  • NIS Directive

3 A Practical Approach to GDPR
Duncan Brown, Associate Vice President, European Security
[email protected]

© IDC Visit us at IDC.com and follow us on Twitter: @IDC

8 GDPR is a game-changer

. Fines up to 4% of global revenues
  • “Effective, proportionate and dissuasive”
. Mandatory Breach Notifications
  • Consequential loss of reputation
. Class-action lawsuits
  • Brought by activists…?
. Ban on personal data processing*
  • In extreme cases

*Article 58

11 GDPR Readiness

[Bar chart: share of respondents by readiness status, y-axis 0% to 45%. Response options: “Not relevant, as GDPR does not affect our organization”; “We really do not know where to start”; “We are awaiting further guidelines”; “We will start addressing it this year (2017)”; “There is a solid plan in place to ensure readiness by May 2018”; “It is mainly ready now”. Callouts on the chart highlight 43% and 57%.]

Source: IDC EMEA GDPR Survey, March 2017, n=560

14 Who leads GDPR?

Q. In which division or department is the leader based?

[Pie chart. Slices as labelled: Corporate management 2%; IT 21%; Finance and accounting 7%; Other 31%; the remaining 39% slice is Legal.]

Q. We have established a cross-functional compliance taskforce or governance board?

[Pie chart: Yes / No, with slices of 36% and 64%.]

Source: IDC EMEA GDPR Survey, March 2017, n=560

22 The role of the Data Protection Officer

. Mandatory for public bodies, and
  • Processing of ‘large scale’ systematic monitoring
. Voluntary DPOs are encouraged as good practice
. Applies to controllers & processors
. Requires ‘expert knowledge’ and ‘ability to fulfil the tasks’
. In-house or external, full- or part-time
. No conflict of interest
. Can’t be fired for ‘performing their duties’

IDC does not provide legal advice

23 Sourcing a DPO

[Pie chart. Values as labelled: Appoint someone from within the organization 7%; We already have a DPO in place 7%; Appoint a dedicated person from outside the organization 13%; Not appoint a DPO 51%; Use a contract resource 22%.]

Source: IDC EMEA GDPR Survey, March 2017, n=560

24 GDPR Technology Framework

. Information Governance
. Meeting Specific Requirements
. Review State of the Art

28 GDPR Technology Framework: Information Governance

What personal data do I have, where is it, how sensitive is it, why do I have it, do I have consent to use it, can I delete it, etc.

. Discovery: data visibility assessment
. Automation is essential
. Data loss prevention for real-time classification & protection of data-in-transit

31 GDPR Technology Framework: Meeting Specific Requirements

RTBF, Consent, Encryption, Data Loss Prevention, Data Portability, Access Control, Record keeping, Incident Response, etc.

. Data Discovery, Classification and Control
. Access Control & Identity Management
. Privileged User Management
. Encryption and Pseudonymization
. Auditing and Forensics
. Breach Detection and Notification

33 GDPR Technology Framework: Review State of the Art

“appropriate technical and organisational measures”: Encryption, backup & restore, testing, and everything else…

. “Taking into account state of the art…”
. Cost
. Risk
. Context
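The Information Governance slide asks what personal data you hold, where it is and how sensitive it is, and the Specific Requirements slide lists discovery, classification and pseudonymization as the technical answers. The following added example (written for this page; it is not code from the slides, IDC or Atos) shows the minimal shape of such an automated discovery pass: it scans a constructed in-memory corpus standing in for file shares, validates IBAN candidates with the ISO 7064 mod-97 check so look-alike strings do not inflate the inventory, ranks each file by the most sensitive category found, and stores an HMAC pseudonym of each hit instead of the raw value, so the inventory does not itself become another copy of the personal data. The detector set, the sensitivity tiers, the sample files and the key are all assumptions of the example.

```python
"""Personal-data discovery with a pseudonymised inventory (added example).

Scans text for personal data, checks IBAN candidates with mod-97, classifies
each file by its most sensitive finding, and records keyed pseudonyms rather
than the values themselves.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Detector table: category -> (pattern, sensitivity tier). Both the detectors
# and the tiers are assumptions of this example, not a standard taxonomy.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "personal"),
    "phone": (re.compile(r"\+\d{2}[\s\d]{8,12}\d"), "personal"),
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
             "financial"),
    "health": (re.compile(r"\b(?:diagnos(?:is|ed)|prescription|diabetes)\b", re.I),
               "special_category"),
}
TIER_RANK = {"none": 0, "personal": 1, "financial": 2, "special_category": 3}

# Constructed key for the example. In a deployment it comes from a secrets
# manager and is itself access-controlled: whoever holds it can re-link
# pseudonyms to the underlying values.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, replace
    letters by 10..35, and the resulting integer must be congruent to 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def pseudonym(value: str) -> str:
    """Keyed hash: lets the inventory link repeat occurrences across files
    without storing the personal data it describes."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class FileRecord:
    path: str
    tier: str = "none"
    findings: dict = field(default_factory=dict)  # category -> number of hits
    samples: dict = field(default_factory=dict)   # category -> pseudonym of first hit


def scan_text(path: str, text: str) -> FileRecord:
    rec = FileRecord(path)
    for category, (pattern, tier) in DETECTORS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if category == "iban":
            hits = [h for h in hits if iban_checksum_ok(h)]  # drop look-alikes
        if not hits:
            continue
        rec.findings[category] = len(hits)
        rec.samples[category] = pseudonym(hits[0])
        if TIER_RANK[tier] > TIER_RANK[rec.tier]:
            rec.tier = tier
    return rec


def build_inventory(corpus: dict) -> list:
    """Scan every file; most sensitive files sort first."""
    records = [scan_text(p, t) for p, t in corpus.items()]
    return sorted(records, key=lambda r: (-TIER_RANK[r.tier], r.path))


# Constructed sample corpus standing in for network shares and cloud storage.
# The second IBAN differs from the valid one by a single digit and must be rejected.
SAMPLE_CORPUS = {
    "hr/onboarding.csv": "name,email,phone\nAda Lovelace,ada@example.org,+44 20 7946 0958\n",
    "finance/payments.txt": "Refund to GB29 NWBK 6016 1331 9268 19 approved.\n"
                            "Typo in ticket: GB29 NWBK 6016 1331 9268 18 (rejected).\n",
    "medical/notes.txt": "Patient diagnosed with diabetes; contact j.doe@example.org\n",
    "public/readme.md": "Release notes for the public website.\n",
}

if __name__ == "__main__":
    for r in build_inventory(SAMPLE_CORPUS):
        print(f"{r.tier:17} {r.path:22} {r.findings}")
```

Run as a script to print the ranked inventory. The design point is that the output of a discovery tool is itself a high-value record of where personal data lives: keeping only counts, locations and keyed pseudonyms keeps the inventory useful for the DPO (it still shows which files need consent, retention and deletion decisions) without widening the set of places the raw data is stored.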

38 When to start?

Manage · Discover · Assess · Review

57 Action plan: Manage · Discover · Assess · Review

Manage
. Select a leader
. It’s a program!
. Stakeholder engagement

Discover
. Visibility
. Risk exposure
. Scale of effort

Assess
. Role of Technology
. Impact assessments
. Behaviour changes

Review
. Access control
. Data control
. Breach response

59 Thank you

60 Zeina Zakhour
Global CTO Cybersecurity, Atos

. 17 years cybersecurity
. Manages end-to-end spectrum
  • Security advisory
  • Integration
  • Managed security services
  • IoT & big
. CISSP
. ISO 27005 certified Risk Manager

61 Atos approach to GDPR: journey towards compliance

62 How to get prepared? The journey to GDPR compliance

▶ Do you know where personal data is stored in your organization, who has access to it, and how it is used or exchanged?
▶ Have you identified non-compliance risks related to personal data processing?
▶ Have you nominated a DPO (Data Protection Officer) for your organization, and does he or she have clear visibility of the whole personal data lifecycle?
▶ Do your business lines understand the impacts of this regulation (changes to data consent forms, providing legal forms for access/modification/erasure, running a Data Protection Impact Assessment (DPIA) for projects processing personal data)?
▶ Are you using cloud services for personal data?
▶ Are your suppliers mobilizing their efforts to implement procedures for compliance with the regulation? How do they demonstrate compliance?
▶ Can you report personal data breaches (stolen personal data) and notify the national authorities within 72 hours?
▶ Can you demonstrate the compliance of your organization with the GDPR?

63 How to get prepared? A structured and continuous improvement approach

[Cycle diagram with the stages Data protection Governance, DPIA, Personal Data Breach Notification, Business processes update and GDPR compliance. Activities listed around the diagram:]

▶ Incident management
▶ CERT/CSIRT
▶ Data breach notification
▶ People, Process & Information alignment
▶ Agile architecture
▶ Security controls (including data encryption, Article 33)
▶ 24/7 security monitoring
▶ Audit and penetration testing
▶ Define organisational and technical controls
▶ Consent forms update
▶ Security by Design & follow-up implementation of DPIA
▶ Auditability and Traceability of access, data flows
▶ Provide forms for data access/modification/withdrawal requests
▶ Personal data mapping
▶ GDPR Readiness Assessment
▶ Data classification
▶ Data Protection Impact Assessment
▶ Contractual commitment update (new/old)
▶ Compliance Reporting
▶ Update SLAs for GDPR compliance

64 Atos & Digital Guardian: GDPR Readiness Assessment

▶ 30-day software-guided data security consulting assessment
▶ Data at Rest Assessment
  ▶ Discover personal data across network shares and cloud storage
▶ Data in Motion Assessment
  ▶ Identify sensitive content leaving your network (web and email)
▶ Detailed report on data protection risks & recommendations
▶ Requires no additional customer resources

65 Atos & Digital Guardian Locate Personal Data & Gaps with GDPR

66 GDPR Governance: shared responsibility on GDPR compliance

[Diagram with three areas: Data Controller (the customer), Data processor (IT Managed Services data processing) and a Technology Catalog.]

Governance activities shown on the diagram:
▶ Monthly discussion, reassessment and adoption of measures (aligned process for change requests and cost impact)
▶ Monthly Reporting
▶ Operate Controls and defined services
▶ Define Metrics / KPI
▶ Define Data Location / Restrictions / Controls / Contractual agreement
▶ Risk Assessment
▶ Create Data Catalogue
▶ Customer legal study to identify personal data
▶ Customer Responsibility against data privacy authorities
▶ Visibility available

Technology Catalog:
▶ IAM / PAM
▶ Data Encryption
▶ Data Masking
▶ SIEM/TI
▶ CSIRT
▶ Data Breach Notification Process
▶ Data Catalogue
▶ Data Breach Emergency Process

67 GDPR Data Protection Controls: Security Service Packages

GDPR Data Protection
▶ AHPS (Log Management)
▶ AHPS (Detection & Monitoring)
▶ Access Control (Privileged Account Management)
▶ Access Control (IAM)
▶ Data Encryption/Masking
▶ Data Loss Prevention
▶ Behavior Analytics
▶ Threat Intelligence

GDPR Reporting
▶ CISO Processes Interface
▶ GDPR KPI setting & reporting automation
▶ GDPR Compliance Dashboard

GDPR Response
▶ CISO Processes Interface
▶ DB – Notification readiness
▶ DB – Notification exec
▶ DB – Forensics
▶ DB – Insurance

68 Intelligence Driven Security Management for GDPR Compliance

[Layered architecture diagram. Labels visible on the diagram:]

▶ Governance Risk and Compliance
▶ Compliance Management Services
▶ Threat Intelligence
▶ Security Operations Center Analysts
▶ Customer Security Team Interface
▶ Incident Response
▶ Global Threat Intelligence
▶ Incident Mgmt. L1/L2
▶ Incident Mgmt. L3
▶ Targeted Threat Intelligence
▶ Ticket Management
▶ Forensics Services
▶ Security Reports
▶ Atos High Performance Security
▶ Prescriptive Analytics
▶ Knowledge Base
▶ Security Dashboard
▶ Infrastructure & Network Protection Services
▶ Endpoint Protection Services
▶ Micro segmentation
▶ Scanning
▶ FW & IPS
▶ Data Protection Services
▶ Data Change Mgmt.
▶ Identity and Access
▶ DDoS Mitigation
▶ Data Loss
▶ APT Detection
▶ Testing, Vulnerability and Remediation Management Services
▶ Testing, Vulnerability Prevention & Remediation
▶ Secure Data Center Operation and Orchestration

74 GDPR compliance is a journey towards a secure & efficient data management lifecycle

▶ You cannot protect what you don’t see
▶ Think Extended Enterprise
▶ Break the Silos
▶ Adopt Purpose Driven Data Collection
▶ Adopt Auditable & Controlled Data Processing
▶ Update your Risk Assessment matrix

75 The challenge is not to be ready on May 25th 2018 but to remain compliant thereafter…

76 Questions & Answers

Thank You

For more information please contact: [email protected]

Atos, the Atos logo, Atos Codex, Atos Consulting, Atos Worldgrid, Worldline, BlueKiwi, Bull, Canopy the Open Cloud Company, Unify, Yunano, Zero Email, Zero Email Certified and The Zero Email Company are registered trademarks of the Atos group. May 2017. © 2017 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos.