GDPR: 241 (calendar) days to go CIPS Speaker Prese… · General Data Protection Regulation (GDPR),...

Page 1

© CGI Group Inc. CONFIDENTIAL

GDPR: 241 (calendar) days to go

CIPS

Maxine Bulmer

CGI Cyber Security Director

25th September 2017

Page 2

Agenda

1. Welcome

2. What is the General Data Protection Regulation? Features, nature, applicability and the challenges

3. What is your information?

4. Are you GDPR ready?

5. Next steps

6. Case study / CGI's capability

7. Questions?

Page 3

GDPR awareness is rising


Page 4

UK Government adoption of GDPR

• “A new law will ensure that the United Kingdom retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online”. Queen's Speech, 21st June 2017

• “The Government will also make use of all available levers, including the forthcoming General Data Protection Regulation (GDPR), to drive up standards of cyber security across the economy, including, if required, through regulation.” National Cyber Security Strategy 2016-2021

• “In a global economy we need consistency of law and standards – the GDPR is a strong law, and once we are out of Europe, we will still need to be deemed adequate or essentially equivalent.” Information Commissioner, 29th September 2016


Page 5

General Data Protection Regulation (GDPR) – the new world

• New features at a glance:

• Common / harmonised approach across Europe (no UK variant – but some local derogations)

• Fines of up to 4% of global annual turnover (or EUR 20m, whichever is higher)

• Data breaches to be reported to the supervisory authority “without undue delay” and, where feasible, within 72 hours of becoming aware of them

• Data processors now directly liable (as well as data controllers)

• Data Protection Impact Assessments mandatory for processing likely to pose a high risk to individuals

• Broader definition of personal data – online identifiers such as IP addresses, location data, etc.

• “Right to be forgotten” – erasure of personal data

• Right to data portability – taking your data with you when changing service provider

• Consent to process data cannot be assumed or implied – it must be a clear affirmative action, and as easy to withdraw as it was to give

• Applies to non-European organisations that offer goods or services to, or monitor the behaviour of, people in the EU


Page 6


GDPR – essential features

Key items

• Breach notification to the supervisory authority without “undue delay” and, where feasible, within 72 hours of becoming aware; affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them

• Applies to all organisations processing personal data (the GDPR term, which is broader than “Personally Identifiable Information”)

• Challenging consent requirements:

  • Particularly for marketing

  • Active, unambiguous consent confirmation (silence or pre-ticked boxes do not count)

• Two tiers of penalties, the upper tier set at up to 4% of global annual turnover or EUR 20m, whichever is higher (lower tier: 2% or EUR 10m), for:

  • Breach

  • Non-compliance

• Data subject rights to:

  • be informed (fair processing information)

  • have access (confirmation that data is processed, and a copy of it) and portability

  • rectification (accuracy)

  • be forgotten (i.e. erasure)

  • object (including to solely automated decision-making and profiling)

Some specifics

• Full force – 25th May 2018

• Based on risk to data, applied via Data Protection Impact Assessments or Privacy Impact Assessments

• Demonstrable security (the accountability principle)

• Evidence required of measures and good practice

• Privacy by Design and by Default

• Data profiling and pseudonymisation are key issues

• Restrictions on transfer and processing of data outside the EU

• Mandatory appointment of a Data Protection Officer in many organisations (public authorities, and organisations whose core activities involve large-scale monitoring or large-scale processing of special-category data)

• Expansion of the scope of personal data: location, IP address, medical, etc.

• Data Processors and Data Controllers share responsibilities

• GDPR-compliant processor contracts (Article 28) to be implemented across supply chains

Page 7


GDPR nature and applicability

GDPR

• Regulation =

  • Directly applicable in every member state; no transposing legislation needed

  • Little scope for national interpretation, beyond the derogations the Regulation itself permits

• Transition / deployment period

  • In force since 24th May 2016; applies in full from 25th May 2018

• All organisations processing personal data (wider than “Personally Identifiable Information”)

• Applicable to non-EU organisations that offer goods or services to, or monitor, people in the EU

• Based on risk to data

• No general small/micro business exclusion: only the Article 30 duty to keep records of processing is relaxed for organisations with fewer than 250 employees, and only where the processing is occasional, unlikely to pose a risk to individuals and involves no special-category data

• National security falls outside the scope of the Regulation; employment data is not excluded, but member states may lay down more specific rules for it (Article 88)

“Extras”

• Demonstrable security

• Data Processors and Data Controllers

• Privacy by Design and by Default (pseudonymisation)

• Independent DP Officer

• Greater penalties

• Breach notification without undue delay

Page 8


GDPR – the challenge

Key items

• Breach notification without undue delay – where feasible, within 72 hours

• All organisations processing personal data (not just “Personally Identifiable Information”)

• Challenging consent requirements:

  • Particularly for marketing

  • Consent confirmation

• Penalties of up to 4% of global turnover (or EUR 20m, if higher) for:

  • Breach

  • Non-compliance

• Data subject rights:

  • To be forgotten

  • Accuracy (rectification)

  • Access and portability

Details

• Operational – 25th May 2018

• Based on risk to data

• Data Protection Impact Assessments

• Demonstrable security

• Privacy by Design and by Default (pseudonymisation)

• Restrictions on processing of data outside the EU

• Independent DP Officer

• Expansion of the scope of personal data: location, IP address, etc.

• Data Processors and Data Controllers

• Compliant contracts

Page 9

GDPR – business challenges

• Understanding the impact of the legislation and regulations

• Identifying gaps in current practices

• Understanding the information asset landscape, including risks and threats

• Establishing effective governance, direction and oversight

• Ensuring policies are robust in design and implementation

• Selecting and deploying the right technology

• Data management (including discovery, deletion, etc.)

• Consent management

• Access controls

• Web / office / operational interfaces

• Auditing and monitoring

• Monitoring the effectiveness of the technical controls

• Accessing the right skills, structures and numbers of staff

• Training, education and awareness across the organisation

• Prioritising funding and investments


Page 10

The realisation of how and where your data is shared….


Page 11


Page 12

Our methodology for GDPR


Page 13

How can we help? (Our sell !!)

• Understand the impact of GDPR on the “As Is” position – gap analysis

• Assess GDPR maturity

• Plan for GDPR

• Discover the data landscape, including discovering and mapping data flows

• Assess risk using the Information Commissioner's Office methodology

• Execute DPIAs

• Design the data management regime

• Implement Information Classification, Marking and Handling (ICMH)

• Validate the GDPR preparations of 3rd party suppliers and partners

• Establish roles – Data Protection Officer and “Data Controller”

• Deliver staff awareness campaigns

• Prepare responses and plan for breaches

• Select and integrate appropriate technology


Page 14

What can you gain from GDPR?

1. A 'blueprint' of your sensitive data, how and where it is processed

2. Touch-points with senior stakeholders across the organisation

3. An understanding of your key corporate risks

4. Understand your security maturity, with opportunities to enhance security posture

5. Identify any transformational opportunities, including cloud

6. Identify need for any business process change

7. Validate the need for any endpoint security solutions

8. Is there a need for managed security services?

Page 15

Things to be aware of

• The clock is ticking to May 2018

• ICO estimates that 43% of businesses are not doing anything – despite knowing about GDPR

• Digital Economy Act 2017 – fines for company directors – up to £500,000

• If organisations are seen to be taking the right steps, penalties may not be as severe

• This is coming…..Brexit or not!


Page 16

Your next steps?

• Discover your data

  • Understand all the data held by your organisation

  • Understand the data flows (where the data goes)

  • Categorise the data

  • Identify data that contains personally identifiable attributes

  • Determine what the data is being used for

• Establish a Data Management Framework, including:

  • Identifying data owners

  • Defining access policies

  • Privacy by Design

  • Justifying use (a lawful basis: business purpose and/or consent)

• Roll out policies and controls

  • Implement technical / procedural controls to enforce policy, including:

    • Privacy by Design

    • Data use statements

    • RBAC, DLP, encryption

    • Subject access requests and the right to be forgotten

  • Educate staff on their responsibility to protect personal data

• Prepare for cyber security incidents

  • Stand up an incident management capability

  • Define and exercise your security incident processes (including who decides, and when, whether the 72-hour notification applies)

• Monitoring

  • Implement monitoring to enable identification of data loss

  • Ensure controls are correctly implemented

• Run all of this within a proven Information Security Management System (ISO 27001)
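The "discover your data", "RBAC, DLP, Encryption" and "Right to be Forgotten" steps above are easier to reason about with a concrete mechanism in hand. The following Python is an added example written for this page; it is not code from the CGI deck or its case study. It shows one way to tag the fields of a record that hold personal data, pseudonymise them with a per-data-subject key (HMAC-SHA256) so that they stay useful for analytics but cannot be reversed by a dictionary attack the way a plain hash of an e-mail address can, and then answer an erasure request by destroying that subject's key (crypto-shredding). The field names, the `FIELD_HINTS` table, the records and the keys are all constructed for the example.

```python
"""
Added example (not from the CGI deck): discover personal-data fields in a
record, pseudonymise them under a per-subject HMAC key, and implement
erasure by destroying the key. All names and data here are constructed.
"""
import hashlib
import hmac
import ipaddress
import re
import secrets
from typing import Dict, Optional

# Loose e-mail shape: good enough to flag a field, not to validate addresses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Field names that carry personal data regardless of the value's shape.
# Constructed for the example; a real deployment derives this from its data inventory.
FIELD_HINTS = {
    "name": "name",
    "full_name": "name",
    "postcode": "location",
    "dob": "date_of_birth",
}


def classify_value(value: str) -> Optional[str]:
    """Return the category of personal data a value looks like, or None."""
    if EMAIL_RE.match(value):
        return "email"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip_address"
    except ValueError:
        return None


def discover_pii(record: Dict[str, str]) -> Dict[str, str]:
    """Map each field that holds personal data to its category."""
    found: Dict[str, str] = {}
    for field, value in record.items():
        kind = FIELD_HINTS.get(field.lower())
        if kind is None and isinstance(value, str):
            kind = classify_value(value)
        if kind is not None:
            found[field] = kind
    return found


class PseudonymisationStore:
    """One random HMAC key per data subject.

    Pseudonymised data is still personal data while the key exists (it can be
    re-linked), so the key store needs the same protection as the raw data:
    kept apart from the pseudonymised dataset, access-controlled and audited.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def has_key(self, subject_id: str) -> bool:
        return subject_id in self._keys

    def _key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))

    def pseudonymise(self, subject_id: str, record: Dict[str, str]) -> Dict[str, str]:
        """Replace every personal-data field with a keyed, truncated HMAC.

        The same subject key gives the same pseudonym for the same value, so
        records for one person still join; a different key (another subject,
        or another organisation) gives unrelated pseudonyms.
        """
        key = self._key_for(subject_id)
        out = dict(record)
        for field in discover_pii(record):
            mac = hmac.new(key, str(record[field]).encode("utf-8"), hashlib.sha256)
            out[field] = mac.hexdigest()[:16]  # 64-bit pseudonym is plenty for a join key
        return out

    def can_link(self, subject_id: str, value: str, pseudonym: str) -> bool:
        """True if `pseudonym` was derived from `value` under this subject's key.

        Returns False once the key has been destroyed: the pseudonym is then an
        opaque token with no way back to the person.
        """
        key = self._keys.get(subject_id)
        if key is None:
            return False
        expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        return hmac.compare_digest(expected, pseudonym)

    def erase_subject(self, subject_id: str) -> bool:
        """Crypto-shred: delete the key, leaving existing pseudonyms unlinkable."""
        return self._keys.pop(subject_id, None) is not None
```

Two practitioner caveats. First, whether destroying the key on its own discharges an erasure request depends on what else the pseudonymised rows still reveal (free-text fields, rare combinations of attributes) and should be agreed with your Data Protection Officer rather than assumed. Second, the key store is now the crown jewels: a copy of it in a backup or a log defeats the shredding, so the retention and backup policy for keys has to be written alongside the one for the data.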


Page 17


Case Study – summary

Our involvement:

• Data Privacy Impact Assessment and GDPR Data Governance Review – gap analysis of current state

• Identification and mapping of internal and external data flows

• Information gathering across 26 UK business units

• Risk assessment using the Information Commissioner's Office methodology

• Identification of 3rd party stakeholders with whom personal data is shared

• Health check score of Data Protection Act compliance, indicating areas for improvement

• Final report (69 risks / 119 recommendations)

• Presentation to Board members

Recommendations:

• Roll out education, awareness and training

• Support preparation for responding to a data breach

• Identify accountable roles

• Identify Data Processors / Data Controllers and confirm their contracted roles

• Validate 3rd party stakeholders' GDPR preparations

• Investigate “Right to be Forgotten” capability

• Consider data portability requirements

• Ensure processes and data retention are transparent

• Identify data retention options

Page 18

Our privacy capability


Page 19

Thank you.

Any questions ?

Follow me on Twitter @maxine_bulmer

Connect with me on LinkedIn
