GDPR - A practical guide

Get compliant. Stay compliant.

Get your FREE GDPR readiness assessment:
• Locate your sensitive data
• Prevent data breaches
• Rapidly alert to suspicious behaviour
• Build long-term data security
info.varonis.com/gdpr-risk-assessment
INDEX
EU GDPR Lesson 1 (p. 1): What is the GDPR? Why do we Need it?
EU GDPR Lesson 2 (p. 5): Data Protection by Design and by Default
EU GDPR Lesson 3 (p. 7): The Right to Be Forgotten
EU GDPR Lesson 4 (p. 9): Who is affected by the EU GDPR?
EU GDPR Lesson 5 (p. 11): What Happens if I Don’t Comply with the EU GDPR?
EU GDPR Lesson 6 (p. 13): Next Steps - How to Get There?
Get in Touch:
US: +1-877-292-8767	 UK: +44-203-695-3900 INTL: +1-646-706-7336
www.varonis.com
EU GDPR Lesson 1
What is the EU General Data Protection Regulation (GDPR)?
The EU GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). The GDPR is uniform law across the EU and beyond, with new requirements for documenting IT procedures, performing risk assessments, rules on breach notifications, and tighter data minimisation – establishing a single law that enforces European data protection rules and the right to personal data protection.
It legislates common-sense data security ideas, especially from the Privacy by Design school of thought: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.
What type of data is protected?
Personal data – or, as it’s called in the US, personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses.
Who does it affect?
The GDPR applies to EU-based companies and to companies that collect data of EU citizens, regardless of whether they have a physical presence in the EU.
How does it affect you?
It means there are new regulations and requirements for collecting, recording, storing and processing personal data, new rules on breach notifications, penalties for violations, and more.
What are the new requirements?
Privacy by Design – The GDPR has formalised principles of Privacy by Design (PbD) into its regulations, including minimising data collection and retention, and gaining consent from consumers when processing data.
Data Protection Impact Assessments (DPIA) – Companies will have to first analyse the risks to privacy when certain high-risk or sensitive data associated with data subjects is to be processed.
Right to Erasure and To Be Forgotten – There’s been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This remains a controversial right to stay out of the public view and “to be forgotten”.
Extraterritoriality – Even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects (through a website, for example), then all the requirements of the GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud-based businesses.
Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified, but only if the data breach poses a “high risk to their rights and freedoms”.
Fines – Serious infringements can merit a fine of up to 4% of a company’s global revenue. These infringements can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue can be issued if company records are not in order, or if the supervising authority and data subjects are not notified after a breach.
GDPR highlights that awareness of your data — where sensitive data is stored, who’s accessing it, and who should be accessing it — is now more critical than ever.
EU GDPR Lesson 2
Data Protection by Design and by Default
Privacy by Design (PbD) is a well-intentioned set of principles to get the C-suite to take consumer data privacy and security more seriously. Overall, PbD is a good idea and you should try to abide by it.
But with the General Data Protection Regulation (GDPR), it’s more than that: it’s the law if you do business in the EU zone!
PbD dispenses good general advice on data security that can be summarised in one word: minimise.
Minimise collection of consumer data, minimise who you share the data with, and minimise how long you keep it. Less is more: less data for the hacker to take means a more secure environment.
It’s not too much of a stretch to say that if you implement PbD, you’re well on your way to mastering the GDPR.
So can big data and privacy live together happily ever after? Privacy by Design (PbD) says yes – with just a few basic steps, you can achieve the PbD vision:
• Minimise data collected (especially PII) from consumers
• Do not retain personal data beyond its original purpose
• Give consumers access and ownership of their data
EU GDPR Lesson 3
The Right To Be Forgotten
The controversial “right to be forgotten” is now law in the EU.
For most companies, this is really a right for consumers to erase their data.
The GDPR has strengthened the DPD’s existing rules on deletion and then adds the right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third parties of a request to have information deleted.
Discussed in Article 17 of the GDPR, it states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where ... the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... the data subject withdraws consent on which the processing is based ... the controller has made the personal data public and is obliged ... to erase the personal data”.
This means that in the case of a social media service that publishes personal data to the Web, it would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process!
What if the data controller gives the personal data to other third parties, say a cloud-based service for storage or processing?
The long arm of the EU regulations still applies: as a data processor, that cloud service will also have to erase the personal data when asked to by the controller.
Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!
EU GDPR Lesson 4
Who is affected by the EU GDPR?
One of the more complex issues with the new GDPR is what’s being called “extraterritoriality.” Under Article 3, the GDPR will apply to any personal data transferred outside the EU zone.
So under these new rules, if a US company collects data from EU citizens, it will be under the same legal obligations as though the company had headquarters in, say, France, the UK, or Germany — even though it doesn’t have any servers or offices there!
Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the GDPR’s new strict breach notification requirement — it is likely that the EU regulators will target it.
Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc. You can map these to your own favourite apps to figure out who would be affected.
Shifting Meanings
Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU.
The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply. Companies such as Google, Facebook, and other social networking companies were following this approach.
Not so fast!
Google was famously making this argument when a Spanish DPA asked it to remove a listing in a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google.
The long arm of EU law prevailed: the specific search listing was removed.
This idea of extended territorial scope is made explicit in the GDPR’s Article 3. The GDPR will apply to EU-based companies and to companies that collect data of EU citizens, regardless of a physical presence in the EU.
EU GDPR Lesson 5
What Happens if I Don’t Comply with the EU GDPR?
The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds – and GDPR rules apply to both data controllers and processors: therefore huge cloud providers are not off the hook when it comes to GDPR enforcement.
Non-compliance results in fines of up to 4% of global revenue.
A company can be fined up to 2% of global revenue for not having its records in order (Article 30), not notifying the supervising authority and data subjects about a breach (Articles 33, 34), or not conducting impact assessments (Article 33).
And keep in mind, the GDPR breach notification requires more than just saying you have had an incident. You’ll have to include the categories of data, the records touched, and the approximate number of data subjects affected. This means you’ll need some detailed intelligence on what the hackers and insiders were doing.
More serious infringements merit a fine of up to 4% of global revenue. These infringements include violations of basic principles related to data security (Article 5) and conditions for consumer consent (Article 7) — violations of the core Privacy by Design concepts of the law.
One way the GDPR regulators are hoping to keep everything in line is by requiring companies to have a Data Protection Officer (DPO). The DPO should be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and creating a strong data security policy.
EU GDPR Lesson 6
Next Steps - How to Get There?
Let’s break down some of the challenges in the new GDPR and how to address them:
• Article 25: Data Protection by Design and By Default
What it means: Embrace accountability and privacy by design as a business culture.
How to do it: Safely remediate access controls to least privilege.
• Article 30: Records of Processing Activities
What it means: Implement technical and organisational measures to properly process personal data.
How to do it: Create an asset register of sensitive files; understand who has access; know who is accessing it; know when data can and should be deleted.
• Article 17: Right to Erasure and “to be forgotten”
What it means: Be able to discover and target specific data and automate removal.
How to do it: Find it, flag it, remove it.
• Article 32: Security of Processing
What it means: Ensure least-privilege access; implement accountability via data owners; provide reports that policies and processes are in place and successful.
How to do it: Automate and impose least privilege through entitlement reviews and proactively enforced ethical walls.
• Article 33: Notification of personal data breach to the supervisory authority
What it means: Prevent and alert on data breach activity; have an incident response plan in place.
How to do it: Detect abnormal data breach activity and policy violations, and alert on them in real time as they happen.
• Article 35: Data Protection Impact Assessment
What it means: Quantify data protection risk profiles.
How to do it: Assess processing of sensitive, high-risk data.
So what should you focus on to meet the EU General Data Protection Regulation?
Data classification – Know where personal data is stored on your systems, especially in unstructured formats in documents, presentations, and spreadsheets. This is critical both for protecting the data and for following through on requests to correct and erase personal data.
Metadata – With the GDPR’s requirements for limiting data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.
Governance – GDPR highlights the need to get back to basics. For enterprise data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees’ actual roles – i.e., role-based access controls.
Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
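To make the data classification, governance and monitoring items above (and the Article 30, 32 and 33 "how to do it" steps in Lesson 6) concrete, here is an added example written for this edit; it is not Varonis code and does not use the Varonis product. It tags a constructed set of file texts with two simple PII patterns (email and phone), checks reads of tagged files against a hypothetical role model (FOLDER_ROLES and USER_ROLES are assumptions), and flags a user whose daily reads of PII files jump well above their own prior baseline. The audit lines are constructed and use an assumed "<timestamp> <user> <op> <path>" format; a real deployment would feed in file-server audit events and a far richer classifier.

```python
import re
from collections import defaultdict
from datetime import datetime

# Two common kinds of personal data, matched with deliberately simple patterns
# (constructed for this example; a real classifier uses many more patterns plus validation).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}-\d{3}-\d{3}-\d{4}\b"),
}

# Constructed stand-in for a crawl of a file share: path -> extracted text.
SAMPLE_FILES = {
    "/share/hr/payroll_2017.xlsx": "jane.doe@example.com, +44-203-695-3900",
    "/share/hr/contracts.docx": "Signed: alice.smith@example.com",
    "/share/sales/leads.csv": "contact,bob@example.org",
    "/share/eng/design.docx": "Architecture overview; no personal data here.",
}

# Hypothetical role model (an assumption of this example): which role is expected
# to work in each folder, and which role each account holds.
FOLDER_ROLES = {"/share/hr/": "hr", "/share/sales/": "sales", "/share/eng/": "engineering"}
USER_ROLES = {"alice": "hr", "bob": "engineering"}

# Constructed file-access audit lines: "<ISO timestamp> <user> <op> <path>".
# Three quiet days for alice, then a burst of PII reads at 02:00 on the fourth.
SAMPLE_LOG = """\
2017-09-01T09:00 alice READ /share/hr/payroll_2017.xlsx
2017-09-01T10:00 alice READ /share/eng/design.docx
2017-09-02T09:30 alice READ /share/hr/contracts.docx
2017-09-03T09:10 alice READ /share/sales/leads.csv
2017-09-03T11:00 bob READ /share/eng/design.docx
2017-09-04T02:00 alice READ /share/hr/payroll_2017.xlsx
2017-09-04T02:01 alice READ /share/hr/contracts.docx
2017-09-04T02:02 alice READ /share/hr/payroll_2017.xlsx
2017-09-04T02:03 alice READ /share/hr/contracts.docx
2017-09-04T02:04 alice READ /share/hr/payroll_2017.xlsx
2017-09-04T02:05 alice READ /share/hr/contracts.docx
""".splitlines()


def classify(files):
    """Tag every file whose text matches at least one PII pattern: path -> set of kinds."""
    tagged = {}
    for path, text in files.items():
        kinds = {kind for kind, rx in PII_PATTERNS.items() if rx.search(text)}
        if kinds:
            tagged[path] = kinds
    return tagged


def parse_log(lines):
    """Parse audit lines into (timestamp, user, op, path) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, op, path = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), user, op, path))
    return events


def out_of_role_access(events, tagged):
    """Reads of PII-tagged files by accounts whose role does not match the folder's role."""
    findings = []
    for ts, user, op, path in events:
        if path not in tagged:
            continue
        folder_role = next((r for prefix, r in FOLDER_ROLES.items() if path.startswith(prefix)), None)
        if folder_role is not None and USER_ROLES.get(user) != folder_role:
            findings.append((user, path, ts.isoformat()))
    return findings


def access_spikes(events, tagged, factor=3, min_events=3):
    """Per user, flag any day whose PII-file read count exceeds factor x the mean of that user's prior days."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, op, path in events:
        if path in tagged and op == "READ":
            per_day[user][ts.date()] += 1
    findings = []
    for user, days in per_day.items():
        history = []
        for day in sorted(days):
            count = days[day]
            if history:
                baseline = sum(history) / len(history)
                if count >= min_events and count > factor * baseline:
                    findings.append((user, day.isoformat(), count, baseline))
            history.append(count)
    return findings


def run_report(files=SAMPLE_FILES, log=SAMPLE_LOG):
    """Classify, then run both checks over the audit trail; returns the findings by section."""
    tagged = classify(files)
    events = parse_log(log)
    return {
        "tagged": tagged,
        "out_of_role": out_of_role_access(events, tagged),
        "spikes": access_spikes(events, tagged),
    }


if __name__ == "__main__":
    for section, rows in run_report().items():
        print(section, rows)
```

On the constructed input the report tags the three files holding an email or phone number, reports alice's read of the sales lead list as outside her HR role (a least-privilege gap to review), and flags 4 September, when her PII reads jump from one per day to six. The baseline is per user rather than global so that a payroll clerk's normal volume is not treated as suspicious for everyone; the `min_events` floor keeps a single extra read on a quiet day from raising an alert.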
Varonis helps organisations of all sizes with GDPR projects. Our software automates what would otherwise be an extremely arduous and time-consuming task. Take advantage of our free GDPR readiness assessment today to avoid any non-compliance issues down the road.
Get your free GDPR readiness assessment
Our team will do all the heavy lifting for you: set up, configuration, and analysis - with concrete steps to improve your General Data Protection Regulation readiness.
Varonis has a library of up-to-date privacy rules, and can help create custom rules as needed, constantly scanning your environment and reporting any violations found worldwide to you.
Your dedicated engineer will help you:
• Identify in-scope GDPR data
• Find and revoke excessive access to personal information
• Audit user activity and detect risky behaviour & ransomware
• Find underutilized or stale personal data
Schedule your assessment!
info.varonis.com/gdpr-risk-assessment
About Varonis
Varonis is an innovative data security platform that allows enterprises to manage, analyze and secure enterprise data. We specialize in creating software that manages and protects enterprise data against insider threats, data breaches and cyberattacks by detecting and alerting on deviations from known behavioral baselines, identifying and mitigating exposures of sensitive data and automating processes to secure enterprise data.
Varonis has over 5,350 customers worldwide, and we are already helping hundreds of organisations of all sizes with GDPR projects.
DETECT insider threats and cybersecurity threats by analyzing data, account activity, and user behaviour.
PREVENT disaster by locking down sensitive and stale data, reducing access, and simplifying permissions.
SUSTAIN a secure state by automating authorizations, migrations, & disposition.
Varonis Headquarters
1250 Broadway, 29th Floor
New York, NY, USA 10001
US: +1-877-292-8767
UK: +44-203-695-3900
INTL: +1-646-706-7336
www.varonis.com

Mais conteúdo relacionado

Mais procurados

GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regime
ijtsrd
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
Jes Breslaw
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
David Erdos
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
Sally Hunt
 

Mais procurados (19)

Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR
 
How to get started with being GDPR compliant
How to get started with being GDPR compliantHow to get started with being GDPR compliant
How to get started with being GDPR compliant
 
GDPR A Privacy Regime
GDPR A Privacy RegimeGDPR A Privacy Regime
GDPR A Privacy Regime
 
Cognizant business consulting the impacts of gdpr
Cognizant business consulting   the impacts of gdprCognizant business consulting   the impacts of gdpr
Cognizant business consulting the impacts of gdpr
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 
UK GDPR: What New Direction?
UK GDPR:  What New Direction?UK GDPR:  What New Direction?
UK GDPR: What New Direction?
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
The GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacyThe GDPR, Brexit, the UK and adequacy
The GDPR, Brexit, the UK and adequacy
 
Data theft rules and regulations things you should know (pt.1)
Data theft rules and regulations  things you should know (pt.1)Data theft rules and regulations  things you should know (pt.1)
Data theft rules and regulations things you should know (pt.1)
 
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google SpainDisclosure, Exposure and the "Right to be Forgotten" After Google Spain
Disclosure, Exposure and the "Right to be Forgotten" After Google Spain
 
The Evolution of Data Privacy: 3 Things You Need To Consider
The Evolution of Data Privacy:  3 Things You Need To ConsiderThe Evolution of Data Privacy:  3 Things You Need To Consider
The Evolution of Data Privacy: 3 Things You Need To Consider
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
Data_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UKData_Privacy_Protection_brochure_UK
Data_Privacy_Protection_brochure_UK
 
Data Protection and Academic Research: The New GDPR Framework
Data Protection and Academic Research:  The New GDPR FrameworkData Protection and Academic Research:  The New GDPR Framework
Data Protection and Academic Research: The New GDPR Framework
 

Semelhante a GDPR - A practical guide

GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
Mark Baker
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
Jim Wilson
 

Semelhante a GDPR - A practical guide (20)

The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event Professionals
 
All you need to know about GDPR
All you need to know about GDPRAll you need to know about GDPR
All you need to know about GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
Operational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbeanOperational impact of gdpr finance industries in the caribbean
Operational impact of gdpr finance industries in the caribbean
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
IDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPRIDC on 10 myths regarding GDPR
IDC on 10 myths regarding GDPR
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 
The Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t knowThe Evolution of Data Privacy: 3 things you didn’t know
The Evolution of Data Privacy: 3 things you didn’t know
 
GDPR-Overview
GDPR-OverviewGDPR-Overview
GDPR-Overview
 
GDPR
GDPRGDPR
GDPR
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
GDPRIBMWhitePaper
GDPRIBMWhitePaperGDPRIBMWhitePaper
GDPRIBMWhitePaper
 
Impact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and ProcessingImpact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and Processing
 
GDPR: Are you Ready?
GDPR: Are you Ready?GDPR: Are you Ready?
GDPR: Are you Ready?
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
"If we're leaving the EU, does GDPR even matter?" And other FAQs
"If we're leaving the EU, does GDPR even matter?" And other FAQs"If we're leaving the EU, does GDPR even matter?" And other FAQs
"If we're leaving the EU, does GDPR even matter?" And other FAQs
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
 
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 

Último

Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
JosephCanama
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
irst
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
Fir La
 
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
A AA
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
e9733fc35af6
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
Airst S
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
e9733fc35af6
 
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
e9733fc35af6
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
e9733fc35af6
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
ss
 
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
acyefsa
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 

Último (20)

Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理一比一原版(Warwick毕业证书)华威大学毕业证如何办理
一比一原版(Warwick毕业证书)华威大学毕业证如何办理
 
Chambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&AChambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&A
 
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
一比一原版(UM毕业证书)美国密歇根大学安娜堡分校毕业证如何办理
 
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy NovicesIt’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
It’s Not Easy Being Green: Ethical Pitfalls for Bankruptcy Novices
 
Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.Cyber Laws : National and International Perspective.
Cyber Laws : National and International Perspective.
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)加拿大昆特兰理工大学毕业证如何办理
 
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
一比一原版(CQU毕业证书)中央昆士兰大学毕业证如何办理
 
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
一比一原版(Carleton毕业证书)加拿大卡尔顿大学毕业证如何办理
 
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
一比一原版(OhioStateU毕业证书)美国俄亥俄州立大学毕业证如何办理
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
 
Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURYA SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
A SHORT HISTORY OF LIBERTY'S PROGREE THROUGH HE EIGHTEENTH CENTURY
 
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
一比一原版(KPU毕业证书)昆特兰理工大学毕业证如何办理
 
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
买(rice毕业证书)莱斯大学毕业证本科文凭证书原版质量
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 

GDPR - A practical guide

  • 2. GDPR Get compliant. Stay compliant. Get your FREE GDPR readiness assessment Locate your sensitive data Prevent data breaches Rapidly alert to suspicious behaviour Build long-term data security info.varonis.com/gdpr-risk-assessment EU GDPR Lesson 1 1 What is the GDPR? Why do we Need it? EU GDPR Lesson 2 5 Data Protection by Design and by Default EU GDPR Lesson 3 7 The Right to Be Forgotten EU GDPR Lesson 4 9 Who is affected by the EU GDPR? EU GDPR Lesson 5 11 What Happens if I Don’t Comply with the EU GDPR? EU GDPR Lesson 6 13 Next Steps - How to Get There? INDEX Get in Touch: US: +1-877-292-8767 UK: +44-203-695-3900 INTL: +1-646-706-7336 www.varonis.com
  • 3. 2 What is the EU General Data Protection Regulation (GDPR)? The EU GDPR is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). The GDPR is uniform law across the EU and beyond, with new requirements for documenting IT procedures, performing risk assessments, rules on breach notifications, and tighter data minimisation – establishing a single law to enforce European data protection rules and regulation and the right to personal data protection. It legislates common sense data security ideas, especially from the Privacy by Design school of thought: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle. What type of data is protected? Personal data – or as it’s called in the US, personally identifiable information (PII). Think names, addresses, phone numbers, account numbers, and more recently email and IP addresses. Who does it affect? The GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of their physical presence in the country. How does it affect you? It means there are new regulations and requirements for collecting, recording, and storing personal data and processing activities, new regulations on breach notifications, penalties on violations, and more. EU GDPR Lesson 1
  • 4. 4 Privacy by Design – The GDPR has formalised principles of Privacy by Design (PbD) into their regulations including minimising data collection and retention, and gaining consent from consumers when processing data. Data Protection Impact Assessments (DPIA) – Companies will have to first analyse the risks to their privacy when certain high-risk or sensitive data associated with subjects is to be processed. Right to Erasure and To Be Forgotten – There’s been a long standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This remains a controversial right to stay out of the public view and “to be forgotten”. Extraterritoriality – Even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects (through a website, for example) then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud-based businesses. Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified but only if the data poses a “high risk to their rights and freedoms”. Fines – Serious infringements can merit a fine of up to 4% of a company’s global revenue. These infringements can include violations of basic principles related to data security — especially PbD principles. A lesser fine of up to 2% of global revenue can be issued if company records are not in order, or if the supervising authority and data subjects are not notified after a breach. GDPR highlights that awareness of your data— where is sensitive data stored, who’s accessing it, and who should be accessing it— is now more critical than ever. What are the new requirements?
EU GDPR Lesson 2
Data Protection by Design and by Default

Privacy by Design (PbD) is a well-intentioned set of principles to get the C-suite to take consumer data privacy and security more seriously. Overall, PbD is a good idea and you should try to abide by it. But with the General Data Protection Regulation (GDPR), it’s more than that: it’s the law if you do business in the EU zone!

PbD dispenses good general advice on data security that can be summarised in one word: minimise. Minimise collection of consumer data, minimise who you share the data with, and minimise how long you keep it. Less is more: less data for the hacker to take means a more secure environment. It’s not too much of a stretch to say that if you implement PbD, you’re well on your way to mastering the GDPR.

So can big data and privacy live together happily ever after? Privacy by Design (PbD) says yes – with just a few basic steps, you can achieve the PbD vision:
• Minimise data collected (especially PII) from consumers
• Do not retain personal data beyond its original purpose
• Give consumers access and ownership of their data
EU GDPR Lesson 3
The Right To Be Forgotten

The controversial “right to be forgotten” is now law in the EU. For most companies, this is really a right for consumers to erase their data. The GDPR has strengthened the DPD’s existing rules on deletion and then adds the right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third parties of a request to have information deleted.

Discussed in Article 17 of the GDPR, it states that “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where ... the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ... the data subject withdraws consent on which the processing is based ... the controller has made the personal data public and is obliged ... to erase the personal data”.

This means that in the case of a social media service that publishes personal data to the Web, it would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process!

What if the data controller gives the personal data to other third parties, say a cloud-based service for storage or processing? The long arm of the EU regulations still applies: as a data processor, that cloud service will also have to erase the personal data when asked to by the controller.

Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!
EU GDPR Lesson 4
Who is affected by the EU GDPR?

One of the more complex issues with the new GDPR is what’s being called “extraterritoriality.” Under Article 3, the GDPR will apply to any personal data transferred outside the EU zone.

So under these new rules, if a US company collects data from EU citizens, it will be under the same legal obligations as though the company had headquarters in, say, France, the UK, or Germany — even though it doesn’t have any servers or offices there!

Legal experts note this may not be that easy to enforce, but if a large enough multinational breaks one of the rules — such as the GDPR’s new strict breach notification requirement — it is likely that the EU regulators will target it.

Obviously, extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc. You can map these to your own favourite apps to figure out who would be affected.

Shifting Meanings

Under the old rules in the Data Protection Directive (DPD), there was some wiggle room that allowed data collectors to escape having to follow the regulations. A common practice was for service or app providers to keep their data processing outside the EU. The idea was that if the main processing and servers weren’t located in the EU zone, then the rules didn’t apply. Companies such as Google, Facebook, and other social networking companies were following this approach.

Not so fast! Google was famously making this argument when a Spanish DPA asked it to remove a listing in a search result. The case eventually made its way to the EU’s highest court, the ECJ, which ruled against Google. The long arm of EU law prevailed: the specific search listing was removed.

This idea of extended territorial scope is made explicit in the GDPR’s Article 3. The GDPR will apply to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.
EU GDPR Lesson 5
What Happens if I Don’t Comply with the EU GDPR?

The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds – and GDPR rules apply to both data controllers and processors, so huge cloud providers are not off the hook when it comes to GDPR enforcement. Non-compliance results in fines of up to 4% of global revenue.

A company can be fined up to 2% of global revenue for not having its records in order (article 30), not notifying the supervising authority and data subjects about a breach (articles 33, 34), or not conducting impact assessments (article 33).

And keep in mind, the GDPR breach notification requires more than just saying you have had an incident. You’ll have to include the categories of data, the records touched, and the approximate number of data subjects affected. This means you’ll need detailed intelligence on what the hackers and insiders were doing.

More serious infringements merit a fine of up to 4% of global revenue. These infringements include violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7) — violations of the core Privacy by Design concepts of the law.

One way the GDPR regulators are hoping to keep everything in line is by requiring companies to have a Data Protection Officer (DPO). The DPO should be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches within 72 hours, and creating a strong data security policy.
EU GDPR Lesson 6
Next Steps - How to Get There?

Let’s break down some of the challenges in the new GDPR and how to address them:

• Article 25: Data Protection by Design and By Default
What it means: Embrace accountability and privacy by design as a business culture.
How to do it: Safely remediate access controls to least privilege.

• Article 30: Records of Processing Activities
What it means: Implement technical and organisational measures to properly process personal data.
How to do it: Create an asset register of sensitive files; understand who has access; know who is accessing it; know when data can and should be deleted.

• Article 17: Right to Erasure and “to be forgotten”
What it means: Be able to discover and target specific data and automate removal.
How to do it: Find it, flag it, remove it.

• Article 32: Security of Processing
What it means: Ensure least privilege access; implement accountability via data owners; provide reports showing that policies and processes are in place and successful.
How to do it: Automate and impose least privilege through entitlement reviews and proactively enforced ethical walls.

• Article 33: Notification of personal data breach to the supervisory authority
What it means: Prevent and alert on data breach activity; have an incident response plan in place.
How to do it: Detect abnormal data breach activity and policy violations, and alert on them in real time as they happen.

• Article 35: Data Protection Impact Assessment
What it means: Quantify data protection risk profiles.
How to do it: Assess processing of sensitive, high-risk data.
So what should you focus on to meet the EU General Data Protection Regulation?

Data classification – Know where personal data is stored on your systems, especially in unstructured formats such as documents, presentations, and spreadsheets. This is critical both for protecting the data and for following through on requests to correct and erase personal data.

Metadata – With the GDPR’s requirements for limiting data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.

Governance – GDPR highlights the need to get back to basics. For enterprise data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees’ actual roles – i.e., role-based access controls.

Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.

Varonis helps organisations of all sizes with GDPR projects. Our software automates what would otherwise be an extremely arduous and time-consuming task. Take advantage of our free GDPR readiness assessment today to avoid any non-compliance issues down the road.
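To make the monitoring and notification points above concrete, here is an added example (not Varonis software and not code from this guide): it flags users whose access to files classified as holding personal data exceeds their usual baseline, then assembles the facts Lesson 5 says a notification must carry (data categories, records touched, approximate number of data subjects) and the 72-hour deadline. The audit line format, the classification register, the per-user baselines and every sample value are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail, one "ISO-time|user|action|path" line per file access.
# The format is hypothetical; it is not the output of any real product.
AUDIT_LOG = """\
2018-05-25T08:01:10|alice|read|/hr/payroll_2018.xlsx
2018-05-25T08:03:42|alice|read|/marketing/plan.pptx
2018-05-25T23:10:05|bob|read|/hr/payroll_2018.xlsx
2018-05-25T23:10:09|bob|read|/hr/contracts.docx
2018-05-25T23:10:14|bob|read|/sales/customers_eu.csv
2018-05-25T23:10:20|bob|read|/sales/customers_us.csv
2018-05-25T23:10:31|bob|copy|/hr/contracts.docx
"""

# Constructed classification register: path -> (personal-data categories, approx. data subjects).
REGISTER = {
    "/hr/payroll_2018.xlsx": ({"names", "bank account numbers"}, 120),
    "/hr/contracts.docx": ({"names", "addresses"}, 15),
    "/sales/customers_eu.csv": ({"names", "email addresses"}, 4000),
}
# Constructed baseline: how many personal-data files each user normally touches per day.
BASELINE = {"alice": 3, "bob": 1}


def parse_events(text):
    """Turn the audit lines into (timestamp, user, action, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split("|")
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def unusual_access(events, register, baseline, factor=3):
    """Return {user: touches} for users exceeding factor x their baseline on classified files."""
    touches = defaultdict(list)
    for ts, user, action, path in events:
        if path in register:          # only files known to hold personal data count
            touches[user].append((ts, action, path))
    return {u: t for u, t in touches.items() if len(t) > factor * baseline.get(u, 1)}


def notification_summary(touched, register, discovered_at):
    """Facts the notification must carry, plus the 72-hour deadline from discovery."""
    paths = {path for _, _, path in touched}
    categories = set().union(*(register[p][0] for p in paths))
    return {
        "records_touched": sorted(paths),
        "data_categories": sorted(categories),
        "approx_data_subjects": sum(register[p][1] for p in paths),
        "notify_authority_by": discovered_at + timedelta(hours=72),
    }


if __name__ == "__main__":
    for user, touched in unusual_access(parse_events(AUDIT_LOG), REGISTER, BASELINE).items():
        print(user, notification_summary(touched, REGISTER, touched[-1][0]))
```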
Get your free GDPR readiness assessment

Our team will do all the heavy lifting for you: set up, configuration, and analysis - with concrete steps to improve your General Data Protection Regulation readiness. Varonis has a library of up-to-date privacy rules, and can help create custom rules as needed, constantly scanning your environment and reporting any violations found worldwide to you.

Your dedicated engineer will help you:
• Identify in-scope GDPR data
• Find and revoke excessive access to personal information
• Audit user activity and detect risky behaviour & ransomware
• Find underutilized or stale personal data

Schedule your assessment! info.varonis.com/gdpr-risk-assessment

About Varonis

Varonis is an innovative data security platform that allows enterprises to manage, analyze and secure enterprise data. We specialize in creating software that manages and protects enterprise data against insider threats, data breaches and cyberattacks by detecting and alerting on deviations from known behavioral baselines, identifying and mitigating exposures of sensitive data and automating processes to secure enterprise data. Varonis has over 5,350 customers worldwide, and we are already helping hundreds of organisations of all sizes with GDPR projects.

DETECT insider threats and cyber(security) threats by analyzing data, account activity, and user behaviour.
PREVENT disaster by locking down sensitive and stale data, reducing access, and simplifying permissions.
SUSTAIN a secure state by automating authorizations, migrations, & disposition.
Varonis Headquarters
1250 Broadway, 29th Floor
New York, NY, USA 10001
US: +1-877-292-8767 UK: +44-203-695-3900 INTL: +1-646-706-7336
www.varonis.com