GDPR: 12 steps businesses can use to prepare right now

12:54 AM

In this podcast, Darron Gibbard, Chief Technical Security Officer, EMEA, Qualys, talks about preparing for the GDPR and provides a good basis to start your program and understand what departments you need to be working with, and how you should be engaging with your respective businesses.


Here’s a transcript of the podcast for your convenience.

Hello, my name is Darron Gibbard, I’m the Chief Technical Security Officer for Qualys based in the EMEA region. I’m going to be talking to you today about what is involved in GDPR for information security, cybersecurity and IT security teams and get across what is important to your respective organizations, and what you should be doing now to basically get your GDPR program commenced so that you can be compliant with your regulation by May 2018.

The Information Commissioner has published some really useful articles around basically what the 12 steps are and what is involved with GDPR, and there are a lot of areas that touch on information security and cybersecurity teams that need to be done and need to be started as soon as possible. So, I’m going to run through the 12 steps very quickly and briefly, and hopefully this will give you a good basis to start your program and understand what departments you need to be working with and how you should be engaging with your respective businesses.

So, the first one is awareness. Awareness needs to be a continuous process; it needs to be something that you are doing continually and you can demonstrate that you’re doing continually throughout your business. No longer is it the time of tick-box exercises once a year, awareness programs that you need to do for PCI; you need to be able to demonstrate that everybody within your respective organizations is aware of the requirements of GDPR and how personal information is used, transmitted and stored within your organizations.

The second one is around information that you hold, so you need to document every single piece of personal data and where it came from, who you share it with and you need to perform an information audit. And Qualys can help with basically these aspects of GDPR in respects to using Asset View to identify and understand your assets within your environment, and also that has the effect of then understanding where your data is going. And when we talk about data, we talk about any piece of personal, identifiable information that can be used to identify an individual, and it’s a lot broader now with GDPR as well.

The third aspect is communicating privacy information, and this is about what you publish on your website, this is about privacy notices, and ensuring that you are communicating what you are doing with the personal information that you’re collecting. The big change with GDPR with number 4 is the individual’s rights. The rights now have been transferred to the citizen, whereas before with previous data protection laws you were able to capture the information and as long as you put it in a hidden-away privacy policy, you would’ve been able to basically use that data as the organization sees fit. With the new regulation, with GDPR, it is now by the individual’s rights. So you have to think about this from the perspective of one being a security professional, and two as an owner of personal information, and understand what organizations are doing with your own information, as well as what the organization is doing with the information.

Another big change and another big impact is a subject access request, which is number 5. Subject access request now, there is no charge for subject access requests. Under the previous data protection laws there was a minimal fee of 10 pounds, which went towards basically processing the request. Now, with subject access request, you need to basically hold and understand where all the information is and you need to provide all that information within 30 days. That is, within the 30 days you need to provide a full and honest report of every single piece of information that is held about you, as an individual.

At number 6 we have legal basis for processing personal data. So this is looking at the various types of data that you’re processing, how you’re using that data, and identifying from that what your legal basis is for carrying it out and having it documented. So this is a stage above the information you hold, what personal data; you have to demonstrate you have a legal right to process that information, and to be able to use that information you have to provide a legal basis and have legal expertise. So the thing and point about this one is making sure that the information security, cybersecurity teams are working very, very closely with your legal and compliance departments. Once you’ve got that information and once you are working very, very closely, it becomes a lot easier to meet this requirement and make sure that you are fully compliant with the rule.

The next major impact, in one of the biggest areas, which is not necessarily an impact on security teams, but it’s something that needs to be made aware through your websites, your applications, wherever you’re capturing personal information, is consent. And consent is now around basically, you need to review how you’re seeking, retaining and recording consent. Because now you have to demonstrate that your customers, your users, your employees have agreed to you as an organization processing and using that information that you’ve just been given.

At 8 you’ve got children, so obviously there needs to be additional technical controls, additional levels of protection, and you need to basically be verifying the individual’s ages if you are working with children, or how you’re capturing parental and guardian consent and making sure that that is stored and additional controls, technical controls, are placed upon that data. Your access controls need to be as minimal and as secure as you can possibly make them.

Data breaches, or incident notification, which is one of the biggest challenges now. So all organizations have 72 hours as a maximum notification period. If you look at what’s going on in Holland at the moment, in the Dutch market they require immediate notification. And they’ve gone on record and that is now law within Holland that you’re required to notify the regulators immediately. So there will be varying breach notification rules, depending upon the countries that you’re dealing with within the EU and the EEA.

Another one for security teams, and basically it’s very important for security teams, is basically data protection by design. The security teams in history have basically been proven, especially with project management and program management teams, as a very last-minute inclusion in any approval for a program or a project to go live. Now, with data protection by design and data protection impact assessments, security teams now have the opportunity to be able to be in control, be engaged early, and instead of being a reactive service that somebody has realized they’ve got a gate that they need to get security sign-off on, now they have to be at the inception at the beginning of the program and the beginning of the project, and ensure data protection by design, and they’re signing off that the project is meeting and understands what personal information is being transmitted. Is it secure? Are your technical controls in operation?

At 11, you’ve got data protection officers. Obviously, depending upon the size of the organization, and there is still some further clarification from the Information Commissioner’s Office and also the EU regulation itself as to what size of organization. I would also recommend that the data protection officer sits in legal rather than within information security. There’s going to be enough for information security officers, for cybersecurity officers to be doing to make sure that they are compliant with the regulation; to be taking on that additional responsibility I think is a step too far, and it should sit very clearly within the legal team.

And the final, by no means least, is the international, so data transfers. And one of the ways that this ties in very nicely with the information you hold is basically where is the data going? Where is it being transferred to? So you may rely upon your third party to provide outsourced services to your organization. When those services basically then share it with their third parties, then you have to understand what’s basically going on, where the data is going and how that organization and that fourth party is using the data that they have access to, and is it leaving the EU? So is it being transferred to South Africa or Australia, China, South America, the US? And you need to understand end-to-end where that data is going. And with the security assessment questionnaire, we at Qualys are able to provide you a service that will actually go away and assess what your third parties are doing with the data that they have.

We have had a GDPR questionnaire in the product since October of last year; it’s been fully verified by independent consultants, by independent legal companies, and asks all of the pertinent questions that you should be asking your supply chain to help them understand what they have. Because data controllers and data owners, data processors are treated exactly the same. There’s no difference between them, so a fine you get for the data owner is going to be the same fine for the data processor or controller. There is no differentiation, there is no difference between the fines.

I’d like to say thank you for this opportunity. If you need any further information, please visit the Qualys website where we have a whole GDPR section, demonstrating what products and how we can help, and thank you!


from Help Net Security http://ift.tt/2tHBvyr
