A Practical Approach to GDPR, Featuring Duncan Brown, IDC

Agenda
• Logistics
• A Practical Approach to GDPR, Duncan Brown
  – GDPR Readiness
  – The Role of DPO
  – Technology Framework
  – Recommended Timeline
  – Action Plan
• The Atos Approach to GDPR, Zeina Zakhour
• Q&A

Duncan Brown, Associate Vice President, IDC
• Leads IDC's security research program in Europe
• Broad security expertise including incident response, threat intelligence and global privacy
• Established and leads IDC coverage of GDPR, RPEC and the NIS Directive

A Practical Approach to GDPR
Duncan Brown, Associate Vice President, European Security, [email protected]
© IDC. Visit us at IDC.com and follow us on Twitter: @IDC

GDPR is a game-changer
• Fines up to 4% of global revenues: "effective, proportionate and dissuasive"
• Mandatory breach notifications, with consequential loss of reputation
• Class-action lawsuits, brought by activists…?
• Ban on personal data processing in extreme cases (Article 58)

GDPR Readiness
Source: IDC EMEA GDPR Survey, March 2017, n=560
[Bar chart. Response options: Not relevant, as GDPR does not affect our organization; We really do not know where to start; We are awaiting further guidelines; We will start addressing it this year (2017); There is a solid plan in place to ensure readiness by May 2018; It is mainly ready now. The slide carries two call-outs, 43% and 57%; the per-option values and the groups the call-outs cover are not recoverable from the flattened chart.]

Who leads GDPR?
Source: IDC EMEA GDPR Survey, March 2017, n=560
Q. In which division or department is the leader based?
[Pie chart. Departments: Corporate management, IT, Finance and accounting, Legal, Other. Shares shown: 2%, 21%, 39%, 7%, 31%; the flattened chart does not preserve which share belongs to which department.]
Q. We have established a cross-functional compliance taskforce or governance board?
• Yes: 36%
• No: 64%

The role of the Data Protection Officer
(IDC does not provide legal advice.)
• Mandatory for public bodies, and for processing involving 'large scale' systematic monitoring
• Voluntary DPOs are encouraged as good practice
• Applies to controllers and processors
• Requires 'expert knowledge' and the 'ability to fulfil the tasks'
• In-house or external, full- or part-time
• No conflict of interest
• Can't be fired for 'performing their duties'

Sourcing a DPO
Source: IDC EMEA GDPR Survey, March 2017, n=560
[Pie chart. Options: Appoint someone from within the organization; We already have a DPO in place; Appoint a dedicated person from outside the organization; Not appoint a DPO; Use a contract resource. Shares shown: 7%, 7%, 13%, 51%, 22%; the flattened chart does not preserve which share belongs to which option.]

GDPR Technology Framework
Three pillars: Information Governance; Meeting Specific Requirements; Review State of the Art.

1. Information Governance
What personal data do I have, where is it, how sensitive is it, why do I have it, do I have consent to use it, can I delete it, etc.
• Discovery: data visibility assessment
• Automation is essential
• Data loss prevention for real-time classification and protection of data in transit

2. Meeting Specific Requirements
RTBF, consent, encryption, data loss prevention, data portability, access control, record keeping, incident response, etc.
• Data discovery, classification and control
• Access control and identity management
• Privileged user management
• Encryption and pseudonymization
• Auditing and forensics
• Breach detection and notification
• Managed services

3. Review State of the Art
"Appropriate technical and organisational measures": encryption, backup and restore, testing, and everything else…
• "Taking into account state of the art…"
• Cost
• Risk
• Context

When to start?
[Timeline slides. Phases: Discover, Assess, Review, Manage.]

Manage
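The Information Governance and Meeting Specific Requirements pillars both name data discovery, classification and pseudonymization as technical measures but do not show what an automated pass looks like. The following is an added example, not part of the IDC deck and not IDC or Atos tooling: a small Python scanner that discovers personal-data fields in constructed sample records, labels them by sensitivity, and replaces them with keyed pseudonyms (HMAC-SHA256). The record format, the detector patterns, the sensitivity labels and the key are all assumptions made for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed sample records (made up for this example; not real data).
SAMPLE_RECORDS = [
    "2017-03-14 login user=alice.smith@example.com ip=203.0.113.7 phone=+44 20 7946 0958",
    "2017-03-14 order id=88213 customer=bob@example.org iban=GB82WEST12345698765432",
    "2017-03-14 healthcheck status=ok",
]

# Assumed detector set: the classes of personal data this scan looks for.
# A production scanner needs many more (names, national IDs, addresses, ...).
DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d){6,14}"),
}

# Assumed sensitivity labels per class, used to prioritise remediation.
SENSITIVITY = {"iban": "high", "email": "medium", "phone": "medium", "ipv4": "low"}


def discover(record: str) -> List[Dict]:
    """Find every personal-data field in one record, ordered by position."""
    hits = []
    for cls, pattern in DETECTORS.items():
        for m in pattern.finditer(record):
            hits.append({"class": cls, "sensitivity": SENSITIVITY[cls],
                         "value": m.group(0), "start": m.start(), "end": m.end()})
    return sorted(hits, key=lambda h: h["start"])


def pseudonymise(value: str, cls: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the class-tagged value, truncated.

    The same value under the same key always yields the same token, so records
    stay joinable for analytics. Without the key the token cannot be reversed
    or brute-forced from a dictionary, which an unkeyed hash of an e-mail
    address would be.
    """
    tag = hmac.new(key, f"{cls}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"<{cls}:{tag}>"


def pseudonymise_record(record: str, key: bytes) -> str:
    """Replace every discovered field in a record with its pseudonym."""
    out, pos = [], 0
    for hit in discover(record):
        if hit["start"] < pos:      # overlaps a field already replaced
            continue
        out.append(record[pos:hit["start"]])
        out.append(pseudonymise(hit["value"], hit["class"], key))
        pos = hit["end"]
    out.append(record[pos:])
    return "".join(out)


def inventory(records: List[str], key: bytes) -> Tuple[Dict[str, int], List[str]]:
    """Data-visibility summary (count per class) plus the pseudonymised corpus."""
    counts: Dict[str, int] = {}
    cleaned = []
    for record in records:
        for hit in discover(record):
            counts[hit["class"]] = counts.get(hit["class"], 0) + 1
        cleaned.append(pseudonymise_record(record, key))
    return counts, cleaned


if __name__ == "__main__":
    # Assumed key; in production it lives in a KMS/HSM, separate from the data.
    demo_key = b"constructed-example-key-do-not-reuse"
    found, scrubbed = inventory(SAMPLE_RECORDS, demo_key)
    print("personal data found per class:", found)
    for line in scrubbed:
        print(line)
```

The keyed construction matters for the "pseudonymization" line of the framework: GDPR Article 4(5) only treats data as pseudonymised if the additional information needed to re-identify it is kept separately and under technical and organisational controls. Here that additional information is the HMAC key, so the key must be stored apart from the scrubbed records and its holders are the only party able to map a token back to a person by recomputing it; if the key ships alongside the data, the output is still personal data.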
