The State of GDPR: Trends, FAQs, and Best Practices

Watch to learn about the effects of GDPR since it became enforced in May 2018.

This webinar was hosted on November 14th, 2018.

To view more recent content, visit https://www.securitymetrics.com/learn/

This webinar covers:

  • The effects of GDPR since it became enforced in May 2018
  • Clarification of GDPR requirements
  • How to implement best practices at your business

The State of GDPR: Trends, FAQs, and Best Practices Transcript

0:00 Alright everyone. We're going to get started now. Welcome to our webinar this morning. My name is Andrew, I work in marketing, and our presenter today is Ben Christensen. He holds the credentials of QSA and CISA and he's been here at SecurityMetrics for almost three years now. Ben has a lot of experience working with organizations and helping them meet GDPR requirements. So we are excited to hear from him today.

0:31 This is the State of GDPR Webinar, so today we'll talk about some best practices that you can implement at your organization. Also, we will be talking about some of the frequently asked questions that we get in regards to GDPR, so we're excited to discuss this topic today. And also for those of you that are interested, at the conclusion of the webinar today, we will be showing a brief demo video of our GDPR Defense product which is a tool that you can use to meet GDPR requirements at your business. So you are welcome to stick around for that. Also before that demo, we will be hosting a Q&A. So if you have questions that come up during the webinar today, feel free to chat those in using your gotowebinar control panel and we will get to as many of those as we can at the end of the webinar today. If we don't get to your individual question, then we will have someone reach out to you on an individual basis in the next couple of days to make sure you get that question answered.

1:41 And just a heads up. We are also recording this webinar today. So feel free to share the recording with others in your organization. We will be sending it out to you at the beginning of next week. We'll send the recording to the email that you use to register for the webinar. So again, feel free to share it with others. We hope you can gain as much information as possible from this webinar today.

2:18 So as we get started, we're going to go ahead and start with a poll to gauge our audience a little bit better today and get an idea of who we're talking to. So first you should see this pop up on your screen. We'd like to know where you're located. I imagine we have a large group from the UK and also from the US, so if you could take just a minute and respond to that poll that'll give us a good idea. Thanks. Okay, just about 10 more seconds, and then I'll close the poll.

3:21 Okay. Thank you everyone for taking the time to answer. So it looks like we have a mostly US audience with us here today, which is interesting. A lot of people in the US sometimes think GDPR may not apply to them but if you're doing business with customers from the UK, if you're storing UK customer information, then yes GDPR does apply to you. So it's good to see that we have a good group of US people here today. And a lot of that probably has to do with the time of the webinar. The workday in the UK and in the EU is kind of ending right now. So hopefully for those people that couldn't make it today from the EU, we are recording this webinar, so we'll get that recording sent out to them as well.

4:07 Okay, so let's go on to our next poll question, “How prepared is your organization with GDPR compliance?” So if you'll take just a minute and answer that we'll be right back. Okay, take just a few more seconds, and then we'll close the poll.

4:56 All right. Thanks everyone. So here are the results from that question. So as you can see, it looks like most of you are either moderately prepared or somewhat prepared, which is good to see. It looks like some of you have taken steps to meet GDPR requirements and it looks like even 8% of you feel that you're extremely prepared. So that's great. And for the 11% that say you're not prepared at all, that's great, too. That's why we're having this webinar and hopefully we can help you out a little bit with some good information today.

5:33 Okay, so we have just a couple more poll questions here. So the next question is, “How important is GDPR compliance to your organization?” Okay. Thanks everyone for answering that. Here are the results for that question. It looks like it's a high priority to the majority of you. Then we have 6% that are saying, “What is GDPR?” It's good to see we have a broad spectrum of knowledge levels here today, and that's great. Hopefully we will have information that can help everyone that's in attendance both those that don't know what GDPR is and also those that are already somewhat prepared and are looking to get a little bit more information on best practices.

6:50 Okay. We do have two other poll questions, but I'm going to go ahead and save those for the end so that we can dive into the webinar now and get going. As a reminder, we will send a recording of the presentation to the email that you used to register. So like I said before if you'd like to go back and review this we will be sending a recording to your emails probably at the beginning of next week.

7:24 All right. Well at this time I'm going to go ahead and turn the time over to Ben and he'll go over our agenda and we'll dive into the webinar. Thanks, everyone. Thanks, Andrew. All right, I'm really excited to talk about GDPR today. So I'm Ben Christensen with SecurityMetrics and I've been working on GDPR for a little bit now. So we're going to go over some news and updates of GDPR, what's going on today. Then we’ll go over some frequently asked questions that we get a lot and also some best practices that we've seen that help organizations become more ready for GDPR.

