Don't Ignore GDPR; It Matters Now! presented at FirstConferenceKualaLumpur 2018

by Thomas Fischer

Summary: GDPR has been in effect since May 25, 2018. Any organization handling EU residents' personal data should be complying with stricter privacy regulations or be ready to pay fines of up to four percent of its global annual revenue or €10,000,000. This is a substantial penalty for non-compliant companies, and it does not apply only to companies based in Europe; it applies to ALL companies globally that do business in the EU.

There is a lot of talk about compliance with GDPR, but in fact it may require some fundamental and deep organizational changes to be prepared and to ensure that EU citizens' personal data is protected. What does this mean for our incident response process? Let's explore what is covered by GDPR and how it may impact your organisation, answering questions such as: Do I need to have a DPO? I don't do business directly in the EU, so when does GDPR affect me? What data is affected? What key processes need changing, and, importantly, how should my incident response procedures work in order to meet GDPR accountability requirements?

A key first step in protecting that data and being able to respond is to understand what personal data is as defined under GDPR, which includes not only the basics but also things like an IP address, an IMEI and biometrics. Once we understand the nature of personal data, we can look at what needs to be implemented or addressed against the various Articles in GDPR, look at what they mean for some of our key Infosec best practices (such as SDLC, backup, …), and then discuss the impact on, and improvements to, the incident response process and its interactions with the DPO and the DPA.