by Lori Smith on November 21, 2018
On March 1st, Chief Privacy Officers, Data Governance, CISO, Information Compliance and Risk Management executives from some of the largest US and Canadian organizations in banking, insurance and other regulated industries, including CIBC, Scotiabank, the Financial Services Commission of Ontario, BMO, the Canadian Credit Union Association and other enterprises, took part in a lively conversation about Lessons from the Security Trenches: Data Loss Incidents, Reputational Risks, Investigations, New Governance Obligations and Trends, with a focus on GDPR compliance for enterprises in regulated industries:
Data governance regulatory compliance has become a Board-level priority for taming the risks of cybersecurity incidents and regulatory enforcement. Preventing privacy violations, meeting cybersecurity and data governance challenges, satisfying regulatory obligations and being investigation-ready are front and center on the agenda of C-level executives in the financial services industry and other federally regulated industries.
John P. Beardwood, a senior partner at Fasken Martineau and the Chair of its Technology practice group, spoke about “Understanding the New GDPR: What’s New, and What’s the Same for Canadian Enterprises”.
Three key takeaways from John’s presentation
- GDPR issues arise in non-EU companies because the GDPR has an extended reach: it applies either because a company has EU customers or because it provides services to companies with EU customers. The GDPR applies to both processors and controllers. The GDPR now includes location data and “online identifiers” in the definition of “personal data”.
- Controller obligations have increased and now include a new definition of consent, broader rights for data subjects, a new definition of sensitive data, and specific security and breach notification requirements, in addition to rules on cross-border transfers.
- Consent: companies can only process personal data if there is a lawful basis to do so. One such basis is consent, which must be “freely given, specific, informed, and unambiguous… by a statement or clear indication of affirmative action”. Consent will not be valid if:
  - The data subject has no genuine choice or is unable to refuse or withdraw consent.
  - There is a clear imbalance between the controller and the data subject (e.g. an employment relationship).
  - “Utmost account” must be given to whether the performance of a contract is made conditional on the data subject consenting to processing activities that are not necessary for the performance of that contract.
The principle of data minimization also requires that personal data be limited to what is necessary, and the right to erasure is limited where there is a lawful basis other than consent for processing the personal data.
David Damo, a Senior Security Lead and Architect at Long View Systems, is responsible for resolving major data breaches. David talked about recent scenarios that caused data stewardship and compliance incidents, and about new trends in data-centric security philosophies for securing sensitive data and preventing its loss.
Three takeaways from David’s speech
- New patterns: almost nobody knows or understands the flow of data. Organizations have no clear internal ownership of data passing through their systems. Solutions are project-focused and are rarely enterprise-wide programs. Enterprises don’t want to take responsibility, as data controllers, for third parties.
- The smartest companies are solving these issues by making the data carry its own metadata on how it must be handled, with keys managed across a blockchain, and by applying tokenization, masking and encryption inline.
- Infrastructure is built to protect data, yet the data itself sits in the clear, so it is at risk as soon as it leaves its silo.
Key questions to ask your security and data governance groups:
- What data do we have?
- Who can see what?
- Where is your data, and who owns it externally and internally?
- Where is the perimeter, what is encrypted and where is it not?
- What data is outside of the perimeter?
John P. Beardwood is a senior partner at Fasken Martineau and the Chair of its Technology practice group. John is nationally and internationally recognized for his expertise as the “go-to expert in Canada for privacy and IT law” by Chambers Canada, Chambers Global and The Legal 500 Canada, and spoke about “Understanding the New GDPR: What’s New, and What’s the Same for Canadian Enterprises”.
John often advises clients on privacy law and access to information matters and has been developing and implementing privacy compliance programs for more than twenty years. John is regularly listed in Who’s Who Legal - The International Who’s Who of Business Lawyers as one of the ten “most highly regarded individuals” globally, and is also listed as one of only five “Thought Leaders” in TMT - North America. He is listed in Chambers Global - The World’s Leading Lawyers for Business, for Information Technology, as “very effective, efficient and remarkably accessible” and “a great lawyer”.
David Damo is a Senior Security Lead and Architect at Long View Systems. David is responsible for resolving major data breaches and for architecting and implementing security programs for a number of Fortune 500 companies, telcos and HPE. David spoke about recent example scenarios that caused data stewardship, enforcement and compliance incidents, and about new trends in data-centric security philosophies for securing sensitive data.
About Feroot Security: Feroot Security is on a mission to make the world’s data safer. Today’s “stick your head in the sand” approach no longer works in the age of GDPR, PIPEDA and other soon-to-be-effective and increasingly stringent privacy regulations. The Feroot platform monitors sensitive data that is handled by third-party AI and SaaS vendors and creates data mapping and data chaining for associating data with its respective regulatory obligations.