Dealing with 3rd Parties under GDPR
1. General Data Protection Regulation (GDPR): Dealing with 3rd Party Partners/Suppliers
Joe Orlando
Leidos Proprietary
The information in this document is proprietary to Leidos.
It may not be used, reproduced, disclosed, or exported without the written approval of Leidos.
2. The EU Not the Only One to Enact Privacy Law
3. Over 80 Countries Enacted Privacy Laws
4. Significant Data Protection EU
Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)…”:
• Name
• Location
• Identification Number
• Online ID / Cookies
• Gender
• Personal Preferences
• Ethnic
• Cultural
• Social Identity
• Memberships
• Biometric
• CCTV Video
• Event photos
• Insurance
• Visas
• Religion
• Insurance Claims
5. Data Has Different States
At REST
At WORK
In MOTION
6. NOT “Just another IT Project!”
EVERYONE “owns” the Solution.
Data Controller (who NEEDS the data): Why Do You NEED the Data?
Data Processor (who uses the data to complete tasks): What Do You DO with the Data?
How is this Data Stored; Managed; Secured; Shared; Refreshed; Processed and Destroyed?
ICT only FACILITATES the Outcome: Store, Move, Protect.
ICT Cannot Do This Alone.
8. Privacy by Design and by Default
9. GDPR requires businesses to implement “technical and organizational measures to provide appropriate protection to the personal data they hold.”
GDPR expressly states that such measures include:
1. The pseudonymization and encryption of personal data
2. Measures to ensure resilience of systems and services processing data
3. Measures that allow businesses to restore the availability and access to the data in the event of a breach
4. Frequent testing of the effectiveness of the security measures
10. “Show Your Work!”
DPIA
Records of Processing
Incident Response Plans
Breach Reporting
Vendor Assessments
Data Flow Mapping
SSP
Tests and Audits
11. An Individual’s Rights
• Right to Know
  • What PII You Have
  • Source of the PII You Have
  • To Where and to Whom Does My PII Go
• Right to Edit Inaccuracies
• Right to Be Forgotten (Delete)
• Right to Opt Out
  • Object to Processing
  • Object to Automatic Decision Making
• Right to Portability
• Limit Retention Period
12. OBJECTIVE: Secure the Data
Secure the Personal Identifiable Information (PII) & Personal Health Information (PHI) to Prevent Unauthorized Access and, in the event of unauthorized access… the data they get is unintelligible.
13. Of the 261 pages of GDPR, “encryption” appears:
• "...implement measures to mitigate those risks, such as encryption." (P51 (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
2/5/2018 Leidos Proprietary
14. Regulatory “PASS” if Using Encryption
“…in case of a data breach, the controller is not required to communicate to the data subject if he or she has implemented encryption as a technical and organisational protection measure” (Article 34 Par. 3 (a) GDPR).
15. OPTIONS (Easy to Hardest) vs. RISK to PII/PHI EXPOSURE (High to Low)
• Subset Data Coming Out of Production
• Access Management & Monitoring
• Field Preserving Data Masking
• Data Pseudonymization
• Field/Row/Column Encryption
• Full Disk Encryption
Things to Consider…
16. Race Against the Clock!
• Residents of EU
• Establish a Data Protection Officer (some require in Country)
• Register Processing and/or Records of Processing
• Cross Border Data Transfers
• Data Breach MUST Be Reported within 72 Hours of Becoming Aware of the Breach, with Incident Response Plan
• Individuals Can Ask for Data and Controllers Must Be Responsive in 30 Days…for FREE (DSAR)
• Individuals MUST Provide CLEAR Permission to Hold Information & for How Long
• 3rd Party Processors Do NOT Eliminate YOUR Responsibility
• Data in Cloud – Cookies – Devices
17. GDPR Has Teeth!
Failure to Comply with the Regulation could mean a fine of up to 4% of GLOBAL GROSS REVENUES or $ 20,000,000, whichever IS GREATER.
18. Other Steps to Take…
NEXT UP: GDPR and 3rd Party Considerations
19. Our 3rd Party Partners
20. 3rd Party Partners
• Sales Channel Partners
• Distributors
• Resellers
• Marketing Campaign Providers
• 3rd Party Processors
• Off Prem Storage and Backup Vendors
• 3rd Party Administrators (ESOP; Benefits; Pension)
• Security Providers (Physical; Swipe cards; CCTV)
• 3rd Party Analytics Providers
21. The likelihood of data going OUT from INSIDE is greater than the likelihood of data being exfiltrated from OUTSIDE.
Things to Consider…
22. Amendments to the 3rd Party Provider Agreements
Data Privacy Amendments (GPO and Legal)
• Commitment to Compliance
• Commitment to Cooperation
• Commitment to Validation and Audit
• Commitment to Being Responsive to Leidos and DSAR
• Commitment to Incident Response
• Commitment to Appropriate Record Keeping
23. The Controller OWNS the Outcome!
24. Under GDPR – Vendor Assessment Questions
• Awareness and understanding of GDPR regulations and data protection principles
• Lawfulness of processing and further processing and legitimate interests
• Consent management
• Information notices
• Data Subject rights, access, rectification, portability, erasure, object & restriction of processing processes
• Record retention policies and processes
• Privacy By Design, including Impact Assessments
• Cross Border Transfers of Personal and Sensitive Data
• Data governance obligations
• Personal data breaches and notifications
• Sub-Contractor Agreements and Controls
• Codes of conduct and certifications
• Roles, Responsibilities and Competencies
• Co-operation and consistency between supervisory authorities, remedies and liabilities
• Derogations, special conditions and delegated acts, implementing acts and final provisions
• Subcontracted processes, processors and security controls
25. Consider YOUR Development Environment AND Your VENDOR’S
26. Grading Your 3rd Party Partner
27. Scorecard columns: Section; Sub-section; Criteria - Checks; Sub-section Score
Every criterion below carries a sub-section score; in this template copy each is scored 0.