7:59 So you may have seen some of these in the news and on TV about GDPR. We're talking more about that in the US, especially right now with privacy concerns. Carphone Warehouse was a bigger one in the UK that lost some records as you can see here. And so that was kind of a big deal. I mean you look in the news every day and there's some kind of breach going on, whether it’s GDPR, credit card breaches or other personal information. You tend to see that every day and you think, “Oh no, what are we getting into now?” There's been a relatively large fine, 400,000 pounds, from the ICO in the UK. They are looking for these things and they are going to fine people if they feel that's necessary. But as you've seen, some of these occurred back before GDPR was effective. And so I think we'll see that those fines will be more under the old directive but they are still looking for that and they are going to enforce those.

8:58 Google and Facebook of course, everybody saw that one. There were huge fines, billions of dollars. They are obviously going to look for Google and Facebook, the big players, and see what they're doing. They're going to set the trends for how things are handled I think for GDPR as well. But they failed to protect users' personal information and I think that is a big deal. We all should be concerned about that. Most of us probably use Google and or Facebook, right? A hospital was fined 400,000 euros with GDPR violations and AggregateIQ was given their first enforcement notice for GDPR. So many things are happening, right? May 25th has come and gone and we're wondering what's going to happen. Well things are happening. They are looking for these issues and these violations of personal data not being handled correctly.

9:53 So May 25th has come and gone, we were all really worried and I think we still are a little bit, but what's going on now? Do we still need to do anything with GDPR? Are we okay?

10:08 Well, some things we found as we're looking at businesses and talking to people about privacy and data security is that yeah, people are worried about it. We do need to do something. I think GDPR is a good thing for the industry and from the perspective of a personal data user. It is a good protection to have, I think. Now for businesses, it can be very difficult to follow but from my perspective, I think it is good for the industry. GDPR is meant to help unify privacy laws across Europe. To have everybody on the same playing field and make sure personal data is handled appropriately. So, I think that is a good thing.

10:50 So who does it affect? Andrew mentioned this a little bit before and people always wonder am I in scope? Should I worry about this? Primarily, it's any organization operating in or across the European Union. Of course it affects them. But really it's any organization processing personal data from EU citizens, natural born citizens. So if you look at it, I think really the whole world could be in scope, if you look at it from that broad perspective. So yeah, it does affect a lot of people and a lot of businesses.

11:23 So, of course you should care because it may affect you and you should do at least something, at least know where you stand because there are fines. Of course, that's the scary thing, there could be fines that are four percent of your annual global revenue or up to 20 million euros, whichever is greater. So obviously there's a little bit of teeth here. They can fine you if they feel that they need to. So, yeah, we should be aware of what's going on and where we fit in this.

11:52 So what to look for and where the scope of this fits in for you. It's good to know. Are you a Data Controller or Data Processor? Data Controllers are any entities that determine the means and purposes for which data is processed. And then you have the Data Processor, that's an entity that processes or does things on behalf of a Data Controller or Data Controllers. So which one are you? Maybe you're both. You could be both, right? Some businesses are set up to be primarily a Data Processor where they're working on behalf of Data Controllers to process data. But they could be both. They could be a Data Controller for their own data, for their own employees’ data depending on the type of employees. If they’re European citizens, they may be a Data Controller for at least those. They may be a Data Controller for other people as well and not know it. So you need to know where you fit in. Are you a Data Controller, Processor or both? There's also a thing called a Joint Controller actually, where you can be a Data Controller with another Data Controller.

12:51 So it's good to know where you fit and what types of activities you're doing for personal data. So number one, know if you're a Controller or Processor. So when we look at GDPR versus general data security, where does GDPR fit? Well, GDPR is more focused on privacy, of course, but it does encompass some basic data protection principles. It does mention being secure to a certain degree. But GDPR is going to probably require a lot of additional policies and procedures and step-by-step documentation on what to do as far as personal data. You’ll need to make sure your scope includes all that personal data, not just your traditional network architecture that's protecting credit card numbers or other types of sensitive information. So it does play a part but GDPR has a lot more things that you do need to look at.

13:47 And people might be familiar with other things that they're regulated in, like PCI DSS, SOC, ISO 27000 and many others, and are more familiar with those regulations and where those fall, but again, GDPR, as we know, is more privacy focused.

14:04 So what about PCI DSS specifically? We do have PCI DSS customers that we work with and they always ask, “Well if I'm PCI DSS compliant, am I good with GDPR, am I done, do I need to do anything else?” Of course, there are some things that can carry over, some data security principles that will work. But there's a lot more to do that we found. There's just so much more to do. Your GDPR scope is much bigger typically because PCI DSS focuses on credit card numbers. It's easier to define where credit card numbers are. It's easier to know, these are credit card numbers and these are not. Personal data can be so many things that point to an individual either directly or indirectly. So your scope probably just grew a lot. So you need to make sure that you're protecting that and you're considering that as part of your scope.

