update is intended to give general information about legal topics and is not intended to apply to specific circumstances. Its contents should not, therefore, be regarded as constituting legal advice and should not be relied on as such. In relation to any particular problem that you may have you are advised to seek specific legal advice.
general processing activities in the UK
• Stands on its own but tracks the GDPR
• Fills in the gaps left by the GDPR
• Extends to processing the GDPR doesn’t reach:
  • Law enforcement; and
  • Intelligence services
• Name and contact details of the controllers and DPO
• The purpose of the processing
• Categories of data subjects
• Categories of personal data
• Categories of recipients of data
• Recipient countries and safeguards in place (if outside the EU)
• Time limits for erasure of different categories
• Description of security measures in place
• Name and contact details of processor(s)
• Name and contact details of each controller
• The categories of the processing
• Recipient countries and safeguards in place (if outside the EU)
• Description of security measures in place
perspective of data subjects
• Demonstrates that appropriate measures have been taken to ensure compliance with the GDPR
• Can apply to a single processing operation or a set of similar operations with similar risks
• Conducted before processing commences or when the risk changes
to result in a high risk to individuals, such as:
(a) automated, systematic and extensive evaluation of personal aspects of individuals which is the basis of a decision concerning the person (e.g. profiling); or
(b) large-scale processing of special categories of data; or
(c) systematic monitoring of a publicly accessible area on a large scale
• Automated decision-making
• Systematic monitoring
• Sensitive data
• Data processed on a large scale
• Datasets matched or combined
• Data concerning vulnerable data subjects
• Innovative use / applying new technology
• Data transfer outside the EU
• Processing that prevents individuals exercising a right or using a service / contract
must have a written contract in place
• Important to set out responsibilities
• The GDPR prescribes what needs to be included
• Standard contract clauses may be prescribed by the ICO in future
• Controllers are liable for processors’ compliance: they must only use processors who can provide sufficient guarantees
all / generic contract terms (re descriptions of processing activities)
• Ensure that the contract is clear that its terms don’t relieve the processor of its own direct responsibilities and liabilities under the GDPR
• Reflect on any indemnities that have been agreed
to individuals when their data is collected:
• Identity and contact details of the controller
• Contact details of the DPO
• Purposes of the processing
• Legal basis for the processing
• Legitimate interests of the controller or a third party*
• Recipients of the personal data
• If transferred outside of the EEA, details of the adequacy decision / safeguards
to individuals when their data is collected (if necessary):
• The period for which the data will be stored
• The individual’s rights
• The right to withdraw consent
• The right to lodge a complaint with the ICO
• Any statutory or contractual requirement to process, or where data is required to enter into a contract
• Consequences of failing to provide data
• Whether there is automated decision-making
place to detect, report and investigate a personal data breach
• Report to the ICO if the breach is not unlikely to result in a risk to the rights and freedoms of individuals
• The data controller must notify the ICO not later than 72 hours unless there is a reasoned justification
• Controllers must document all breaches
• May need to notify individuals
commercial legal services to the Public Sector in the UK. Our clients include a third of all NHS Bodies and all Local Authorities in England, 30 Housing Associations, and over 100 private sector firms who serve these sectors, covering areas such as social infrastructure and waste.
an environment of greater transparency and accountability and that ever increasing expectations are being placed upon them. That is why Bevan Brittan clients do not need to explain themselves to us over and over again – we get it.
that contribute to your success
• To give you fair pricing and clarity on costs
• To give you the right team
• To communicate clearly
• To care about our relationship with you
Capgemini/Andy Powell (28 Mar 17) – This DOES NOT constitute any form of legal or legally binding advice This is NOT an Elephant?! It is in fact a vaguely purple Octopus!
GDPR, but not sure why? How to eat the GDPR Elephant a bit at a time! Andy Powell will …
• Simplify what GDPR really means and outline an Enterprise approach – so that even the CFO gets it!
