Information Security Frameworks: GDPR
Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
Now our next framework is going to be the GDPR, which is the general data privacy regulation. We'll talk about that a little bit and then look at the rights of data subjects. I'm the person to whom the data describes and applies, so I'm the data subject. Here in the US, there are not a lot of laws, certainly no federal laws, regarding things like privacy or ownership of data. We have regulations specific to industry. There are regulations for health care industries and banking and government. But as far as federal generalized laws, we don't have them. In the European Union and many other countries, they're subjected to the GDPR as a law.

Now, we'll look at, like I said, the rights of data subjects, and then we'll talk about some responsibilities that we have to adhere to GDPR. Again, not necessarily here in the States, but for environments that adopt GDPR, we have certain roles and responsibilities and requirements.

Now this is a good slide. I'm obviously not going to go over everything here. This might be a time that you would take a screenshot of what's on the screen. Not that the exam is specifically going to say how many hours does an organization have to report a data breach according to GDPR. The exam will not get that detailed. But certainly what's information that would be covered, like private information, and on the upper right-hand corner, just a sample of some types of data that are sensitive. You can wrap it up by thinking about personally identifiable information, personal health care information, personal financial information. But there are a lot of pieces that go into the sensitivity of data.

Now, we talk about what's lawful processing over on the left-hand side, and down towards the bottom, the rights of our data subjects. I would familiarize myself with the concepts of GDPR and again, also be aware of the fact that we do not adhere to GDPR here in the US, but many other countries and organizations do. How that could come up on the test might be something to the effect of, let's say, the United States, Canada, and the European Union are going to enter into a treaty that has a consistent means of protecting the privacy of data subjects. Which country would have the hardest time being compliant? If you see what I'm asking. The answer would be the US, because we don't have these federal policies and regulations. The regulations are industry specific, but they're not federally mandated across the board. That might be something that would come up.

Now, the more detailed aspects of the rights of our data subjects. Now, I think these are important. Again, not going to read all of them. But the idea, like the right to be informed: if you're collecting information on me, I have a right to know that. I have a right to access that information, because it could be incorrect, and I should have the right to dispute and to request that it be rectified if there's any mistake or error. The right to erasure: how long do you keep the information you store on me? I get to say. At the end of legitimate need for storing that information and retaining that data, I have the right to request erasure. We can go on and on through this list. Again, they're not going to say, list the ten properties or rights of data subjects; that's all fine. But just getting these concepts as just general data privacy requirements of GDPR, and really focusing on the one thing that GDPR gives us, is it really takes a very firm step on data subjects and their rights.

In addition to that, we also have to consider the fact that there are repercussions for breaching those requirements. Fines, a lot larger fines, in relation to organizations that don't adhere to GDPR. One of the things I find interesting here is that breaches must be disclosed within 72 hours of first becoming aware of the breach. That's not a long time. I think many times organizations have a breach and they wait and wait and wait. There are a couple of reasons for that. They don't want to come out to the public and say, "Yeah, we're right in the middle of a huge security compromise," and they don't want to come out and say, "We don't even know the origin of this yet." They want to come out and they want to present a confident front. They want to be able to provide solutions to their customers. 72 hours isn't a lot of time, so that really requires a very quick turnaround in response for the public.

As you can see, again, some of these ideas, the scope of GDPR, some of the mandatory requirements for having a privacy officer or a Data Protection Officer. This is a really good one; I think that there are a lot of things that GDPR gets right. This replaces some of the older regulations. If you were familiar with the safe harbor laws, we've really forgotten those in favor of GDPR. Again, on the exam, not nitpicky details, but just the concept, the importance of privacy, the rights of data subjects, as well as the responsibility of organizations to adhere to GDPR, as well as the repercussions if they don't. That's what we've talked about in this video, and the GDPR provides a framework to which we can adhere.