14:57 So some best practices that we've seen here at SecurityMetrics as we've been talking with a lot of different folks at different entities are number one, you’ve got to do your data mapping. You’ve got to know which data you have, what type of personal data, how much personal data, where the personal data is in your organization, where it goes internally. How does it come into your organization? Does it flow out of your organization and where? Do you have controls over that? Do you know where it's stored, how it's protected, when it's in transit or when it's sitting there on your servers?

You really need to do that data mapping to know where things are. And I highly highly recommend diagrams, pictures, things that are easy to look at and understand for multiple people in different departments. So do your data mapping and flow diagrams to know where things are coming and going as far as personal data is concerned. And also, you have got to know where your processes might have gaps. What processes do you currently have that address personal data? Maybe you don't have many. Maybe they're mostly addressing other security aspects of your organization. But making sure that you know where that data is, is number one. You have got to know what you have to be able to decide how to protect it.

16:13 GDPR policies and procedures. So we go into organizations and people will say, “Well, I think I'm good. I'm not sure but you know, I have PCI DSS policy procedures. I have gone through a SOC audit. I do HIPAA. I have procedures.” Again, I think those are great. I think they could be a good starting point. But you may not have GDPR specific policies and procedures. And sometimes we see that they do have policies and procedures that address GDPR, but they're high level, “We will do GDPR or this and that,” but maybe they lack how to actually do it. So step-by-step procedures, how to handle an incident or a breach. What actual step-by-step procedures should you do when a request comes in from a Data Subject to do something with their data. Do you have step-by-step procedures? And also, have you tested those? At least run through them a little bit to make sure, “Yeah, they kind of make sense, they kind of work.” And then obviously to make them better as time goes on. But having those step-by-step procedures is something I've seen that's a little bit lacking.

17:17 Legal Basis For Processing Data. Make sure you document why you have this data. Why are you using this data? Document it. In the audit realm, if you didn't document it, it didn't happen or it won't happen, so you’ve got to document everything, right? Document the basis for what decisions you've made, why do you have personal data? How are you handling it? What processing activities are you performing? And then explain it. Just document what you've done along with your data mappings and your explanations of why you have data. Just make it clear. Make it so somebody can come behind you and understand what decisions you've made and why you made those decisions.

17:59 Consent is another big one. That's kind of a hot topic. If your legal basis is consent, there are several different reasons for having personal data, such as contracts or consent, depending on what you're doing. But if consent is your basis, make sure you're obtaining that. First of all, make sure you are getting some kind of consent to process their personal data. But make sure it's clear and easy to see and easy to know from the Data Subject perspective what you're doing with your data. And so they know when they click ‘agree’ or ‘sign up’ they know what you're doing with it. And yes, you're clearly allowing them to give their consent. And have a clear privacy notice document or something on your web page or an email somewhere that you can send or give to Data Subjects that can be easily read for more information. But again, that's clear, easy to read, easy to understand.

18:55 Going along with that, Privacy Notices. I've seen some that are really long and hard to read, especially in the US in the pre-GDPR days. You know, you look at those things and they're really tough to read and write and nobody reads them. They click, yeah I need this service, whatever, get me through the next page, and click through it. But it really shouldn't be that way. It should be, maybe it's a pop-up, maybe it's a clear text box, maybe it's an icon, maybe it's a couple of bullet points that say, here's the most important thing I'm going to clearly explain to you, the data subject. Here's what I'm doing, here's why I need the data, here are your rights as the data subject, here's how long we keep it. Maybe a couple bullets and then, they click here for more information, for example. Just make it super easy, super clear. I think that's the intent, to make it super easy. Again, when you're looking at GDPR, something that helps me is to always think from the data subject’s perspective, not from the business perspective or what's going to be easy or hard for the business. It's not about that. It's about the data subject and their rights and freedoms and what's going to be good for them. So that perspective helps me understand, oh, OK, maybe I should tweak things a little better. Or here’s a better recommendation based on that perspective.

20:02 Data Subject Access Requests. Those are big as well. You know when GDPR first came out everybody focused on the right to be forgotten. I can have somebody forget me and that is a right, right? Are you ready to have data subjects request information or requests that you don't process their data? Are you ready to delete data, remove data or communicate with data subjects regarding their personal data? The time limit to comply with one of these is one month. So you need to have things ready. One month might seem like a lot but it can go by pretty quickly when you're not ready. And if you're working with multiple vendors, processors and Data Controllers, that time might not be a lot of time. So make sure you have those requests documented and ready to go and you can be really quick and ready to handle those. If there's a lot coming in, that could be a big problem. So make sure your processes are efficient and they work for you and you're ready to handle those requests as they come in a timely manner.

