
PRIVACY INSIGHT SERIES

Winter / Spring 2018 Webinar Program

72 Hours Notice: Incident Response Management under the GDPR
18 April 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speakers

Ashley Slavik
Senior Counsel & Data Protection Officer
Veeva Systems Inc.

K Royal
Consulting Director (West)
Senior Privacy Consultant
TrustArc

2 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introductions

• Legal requirements

• Practical approach

• Operational effectiveness

• Case study




Thanks for your interest in the webinar slides!

To watch the on-demand recording please CLICK HERE.




Legal Requirements



Definitions

• Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

• Controller: determines the purposes and means of the processing of personal data.

• Processor: processes personal data on behalf of the Controller.



Notification requirements

• Controller: without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the supervisory authority unless it is unlikely to result in a risk to the rights and freedoms of natural persons.

• Controller: when likely to result in a high risk to the rights and freedoms of natural persons, notify the data subject without undue delay.

• Processor: notify the Controller without undue delay after becoming aware of a personal data breach.



Documentation requirements

• Controller: must document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.



Lifecycle of an event

Non-event → Event → Possible incident → Incident → Possible breach → Breach

A non-event may be screened out from alerting at all.
An event is a trigger that looks like something out of the normal occurred.
This may become a possible incident (or they may be used interchangeably) if it appears the systems were compromised or personal data was involved.
An incident is when it is verified that something occurred and may be the same as a possible breach.
A breach is a compromise to the integrity of systems or unauthorized access or disclosure of personal data.
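As an added worked example (not part of the TrustArc/Veeva slides), the lifecycle stages above, the notification duties from the "Notification requirements" slide and the documentation duty from the "Documentation requirements" slide are expressed as a small Python tracker. The record fields, the "controller"/"processor" role labels, the `escalate` and `required_notifications` helpers and the two sample records are my own assumptions; the samples are constructed to mirror the stolen-customer-database and staff-telephone-list scenarios in the "To notify or not?" slide. The 72-hour clock is counted from the recorded time of awareness, which is itself a judgment the record has to capture.

```python
"""Breach-notification tracker for the event lifecycle, the GDPR
notification duties and the documentation duty (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Stage(Enum):
    """Lifecycle stages from the slide, in escalation order."""
    NON_EVENT = 0          # screened out; never alerted on
    EVENT = 1              # something out of the normal occurred
    POSSIBLE_INCIDENT = 2  # systems or personal data may be involved
    INCIDENT = 3           # verified that something occurred
    POSSIBLE_BREACH = 4
    BREACH = 5             # a legal call, made by someone authorised to make it


class Risk(Enum):
    """Risk to the rights and freedoms of natural persons."""
    UNLIKELY = 0
    RISK = 1
    HIGH_RISK = 2


NOTIFY_WINDOW = timedelta(hours=72)  # controller -> supervisory authority


@dataclass
class IncidentRecord:
    ref: str
    role: str               # "controller" or "processor" (assumed labels)
    aware_at: datetime      # when the organisation became aware; tz-aware
    stage: Stage
    risk: Risk
    facts: str = ""         # the three documentation elements: facts,
    effects: str = ""       # effects and remedial action taken
    remedial_action: str = ""
    breach_declared_by: str = ""  # who made the legal call; "" = nobody yet


def authority_deadline(record: IncidentRecord) -> datetime:
    """Latest time to notify the supervisory authority: awareness + 72 h."""
    return record.aware_at + NOTIFY_WINDOW


def hours_remaining(record: IncidentRecord, now: datetime) -> float:
    """Hours left in the 72-hour window; negative once overdue."""
    return (authority_deadline(record) - now).total_seconds() / 3600.0


def escalate(record: IncidentRecord, new_stage: Stage,
             declared_by: str = "") -> IncidentRecord:
    """Move exactly one step up the lifecycle.

    The step into BREACH needs a named decision-maker: the responder who
    spotted the event escalates and does not make the legal call alone.
    """
    if new_stage.value != record.stage.value + 1:
        raise ValueError(f"cannot jump from {record.stage.name} to {new_stage.name}")
    if new_stage is Stage.BREACH and not declared_by:
        raise ValueError("BREACH must be declared by someone authorised to decide")
    record.stage = new_stage
    record.breach_declared_by = declared_by or record.breach_declared_by
    return record


def required_notifications(record: IncidentRecord) -> list:
    """Who must be told, following the notification-requirements slide."""
    if record.stage is not Stage.BREACH or not record.breach_declared_by:
        return []  # no declared breach, no legal notification duty yet
    if record.role == "processor":
        return ["controller"]  # without undue delay; the 72 h clock is the controller's
    needed = []
    if record.risk in (Risk.RISK, Risk.HIGH_RISK):
        needed.append("supervisory_authority")
    if record.risk is Risk.HIGH_RISK:
        needed.append("data_subjects")
    return needed


def documentation_gaps(record: IncidentRecord) -> list:
    """Documentation elements still missing from the breach record."""
    return [f for f in ("facts", "effects", "remedial_action")
            if not getattr(record, f).strip()]


# Constructed sample records mirroring the 'To notify or not?' scenarios.
AWARE = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
STOLEN_DB = IncidentRecord(
    ref="INC-0001", role="controller", aware_at=AWARE,
    stage=Stage.BREACH, risk=Risk.HIGH_RISK,
    facts="Customer database copied off a backup host",
    effects="Possible identity fraud or financial loss",
    remedial_action="Host isolated, credentials rotated", breach_declared_by="DPO")
PHONE_LIST = IncidentRecord(
    ref="INC-0002", role="controller", aware_at=AWARE,
    stage=Stage.BREACH, risk=Risk.UNLIKELY,
    facts="Staff telephone list altered by mistake",
    effects="Minimal effect on individuals outside the organisation",
    remedial_action="List restored from backup", breach_declared_by="DPO")

if __name__ == "__main__":
    for rec in (STOLEN_DB, PHONE_LIST):
        print(rec.ref, "notify:", required_notifications(rec),
              "deadline:", authority_deadline(rec).isoformat(),
              "doc gaps:", documentation_gaps(rec))
```

Running the module prints, for the stolen database, both the supervisory authority and the data subjects as required notifications with a deadline 72 hours after awareness, and nothing for the telephone list; a record whose stage is still short of a declared BREACH yields no notification duty at all, which is the operational form of "don't make that call yourself".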



Possible event / incident
Is this a breach?
Breach is a legal issue
Two main points:
• Don’t use the word “breach” when communicating about
an “event” that may have disclosed information without
permission.
• Don’t make that call yourself.
• Alert someone who can make the decision.



Privacy vs. Security Breach

• You can have a privacy breach without impacting the information systems.
  – Examples: misfax, lost USB.
• You can have a security breach without involving personal data.
• You can have breaches that involve both.
• You can also think it is one type of breach and then learn the other type is also involved.

• Incident plans need to accommodate all scenarios.

• Incident managers need to know how to identify all areas impacted.




Practical approach



How to identify and classify threats

• Examples: unauthorized access, data loss, compromised data, system failure

• Automated detection systems

• Investigation: first line, IT and Security employees

• Internal reporting: senior level management



How to manage questions about breach

• Communication policy

• Escalation path

• From the Luxembourg DPA:



Breach: now what?
Practical responses

Document the circumstances of the breach, including whether or not the personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse.



To notify or not?

• What happened: theft of a customer database
• What harm: data may be used to commit identity fraud or cause financial loss

• What happened: loss or inappropriate alteration of a staff telephone list
• What harm: minimal effect on individuals outside the organization




Operational effectiveness



Incident response plans

• Incident Management Policies

• Incident Response Procedures

• Incident Report Generation Work Instructions



Simulated breach: lessons learned

• Andrea Jelinek, the new Chair of the EU Article 29 Working Party, says one of her biggest recommendations around breach is to prepare internally by running a simulation exercise.

• Mock tabletop exercises, i.e. planting a fake breach and either letting the teams know (or not) to see how they respond.

• The most likely cause of a breach is human error. Make sure your workforce is your biggest asset, not your greatest risk.



True cost of breach

• Not whether you suffer a breach but how quickly and in what manner you respond

• Loss of trust and damage to reputation

OR

• Resilience and cooperation with authorities



Enforcement View from DPAs
• The UK ICO currently has 200 case workers and a 60-strong “enforcement team” with FBI-style jackets to enter businesses for “dawn raids.” They plan to add another 150 people to the ICO team, bringing it to more than 400, with a budget of 34 million GBP per annum. Infringements of the organisation’s obligations, including data security breaches, will be subject to the lower level of fines, whereas infringements of individuals’ privacy rights will be subject to the higher level.

• France’s data protection authority, the CNIL, publicly acknowledged the difficulty of complete GDPR compliance, stating that companies not yet fully compliant “can expect to be treated leniently initially provided that they have acted in good faith.”

• The Dutch DPA has stated that “fines will only be imposed at the beginning if it is obvious something is very wrong,” in response to the fears of local municipalities.




Case study: Red teaming



Practice makes perfect

• Ethical hacking
• Kidnapping executives
• Competitors
• Using field level employees to compromise
system or provide information
• Government subverting an employee
• Using passwords across accounts






Questions?




Contacts
Ashley Slavik ashley.slavik@veeva.com
K Royal kroyal@trustarc.com




Thank You!
Register now for the next webinar in our 2018 Winter / Spring Webinar Series, “One Week to Go – Are you Ready for May 25?”, which is due to take place on May 16, 2018.

See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.
