GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation) Compliance Roadmap for the new EU Privacy Law to be enforced from 25.05.2018
8-step roadmap to demonstrate GDPR compliance
- GDPR Compliance Scope Application
- GDPR Compliance Forum Role Players
- Personal Data Protection legal rights
- Personal data processing types
- Personal data processing location mapping
- Data Protection Impact Assessment (DPIA)
- Personal Data Protection Policy (outcome of DPIA)
- Personal Data Protection Procedures
1. GDPR Compliance Scope Application
GDPR (personal data protection law) will apply to all of the following personal data processing:
- EU Citizen data processing located outside the EU
- Global Citizen data processing located inside the EU
- PII (Personally Identifiable Information) of all living data subjects (customers, employees, suppliers)
2. GDPR Compliance Forum Role Players
- Compliance (requirements, monitor, report)
- Legal (privacy & cookie policies, T&C, supplier contracts)
- CISO (personal data security policy, awareness)
- IT (technology solution delivery)
3. Personal data protection legal rights
Provide accessible website links that enable data subjects to affirmatively exercise the following legal rights:
- Specified Valid Purposes (for personal data processing)
- Explicit consent (unambiguous, informed, logged)
- Withdraw consent (unambiguous, informed, logged)
- Submit a complaint of personal data misuse
- Request personal data update
- Request personal data erasure (subject to retention for legal, regulatory and other specified valid purposes)
- ePrivacy Regulation (ePR) is estimated to be enforced from 25.05.18 (same EU enforcement fines as GDPR). ePR (Cookie Law) will require that data subjects can exercise all their cookie data processing rights.
4. Personal data processing types
Map all personal data processing types (part of DPIA Procedure):
- PII – name, street address, ID #, email, mobile, online identifier
- KYC – ID document, utility bill, credit history, financial information
- Billing – cardholder PAN and expiry, deposits, withdrawals
- Trading – open positions, transactions, profit & loss
5. Personal data processing location mapping
Map all global locations of all the personal data processing types (part of DPIA Procedure):
- on-premise – primary and secondary data center sites
- cloud services – SaaS (software), IaaS (VM server infrastructure), PaaS (database platform)
6. Data Protection Impact Assessment (DPIA)
Perform a DPIA for new projects, technologies and current personal data processing activities that may result in a high risk to the rights and freedoms of data subjects (identifiable living persons):
- Map all the personal data processing types (step 4 – PII, KYC, Billing, Trading, Other).
- Map the personal data processing on-premise locations and cloud services (step 5).
- Map the collection, storage and replication data flows of all personal data processing types.
- Assess the user access rights management, activity auditing and monitoring processes.
- Identify the risks of unauthorized access to and disclosure of PII (+ other personal data).
- Assess the technical and organizational controls in place, vulnerabilities and potential risks.
- Identify the risk-appropriate technical and organizational security measures.
- Obtain CRO signoff to implement security measures that mitigate high risks to data subjects.
7. Personal Data Protection Policy (outcome of the DPIA)
Implement risk-appropriate "technical and organizational measures" to demonstrate compliance with GDPR personal data protection requirements – Personal Data Security Policy:
- Ensure a level of security appropriate to the risk of personal data breach (identified in DPIA).
- Encrypt PII data to prevent personal identification of and serious harm to all living persons.
- Manage user access rights in accordance with role-based access control and SOD principles.
- Review privileged/other user access rights on a regular and annual basis.
- Implement appropriate MFA (multi-factor authentication) for all authorized users.
- Implement user activity event audit logs, monitoring and alert notification (timely detect breaches).
- Implement timely incident response to mitigate the impact of any personal data breach events.
- Restore data access and availability timely in response to any personal data breach events.
- Regularly review and improve the effectiveness of personal data security controls in place.
8. Personal Data Protection Procedures
Establish and Implement the required GDPR Privacy Procedures:
- Data Privacy by Design (build data security upfront)
- Data Privacy By Default (retain minimum required data)
- Data Protection Impact Assessment (DPIA)
- Data Breach Notification to Impacted Data Subjects
- Data Breach Notification to Lead Data Protection Supervisor
- Appoint Data Protection Officer (DPO) to monitor and advise on compliance.
PREPARE NOW... RATHER THAN PAY LATER: fines of up to 4% of annual global turnover or 20M € + personal damages.
Israel Privacy Regulation to be enforced from 31.05.2018
The Protection of Privacy Regulation (passed by the Knesset on 21.03.17) applies to anyone who owns, manages or maintains a database containing personal data in Israel. Data Security Protocol and Breach Notification Requirements ("high" data security classification) will apply to anyone who owns, manages or maintains a "personal database" hosted in Israel that processes "financial information" (financial obligations, solvency & status) of more than 100,000 data subjects.
- Database Specification Document (data collection and processing activities, purposes, data types, DB Manager, Data Security Officer, Processors, data security risks, mitigating actions).
- Physical Security.
- Data Security Officer (reports to DB Owner/Manager, establishes data security protocols, ongoing compliance review, presents findings from the review to DB Manager).
- Data Security Protocols (physical security, portable devices, access credentials, safeguard measures, risks, incident response plan according to severity).
- Mapping the Database Computer Systems (hardware and software components, system architecture).
- Access Credentials, Authentication and User Admin (appropriate clearance level, role-based access).
- Data Breach Register.
- Automated Logging Tools.
- Portable Devices.
- Segregation from other Systems.
- Internet Security (access control and malware safeguard measures, encrypt personal data transmitted over the Internet, remote access authentication).
- Additional stringent requirements (such as breach notification to ILITA) apply to security classified "personal databases".
IT Regulatory Compliance Framework
Risk Assessment > Policies & Procedures > Compliance Review > Legal rights protection > Personal Data protection
ITGC + CYBERSECURITY Baseline Controls