21:04 So Data Protection By Design By Default. That's a big one. I remember when I first read the GDPR and I saw Data Protection By Design By Default, I'm like, what does that mean? It is right there in the articles. You're like, that's a huge thing. If you read it, you're like, okay check box, yeah, I'm secure. But if you really think about it, there are a lot of controls that come under that. Data protection could be PCI, NIST, ISO or SOC. Whatever those controls are that you highlight in those requirements. But there's a lot of requirements, right? It's not just one requirement. There are many underneath that. So make sure you understand what that means. It’s big and it's kind of hidden. There are a lot of controls in that one little sentence there. So that's a big deal. That's a big one.

We also recommend using data protection assessments. You may or may not need to do one based on if you are a Processor or Data Controller. But regardless of that, to support being secure by design by default, I think you have got to perform risk assessments. You've got to perform these impact assessments to know, okay, if I change a process, if I have new data flows, how might that impact my personal data? And more importantly, how might that impact the rights and freedoms of the data subjects for the data that I hold on them, how might that impact them. And then if you can understand the impacts and the controls together, that will help you to know how big of a deal this is. What is the impact?

Because I have all these controls, these safeguards, when I do this impact assessment I have a better understanding of where I sit, what my posture is, and then I can better handle and fill in the gaps and bolster my security from there.

22:49 Contracts And Agreements I think are also important. We go to companies and everybody has a contract with somebody. Typically with some kind of Processor or other Data Controller to perform some function or business deal. Make sure those contracts are clear and they include GDPR language or whatever you want to call it. Make sure you know your role as a Data Processor or Data Controller. What are your obligations to each other and who does what when an access request comes in? What about breaches if those happen? Who reacts first? Does the data subject call the controller or do they call you as a Processor? Make sure those are clear in your contracts and make sure that it's well understood and you've really discussed those with those third parties. Because when it all comes down to it, if there's a problem, I think probably everybody is going to be on the hook, right? I don't know that the ICO or whoever is going to really care. “Oh, I didn't know, I thought it was them.” Just have clear agreements so that you know who's responsible for what.

23:48 Here are some bullets from our forensics team showing some security considerations. We highly recommend you consider and have controls and safeguards for these. When our forensics team goes out, these are the top issues they see where people have breached their network. These are the top things that they've seen problems with, such as remote access. I've seen and heard a lot of examples of people misconfiguring remote access or their RDP is directly accessible from the internet. And people get in and take control of your network and potentially expose personal data and other things, bigger problems. So look at your remote access. What are your flows of data and access in and out of your network? Is your web application secure? Are you looking at penetration tests? Are you making sure your firewall, your edge security perimeter, is secure? That is something you should be looking at whether you have other regulations you're following or not. That's just basic.

24:48 You need to have good perimeter security and make sure you know what's allowed in and out of your network. Wireless security, password policies, malware, physical, there are so many controls. These are just the top ones but these are some big ones, just make sure you have those policies and procedures in place. If you're following PCI DSS, for example, a lot of these are in the requirements and for other requirements NIST, ISO. These are pretty standard. So make sure you're taking care of these basic things. I think these are part of Security by Design and by Default, right? These are some of the top things.

Some other things to look at, I mentioned penetration testing. That's something you may consider. You may have to do it for PCI DSS or other regulations. That's really making sure that things are really secure. If somebody tries to get in, how far can they go? These are good to perform. Pseudonymization is something that we've talked about more with GDPR. That's something you can do. Encryption, you can encrypt data. Are you encrypting personal data at rest and in transit? File Integrity Monitoring, do you know when files change on your network and which ones should or shouldn't change? Do you get alerts? Do you know what's going on on your network? Training personnel, that's a huge one. No matter what industry, what regulations, whatever you're trying to do, you’ve got to train your folks, right? You’ve got to make sure they know what to do and if an incident happens, what do they do?

26:09 They have got to know what to do. They are the first line of defense a lot of times on phishing and password issues. Make sure they know what they're doing, which then leads to a more secure environment for your personal data. Patching. We still see it today where patches aren't managed very well and things are open and you have breaches and problems. Internal Vulnerability Scanning. So think about these bullet points here. These are some minimum things that we highly recommend you do. And if you're not ‘required’ to do these things, think about doing them for your environment to make sure they're secure. It's gonna help your business anyway, right?

26:47 Data Protection Officers. We get this question a lot, “Should we assign a DPO or Data Protection Officer? We don't really think we need one. We don't think we fall under the requirements to have one.” We recommend you have somebody in that capacity whether you call them DPO or not. Someone that's responsible for your compliance for GDPR specifically. We recommend that they have the support of the president or CEO. They need that authority to carry out their role and make decisions. Make sure you're following things for GDPR, being secure and being concerned about privacy in all of your processes and procedures. So I would consider having someone in that role whether you feel you need one or not.