• Explain the Threat – without hype – and why the Threat is not just from ‘Hackers’ but also comes in other forms!
• Explain how the Enterprise-wide principles of ‘Build, Watch, Proact and React’, as practised in Medieval Warfare and viewed through the lens of data management and Cybersecurity, will help you be ready!
There is NO silver bullet to dispatch the GDPR Elephant, just good old fashioned common sense, prioritisation of effort and a balanced programme of measures across people, process and tools!!
Octopus: Transparency, Accountability, Governance, Consent, Rights, Safeguards, Data Management, Legal/Contracts, Breach Reporting, Security
‘ACCOUNTABILITY’: Appoint DPO; Controllers/Processors; 3rd Parties External to EU; Understand Exclusions; Etc.
Rights of: Being Informed; Access; Rectification; Erasure; Restrict Processing; Data Portability; Objection; Automated Processing; Audit
‘HOW’: Legacy; GDPR by Design; ‘Show Workings’; PIA
The ‘WHO’ owns: Board OWN, plus Enterprise-wide Responsibility, NOT Security/CIO
Definition of Private Data
In-built (e.g. Encryption, Access etc.) and Security Controls (e.g. Review SANS/CSC 20 v GDPR and adjust)
Data: Discovery, Analytics, Store/Access/Dispose etc.
‘… to correct the scaremongering and misunderstanding, we will not be looking to make early Examples to make a point on GDPR Compliance….’ Elizabeth Denham, ICO
“The Government’s recent Cyber Risk Survey found that whilst 69 per cent of businesses say their senior management consider cyber security is a very or fairly high priority for their organisation only half of businesses have actually taken recommended actions to identify cyber risks.” ICO
“I want organisations to think to themselves: ‘we base our online user experience around what consumers want. We shape our products and services around what consumers want. We need to shape our data protection approach around what consumers expect’.” ICO
“To meet the challenges I’ve described, we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.” ICO
‘…the Vendor/Supplier base is over hyping the Cyber Risk and GDPR impact to panic Business into investing in products and solutions they do not need….’ NCSC Leadership
‘Threat(s)’!
§ ‘Hackers’
  § What – Personal Data has Value
  § Who – Criminals – Organized/Supported
  § How – Bribery/Blackmail/Stupidity
§ Internal
  § Readiness
  § Complacency – Generational?
  § Understanding Risk Appetite
§ External
  § Third Party and Suppliers
  § Individual Awareness of Rights
  § The New PPI?
Positive – ‘FINALLY! EXPLOIT YOUR DATA FOR BUSINESS ADVANTAGE’!
Negative – ‘FAIL TO PROTECT YOUR DATA – LOSE BRAND, SHAREHOLDER CONFIDENCE, CLIENTS and YOUR JOB’!
Threat – ‘a truly Medieval Approach’
BUILD: Create a Keep (for precious things) and build security into your Castle (NOT just walls, but small rooms and staircases to contain the threat once inside: it will get in!)
• Locate and Track Precious Data
• Segment Architecture
• Target Security Controls
• Think Resilience
WATCH: Constant Reconnaissance outside and inside the walls
• Sentries Looking Out and In
• Understand the Threat
• Impact of Change!
• Adjust your Defence posture constantly
PROACT: Be proactive and unpredictable
• Deny the enemy cover (Access Management)
• Slow their advance (Cyber Hygiene)
• Change where and when you patrol (Audits, Patching etc.)
REACT: Be prepared to act!
• Be Prepared to Deal with a Breach
• Tried and Tested Consent and Access Process
• Test and Adjust
Think laterally and like a human! CxO!
Data Life Cycle Management from the start, and Design to support Secure but Ready Access
• Understand Where Your Data is and How it Flows
• Compartment your Network and Data via Hard and Soft Means
• Build Resilience into your Components and Links
• Build to Change
• Instrument
“Think laterally and indirectly: how could someone navigate through this and get at something vital, for good or bad!”
