CSX2018 - GDPR 3rd Party


The impact of GDPR on Third-Party and M&A security

Dr Marco Ermini, CISA, CISM, CISSP, ITILv3, GCIH, RCSS, PhD


Senior Security and Compliance Officer, Orange Business Services
Take away

• Describe the impact of GDPR on three different but connected business processes:
– Mergers & Acquisitions (M&A)
– Third-party security
– Outsourcing security
• Approaching an external organization is going to be different after GDPR is in force

Copyright © 2018 Information Systems Audit and Control Association, Inc. All rights reserved.
What is this all about?

• GDPR impact has been mostly focused on technology
• Understand the general impact of GDPR on M&A prospects
• Impact of GDPR on third-party and outsourcing security
• Identify specific GDPR programs which affect third-party, outsourcing and M&A processes
• What "privacy" means in the context of M&A activities, outsourcing and third-party
Let’s get started!

Setting the stage

Compressed GDPR, or "GDPR for dummies"
Three Dimensions of GDPR

• Legal. The GDPR is a law. This research note is not intended as legal advice or comprehensive guidance.
• Procedural. (New) roles, responsibilities, accountabilities and processes to be implemented
• Technical. The GDPR includes many data protection principles and requirements that must be enabled by technology, or that require technology to limit impact to internal operations
Personal Data and Privacy

• The GDPR is about protection of personal data and privacy
• Securing personal data is only a subset of all requirements
• "Personal data" in the GDPR depends on context
• Ask the company's legal advisor
Why GDPR is a concern

1. GDPR is enacted law, not an elective standard; penalties for noncompliance are potentially severe
2. GDPR is "extra-territorial", which means it applies to all organizations that offer goods and services into EU markets
3. Reputational damage, loss of employees and erosion of customer trust are inevitable if you disregard the rights of data subjects or fail to report and deal with a breach of their personal data correctly
4. GDPR refers to the inclusion of a data processor in your business process, which broadens the attack surface for vulnerabilities and the controller's responsibility to keep informed on the data processor's status
Implementing a GDPR program

Gap Analysis and/or Implement Basic Aspects
GDPR in a Nutshell – 1/2

1. Governance and Accountability
2. Privacy "by design" and "by default"
3. Privacy Impact Assessment
4. Enforcement
5. New rights for Data Subjects (DS)
6. New obligations for Data Processors (DP)
7. Privacy Notices
GDPR in a Nutshell – 2/2

6. User consent
7. Data Protection Officers (DPO)
8. Notification of security breaches
9. Enforcement scope
10. European Data Protection Board
11. Concepts of "pseudonymised" data and privacy seal ("EuroPriSe")

Image credits: https://www.peerlyst.com/posts/gdpr-getting-to-the-lawful-basis-for-processing-david-froud
Data Subjects rights

• The GDPR does provide data subjects with a set of rights over
the administration and use of their personal data
• Organizations that control personal-data processing activities
throughout the data life cycle should have less trouble enabling
these rights
• The right to data portability could be assured by implementing a
self-service portal; the same online platform can be used to
provide transparency and notification
• The right "not to be subject to a decision based solely on
automated processing, including profiling" implies a strong
focus on automation of analytics and the use of the subsequent
results
Data Subject consent

• It should be freely given; there can be no coercion or pressure
– Consider employee relations
• "Consent" in the GDPR requires several conditions:
– "By a clear affirmative act"
– "Specific"
– "(As an) informed and unambiguous indication of the data subject's agreement to the processing of personal data"
• The burden of proof that consent was obtained lies with the data controller
Recap: DC vs DP

Data Controller:
– Controls what personal data is processed
– Responsible for the processing purpose (e.g. determines why that personal data is processed)
– Responsible for the means of processing by the Data Processor
– May create third-party agreements with Data Processors and sub-Processors

Data Processor:
– Uses data only as instructed by the Data Controller
– Processes data as instructed by the Data Controller
– Must respect the contractual agreement with the Data Controller
– May create sub-Processor agreements as authorised by the Data Controller

Data Processor = Third-Party
DC vs DP

• Organizations should be aware that they can occupy both roles in different processing activities
• Using a cloud-hosting provider's services, an organization may be a data controller and the hosting provider the data processor, as it stores and processes the data on behalf of the data controller.
• Conversely, when deploying EU-based employees, the cloud provider may be the controller for the HR activities.
• Similarly, a marketing agency may be a B2B client's data processor in the initial service provision, but when it uses the data gained in contracts to enrich profiles for a campaign of its own, it is the data controller for the latter activity.
Implementing a GDPR program

GDPR Implementation Basics
GDPR Personal Data Lifecycle

Collect + Classify
• Define the purposes of collection
• Collect only the personal data necessary
• Inform data subjects
• Identify the categories and sensitivity of personal data

Process
• Process personal data lawfully, fairly and transparently
• Facilitate the exercise of Data Subject rights

Delete
• Do not keep personal data for longer than it is necessary
• Upon lawful request, erase a data subject's personal data without undue delay
• Notify any processors of the erasure request

Secure
• Implement technical and organizational measures to ensure a level of security appropriate to the risk based on the nature, scope, context and purposes of processing.

Share
• Only share personal data with processors that provide sufficient guarantees
• Perform GDPR compliant cross-border data transfers

Document
• Maintain records of all processing activities covering the entire personal data lifecycle
GDPR Gap Analysis How-To

• Performing a risk assessment
– data processing activities
– each technical and organizational control
• Developing a prioritized remediation roadmap
• Implementing technical, organizational, policy, and process improvements
• Documenting the overall control environment
– strengths
– weaknesses
– intended future state
Basics of GDPR Implementation

1. Write a Privacy Notice and publish it
2. Inventory of processes and activities
3. Implement Data Retention
4. Implement Data Subject access rights and consent requests
– B2C
– HR
– Procurement
5. Perform Data Protection Impact Assessment
6. Implement Security & Privacy by design / privacy by default
7. Handle personal data transfer & Third-Party management
8. Ensure Data Breach management process is in place
Art. 30, "Records of Processing Activities" – 1/2

• Art. 30 is the foundation for all compliance activities
• Opportunity to leverage the information being collected to enable "flags" which indicate high-risk business processes
• Use art. 30 to set up a system which starts to document what is collected and from whom it is collected
• Automate time-consuming and time-sensitive processes (sending reminders, etc.)
• Set up thresholds to identify where something triggers a Data Protection Impact Assessment (DPIA) – or not
• Use this system to check cross-border data transfer points
Art. 30, "Records of Processing Activities" – 2/2

• Justify the collection of data, data retention, and identify where the right consent is given – legitimate business activity?
• Set up reminders of when data needs to be "retired"
• Build in reporting for external vendors – interactive technology, trigger questionnaires, etc.
• Make it simple for the Data Subject
– single point of contact and front-end process (self-service portal)
– standard templates (informative and standard)
– backend processes codified and standardised
• Interaction as a positive experience, reflect the company positively
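A minimal Art. 30 register implementing the three mechanisms the two slides above call for (DPIA "flags", retention reminders, and cross-border transfer checks), as an added example written for this page; it is not ISACA's, the speaker's or Orange's tooling. Everything in it is an assumption: the `ProcessingActivity` fields, the `LARGE_SCALE_SUBJECTS` threshold of 10,000 data subjects (each organisation sets its own), the use of the Art. 35(3) criteria as DPIA triggers, and `ADEQUACY_PLACEHOLDER`, which stands in for the Commission's current adequacy list. The sample entries are constructed.

```python
"""Minimal Art. 30 register with DPIA-trigger flags, retention reminders and
cross-border transfer checks. Example code written for this page; thresholds
and country lists are illustrative assumptions, not legal guidance."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed threshold for "large scale" processing: organisations set their own.
LARGE_SCALE_SUBJECTS = 10_000

# EEA states (ISO 3166-1 alpha-2). Transfers inside the EEA are not
# "cross-border" in the GDPR Chapter V sense.
EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
       "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
       "PT", "RO", "SK", "SI", "ES", "SE"}
# Placeholder only: replace with the Commission's current adequacy decisions.
ADEQUACY_PLACEHOLDER = {"CH"}

@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    lawful_basis: str            # e.g. "consent", "contract", "legitimate interest"
    data_categories: list
    special_category: bool       # Art. 9 data (health, biometrics, ...)
    subjects_estimate: int
    automated_decisions: bool    # Art. 22 decisions / profiling
    systematic_monitoring: bool
    retention_days: int
    collected_on: date
    processors: list = field(default_factory=list)
    transfer_countries: list = field(default_factory=list)

def dpia_triggers(a):
    """Reasons (Art. 35(3)-style) why this activity needs a DPIA; empty = none."""
    large = a.subjects_estimate >= LARGE_SCALE_SUBJECTS
    reasons = []
    if a.automated_decisions:
        reasons.append("systematic evaluation by automated decision-making / profiling")
    if a.special_category and large:
        reasons.append("large-scale processing of special-category data")
    if a.systematic_monitoring and large:
        reasons.append("large-scale systematic monitoring")
    return reasons

def retention_due(activities, today, warn_days=30):
    """Activities whose retention period ends within warn_days (or already ended):
    the 'retire' reminder list."""
    due = []
    for a in activities:
        retire_on = a.collected_on + timedelta(days=a.retention_days)
        if retire_on - today <= timedelta(days=warn_days):
            due.append((a.name, retire_on))
    return due

def transfer_findings(activities, adequacy=ADEQUACY_PLACEHOLDER):
    """Flag every destination outside the EEA. Destinations without an adequacy
    decision need another Chapter V mechanism (e.g. standard contractual clauses)."""
    findings = []
    for a in activities:
        for cc in a.transfer_countries:
            if cc in EEA:
                continue
            status = "adequacy decision" if cc in adequacy else "transfer mechanism required"
            findings.append((a.name, cc, status))
    return findings

def register_report(activities, today):
    return {
        "dpia": {a.name: dpia_triggers(a) for a in activities if dpia_triggers(a)},
        "retention_due": retention_due(activities, today),
        "transfers": transfer_findings(activities),
    }

# Constructed sample register entries.
SAMPLE = [
    ProcessingActivity("crm-marketing", "email campaigns", "consent",
                       ["name", "email"], False, 50_000, True, False, 365,
                       date(2018, 1, 15), ["mail-vendor"], ["US"]),
    ProcessingActivity("hr-payroll", "salary payments", "contract",
                       ["name", "iban", "sick leave"], True, 800, False, False, 3650,
                       date(2016, 6, 1), ["payroll-saas"], ["DE"]),
]

def sample_report(today=date(2018, 12, 20)):
    return register_report(SAMPLE, today)

if __name__ == "__main__":
    import pprint
    pprint.pprint(sample_report())
```

The payroll entry holds special-category data but is not flagged for a DPIA because it is far below the large-scale threshold, while the marketing entry is flagged for profiling regardless of scale; that is the kind of threshold logic the slide means by "set up thresholds".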
Information is the new gold

• Information is an asset
– Like software and hardware assets, build an inventory
• Information is fluid
– Include data flow diagrams
• Answer these questions & document the answers
– What data do we have?
– How and why do we collect it?
– What do we do with it?
– Where do we store it?
– How do we secure it?
– Who do we share it with?
– How long do we retain it?
– What do we do with it at end of life?

Third-Party vs Critical Infrastructure

Source: Awareness Briefings on Russian Government Activity against Critical Infrastructure

Lessons learned

• Attackers are patient (instances of lying in wait for over a year)
• Attackers know not to walk in the digital front door, preferring to hit weak vendors
• Pivoting is not confined to just a company; pivoting across companies is very real
• "Secure" vendors are not as secure as they want us to think
• When vendors brag about having certain companies as clients, they open themselves up as targets
• External firms are being used as staging and exfiltration points
• Moving between traditional IT and ICS/SCADA is relatively simple today
Third-party and GDPR

• Many organizations outsource processing of personal data to third-party service providers
– Very little control over data, increased risk of noncompliance
– Security posture is rarely an evaluation criterion
• Recommendations
– Specify vendor-selection criteria
– Add requirements as exclusion/inclusion criterion in procurement
– Ensure adherence to the requirements throughout the lifetime of the contract by leveraging one or more assurance methods as described
Google’s VSAQ

Source: Google VSAQ

Minimize third-party and internal risks

• Use automation for vendor management
• Reduce the amount of work: look for controls that meet the purpose, and expect from the vendor the same control and documentation level that you expect for your own internal operations
• Teeth in the contracts, periodic review
• Breach due to vendor? Data exposed? Show that due diligence was done, appropriate controls were in place and additional security practices were instantiated to protect to the best level of ability and appropriate to the level of sensitivity
• Diversified data stores: pull data from different IT security applications to confirm that everything you said you would do is done; if not, create a gap analysis and remediation plan. Visibility is the key.
Supplier's Management – ISO 27001

Supplier lifecycle stage and the ISO 27001 clause/control that supports it:
– Risk Assessment: clause 6.1.2
– Screening / Selecting / Auditing: control A.7.1.1
– Clauses in the agreement: control A.15.1.2
– Access control: control A.9.4.1
– Compliance monitoring of the agreement: control A.15.2.1
– Termination: controls A.8.1.4 and A.9.2.6
Cybersecurity and GDPR for M&A

• Why does M&A need Cyber Security support?
• What is the impact from the GDPR?
• What value does a security professional bring to the team?
Business Drivers

• Confidentiality
• Speed
• Business as usual
– Zero Impact
• Informed Business Decision on Risk

M&A Threats

• Special Interest Groups – gain from the Operation
– Financial Criminals
– Competitors
– Acquisition / Merger Company
– Disgruntled Employees
• General Interest Groups – gain from Impact
– Script Kiddies / Hackers
– Hacktivists / Terrorists
– Spies
This used to be the only threat…

Introspection moment
Scoping the Risks
• Publicity, raising profile — your interest gets attacker’s interest!
• Impact on:
– Resources
– Technologies
– Infrastructure
• Disgruntled Employees
• Change in threat and risk model
• Absorbing unknown / confusion
• Creating new attack vectors and window of opportunity
• Business drivers force the hand of the Security Manager very quickly
• Are we all really equipped for change?

How Due Diligence looks for real

Virtual Data Rooms

GDPR driving changes in M&A

• Significant behavioural change in acquirers
• Embed GDPR considerations in technology due diligence
• Failing to do this brings significant transaction risks
• Gap Analysis for GDPR readiness
• Key areas: due diligence and post-merger integration
Due diligence – technical goals

• Actual liabilities in terms of compliance
• How divergent a target is from the buyer's internal processes and standards
– potential impact on the post-merger roadmap
• Latent security issues in the product/service
– reputational, operational, financial or legal impact
• Identify risks in:
– Compliance
– Market
– Technical assets including intellectual property
– Operations
– Integration
Due diligence risk assessment

• "Privacy risk"
• Much more comprehensive
• How target collects, stores, uses and transfers personal data
• Historical data breaches
• Include data processing in NDAs
• QUIZ time!

Buyer – Data Controller
Target – Data Processor
M&A experts on GDPR and Cybersecurity

Engage cybersecurity risks for GDPR in M&A

• Engage cybersecurity experts

• New questions
– How is cyber-diligence conducted?
– Specialist service providers?
– What do we need to be aware of?
– Has the business enough technical knowledge?

Four Steps for Due Diligence

• Completeness and suitability of the approach of target
• Data sets, risks and mitigations for GDPR risks have been assessed
• Changes to the treatment of the data sets, risks and mitigations for GDPR risks have been assessed as a result of the M&A activity
• Analysis of the separation and carve-out risks for GDPR
Post-Merger activities – Basics

• Capture
• Connect
• Combine
• Consolidate
Post-Merger activities – GDPR specifics

• Address consent from existing Data Subjects
• Security Transformation Program
• Manage risk in the short/medium term while satisfying compliance
• Ensure detect and respond strategy for cyber security incidents
• Technical Security consulting in cyber security
The Role of the Cybersecurity Expert

• Protecting the effort itself
– Confidentiality of the total effort
– Confidentiality of the team's work
• Evaluating the security condition of the target company
– Impact on the deal's value – GDPR into play
– Asking the right questions
• Providing subject matter expertise
– Identify Security Requirements for the New Company
– Controlling Rumors
– Managing Global/International Aspects
– "Team Consultant"
– Low Hanging Fruits
The Cybersecurity Expert in action

• Preliminary background investigations
– Collection of Open-Source information
• Due diligence
– More in-depth look
– Estimation of Costs of Cyber Security – GDPR impact!
• Operations security – post-merger into focus
– Protect operational activities
– Develop and implement protective measures
– Appropriate for each phase of the acquisition
Combining the two companies

• Resources, staffing, processes, and systems
• Business processes
• IT tools
• Active Directory merging strategy is key!
• The Target company has comparable / same security
• Exceptions are documented and signed off by leadership
• Agreed-upon designs
• Operations turned to standard support
• Weekly or recurring meetings
IT/Cybersecurity Post-Mergers Objectives

SMALL
Target Characteristics:
➤ Small employee base (< 200 employees)
➤ Low complexity infrastructure
➤ Private ownership
➤ Little to no geographical diversity
➤ No separate legal entities
➤ No/limited need to keep the same facilities
➤ No/limited need to keep the existing technologies
➤ Purchased for limited product portfolio, technology, talent, or local presence
Security Guidelines:
➤ Baseline security controls
➤ Target is fully absorbed into IT
➤ All IT labor is absorbed into IT global business units
SLAs:
➤ Security controls established or confirmed in less than 100 days

MEDIUM
Target Characteristics:
➤ Similar to previous kind, but Target has certain identifiable complexities that require specific sensitivity during integration
➤ Fewer than 500 employees
➤ Needs to be stand-alone for a certain period of time
➤ During stand-alone time, Target maintains defined non-compliances
➤ Supports its own IT infrastructure during the stand-alone phase
Security Guidelines:
➤ Integration of Target may be full, hybrid, or standalone
➤ All IT labor is absorbed into IT global business units
SLAs:
➤ Operation integration of some IT infrastructure may take +180 days
➤ Processes may take 3 to 9 months

LARGE
Target Characteristics:
➤ More than 500 employees
➤ Relatively large operations
➤ Significant multinational presence and subsidiaries
➤ Target contains certain identifiable complexities that require specific sensitivity during integration
Security Guidelines:
➤ Integration of Target may be full, hybrid, or standalone
➤ Customized integration plan
➤ IT labor can stay, funded by Target company
➤ IT Support is shared
SLAs:
➤ Operation integration of some IT infrastructure may take +180 days
➤ Processes take more than 12 months
Merging Policies

• Safeguards against disgruntled employees
• New employee contracts
– Are existing Policies still relevant?
– Are we "dumbing down" their security?
• Existing employee contracts
– Do they protect you?
– Do they meet the new relationship?
• Identify key policies – yours vs theirs
– Work with Legal Departments
Conclusions

• Lack of privacy documentation can lower target's value
• Privacy by design and by default can leave the business falling behind
• "Personal information is the new gold"
• Strategy for cost-effective data protection =
– Competitive advantage
– Boost in value
– Considered more secure and trustworthy by customers
– Emphasize valuation
• Rewards in greater utilization of personal data
• Potential reward: increase M&A deal value significantly
GDPR has no specific guidance on Cloud

• Using Cloud Services invokes a shared responsibility model
• GDPR creates issues for organizations that process personal data in the Public Clouds
– rights of data subjects
– data residency
– cross-border transfers
• The level of support from cloud providers may not be known
• Recommendations:
– gap analysis
– identify the organizational and technical actions required
– ask all public cloud service providers to provide required certification or proof of adherence to a code of conduct
Helpful Cloud tools

• A Data Controller is responsible for the conduct of any of its Data Processors – even if they are Cloud Providers
• Noncompliance with regard to GDPR on the vendor side reflects on the compliance of the end-user organization
• Moving to the cloud may add to the security aspects of the processing activity, but could also lead to residency concerns
• CASB service may be helpful
• Data protection in hybrid or on-premises operations is increased by adoption of DCAP products
• Privacy compliance is demonstrated by mapping, dashboarding and logical control application
Cloud IaaS and GDPR

• IaaS cannot make a company GDPR-compliant, but can help
• On their own, Clouds' behaviour and tools will be insufficient
– Google and Microsoft have specific awareness of user-generated personal data
– AWS currently offers this in a limited way with Amazon Macie
• Recommendations
– Perform a DPIA when selecting a Cloud Provider
– Perform a DPIA for each business process using a Cloud Provider
– Use Cloud-provided tools when the risk assessment identifies that they can adequately address that part of the GDPR problem
Implementing a GDPR program

Can I insure against GDPR violations?
What cannot be insured

• Generally, any fine
– especially if connected to deliberate recklessness or connected to a criminal offence
• Customer churn
• An insurer may not be liable for payment of indemnity in certain circumstances
What can be insured

GDPR Regulatory Heat Map

Data Regulatory Environment:
– High: Austria, Belgium, France, Germany, Ireland, Italy, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland
– Fairly High: Cyprus, Czech Republic, Denmark, Estonia, Finland, Greece, Hungary, Latvia, Luxembourg, Romania, Slovakia, Slovenia
– Moderate: Bulgaria, Croatia, Lithuania, Malta

Insurability of fines:
– Not insurable: Austria, Belgium, Bulgaria, Cyprus, Croatia, Czech Republic, Denmark, France, Hungary, Ireland, Italy, Latvia, Luxembourg, Malta, Portugal, Romania, Slovakia, Spain, Switzerland, United Kingdom
– Unclear: Estonia, Germany, Greece, Netherlands, Poland, Lithuania, Sweden
– Insurable: Finland, Norway

Source: DLA Piper (update 2018)
Three dimensions of continuous improvement

Risk Management, Information Lifecycle, Privacy by Design, Privacy by Default, Data Discovery & Classification

Security Processes:
– Asset Management
– Physical Security
– Change Management
– Incident Response
– Breach Notification
– Compliance Programs
– Vulnerability Management
– Third-party Management
– Documentation Management

Technical Measures:
– Access Control
– Data Deletion
– Encryption
– Pseudonymisation (Data Masking)
– Monitoring
– Secure Configuration
– DR/BCM
– Application Security
– Data Leakage Prevention
– Content Filtering

Organizational Measures:
– Employment Procedures
– Confidentiality Agreements
– Security & Privacy Awareness
– Acceptable Use Policy
– Access Controls
Selected Controls Supporting GDPR Activities

– Consent Management: Art. 7
– Data Portability: Art. 20
– Record of Processing Activities (ROPAs): Art. 30
– Data Privacy Impact Assessment (DPIA): Art. 35
– Right to Access: Art. 15
– Protection by Design and Default: Art. 25
– Continuous Compliance: Art. 32
– International Data Transfer: Art. 44-46
– Ability to Erase Personal Data: Art. 17
– Pseudonymisation (Data Masking): Art. 6, Recitals 26, 28
– Breach Notification: Art. 33, 34
Encryption and Pseudonymisation

• Encrypted data usually leads to pseudonymisation
– Re-identification and decryption after a data breach are still a risk
• Anonymise means delete or change identification marks so that re-identification is impossible
• Pseudonymisation means prevent identification of the individual by unauthorized parties or render such identification difficult
• Pseudonymisation can include data masking, redaction, tokenization and/or encryption
• Ways to enhance security, but they do not necessarily create data that is out of scope for the GDPR
• Data breaches on encrypted personal data should still be reported to the regulatory authority
Data Masking

• Two main reasons to use data masking
1. personal identifiable data can only be used for designated purposes
2. masking reduces risk/impact from a data breach
Tokenisation vs Encryption

Tokenisation:
– Output is format and length preserving
– May or may not use encryption as mapping function (can use hashing as mapping table)
– Output may or may not be reversible
– Relevant to: PCI DSS, GDPR
– Main use case: reduce PCI scope

Encryption:
– Output is generally not format or length preserving, except for FPE/OPE
– Encryption does not have any use for tokenisation
– Given the key, output is always reversible
– Relevant to: GDPR, HIPAA
– Main use case: confidentiality of data at rest
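The four pseudonymisation techniques named across the "Encryption and Pseudonymisation", "Data Masking" and "Tokenisation vs Encryption" slides, side by side, so the properties in the table (format/length preservation, reversibility, what a breach exposes) can be checked on real values. This is an added example written for this page, not ISACA's or any product's code. Assumptions: the `TokenVault` is a random mapping table (one of the two mapping approaches the table allows); `keyed_pseudonym` uses HMAC-SHA256; and `encrypt`/`decrypt` are a toy CTR-style stream cipher built from HMAC-SHA256 so the block runs on the standard library alone, standing in for AES-GCM, which is what a real deployment would use. The sample values are constructed.

```python
"""Pseudonymisation techniques compared: masking, vault tokenisation, keyed
pseudonyms and encryption, with their reversibility properties.
Example code written for this page (not ISACA's or any product's code). The
stream cipher is a toy built from HMAC-SHA256 so the block has no dependencies;
use AES-GCM from a real library in practice."""
import hashlib
import hmac
import secrets
import string

def mask(value, keep_last=4, char="*"):
    """Redaction/masking: irreversible, format and length preserving."""
    keep = value[-keep_last:] if keep_last else ""
    return char * (len(value) - len(keep)) + keep

class TokenVault:
    """Tokenisation with a random mapping table. Format/length preserving;
    reversible only for whoever holds the vault (the mapping itself)."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenise(self, value):
        if value in self._to_token:
            return self._to_token[value]
        while True:
            # Same character class per position keeps the format (e.g. 16 digits).
            token = "".join(secrets.choice(string.digits) if c.isdigit()
                            else secrets.choice(string.ascii_letters) if c.isalpha()
                            else c for c in value)
            if token not in self._to_value and token != value:
                break
        self._to_token[value], self._to_value[token] = token, value
        return token

    def detokenise(self, token):
        return self._to_value[token]

def keyed_pseudonym(value, key):
    """HMAC pseudonym: deterministic (linkable across records) and not reversible
    from the output alone. A leaked key plus a guessable input space still allows
    re-identification by trial, so the slide's breach caveat applies."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def _keystream(key, nonce, n):
    # Toy CTR keystream: HMAC(key, nonce || counter) blocks concatenated.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(value, key):
    """Toy stream-cipher encryption. Output is hex(nonce || ciphertext):
    neither format nor length preserving, unlike tokenisation."""
    nonce = secrets.token_bytes(12)
    data = value.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()

def decrypt(blob, key):
    """Given the key, encryption is always reversible."""
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def breach_reidentifiable(artifact_kind, attacker_has):
    """Whether a leaked protected field can be re-identified, given what else
    leaked with it. Encodes the slide's point: tokenised or encrypted data is
    still personal data while the vault or key exists somewhere."""
    table = {
        "masked": False,
        "token": "vault" in attacker_has,
        "hmac": "key" in attacker_has and "guessable input" in attacker_has,
        "ciphertext": "key" in attacker_has,
    }
    return table[artifact_kind]
```

Run it on a constructed card number and e-mail address: the token keeps 16 digits (PCI-style scope reduction), the ciphertext is hex and longer than the input, and only the ciphertext row of `breach_reidentifiable` flips on the key alone, which is why the slide says a breach of encrypted personal data still has to be reported.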
Consent Management Tools

• Standards are lacking
• Building trust-based relationships between consumers and brands that put consumers in control of their personal data.
• Key to avoid the high costs of noncompliance
• It will likely be absorbed into consolidated marketing suites
– Document precise user experience (UX) requirements
– Develop a granular consent matrix
– Provide a customer consent dashboard
– Determine if a packaged consent management solution is justified
– Implement formal review and approval for consent flow designs
– Prototype with designers and customer experience experts
– Designs soliciting consent where its value is clear to users
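A granular consent ledger that enforces the conditions listed on the "Data Subject consent" slide (affirmative act, specific, informed) and produces the "consent matrix", dashboard view and evidence bundle this slide asks for, so the controller can carry the burden of proof. Added example written for this page; it is not any vendor's consent-management product. The `ConsentEvent` fields, the bundled-purpose heuristic in `validate`, and the hash chain used to make the record tamper-evident are all assumptions; the events are constructed.

```python
"""Append-only consent ledger: one event per (subject, purpose), validated
against the GDPR consent conditions, hash-chained so the controller can show
the record was not altered. Example code written for this page."""
from dataclasses import dataclass
from datetime import datetime
import hashlib
import json

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # exactly one purpose per event: "specific"
    granted: bool           # True = given, False = withdrawn
    affirmative_act: bool   # the subject acted (ticked an unticked box); never a default
    notice_version: str     # privacy notice shown at the time: "informed"
    source: str             # channel where the act happened (evidence)
    at: datetime

def validate(ev):
    """Return the list of consent-condition violations (empty = valid)."""
    problems = []
    if ev.granted and not ev.affirmative_act:
        problems.append("consent must be a clear affirmative act, not a pre-ticked default")
    if any(sep in ev.purpose for sep in (",", "+", " and ")):   # assumed heuristic
        problems.append("bundled purposes are not 'specific'; record one purpose per event")
    if not ev.notice_version:
        problems.append("no privacy notice version recorded: consent cannot be 'informed'")
    return problems

class ConsentLedger:
    def __init__(self):
        self._events = []
        self._prev_hash = "0" * 64

    def record(self, ev):
        """Validate, then append with a SHA-256 chain over the previous entry."""
        problems = validate(ev)
        if problems:
            raise ValueError("; ".join(problems))
        payload = json.dumps({**ev.__dict__, "at": ev.at.isoformat()}, sort_keys=True)
        digest = hashlib.sha256((self._prev_hash + payload).encode()).hexdigest()
        self._events.append((ev, digest))
        self._prev_hash = digest
        return digest

    def is_permitted(self, subject_id, purpose, when):
        """The latest event for (subject, purpose) at or before `when` decides;
        no event at all means no consent."""
        state = False
        for ev, _ in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                state = ev.granted
        return state

    def matrix(self, subject_id, when):
        """Consent matrix / dashboard row: purpose -> current state."""
        purposes = {ev.purpose for ev, _ in self._events if ev.subject_id == subject_id}
        return {p: self.is_permitted(subject_id, p, when) for p in sorted(purposes)}

    def evidence(self, subject_id, purpose):
        """Proof bundle for a data subject or supervisory authority request."""
        return [(ev.at.isoformat(), ev.granted, ev.notice_version, ev.source, h)
                for ev, h in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]

# Constructed scenario: consent given on the web, withdrawn a week later.
T_GRANT = datetime(2018, 5, 25, 9, 0)
T_BETWEEN = datetime(2018, 5, 28, 0, 0)
T_WITHDRAW = datetime(2018, 6, 1, 12, 0)
T_AFTER = datetime(2018, 6, 2, 0, 0)

def demo_ledger():
    led = ConsentLedger()
    led.record(ConsentEvent("u1", "newsletter", True, True, "v2", "web-signup", T_GRANT))
    led.record(ConsentEvent("u1", "profiling", True, True, "v2", "web-signup", T_GRANT))
    led.record(ConsentEvent("u1", "newsletter", False, False, "v2", "preferences-page", T_WITHDRAW))
    return led
```

Withdrawal does not need an affirmative act in the same sense, so `validate` only enforces it on grants; the ledger keeps the withdrawal event rather than deleting the grant, which is what lets `evidence` show both the original consent and when it ended.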
Identity and Access Management

• Heart of data compliance strategy
• Central SSO management is critical for Cloud control
– "GDPR policy"
– Multi-factor authentication
– Restrict contractors/externals
– Geographical policies
• Can be paired with a CASB product
Zero Knowledge Proofs

• "Privacy-preserving messaging protocols that enable entities to prove that information available to both of them is correct, without the requirement to transmit or share the underlying information"
• Characteristics
A) Completeness – encoding as a polynomial problem
• The prover wants to convince the verifier that this equality holds
B) Succinctness by random sampling
• Reduces both the proof size and the verification time tremendously
C) Homomorphic encoding / encryption
• Allows proving E(func(s)) without knowing s
D) Zero Knowledge
• The prover obfuscates in a way that the verifier can still check their correct structure without knowing the actual encoded value
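The simplest working instance of the "prove without sharing the underlying information" definition above, added here as an example written for this page: an interactive Schnorr proof of knowledge of a discrete logarithm, with the simulator that demonstrates the zero-knowledge property. It is a textbook sigma protocol, not the SNARK-style constructions (polynomial encoding, random sampling, homomorphic encoding) the slide's characteristic list refers to. The group parameters are an assumption and toy-sized so the arithmetic can be followed by hand; they provide no security.

```python
"""Interactive Schnorr proof of knowledge of x such that y = g^x (mod p).
Shows completeness (honest prover convinces), soundness against a wrong
witness, and zero knowledge (a simulator produces valid transcripts without x).
Example code written for this page; toy parameters, not for production."""
import secrets

# Toy parameters (assumption): p = 2q + 1 is a safe prime and g generates the
# subgroup of prime order q, so exponents live in Z_q.
P, Q, G = 23, 11, 4

class Prover:
    def __init__(self, secret):
        self.x = secret % Q                 # the witness the prover wants to keep private
        self.public = pow(G, self.x, P)     # y = g^x, known to both parties

    def commit(self):
        self.r = secrets.randbelow(Q)       # fresh randomness per proof
        return pow(G, self.r, P)            # t = g^r

    def respond(self, challenge):
        return (self.r + challenge * self.x) % Q   # s = r + c*x (mod q)

class Verifier:
    def challenge(self):
        # Non-zero challenge so a wrong witness can never pass by luck (c = 0).
        self.c = 1 + secrets.randbelow(Q - 1)
        return self.c

    @staticmethod
    def check(public, t, c, s):
        # Accept iff g^s == t * y^c (mod p); holds exactly when s = r + c*x.
        return pow(G, s, P) == (t * pow(public, c, P)) % P

def run_protocol(secret, claimed_secret=None):
    """Run one round. With claimed_secret=None the prover is honest (completeness);
    otherwise the prover uses a different witness for the same public key and
    must fail, because c*(x' - x) != 0 (mod q) for every non-zero c."""
    honest = Prover(secret)
    prover = honest if claimed_secret is None else Prover(claimed_secret)
    public = honest.public
    verifier = Verifier()
    t = prover.commit()
    c = verifier.challenge()
    s = prover.respond(c)
    return Verifier.check(public, t, c, s)

def simulate_transcript(public):
    """Zero knowledge: without x, choose (c, s) first and set t = g^s * y^(-c).
    The transcript verifies and is distributed like a real one, so a transcript
    reveals nothing about x that the verifier could not have made up alone."""
    c = 1 + secrets.randbelow(Q - 1)
    s = secrets.randbelow(Q)
    y_inv_c = pow(pow(public, c, P), -1, P)     # modular inverse (Python 3.8+)
    t = (pow(G, s, P) * y_inv_c) % P
    return t, c, s

if __name__ == "__main__":
    y = pow(G, 7, P)
    print("honest prover accepted:", run_protocol(7))
    print("wrong witness accepted:", run_protocol(7, claimed_secret=3))
    print("simulated transcript verifies:", Verifier.check(y, *simulate_transcript(y)))
```

The verifier's check is the "equality" the slide's completeness bullet alludes to; the simulator is the operational meaning of zero knowledge: if anyone can forge convincing transcripts without the secret, a transcript cannot be evidence of the secret.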
Zero Knowledge Proofs – user advice

• Gain a deeper understanding of the nature of these controls
• Be realistic with the current immaturity of ZKP solutions
• Evaluate how such controls may impact transaction authentication and ultimately consumers
• Assess the impact on the broader information management strategy
• Assess the architectural implications for using ZKP with different blockchains and distributed ledgers
“Hype-Cycle” of GDPR

Privacy Officers

• Preparatory plan
• Build relationships
– Identify stakeholders
– Campaign internally
– Increase organizational understanding
– Map out a plan for the future
• Establish the Privacy Program
– Maintain privacy documentation for business units and users
– Establish a companywide mandatory reporting mechanism
– Review existing personal-data-processing operations
– Prioritize actions
• Keep reputation for integrity, inside and outside the company
Incident Management
Recent Incidents
Reporting to the CFO and Potential Investors

Key Findings from breached companies

• Shares hit low point approximately 14 market days after breach
– share prices -2.89% on average, underperform NASDAQ by 4.6%
• After about a month, share prices rebound and catch up to NASDAQ performance
• After the first month, companies performed better than prior to the breach
– six months before breach, average share price +3.64%, but +7.02% after breach
– underperformed the NASDAQ by 1.53% before breach, outperform it by 0.09% afterward
• Finance and payment companies have the largest drop in share price performance; Healthcare companies are the least affected
• Companies holding highly sensitive information see larger drops in share price
Dealing with a Breach

• Plan for a security incident.
• Determine and document your response priorities and escalation paths.
• Brainstorm with members of the organization to think through various scenarios.
• Draft messaging and corporate communications based on the scenarios.
• Know which vendors are material to your operations.
• Make sure that those involved in the response know what their roles will be and what authority they hold. Document it.
• Exercise the plan at least twice per year, preferably quarterly. The more realism you inject into the exercise, the more likely it will execute smoothly in real life.
Backup Slides
GDPR Implementation Landscape
Practice Validation Requirements

Gartner’s Recipe for GDPR Compliance

Gartner’s Priority Matrix for GDPR