27:38 Data Breaches. We've seen in the news that it happens all the time. It's not a matter of if, it's a matter of when. We say that a lot. Be ready. Have those policies and procedures in place to detect, report, and investigate a breach. Again, whether you feel like you have a lot of data or not, it’s still a good business practice to have these breach procedures. If something does happen, even if it's a false positive, what do you do? Who starts it? Where do you go? Who do you report it to? Who does what on your team? So, have that ready to go and, just as important, test that plan. Does it work? Does it make sense? At least do a tabletop exercise run through to make sure that it works. Reporting data breaches is obviously a big part of GDPR. If something happens and it fulfills certain requirements, you need to report that potentially to authorities and to Data Subjects in a timely manner. So have those ready to go.

28:31 Because if you don't have that ready to go you might have a fine or have issues from some of those authorities, right? If you did not respond in a timely manner or give justification. I am not an attorney. I say that a lot to my clients. I am not an attorney. We always recommend you seek legal counsel, either your own legal counsel or outside counsel. We're experts in data security and we can help you a lot with that, but always at the end of the day talk to your legal counsel to make sure this does work. Does it sound good legally and from that perspective?

29:10 We've gone over a lot. If you remember anything, just remember a few things: have your documents ready to go, your GDPR efforts ready to go. At least start with something, what you're doing, what your roles are, have those ready to go. And do that data mapping. If anything, just do a data mapping and know where you have personal data. If you don't do anything else, at least do that, know where it's at, then you can make decisions on what else to do. Where do I need to focus my efforts? Perform a risk analysis and gap assessment. Know if you are in a good or bad position and how much data you have floating around your organization.

29:49 And if you process large amounts of data, consider doing more. In the end, just don't ignore it. Don't say, “Oh, I'm not going to do anything.” At least know what you have to do or don't have to do. Do that data mapping, know what you've got, talk to somebody. We’re willing to talk to you and at least go through some things with you to see where you're at and where you need to go, especially from a data security perspective. What are some things you've done and what are some things you may still need to do? We recommend that you don't ignore it. Do something. Document your decisions and what things you need to do going forward.

30:32 And I think I'll turn the time back to Andrew to have some polls and then we'll do some questions after that.

30:41 Awesome. Thanks Ben. Some really good information on that webinar and we had a few questions come in as well. So we'll get to those in just a minute. We want to end with a couple more polls. So first question here, what other mandates are you trying to comply with?

31:35 Alright, so it looks like almost all of you are working to comply with the PCI DSS. So that's awesome. Looks like we have a good number of you working to meet HIPAA requirements as well. So that's great.

31:52 And then one final poll here. Are you planning to use a third party to help you meet GDPR requirements?

32:14 It looks like many of you will be taking care of it yourselves in-house and then a good number of you are also interested in looking to hire someone to help you so that's awesome. And the percentage of people responding with ‘What is GDPR’ has gone down since the beginning of the webinar, so that's good. All right, so we're going to go ahead and dive into our Q&A now. Thanks everyone for taking the time to answer those questions.

33:04 So feel free to chat in some questions and we'll answer as many of those as we can and then we will launch into our GDPR defense demo, which is about a 4 minute video demo that we can share with you. So for those of you interested in a third party resource, this could be something of interest to you.

33:23 So we'll be back in just a minute to answer your questions. We will give you a minute to chat those in. All right. Thanks everyone. We've got some good questions coming in here to start things off. We had a question about data collection. How does it differ between data collected for the purchase of a product and data in general when someone visits a website with session storing? Obviously, we need the user's data and information for sales and business records. Is that something the user has the right to ask us to delete? So that's our first question and I'll turn it back over to Ben to answer that.

34:01 So thanks for the question. First of all, I mean, there's going to be a lot of different scenarios and questions that are going to be very specific to your environment and as GDPR is new, some things we are not sure about. We don't know how it's going to shake out, how it's going to end up but that's a good question. I think from a Data Subject perspective, I go to a website, I purchased some goods and services or whatever. I put in my name and email, things you typically would expect to when you purchase a product and you have information on that. I think that's more clear-cut. Yeah, they probably can ask you to stop processing that and to delete that but your question is more interesting to the session data. So first of all, is that session data unique to them because it can identify them? Is it personal data? Does it directly or indirectly identify that person with session, IP, or certain information that's in those logs?