The key to Data Management and Security is constantly watching and adapting your data processes and security
• Strategic and Specific Intelligence
• Internal Threat Management
• People
• Data Flow
• Patterns
• External Threat Management
• Recruit, Train and Retain
• Users
• Data managers
• Security
• Network
“Intelligence-led, human in the loop, all process harnessed to manage the data for effect, securely”
The 7 Ps! There is NO silver bullet. A combination of Training, Awareness, Governance and Process, underpinned by Tools!
• People: Select, Train and Test; Awareness
• Process: Governance; Consent; Access; Audit; Change Management
• Tools: Patch; Run VM; Data
“Mitigate the Threat by Preparation – Good Data Management and Cyber Hygiene is cheap!”
Be Decisive, Meet Obligations, Be Ready for Changes, and Practice!
• To Access Requests and Consent Changes
• To Events and Breaches
• Stop it and Immediate Forensics!
• External – Client, Media, Peers, Authority
• Internal – Lessons, Implement and Sustain
• Share – Intelligence with Peers and Authority
• Compliance/Mandate – Legal obligations
Andy Powell - VP Cyber Security - Capgemini
About Andy: Andy is Vice-President (VP) for UK Cybersecurity at Capgemini with over 30 years’ experience in Defence and Security roles and recent senior leadership roles as CIO and CISO for the Royal Air Force, Joint Operations and as head of the Ministry of Defence’s Cyber Defence Operations and Network Operations. As VP for UK Cybersecurity at Capgemini Andy leads a business that covers all Sectors from Public to Energy and Utilities, including Consumer, Private Sector and Finance, delivering a broad range of Consulting, Project and Managed Cyber Services. A Systems and Electronic Warfare engineer by training, he describes Cyber as ‘the constant battle of wits between attacker and defender where people, process and technology must converge to enable the business!’
[email protected] 07891151835
[Chart: RISK – share of respondents per attack type, bars ranging from 11% to 42%: Exploitation of lost/stolen asset; Mobile malware; DNS; Strategic web compromise …; DDoS; Web application (SQL injection, …); User interaction (phishing, …); Use of stolen credentials (logins, …); Software vulnerability (software …). Source: The State of Network Security: 2016-2017, Forrester, January 2017]
25% ↑ Total web application attacks
86% ↑ Attacks from the U.S. (current top source country)
86% ↓ Attacks from Brazil (Q2 2016 top source country)
44% ↑ Increase in SQLi attacks
While DDoS attacks were down, the total number of web application attacks was up compared to the same quarter a year ago. Many fewer attacks came from Brazil. SQLi attacks were up 44%.
↑ Total web application attacks
4% ↑ Attacks sourcing from the U.S. (top source country)
21% ↑ SQLi attacks
Application attacks continued to grow slowly, with a 5% increase quarter-over-quarter and a 28% increase year-over-year. Unlike DDoS attacks, web application attacks involve relatively little traffic and can be hard to detect.
