
So the background to that is that I've actually worked a long time in endpoint protection, specifically looking at what the target asset of an attacker is, be it insider or outsider. As for the other things I do, the reason he said "one and only" is because I run BSides London; I'm one of the directors of BSides London. I'm very active, let's say; I do a lot of things all over the place. Don't follow my Twitter right now unless you'd like to hear sarcasm, rants and complaints about Brexit. That's why I'm wearing the yellow thing, because I need to leave the UK by the end of next year; I'm not English.

So let's get to the gist of the talk. I am going to change the format slightly. I'm still going to do the 15 minutes of audience feedback, but I'm going to reverse it: I'm going to ask the audience questions, just to get your feedback on what you're doing with your incident response plan. So how many of you are actually doing incident response in this room? Do you do incident response? Quite a few, thanks.

So as you know, we have a beautiful thing in Europe called the GDPR. I love the GDPR, but it's not only Europe, right? We're seeing a lot more legislation come out. We've got the Turkish data protection law, which is almost the equivalent of the GDPR; there's one big difference: if you violate the Turkish data protection law you go to jail, okay, and you don't want to go to jail, not to a Turkish jail. You've got the New York Department of Financial Services, which also has a cybersecurity regulation, and the California Consumer Privacy Act of 2018. Does anybody know what the similarity between this one and that one is, between NY DFS and the GDPR? It's a number: 72. Do you know what 72 is? 72 hours, right, the amount of time that you have to report a data breach. You also have roadmap legislation coming into play: South Korea is preparing one, Japan and Canada are preparing some as well. Japan and Canada are doing it; I think there are others on the list as well, because they want to do trade with Europe, and Europe is starting to insist that if you're going to do trade with us you need to have a data protection plan in place. So this is becoming really important for incident responders, because there are requirements on understanding where a data breach comes into play, and this is the gist of what I've been doing a lot with companies, talking about how you actually focus your incident response. So we're focusing on the GDPR for this talk, because it's more or less what we
need to talk about. So we have different flavours of incident response, but one commonality between each flavour of incident response is that you're focusing on the who, the how, and what they've done to your environment. You're not really focusing on the consequences initially, right? You focus on the consequences a lot further down the path. So the one on the left is the typical one: if you do your SANS GCIH, that's the incident response loop from SANS, and this one, if I remember right, is basically based on that one. And this one we're seeing more and more of. Does anybody know what the OODA loop is? One, two, three, four. So the OODA loop is actually a military incident response type of thing. Essentially you have four stages: observe, so you're trying to understand and identify something that's going on; you evaluate what's going on to decide how you're going to take care of it; then you decide, that's when you choose the types of actions you're going to take; and you act, that's when you actually implement your response. So we're seeing a lot more of that, and if you go to the US, more and more of the US incident responders are talking about this loop. I kind of stick to the left one because I like the left one; it's simple. This one, although it's very simply described as OODA, is actually quite complex internally, because there's a whole bunch of other loops inside each step. Preparation, identification, containment, eradication, recovery and lessons learnt is simple enough to remember and simple enough to do in a very process-driven method.

So are you ready to actually talk to the data breach and report to your data protection authority? That's the problem that we have. If you think about what we need to do, there's a really important part, which is the 72 hours to report. If you're only looking at the consequences of the breach towards the end, and that's the traditional way, you're not going to hit that 72-hour target. And it's really important, because it's when you become aware of the breach, right? So if you've detected an incident, that's when the clock starts; if you've detected an event that could potentially lead to an incident that could potentially lead to a data breach, that's when the clock starts. I'm going to get back to this later, but a breach isn't just exfiltration. Under most of these legislations you need to notify the data subject, so that means you need to have an understanding of who's impacted, in terms of whose personal data that you hold is going to be impacted by this breach. But there's one important
thing that a lot of people don't realise. You hear a lot, oh, like the recent Facebook incident, right, the one with the API key that was leaked, and some of the data protection authorities are looking into it. They won't get fined, I'm telling you, because it's not personal data, number one; number two, what is an API key, how is an API key going to hurt a data subject? This is the point: you need to report a data breach if it's likely to risk the rights and freedoms of the data subject, and a lot of people miss this out, right? So they think, well, we have to report all data breaches. You don't. So it's very important to understand the consequences, what might happen when you actually lose personal data.

So before we can actually get down to detecting what personal data is in our breach, we need to understand what personal data is, and this is where a lot of companies fail, okay, because the GDPR defines it and interprets it. So it's defined in Article 4, if you'd like to read long documents, but the important part in the GDPR is reading the recitals, and there's an X number of recitals that actually define personal data. To sum it up, it's basically any information relating to an identified or identifiable natural person, right? So any information that will allow you to identify somebody, and that can be anything from physical characteristics to electronic communications to anything, but it's directly or indirectly. So this is where the IP address comes in: I can use an IP address to indirectly identify a person; I can use a postcode to indirectly identify a person. And this is where you'll see a lot of people argue as to how much personal data you actually need before you can identify a person. So for example, I'll use the postcode again: the postcode in some countries is a city or a town; in some places a postcode can actually identify an individual house. Like in the UK, there are certain parts of the UK where a UK postcode is actually probably one house, so if I have that one postcode I can technically identify somebody, all right? So this is where you need to be careful on how you evaluate that personal data.

So if you look at most data loss prevention solutions, or most technical solutions, they basically see personal data as this, right, so very simple: name, date of birth, gender, address, salary, comms, contacts, IP addresses, email addresses. But if you break it down to how you can identify somebody, it's a lot more complex, right? So this isn't valid, not in my opinion anyway; this is personal data, okay? It's a lot more complicated, because you have things that go beyond just the individual. You have things like his work-related status, things like how he's using his mobile devices, when, where, where is he going. You've got medical information, you've got online information, you've got smart devices, IoT, CCTV; add those to the addresses; then you have all the financial information, and then you have driving. Nowadays we use more and more licence plate identification, right? So if you go into some parking lots they identify your licence plate and they see how long you've been there, but if that data gets leaked out, that means I can retrace some of your
behaviour, right? Then there's also other stuff: there's political opinion, genetic data. The interesting thing with the GDPR is that it also defines certain data that you're not really allowed to store, or you must store under certain conditions, things like political opinions, trade union membership if necessary; they call that sensitive data. So there are certain aspects of personal data which are even more complex, which have an even greater impact if you breach them.

So I did some work, probably a year and a half ago, where we started to try and break this down into actual fields that we could contain and describe and detect, and this isn't a complete list. We started, and I think we got up to about a hundred and some, 125-plus fields, and we just stopped because we'd answered some problems, right? So there are very generic types of things, like country tags, IP addresses, IMEI, GPS coordinates, social networks, email addresses, RFID tags; those are pretty much common for any country in Europe, all right? Then you get to the more country-specific things, right? So depending on the country you may or may not have an ID, right? So in the UK there's no national ID; in France and Germany there's a national ID, so you have different values for different countries. You also have localisation, right, a name, because we are not only just the Roman alphabet anymore; we have the Roman alphabet plus Eastern Europe, and half of Europe isn't using it. So from a technical point of view you need to kind of address that, right? So you need to understand all these things, and it gets really complex.

Then you get to the yellow box, which is the sensitive data, right? So those are the things that, under the GDPR, you can store only if you have authorisation from the DPA; so the DPA is the Data Protection Authority, so that's things like the CNIL in France; I don't remember what the one in Belgium is called; or the one in Luxembourg. If you look at the cash registers in the bar, they've actually got a sticker that says this register has been audited by the Luxembourg DPA. Basically, these are the reasons this information is considered sensitive: because it actually describes very personal information of a data subject, right? So things like your ethnicity, your religion, are you Muslim, Catholic, or things like that. If you think about the history of Europe, all of these types of data, especially the top part, have been used in the past to target people and to do racial cleansing and things like that, so they want to avoid being able to actually identify types of people. So this is a whole bunch of background,
political background, into why they've actually even done this, right? So let's get to the crux of the thing: what is a data breach, right, and how do we actually respond to a data breach with personal data? So if I go back to my loop, how do I prepare? So identify all of this data. I kind of don't want to identify it afterwards, right? I don't want to identify it here or there, because it'll be too late. If I'm breached and it takes me like five days to understand my breach, I'm going to be too late. So what I really want to do is focus my attention on the preparation phase and the identification phase, right, so that I actually understand where my personal data is and I'm able to identify it as I go along.

So this is a flow chart based on some work that ENISA published, around 2017. Basically, this essentially boils down to the same steps, right? So we have the preparation phase, we have the event detection phase, we have the containment and recovery, and then we have the lessons learned. But what they've done is they've actually looked at how you go about understanding personal data in your breach and when you actually need to notify the DPA. So what they've done is, when you get an event, your typical first step is: is the event a breach? So at this stage you want to be able to say, okay, I've got a breach, and does it involve personal data? You want to understand the circumstances of that breach: was it exploitation, was it ransomware, things like that. You want to understand the severity: how many types of personal data are affected, how much personal data is affected, how many data subjects are affected, and you need to understand if an incident response is needed. So if you detect that it's a personal data breach then you need to start thinking about notifications; if you don't, you just go down into your containment and recovery. So primarily, notification is: do you need to notify the DPA? Sometimes you do, sometimes you don't; that's something that I usually hand off to discussions with legal teams, because it really depends on how you interpret the GDPR, and it'll also depend on your local Data Protection Authority. Does it adversely affect data subjects? So will it hurt a data subject, will it hurt your customers, right? So if you lose credit card numbers, yes, that might financially hurt your customers, so you probably need to notify your customers; that's when you do a preliminary notification to data subjects. Now you notice I put "preliminary" there, because you need to notify, but the actual contents of the notification aren't necessarily defined at this time, because you need time to actually understand the total impact of the breach. So once you get to that stage, you go into further assessment and, if needed, you detail and evidence what data has been breached, and that's at that time that you do a detailed notification, so that you can actually send out more details on what's been breached, the effects and things like that. You go into your containment and recovery, and then you need to do a data breach inventory. That's an additional step that we don't have normally in the incident response process: you need to keep an inventory of what personal data has actually been breached, because although something might not happen tomorrow after the breach, in six months there might be a recurrence of that same breach, so you need to know what data was affected. But you also might need to report it at a later date, so you might need to go back and report what activities you've done to actually protect the data following that breach.

Now this is the part that you need to do in 72 hours, okay? So that preliminary notification is what needs to get done in 72 hours, and my big question to everybody is: does your event detection lead you to this? When you escalate an event to an incident, can you get to that stage where
you're reporting things inside 72 hours? So, breach: show of hands, how many people think that a breach is just exfiltration? So if you have a breach in your organisation, do you say it's a breach if you exfiltrate data? Good, nobody here, because if you read the GDPR... I've been in a number of companies, especially on the other side of the Atlantic, where breach stops at exfiltration. If you read the GDPR properly, it's not just exfiltration. You have destruction: so if you get a ransomware attack, you fall under the GDPR, all right? So if you've got personal data, like if you've got a database with personal data that gets encrypted by ransomware, that is technically unlawful destruction of the data and you need to report it. Alteration: so this is somebody modifying the data outside the parameters for which you're collecting it, or somebody changes your information. So, like, I've submitted my information to a store, to a service, and a malicious admin goes in and changes my date of birth, right; that falls under the GDPR; it doesn't have any major consequences, but still. There's one more before you take the picture: unauthorised disclosure, so that's if somebody releases personal data to the press or to a dark web site or things like that. And finally, unauthorised access; this is the killer one, okay? If you have, let's say, technically, a data breach, or a breach, right, for some reason somebody's got a persistent threat in your systems, they're standing there, they're listening, they've hooked into your applications, hooked into the databases, and if they do "select * from customer DB", that's a breach under the GDPR, okay? It's unauthorised access. How many companies, I mean seriously, in this room, do you think your companies are ready to do that last one? Probably not, probably not. And this is where, I mean, I get okays from the top two steps; when I start to get to the bottom three, people are like, do we really need to do that? Yes, like, wake up, that's in the breach description of the GDPR. It's funny, because nobody thinks about this. I recently did a pen test for somebody, or somebody did a pen test for me, and I was reading the results, and I was like, huh, I wonder if this company has actually thought about this part under the GDPR. So if you're doing pen tests, red teaming, you're okay, because there's Recital 47; you guys all know about Recital 47, right? Now Recital 47 basically says that you're allowed to test your protections, your protections of personal data. So as security teams you're allowed to implement tools and test the protections that you're implementing, so it gives CSIRTs the ability to actually say, okay, we're doing this for testing purposes, to ensure that personal data is protected.

So the preparation phase: this is where I get lots of, well, not questions, but, "do we really need to do that?", and I'm like, how else are you going to actually determine if you've got a personal data breach if you don't understand where your personal data lives? And if you don't, you're not going to be able to actually focus your incident response plan on that personal data. So I like to introduce this model, right: adapt, assign, identify. You think it's a very common model when
you're doing threat modelling, right, or when you're doing some kind of vulnerability model as well. So you want to adapt your existing models: so if you have threat models, and your threat models look at the potential vulnerabilities in your infrastructure and the threats against your infrastructure, your systems, your applications, you want to look at those and say, well, does my personal data fit into this? You want to assign personal-data-related attributes as well: so is this critical personal data, will it affect the user, will it be disastrous if I lose this data, is it sensitive data, will that have more impact? You want to identify the risks, right; I mean, that's a typical threat modelling aspect. Use the DPIA; so you guys know what the DPIA is? Inside the GDPR there's a section where they talk about doing data protection impact assessments. Basically it's evaluating the risks on your personal data, so you document that, and you can build your accountability based on this assessment; the GDPR is a lot about accountability, to be honest. So then you've got to think, will this harm the data subject? If I lose my credit card database, will it harm the data subject? Probably yes: financial loss, right? So you want to think about, if this personal data gets leaked, what's the impact on that user or those users, and once you understand this you can put your controls in place, right, because you're going to need controls in place to actually help you in the response.

So this is a DPIA, okay; this one's actually from the CNIL, so a really nice one. If you go to the CNIL they even have a tool to help you do them. I'm going to skip this, because this is more upstream from the incident response; this is when you're modelling your personal data threats. It's really great. So this is an OWASP project; crap, I forgot his name, the guy over at Photobox in the UK, he started this. Basically he's done data flow mapping; he's built the data flow mapping process. So essentially what you do is you look at your data source, right, so where's the data coming from, are you the controller? So if you're the controller, what kinds of data subject information are you capturing, who it is, what information you're capturing, why you're processing it, the lawful basis of processing, where you're actually storing it and what security is on it, the categories of recipients, where you might send the data to, how long you're retaining the data for, and some of the data transfers outside of the EU, to the US. So basically, for an example, what you would do is you say, okay, I'm a controller, I'm looking at my individuals, I'm collecting tax details, pay details, pension details, bank details, contact details, because it's an HR database; purpose of processing: personnel file, right, or payroll; then lawful basis: contract; I'm going to retain it for one year post relationship, you know, one year post contract; I'm going to put all of these security things in place; I'm not going to transfer it to any other country. Oh wait, hold on, my payroll's outsourced; oh wait, I'm sending it to another country. Categories of recipients: HMRC, the tax authority in the UK; I might have a payment provider, the banks. So you understand that the purpose of this in the incident response process, to me, is you understand, number one, what personal data you're actually gathering, how it's being used, so you can start to look at where it's going to actually sit and where it's being sent, so where my transfer points are, so where potentially my areas are where the data might be sitting in a weak zone, right, or might be sitting in an area where somebody else might actually capture it. Because if you're the controller and, say, the bank has an incident, it's still your responsibility to report it to the employee, right? So you need to understand that; then it has to be added to your incident response. So one of the ways that I talk to
companies; so this is funny: how many of you have done data discovery, have done a data discovery process and actually know where your personal data sits? Not too many. Most companies can't fathom this. I've done a couple for companies and they were like, after the first million records, stop. It's like, you can't; personal data just becomes an explosion in a lot of companies; it just ends up everywhere. So there are different methods. Fingerprinting is the easiest and the fastest, but you need to know what kind of personal data you have, right, so it's not always good, because you have to have a pre-existing copy of that personal data so you can fingerprint it and then go look for it. Pattern matching is a little bit better, because you're actually building patterns, so an address can be built into a pattern, so you can actually find it a little bit faster and you don't have to have a fingerprint. But ultimately, and especially if you start looking at controls and detection, regex is the answer, right? It's not good; it does a lot of false positives; but until we come up with something better than pattern matching, like NLP, regex is your friend, or your enemy, depending.

So basically, a lot of times what I tend to do to understand where the data is, when I'm building my incident response identification process, is I'll talk to the data owners. So I'll go to HR and say, where do you put the data, how do you use it? I crawl the environment; you can go with proprietary tools, you can use Perl, Python; I prefer Perl because I'm old. And you build a data map, and then you can focus your detection, and this is the important part: you want to focus your detection, and then you want to do regex, right? So here are some examples of regexes that I've used: Greek IBAN, Greek national ID, UK passport, UK VAT, UK national insurance number, which is just like a social security number, credit card number; this nice little one is a bank account number. There are some Wikipedia entries here; the government guides are usually fine. I'm actually trying to build a GDPR data pattern detection GitHub, but I keep running into customers and I don't have time to complete it; I only have so many hours in the day.

But how the f do you regex this? This is personal data, okay: if you work for a bank, or anything that has a call centre, and you're recording the calls for quality purposes or for auditing purposes, that's personal data. CCTV: is your CCTV completely compartmentalised from your network? How long do you keep the tapes for? All of this stuff is personal data as well. I was with one company: it's like, we have 15 years' worth of printed versions of our documents; you have a GDPR process for that, right? It's like, no, I thought it was only IT. No, the GDPR is any personal data, right? So the extension of that is your incident response plan becomes really complicated, because if you're not monitoring every potential outflow of personal data, how are you going to do the 72 hours identification?
This is the hard part. Wait, no, data discovery was the hard part. No, this is the hard part as well: do you have the right tools and the right alerts in place to actually identify when an event has personal data? So there are two ways to basically look at it: you do active detection, so you have some kind of endpoint or network detection system, or you do passive, you rely on data discovery and look at your events. I'll dig into that. So this is a process that I try to push to people and to get people to look at. So basically what I do is I run the data discovery, or I try to understand where all the personal data is; I dump that into a CSV; I extract key personal data locations; I extract network paths, server locations; I build some lookup tables from the extracts. What I do here: if you have DLP solutions in play, we put them into play with rules that actually focus on personal data. That gives you network and endpoint detection in real, well, almost real time, let's say. The lookup tables I then push into your SIEM or your log management platform to actually extract reports and alerts focused around the events that might have personal data. Then you can build alerts, personal data dashboards, personal data reports; you extract those reports for your personal data breach, your forensics and your notifications. So that's a quick overview of that, but I mean if you think about it, it's very simple, right? It's not too complicated; the complicated part is getting all that initial data, understanding where that personal data lives, and building it into that SIEM platform.

So these are some of the tools that I look at typically. So for data discovery you've got, you know, you've got 3d dog, that hasn't been updated in a while, but that one's open source; you've got the typical players. Same thing for detection; I've been playing with using Sysmon and WMI for detection. It's complicated; it doesn't really work too well, but I think it could work if we had a little bit more detection events in Sysmon. Or if you're looking at the cloud, you're probably looking to start looking at CASBs and some next-gen products like Darktrace, although I still don't believe that thing actually does anything. Right, correct, you feed that into your platform, you're going to pull out reports, and you're going to send out alerts, and this is going to be the start of your detection, right; that's going to help you focus your detection. I don't have all the answers, unfortunately, but that's one of the reasons why I did this talk, because I want your feedback, and we'll get to that in a sec. You feed your SIEM with your endpoint detection tools, your network events; you capture your file events; that's very important, you need to capture the file events, because that's how you're going to detect if there's unauthorised alteration or if there's unauthorised access. And you want to do CSV lookups or external lookups, and things like Splunk, which I've been complaining about a bit lately, let you do things like this: you know, look up personal data path CSVs on the source file path and destination file path. This is more complex; this one's a Splunk query where we're basically looking for any personal files that are being copied onto cloud drives or some kind of solution like that. What you run into really is, if you can't build these personal data paths, you can't get these queries out, all right; it's very difficult to get these queries up, and so we're back to the problem of data discovery. This is another one; this was an attempt that we tried to generate a low false positive, but basically we were looking at personal data path and the user, right, so we associated users to personal data paths so that we could actually detect if a user was allowed to use that file. So remember the unauthorised access; that's how we were trying to contain that one.
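The discovery-then-lookup flow described above, as an added worked example that is not part of the talk or its slides: a few regexes with checksum validators (Luhn for card numbers, mod-97 for IBANs) are run over constructed file contents to build the personal-data path table, and constructed file-audit events are then replayed against that table plus a constructed entitlement list to flag unauthorised access (the GDPR "access" case) and copies to cloud-sync folders (the Splunk query mentioned above). Every path, user name, file body, glob-to-users entitlement and regex below is an assumption for illustration, not the speaker's own patterns or data.

```python
# Added example, not from the talk: regex discovery with checksum validation,
# feeding a personal-data path table that file events are checked against.
# Every path, user, file body and entitlement below is constructed.
import re
from fnmatch import fnmatchcase

# --- 1. Discovery: regexes plus validators to cut false positives ----------
# UK National Insurance number: two prefix letters (D, F, I, O, Q, U, V and a
# few pairs are never issued), six digits, suffix A-D. Simplified on purpose.
UK_NINO = re.compile(r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
CARD = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four chars to the end, map letters to
    10..35, and the resulting integer must be congruent to 1 mod 97."""
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1

DETECTORS = [
    ("uk_nino", UK_NINO, lambda s: True),
    ("iban", IBAN, iban_ok),
    ("card", CARD, lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
]

def classify(text: str) -> list:
    """Sorted personal-data categories whose regex AND validator both fire."""
    found = set()
    for name, pattern, check in DETECTORS:
        if any(check(m.group(0)) for m in pattern.finditer(text)):
            found.add(name)
    return sorted(found)

def discover(files: dict) -> dict:
    """The lookup table the SIEM gets: path -> categories, non-empty only.
    `files` stands in for a filesystem crawl (a constructed dict here)."""
    table = {}
    for path, content in files.items():
        cats = classify(content)
        if cats:
            table[path] = cats
    return table

# --- 2. Detection: replay file events against the table --------------------
# Constructed entitlement export (what an access-management product would
# give you): path glob -> users allowed to touch it.
ALLOWED = [
    (r"\\hr-srv\payroll\*", {"hr.payroll", "hr.lead"}),
    (r"\\fileshare\public\*", {"j.smith", "sales"}),
]
CLOUD_SYNC = re.compile(r"\\(OneDrive|Dropbox|Google Drive)\\", re.IGNORECASE)

def allowed_users(path: str) -> set:
    users = set()
    for pattern, names in ALLOWED:
        if fnmatchcase(path, pattern):
            users |= names
    return users

def flag_events(events: list, personal_paths: dict) -> list:
    """Drop events on paths holding no personal data; flag the rest when the
    actor is not entitled (unauthorised access) or the destination is a
    cloud-sync folder (possible unauthorised disclosure)."""
    alerts = []
    for ev in events:
        cats = personal_paths.get(ev["path"])
        if not cats:
            continue
        if ev["user"] not in allowed_users(ev["path"]):
            alerts.append({"reason": "unauthorised_access", "user": ev["user"],
                           "path": ev["path"], "categories": cats})
        dest = ev.get("dest", "")
        if dest and CLOUD_SYNC.search(dest):
            alerts.append({"reason": "cloud_copy", "user": ev["user"],
                           "path": ev["path"], "dest": dest, "categories": cats})
    return alerts

# Constructed sample data: three files and four file-audit events.
PAYROLL = r"\\hr-srv\payroll\2019\salaries.csv"
MARKETING = r"\\fileshare\marketing\campaign.txt"
ORDERS = r"\\fileshare\public\old_orders.txt"
FILES = {
    PAYROLL: "name,nino,iban\nJ. Doe,AB123456C,GB82WEST12345698765432\n",
    MARKETING: "Launch plan Q3, budget 12000, owner marketing-team\n",
    # 4111... passes Luhn; 1234... matches the regex but fails Luhn.
    ORDERS: "order 4111 1111 1111 1111 paid\nticket 1234567890123456 open\n",
}
EVENTS = [
    {"user": "hr.payroll", "path": PAYROLL, "op": "read"},
    {"user": "it.admin", "path": PAYROLL, "op": "read"},
    {"user": "it.admin", "path": MARKETING, "op": "read"},
    {"user": "j.smith", "path": ORDERS, "op": "copy",
     "dest": r"C:\Users\j.smith\OneDrive\old_orders.txt"},
]

def run_demo() -> tuple:
    """Build the table, then replay the events: returns (table, alerts)."""
    table = discover(FILES)
    return table, flag_events(EVENTS, table)
```

Running `run_demo()` yields a table of two paths (the payroll CSV with `iban` and `uk_nino`, the orders file with `card`; the marketing file and the Luhn-failing ticket number are dropped) and two alerts: `it.admin` reading the payroll file without entitlement, and `j.smith`, who is entitled, copying the orders file into a OneDrive folder. The validators are what keep the regex approach usable: without Luhn the 16-digit ticket number would be a false positive on every read.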
So essentially we built a set of files, a list of file names and things like that, on databases or network servers, associated to a list of users. You can do this with products like SailPoint, things like that; if you have an access request management system you can pull out the users who are authorised to access certain servers or certain paths, files. If that file is opened, if there's a file operation on one of those file paths and you're not in the allowed users, then you can go back and say, okay, this is an unauthorised access notification. I think I'll skip quickly over this one, because usually I pass this off; you need a better understanding of your DPO; you know, this has to work with your DPO and your PR and your legal teams. But essentially what you need to know when you're building those reports, when you're building the information which you need to capture, is: the types of individuals, the categories of individuals concerned; the number of people, data subjects; what personal data has been accessed or breached. Let's skip this one; it's a bit complex; well, it's not complex, but it's just not pertinent.

So I know we want to have this interchange with people here, so I've actually come up with six subjects where I have questions for you guys, right? So I'm going to kind of feed this back to you guys. So if we talk about why and which: I'm actually curious, how many of you, which IR process do you guys actually use? Is it more focused on NIST, or CERT, or the SANS one? Show of hands for NIST? One. SANS? Yeah, one. The SANS one... I mean NIST is very Americanised, and SANS has got more push in Europe, so I can understand that. So what about this: how many of you have actually looked at your incident response process since the GDPR? One, two, three, four, five, six; so like 10%; it's not too bad; I've had worse. I mean, a lot of people just haven't. The problem I found with that one is that people have actually gone off and said, oh, this is a compliance problem, and once they start talking about compliance they start talking about all the checks and balances and things like that, and they think about the impact on IT security teams and things like that, and they don't follow through on the actual technical aspects of what we need to do. So how many of you think you can respond in 72 hours? Does anybody have any opinion on this, or any opinions? Well, actually, I'd like
to get your feedback on when you think personal data detection should happen I've presented to you mine which is during identification and and detection does anybody have any other ideas nobody you just haven't thought about it right hasn't come across your path it's hard okay so yeah maybe something that we could try to implement in order to reach different forces to implement like flag you know inventory system to say not what the system contains but just does it contain data that is belonging to the GDP regulation or not so that we know if the system is impacted at the beginning of the incident we can directly send this notification even though we do not have the full extent of detail of the
data breach we know that one of the SEM has been impacted and the flag is true so yeah and it'll help you start that investigation right and I've seen quite a few companies actually take that that idea and approach as long as you've got some kind of as as you said a flag where you can start your approach or you can start your think four process on does this contain personal data needs to be notified that's it doesn't at the end of the day it doesn't really matter where it happens it's just you got to take into account how long is it going to take you to respond to that flag right so because that flag becomes your kind of when I
became aware of the incident right so that from that time frame you need 72 hours so what happens if somebody else tells me I've got personal data on the internet from my company do you guys if you guys thought about that one no well I mean it's just somebody else told me I started from that I didn't detect it now that opens a whole nother bag of that's not really related to in some response what and where so I showed you the personal data definition how many of you have a very large personal data data definition or our youth well I mean what's your what how do you categorize personal data in your organization anybody I should have
done this it's not direct answer but it's something my mentor to me in my company you see that most of the time people they say okay I need for example a motorized vehicle so you as an engineer you ask would you want to carve about the motorcycle I say I want to motorcycle race vehicle and then something bad happen it can come back to you and say see I wanted a boat it said what I wanted so I just want to keep the term as broad as possible so we can include what they want what we want after these events I don't think I think you it's a certain extent you're right because if you look at the definition on
the under the gdpr for example they say anything that can be used to identify in a day an individual it directly or indirectly so the colors I wear one day could technically be used if they're very unique could technically be used to reify me all right but one of the great conversations I have with companies is when does it become identifiable a birthdate by itself isn't identifiable right because many people born on the same day so I get so I mean here's a story along that line I was in I was checking out of a hotel in Monaco last year after there's a season and I asked for my bill and the guy goes okay so
yeah Thomas Thomas Fisher you live in X Y is there Germany it's like nope damn things and it's like you sure it's not you they date of birth like mm-hmm we went through for names like that and I just told the guys stop it's like doesn't your manager to teach you about personal day elite and the guys like no it's like you just basically give them the information of four people and it's technically a violation of so many laws so the the thing was my name alone wasn't able to me I dent off' i me in directly right but indirectly he could he went through five different names but allowed him to identify who I really was and that's the
problem of this directly or indirectly in the gdpr is like a piece of information by itself may not identify a person but if you get multiple data breaches and data and and multiple pieces of data sitting in different applications in different databases suddenly get taken by the same person or get aggregated somewhere else how far they're going to be able to actually re identify that person and this is the this is kind of questions that I still am I mean I haven't been able to solve iver right because at one time did they steal the names database that then got the credit card database and how does that credit card database relate back to the name database I mean
I don't I don't really have an answer to that unless everything is flat file right but when you can extract it via the application but as individual pieces of information how long will it take that person to reify my credit card right so you have to think in those kind of it's a into a vicious game let's get that one so this one is also fun to is how many of you who are doing instant response know the name of your DP oh okay that's good not enough hands but that's good how many of you interact with PR and comms people even less do you as an ensign responder communicate with TPA no no it's a DPF
communicates OTP that's the role of dpo as defined in the legislation who do you inform in the dps yeah okay so let me rephrase the question who does which DPA does a GPO inform because the DPO might come back to you and say okay so I can weather this data breach occur if you're a multinational organization and it's a server in France with French personal data information you probably your first port of call is the key right but if that database also contains German information do I go also go and talk to the German DPA so this is where depending on your legal team you'll get an answer of yes but if you actually read the legislation they're
supposed to coordinate DPA is a supposed to coordinate across Europe so technically if our reports from the Camille I can just notify that the German DPA but I've reported that the clear but there's probably German information inside that breach right it's not my problem anymore so final thoughts 28 percent of organizations are not ready for the gdpr that was last year just recently I read a report one in six business this is our unprepared for a data breach and this was my favorite was just recently right that's the British Airways one if you can't see it 38 380,000 payment cards were captured over two month period I'm still waiting for the file on that one and I ate the
worst part is I literally booked a ticket a day and a half before this was announced so I was really happy it's been spent the whole morning on my credit card company details so we're out of time thank you I'll be around it will day anyway so if you want to come talk to you PR and service bond something happy to have a chat if you need to if you want more information about the GPR I'm happy to chat with about there as well I hope you like the talk hope I put some question marks in your heads and thanks for having me and thanks to the organizers [Applause]
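As an added illustration of two points made during the talk, the allowed-users check (a list of protected files, paths and databases pulled from an access-request system and compared against file operations) and the audience suggestion of an inventory flag marking which systems hold personal data, here is example code written for this page. It is not the speaker's code and not a real SailPoint export: the entitlement format, asset names, audit-log line format, user names and timestamps are all constructed assumptions. The 72-hour clock starts at the flagged event's timestamp, which the talk treats as the "when I became aware" moment.

```python
"""Unauthorized-access notification from entitlement data plus a personal-data
inventory flag. Added example for this page; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed export from an access-request / entitlement system (hypothetical
# format, not a real SailPoint schema): protected asset -> identities allowed
# to touch it. None marks an asset that is not access-restricted.
ENTITLEMENTS: Dict[str, Optional[Set[str]]] = {
    "/srv/hr/payroll/": {"alice", "hr-batch"},
    "/srv/crm/exports/": {"bob", "carol"},
    "/srv/eng/builds/": {"dave"},
    "db:customers_fr": {"carol", "app-crm"},
    "/srv/public/": None,
}

# Inventory flag per asset (constructed): does it hold data under the GDPR?
PERSONAL_DATA_FLAG: Dict[str, bool] = {
    "/srv/hr/payroll/": True,
    "/srv/crm/exports/": True,
    "/srv/eng/builds/": False,
    "db:customers_fr": True,
    "/srv/public/": False,
}

# GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    operation: str  # open / read / write / query
    target: str     # file path or "db:<name>"


@dataclass(frozen=True)
class Notification:
    event: AuditEvent
    asset: str
    personal_data: bool
    aware_at: datetime                   # the flag time = "when I became aware"
    report_deadline: Optional[datetime]  # aware_at + 72h, only if personal data


def parse_audit_line(line: str) -> AuditEvent:
    """Parse the constructed audit format '<iso-timestamp> <user> <op> <target>'."""
    ts, user, op, target = line.split(maxsplit=3)
    return AuditEvent(datetime.fromisoformat(ts), user, op, target)


def match_asset(target: str) -> Optional[str]:
    """Return the most specific protected asset that covers the target, if any."""
    candidates = [a for a in ENTITLEMENTS if target.startswith(a)]
    return max(candidates, key=len) if candidates else None


def check_event(ev: AuditEvent) -> Optional[Notification]:
    """Flag the event when the user is not on the asset's allowed-users list."""
    asset = match_asset(ev.target)
    if asset is None:
        return None                      # not an asset we track
    allowed = ENTITLEMENTS[asset]
    if allowed is None or ev.user in allowed:
        return None                      # unrestricted asset, or authorized user
    personal = PERSONAL_DATA_FLAG.get(asset, False)
    deadline = ev.ts + NOTIFICATION_WINDOW if personal else None
    return Notification(ev, asset, personal, ev.ts, deadline)


def scan(lines: List[str]) -> List[Notification]:
    """Run every audit line through the check and keep the hits, in log order."""
    hits = []
    for line in lines:
        n = check_event(parse_audit_line(line))
        if n is not None:
            hits.append(n)
    return hits


# Constructed sample audit records (not real logs).
SAMPLE_AUDIT = [
    "2018-09-10T08:15:00+00:00 alice open /srv/hr/payroll/2018-09.xlsx",
    "2018-09-10T08:16:30+00:00 mallory read /srv/hr/payroll/2018-09.xlsx",
    "2018-09-10T08:40:00+00:00 mallory read /srv/eng/builds/release.tgz",
    "2018-09-10T09:00:00+00:00 dave query db:customers_fr",
    "2018-09-10T09:05:00+00:00 dave open /srv/public/README.txt",
]

if __name__ == "__main__":
    for n in scan(SAMPLE_AUDIT):
        clock = n.report_deadline.isoformat() if n.report_deadline else "no GDPR clock"
        print(f"{n.event.user} -> {n.asset}: unauthorized; "
              f"personal data={n.personal_data}; report by {clock}")
```

Of the five sample lines, only the two reads by `mallory` and the query by `dave` are flagged; the hit on the build share is still an unauthorized access but carries no 72-hour deadline because its inventory flag is false. The longest-prefix match in `match_asset` is what lets a subpath inherit its parent's entitlement; a real deployment would replace the two dictionaries with whatever the entitlement system actually exports.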
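The re-identification point from the talk (a birth date alone matches many people, but birth date plus a name was enough for the hotel clerk to single the speaker out) as an added example, not part of the talk: a small Python check over a constructed toy dataset that counts how many records share a combination of attribute values, reports the k-anonymity of the set under a chosen set of quasi-identifiers, and finds the smallest set of attributes an attacker would need to single one record out. The records, names, dates and cities are invented for illustration.

```python
"""Re-identification from combined attributes. Added example for this page, run
over a constructed toy dataset (all names and values invented)."""
from collections import Counter
from itertools import combinations
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Record = Dict[str, str]

# Constructed records. Several people share the 1970-03-14 birth date; two share
# the name "T. Fischer"; only one record has both.
RECORDS: List[Record] = [
    {"name": "T. Fischer", "dob": "1970-03-14", "country": "DE", "city": "Munich"},
    {"name": "T. Fisher",  "dob": "1970-03-14", "country": "GB", "city": "London"},
    {"name": "A. Fischer", "dob": "1970-03-14", "country": "DE", "city": "Berlin"},
    {"name": "T. Fischer", "dob": "1982-11-02", "country": "DE", "city": "Munich"},
    {"name": "B. Schmidt", "dob": "1970-03-14", "country": "DE", "city": "Munich"},
    {"name": "C. Dupont",  "dob": "1970-03-14", "country": "FR", "city": "Paris"},
    {"name": "D. Weber",   "dob": "1982-11-02", "country": "DE", "city": "Hamburg"},
]


def matches(records: Iterable[Record], **known: str) -> List[Record]:
    """Records consistent with everything the attacker already knows."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def equivalence_class_sizes(records: Iterable[Record],
                            attrs: Sequence[str]) -> Counter:
    """How many records share each combination of values for the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records: Sequence[Record], attrs: Sequence[str]) -> int:
    """Smallest equivalence class under these quasi-identifiers (k=1: someone is unique)."""
    return min(equivalence_class_sizes(records, attrs).values())


def min_attrs_to_single_out(records: Sequence[Record], target: Record,
                            candidate_attrs: Sequence[str]) -> Optional[Tuple[str, ...]]:
    """Smallest attribute set whose values (read off the target) match only the target.

    Tries 1-attribute combinations first, then 2, and so on, so the answer is the
    least an attacker needs to learn. Returns None if the target is never unique
    (another record is identical on every candidate attribute).
    """
    for k in range(1, len(candidate_attrs) + 1):
        for combo in combinations(candidate_attrs, k):
            known = {a: target[a] for a in combo}
            if len(matches(records, **known)) == 1:
                return combo
    return None


if __name__ == "__main__":
    print("share the birth date alone:", len(matches(RECORDS, dob="1970-03-14")))
    print("k for (dob):", k_anonymity(RECORDS, ("dob",)))
    print("k for (dob, name):", k_anonymity(RECORDS, ("dob", "name")))
    print("needed to single out record 0:",
          min_attrs_to_single_out(RECORDS, RECORDS[0],
                                  ("dob", "country", "city", "name")))
```

On this toy data the birth date alone leaves five candidates and the set is 2-anonymous on `dob`, but adding the name collapses it to one record, exactly the "directly or indirectly" problem: each breached column can look harmless on its own while the join is identifying. The same functions apply to any list of dict records, so the check can be pointed at an export of the columns that were actually taken.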