34:56 And if so, then yeah possibly they could ask you to delete all personal information on them. If you're not sure, document your reasoning of why or why not you're doing certain things. But yeah, I mean that is the intent, that they can delete their information or anything that identifies them directly or indirectly. So they can request that be removed. So document the type of information you have, in what scenarios things will apply, how you would delete that, what type of data and if you feel that it can't be deleted maybe a justification for that. You may need to delete that data. So yeah.

35:38 Awesome. Thanks Ben. So reading over the questions here. We've had a couple people ask about the new California initiative. It sounds like it's similar in some aspects to GDPR but maybe you could give us a little bit of background on California's new Data Privacy Law and how it differs from GDPR. So the new California law is a big topic in the news in the US. I think we see it coming. I think more data privacy regulations are needed. That's just my own personal opinion and we think it's coming. From the data subject's perspective, it's probably a good thing. From a business perspective, it's probably difficult, but with the California law, it's new and it's a little way out. I think there are some similarities to the GDPR. I think they probably looked to the GDPR to copy a little bit of that and focus on the Data Subject and their rights and their freedoms.

So I don't know all the specifics. It is a new law and I haven't gotten into all the various differences and specifics. I haven't done any mapping or anything like that with GDPR but I know that you're going to have to look out for that and other states may pass the same type of regulations, right? And in the end we may be looking at more of GDPR type regulations here where you're going to have to have clear cut policies, procedures and consent and privacy notices that are better than we've had in the past. And so I think GDPR is going to help us prepare for those regulations. So I don't know if I directly answered your question, but I would look for those and use GDPR to help you be on the forefront of those new regulations coming out.

37:24 Awesome. Well, then we've had a few questions come in about Data Controllers and Data Processors. How do you determine if you're a Data Controller or Data Processor? How are they treated differently and also if you could maybe give an example of each? Okay, so let's start with the definition, that helps. That's why I always go back to the language of the regulation to help me and then I try to hopefully figure out the intent. A Data Controller determines the means and how they're going to process data. A Processor would be somebody that acts on behalf of a Data Controller. So let's give a couple of examples. For a Data Controller, an easy example is your own employees in your organization. You are the Data Controller for your own employees' data because you determine the means and how you're going to process that data. You need it for this and that, for your employment records and you've got to have these records for insurance, etc. You're determining why you have that data.

38:32 A Processor might be somebody used for your HR or accounting database, a third party that you say, "Will you please issue checks or deposit money into the bank account? Here's their personal information, you need to fulfill this request, please do that for us." So they're doing it on behalf of you. And so you need to make sure which one you fall under, am I a Processor, am I a Controller, am I both? So that's how I think of those. Just make sure you know which one you are and you could be both. Okay. Awesome. A lot of good questions coming in right now. We've had a couple of people ask about data mapping. If you could talk a little bit more about that. For example, where do people start with data mapping and are there templates for data mapping to help people get started?

39:24 So data mapping I would say is probably the most important thing to get out of this webinar. Starting with the data mapping is key. For any regulation, for anyone to have proper security in any kind of environment, you need to know what you have. So data mapping, you can do this in many ways. Some simple steps that I've used are, first is you send out a survey to your organization and say, where do we have personal data, where do we have credit card information if you're doing a credit card one, but where do we have personal data? And here's the types of personal data we're looking for. Maybe you meet with department heads and say here's personal data that I'm concerned with, where do we have it? Start making a list or a spreadsheet of where the data is. Some may do it by department, some may do it per process.

40:11 Put down all our business processes and underneath each process go and interview the department heads, IT, personnel development personnel, management and the people with boots on the ground. Find out where the data is so you can document it from that perspective as well. You may want to do it from both perspectives to make sure you don't miss anything. Start with interviewing people asking the questions in each department, who has personal data? Then from there you can start getting containers of data. Okay, I have stuff in AWS and I have stuff on my accounting server. And then you start listing these out and then from there I start drawing pictures and doing a diagram. Here's a box, over here is my AWS stuff, here's my local network with personal data. And then I start breaking it down even more. Okay within that AWS, here are the types of personal data I have. So just trying to break it down into pretty granular bits of information of what types of personal data and where it is. And then again with that diagram, I'm huge on pictures, it's really easy to see and understand that picture. So start drawing it out literally with a flow diagram with lines and arrows of where things are going and then I would just build on that.

41:24 And I think the key is working with different members of your company or organization to more fully understand. You're probably not going to get it perfect the first time. I would say start anywhere and then just make it bigger and better as you go along. Then I would recommend that at least every year refining it. As things change, add to it and make sure you're assessing the data points. I think part of the question was about a template. I think we do have certain things we can help folks out with. We can say, here's some examples of a starting point for data mappings and flows and diagrams. So we do have some things we can point you in the right direction with.