[Diagram: Credential Abuse and Account Takeover – a botnet replays leaked credentials (username/password) against customer site login forms; successful logins reach shopping accounts and data, turning end-user assets into financial gain for the attacker]
had a security incident that negatively impacted their business in the past year.1
• 91% of cyberattacks and the resulting data breaches begin with a phishing attack.6
• Over 390,000 new malicious programs are registered every day.3
• In 2016, there were 980 data breaches with more than 35 million records exposed.5
• 93% of phishing emails are related to ransomware.4
• 84% of enterprises have suffered phishing attacks.2
• CryptoWall version 4, a notorious ransomware virus, has so far resulted in $18 million in damages, 36,000+ confirmed victims, and 7.1 million attempted infections.7
breach goes undetected for over 5-8 months.8
• Mean time to identify a data breach is 201 days.9
• 25% of companies do not treat cyber threats as significant corporate risks.13
• 80% of IoT and 71% of mobile applications are not tested for security vulnerabilities.12
• Only 38% of global organizations feel prepared for a sophisticated cyberattack.11
• Less than 19% of data breaches are self-detected.10
of cybercrime is predicted to hit $6 trillion annually by 2021.14
• 68% of funds lost as a result of a cyberattack were declared unrecoverable.16
• 68% of corporations have not considered the financial impact of a cyberattack.18
• Most organizations fold their security budgets and spending into another cost center, whether IT (48%), general operations (19%), or compliance (4%), where security budget and cost line items are combined with other related factors. Only 23% track security budgets and costs as their own cost center.20
• The Internet economy annually generates between $2 trillion and $3 trillion. It’s estimated that cybercrime extracts between 15% and 20% of that value.19
• Average cost of an APT data breach is $18 million; 50% is damage to brand reputation.17
• The estimated cost of using existing cloud offerings to break into most Wi-Fi networks is $1.68. It would take six minutes.15
• The rate of evolution and volume of complex targeted threats continue to increase.
• The growing prevalence of mobile, cloud, hybrid WANs, direct Internet access, and IoT is only going to exacerbate this problem.
• Existing security point solutions and applications are often reactive, inconsistent, and ineffective.
• The consequences of not proactively preparing for a targeted attack are enormous.
personalized web experiences and manage complexity from peak demand, mobile devices and data collection.
Where Scale Matters: Delivering Content and Security from the Edge
Akamai delivers Unique and Reusable content from the edge of the Internet (Application Origin to Edge)
• 85% of the Internet is within 1 hop of an Akamai Edge Server
• 100% Availability
Scale enables your customer to reach users anywhere in the world with confidence
[Diagram: edge services listed include FastDNS, Bot Manager and Client Reputation]
that they are “Appropriate”)
• OWASP ++
• Distributed/Scalable
• Personal Data transported via APIs
• Know the reputation of who is approaching your internet-facing resources to further improve effectiveness
*OWASP plans the final public release of the OWASP Top 10 - 2017 in November 2017
Because WAFs are notoriously difficult to manage
Q. How many employees (on an FTE basis) are needed to properly manage WAF within your organization?
• None: 11%
• 1 to 2: 29%
• 3 to 5: 34%
• 6 to 10: 18%
• More than 10: 8%
Source: Ponemon Institute
to configure WAF
• Gartner still identifies lack of Application Security as a risk for many enterprises.
• Even among companies that can afford a Web App Firewall, 30% have not deployed their firewall.
WAF deployment: Not deployed (30%); Combination of inline and out-of-line (25%); Out-of-line (23%); In-line (20%); Not sure (2%)
Self-service installation and automatic rule deployments bring DDoS AND Application security to organizations who might otherwise leave their web applications exposed.
up to Security Experts
• Continuous security monitoring.
• Attack mitigation and support capabilities.
• Experts to periodically review and tune the security setup.
• Recommendations to protect against the evolving threat landscape.
by extending the security perimeter outside the data-center and protecting from the increasing frequency, scale and sophistication of web attacks.
Zero Trust Simplifies GDPR Compliance
[Diagram: an Enterprise User reaches App A, App B and App C over the Internet with no attack footprint; create audit trails; keep single user administration]
Why
• Simple Search Path
• Control 3rd Party access to sensitive data
• Keep people accountable
How
• Isolate applications containing sensitive data
• Keep single Administration
• Create Audit Trails
Help
• Work Risk Based: Implement “Appropriate Technical and Organizational measures” on a risk basis, and based on industry best practices, to protect Web applications and websites.
• Build evidence: Do not let your WAF rules go stale.
• Use State-of-the-Art Technology: Use “State-of-the-Art” technology to prevent data theft, by using a fully integrated DDoS and Advanced Threat Protection solution.
• Implement a Zero-Trust Strategy: Don’t trust anybody/anything, isolate sensitive apps and inspect everything.