GDPR, risk management, cybersecurity and privacy management.

Data Sony Inc. collects and uses.

Sony Group Corporation collects certain data on public roads as part of the “VISION-S” project. Images and
videos of persons and objects on public roads vehicles are taken. This data will be used for a specific
function and not for identifying individual persons or for any other purposes. The data collected will be
used for Sony’s vehicle sensor tuning, evaluation and verification of its vehicles, such as their Advanced
Driver Assistance Systems functionality, and future mobility/robotics-related development, in pursuit of
its legitimate interest.

Sony Music Entertainment (SME) may access and store some or all “Third Party Data” from the user's account.
SME may utilize third party data to enhance its relationship with you, to send you other relevant marketing
communications and also to conduct research and analysis.

Sony panel members' description of the relevance of GDPR to their work.

They have 50 employees globally at the global security operations center, monitoring on-premise and cloud
platforms. The center covers all parts of the multinational conglomerate and is responsible for them 24/7.
There is also monitoring at all times and a response team, and they watch the SIEM technology used there,
actioning alerts and performing investigations. They also perform digital forensics analysis and malware
analysis as needed, which is really the core and most critical part of the organization, providing a
service that any company would need. They also have supporting functions like cyber threat intelligence,
whose teams try to understand what threats they are seeing internally, what threat actors are doing
externally to the company, and which threat actors they should be concerned about. They also track some of
the most specific technical capabilities so that they can better inform and compare both the strategic
decisions being made by the information security organization and, more tactically, what sort of
countermeasures or preventive measures they are deploying internally. They also have a dedicated team for
threat detection engineering, which builds custom signatures and works to understand adversary tradecraft
and how it manifests itself on networks and on operating systems. That team essentially develops code that
will detect that tradecraft when it appears there.

They have people doing full-time malware analysis and reverse engineering, which is not just running a
piece of malware through an automated sandbox, but actually breaking it down with decompilers and
disassemblers, getting into the assembly language and understanding everything about how the
malware works.

Risk data analytics: the focus is on two different problems that essentially serve the same cause, which is
enabling Sony’s management teams and stakeholders, from IT to business, to really visualize risk, and then
helping them make good data-driven and risk-based decisions on how to manage that risk. They take all of
that great data and translate it back into business-relevant KPIs and dashboards, and represent the data
in all different languages. The work involves heavy-duty data analytics, massaging of the data and quality
control, but equally translating that data into presentations and dashboards. Using automated and manual
checking processes, they make sure important assets and information at Sony are protected and basic policy
requirements are being met.

Program management function: important for large companies in order to be in compliance with the
regulations and also to find ways to save costs.

Risk management that Sony will need to undertake in order to meet requirements of the GDPR

The GDPR imposes a number of obligations on both controllers and processors which require them
to assess the risks posed by their personal data processing operations to the rights and freedoms of
individuals.

Data Protection by Design

It requires the controller to take into account various factors including the risks of their personal data
processing operation to the fundamental rights and freedoms of the individuals in order to decide how
to implement data protection by design.

Data Security

Among other factors, controllers and processors must consider the risks to the fundamental rights and
freedoms of individuals that are associated with their processing activities, and “appropriate technical
and organizational measures to ensure a level of security appropriate to the risk” must be implemented.
Controllers and processors have to take into account the risks of their personal data processing
operations when determining the appropriate level of security, in particular the risks that may arise
from “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to
personal data transmitted, stored or otherwise processed”.
Processors are also required to assess the risks of processing as a matter of contractual obligation in
their contracts with controllers. The contract must require processors to implement the security
measures by considering several factors, including the risk that the personal data processing operation
poses to the fundamental rights and freedoms of individuals.

Data Breach Notification to European Data Protection Authorities

If a breach results in a risk to the rights or freedoms of individuals, the controller must notify the EU DPA
of the data breach without undue delay or not later than 72 hours after becoming aware of it.

Appointment of Representative of Controller or Processor Established Outside the EU

Where processing is “unlikely to result in a risk to the rights and freedoms” of individuals, “taking into
account the nature, context, scope and purposes of the processing”, a controller or processor not
established in the EU does not have to designate a representative in the EU. However, this does not apply
to large-scale processing of sensitive personal data or data relating to criminal convictions or offences,
nor to processing by public authorities or bodies.