Awesome that leads into our next question here. We've had a few people ask if SecurityMetrics specifically has templates for things like policies. We had someone ask about templates for docs that can help evaluate GDPR readiness. Someone else asked about a GDPR checklist. But really the question is, what tools does SecurityMetrics offer? Do you have templates, policies and procedures and those kind of things?

Yeah. So the short answer is yes, we do have templates, and policies and procedures. They are a good starting point that we have developed. They talk about general GDPR, security policies and components that help you define your controller or processor, things that help you think-map data points. Things that can help you document legal basis and the different types of personal data you hold. So we do have things that can help. And again, it's a starting point. You don't have to use all of it, use what you want. We found that in other regulations it's kind of helpful sometimes to give people that haven't done it before a good starting point. Then you can modify it from there. So yeah, we can definitely help with that.

We will be showing an example of that in just a few minutes. So stick around for our demo. We will show you a video about what we offer and the templates that we have. So another question for Ben. You mentioned design by default earlier in the webinar. Which article in the GDPR talks about design by default? Article 25 is the Data Protection by Design and by Default. It talks about that a little bit more, having the controller and different parties have appropriate technical and organizational measures. So it does talk about that a little bit but you'll find that it doesn't explain what that really means and you have to divine and know what that means. I think we at SecurityMetrics know what that means. We have a good idea of how to design securely by default so we can definitely help you with that.

We had another good question come in. Is there a central location where someone could look up which third parties have completed their GDPR compliance correctly? If we are in purchase mode of a third party, we would want to know that they are GDPR compliant. So I guess the question is, you know, is there somewhere where I can go and look and see who's GDPR compliant and who's completed the requirements correctly? That is not available. But if you as an individual organization, if you are working to meet GDPR requirements, we do have a checklist that we can provide to you so that you can make sure that you're hitting all the requirements and checking off everything that you need to do. If you want to look up another company and see if they are GDPR compliant, there is no official GDPR certification. It's different from PCI-DSS where you can obtain certification from the PCI council. With GDPR they currently do not have that. That's not to say they couldn't have something further down the road, but for now, it's really up to the individual organizations to make sure that they're meeting those requirements.

46:20 We have time for just a couple more questions here and then we'll dive into the demo. What constitutes personal data? If we just have a unique ID for the customer without their name or personal information, does that have to be managed in the same way? Let's go back to that conversation about what personal data is. Let's start with the definition again; my methodology is to go back to the definition. Let's all read that together and make sure we understand. Personal Data is anything that directly or indirectly identifies an individual. So does the unique ID directly or indirectly identify a unique individual? The answer depends. If you only have the ID that doesn't mean anything to anybody and it's separate from those others, could you somehow put them back together and then you know it's 'Bill Smith'? Or is there no way to recombine those? It's all about identifying an individual directly or indirectly. So I think if you can do that then the answer is yes, if you can't, then document why you believe you can't and why it's good and you don't feel it's personal data. That would be my recommendation. Of course always when you're making decisions like this, document your business reason or justification and why you came to such decisions. I would also highly recommend that you get your legal department to take a look at these kinds of decisions.

48:07 Awesome. So this is probably our last question due to time constraints. But again, feel free to keep chatting them in. We will have someone reach out to you on an individual basis in the next few days to get your questions answered. We've had a couple people asking, how is the EU regulating GDPR? Someone else asked, what about US companies, have any of them been fined successfully for non-GDPR compliance? Could you speak a little bit to the enforcement of GDPR?

It is a little up in the air. I think there are some bodies like the ICO, its Supervisory Authorities, each Member State and their courts who are going to be the ultimate authority. We know it is happening. We know that people are getting fined. We know Google and Facebook and different companies like that are on the radar and have fines right now so we know it is happening and they are enforcing it. Those fines have been through the ICO.

49:06 We will see. I don't know how else that's going to work. We have not had a lot of things go to court to see who's really going to do all this. Does the ICO have the manpower to do this? And what about each Member State? Can they do it on their own? I don't know. We don't know so we'll have to see, but yeah, there is some enforcement happening. We've seen it and I think it will continue.

Awesome. Well, that's all the time we're going to take for questions today. Thank you all for participating and for asking those questions. We're going to go ahead and pause for just a minute and get our demo ready. This will be a demo of our GDPR defense tool which can be used to help you meet the requirements as I mentioned. There are templates for policies and things that you can use so stick around for just a minute and we'll be back with that demo for you.

50:09 This is the GDPR Defense Checklist. We also have PII Scan included in the GDPR Defense package and a Reports Tool. So the GDPR defense checklist comes with four different sections. You have the Company Information section. You have the Data Mapping section. You have the Data Policy section and you have the Data Security section. You'll see here in the upper right-hand corner there is a % complete. So as you go through and complete your checklist, it will be recorded up there and displayed. When you first log in to GDPR Defense, you'll see the GDPR Defense Checklist (adherence assessment) and that will talk to you about what GDPR is. You will also get a quick understanding of what GDPR Defense is and set your expectations for the product.

50:58 The first section is the company information. So those are six questions that are outlining exactly what size your company is, does your organization do regular business monitoring, does your organization conduct business in more than one EU Member State and so forth. Those are yes/no questions. There is no wrong answer. Then you can move on to your checklist. This is the data mapping and tracking section. How to complete this section? Each checklist item is intended to be marked when the requirement is in place and completed. You're not required to upload documentation, however, it is highly recommended as proof of implementation.

As you're going through your checklist, we have identified terms that may be confusing so you can just hover over ‘Personally Identifiable Information’ and you will see the definition. You can also click on ‘How to Implement’, that's the data flow analysis tips, and you'll receive an outline on how to implement your data flow analysis. Once you have a data flow analysis in place, you can upload that document. This is not required but recommended. Once you've implemented your checklist, it will indicate that it has been completed including the date it was completed.

52:11 And then you can go through the rest of the checklist. You have the Data Security section, there are four sections in data security you go through and then mark those complete. Once that's done there is an attestation page that you'll see that will let you know that you have completed your checklist and then it will be reflected in your percentage complete as 100%. You can also view your reports page at any time and see that 65% is implemented and what is not implemented. You can also track how many documents you've uploaded to the portal. We do have a view expanded section. This allows you to see all the changes that you've made historically to your checklist. This helps you to avoid willful neglect.

52:55 In order to access your SecurityMetrics GDPR Fundamentals training course, you go into your Litmus platform. Click on your GDPR Fundamentals course, click on preview course. Then click on GDPR fundamentals and it will take you into your training course.

53:16 Here you will see the Privacy and the GDPR. You have your Introduction section, the General Data Protection section, the Small Mistakes, Global Impact, Compliance Matters, Identifying Personal Data, and then you can move into your GDPR Principles.

53:31 There's a glossary here of the courses that you'll go through, Individual Rights, Global Transfers, Privacy by Design. So here's an example, once you get into your course, this is the Privacy and GDPR. There is audio that you can listen to as you go through your course or depending on your time, you can read through that at your own leisure.

53:54 Once you get through the course there is an assessment. There are ten questions that will test you on your knowledge of the course information. The courses are meant to be taken as often as you'd like. They are good for one year. Here's where you'll access your assessment and complete those ten questions. Once you have completed the assessment, there is a completion certificate validating that you have taken the training, the day and the time. Part of GDPR requires businesses to update and expand their policies and procedures to meet new regulations such as data subject rights, consent, data retention and breach notification.

54:32 Rather than trying to build your own GDPR policies and procedures from the ground up, we provide templates that you can easily tailor to your business. This is the GDPR Breach Notification Policy Template. Each of the templates begins with instructions for using this document section. You can replace all instances of 'customer name' that are highlighted in red and go through and fill out your company specific information. All notes indicated by the red text can be removed and you can fill out tables one, two, and three as they apply with the appropriate information. You can delete this page when you're finished.

55:09 Here's an example of the policy itself. Here you would make edits as it's highlighted in red and mentions company name below. I am just going to scroll through so you get an idea of what that will look like in your document. As always, if you have questions, feel free to contact our technical support for assistance.

GDPR requires you to complete an entire data flow map of your business environment, including what data goes inside and outside of your business. This is a template to help you identify where information is being collected and stored. These policy and procedure templates are included in our GDPR defense plus package or can be purchased on their own. This concludes our demo of our GDPR products. If you have any questions about our products, please send an email to support@securitymetrics.com. If you need to request a quote for GDPR defense, you can contact our sales agents at compliance@securitymetrics.com.

GDPR Defense is our tool that lays everything out in an easy to understand checklist. It makes it easier for you to make sure that you're not leaving any gaps.

56:35 And as mentioned in the training, upon completion of the training you do receive a certificate that says you completed the GDPR training course. This is not by any means any sort of official documentation for GDPR compliance. It's not an official document from a GDPR regulatory body, but it is something that you can have to show that you are taking steps to meet GDPR requirements and that you are doing something. And at the end of the day, that's really what's most important when it comes to GDPR is that you're working towards meeting the requirements and that you're taking the steps necessary to meet these requirements. So again, if you'd like more information about this tool, please reach out to us, you can send us an email at compliance@securitymetrics.com. You can also visit our website securitymetrics.com. We have a GDPR page where you can learn more.

57:37 Well with that we'll go ahead and end the webinar. It looks like we're ending right on time. We were able to keep it to an hour, which was our goal. So, thanks everyone for joining us today, and we'll hope to see you next time. Thanks.