• Participating 3rd Party Vendor must ensure that they are fully compliant with the Leidos Security Policy.
• The 3rd Party Provider Security Policy Baseline creates a general security and data protection baseline adapted to Leidos needs.
• The 3rd Party Provider Security Policy Baseline addresses all elements of data flows into Leidos, including national and cross-border data flows.
• The 3rd Party Provider shall take all reasonable steps to ensure data security (including data confidentiality, integrity, authenticity, availability and non-repudiation).
• 3rd Party Provider must ensure that cross-border data is not transmitted via these services to a Member State that either does not belong to or is not allowed into the cross-border environment.
• 3rd Party Vendor shall ensure that communication of identifiable personal data is subject to secure communication and end-to-end security measures.
• 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall
  a) allow authorised official bodies to duly inspect the established mechanisms for data collection, processing, translation and transmitting;
  b) make logs available for legal purposes, e.g. if requested by an individual.
• The 3rd Party Vendor must ensure that Leidos has clearly identified the responsible data controller and data processor in accordance with the provisions of the General Data Protection Regulation.
28. Security Incident Management / Cryptography / Information Security Continuity
Sub-section scores: 0 throughout this template copy.
Security Incident Management – Information Security Incidents
• Does the 3rd Party Provider have policies in place which set out how information security incidents, and breaches to the confidentiality of data, should be managed?
• Are the security responsibilities of technical staff and the data security officer addressed at the recruitment stage, included in contracts, and monitored during an individual’s employment?
• Does the 3rd Party Provider require employees and third party users of information processing facilities to sign a confidentiality (non-disclosure) agreement?
• Incidents affecting security MUST be reported to the designated (by each 3rd Party Vendor) point of contact through appropriate management channels as quickly as possible.
• Are all staff trained in security procedures and the correct use of the information processing facilities to minimize possible security incidents and risks?
• Responsibilities and procedures for the management and operation of information processing facilities must be established. This includes the development of appropriate operating instructions and incident response procedures.
Cryptography – Cryptographic controls
• Does the 3rd Party Provider verify that CAs (Certificate Authorities) are registered as such in the EU Trusted Lists of Certification Service Providers?
• Is there a documented procedure defining this, and where?
• Does the 3rd Party Provider have documented descriptions of service addresses and certificates compliant with the appropriate Regulators?
Information security continuity – Planning information security continuity
• Have the availability requirements been established for the 3rd Party network?
• Have the availability requirements between the 3rd Party Provider and its service providers been defined and established? Are these documented in the Service Level or similar Agreements?
Redundancies – Availability of information processing facilities
• Does the 3rd Party Provider have a backup procedure for at least the critical assets?
• Does the 3rd Party Provider have defined backup times (Recovery Point Objective) in alignment with the business requirements and (if applicable) in the multilateral or other agreements between the partners in the 3rd Party Network?
Average Area Score: Not Compliant for each area on this slide (Security Incident Management; Cryptography; Information security aspects of business continuity management).
29. Physical and environmental security
Sub-section scores: 0 throughout this template copy.
Physical security measures should exist in the 3rd Party Vendor premises where authorized users have access to the e Information System and the respective information storing facilities (i.e. network, server rooms etc.) to ensure that only authorized personnel have physical access.
Environmental safeguard measures should protect premises and systems from hazards and destruction.
Secure Areas – Physical security perimeter
• Are the physical areas housing the processing facilities and the staff operating the e system defined and documented (e.g. under Asset Management, Procedure or elsewhere)?
• Is the 3rd Party Vendor operations environment, including networks, adequately segregated from environments operated by external parties?
• Are the 3rd Party Vendor personnel offices segregated in order to protect security of operations and preclude access by unauthorised personnel?
Physical entry controls
• Do the 3rd Party Vendor building premises where staff operate the system have controlled building entrances and exits?
• Are building entrances and exits equipped with intruder prevention and alarm systems? Are visitors logged in a visitors logbook and guided when visiting the 3rd Party Vendor premises?
• Do server/computer room facilities have a visitor log system used by the 3rd Party Vendor for logging entrances and exits to the systems room of the 3rd Party Vendor, either automatically or manually?
• Are Intruder Alarm Systems attached to a backup power supply system (battery, generator or UPS) to ensure that server rooms are adequately protected and accessible during a disruption to the main power supply system?
• Are the permission rights of personnel to those areas documented, reviewed and updated at specified intervals?
(Note: The retention period of access logs and any CCTV recordings must respect the nationally applicable legislation for private and personal data protection.)
A.11.1.3 Securing offices, rooms and facilities
• Are 3rd Party Vendor offices where staff operate the e information system protected by physical measures adequate for the level of sensitivity of the system?
Equipment should be physically protected from security threats and environmental hazards. Protection of equipment is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage. This should also take into consideration equipment location and disposal. Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.
Average Area Score: Not Compliant.
30. Information security policies / Organization of information security / Integrity / Operations Security
Sub-section scores: 0 throughout this template copy.
Information security policies – Management direction for information security
• Does the 3rd Party Provider have documented policies that define how personally identifiable information is safeguarded?
Review of the policies for information security
• Are the 3rd Party Vendor responsibilities defined for managing the lifecycle of the Security Policies, ensuring that they are always kept up to date?
Internal organization – Information security roles and responsibilities
• Are the responsibilities for the 3rd Party Vendor Processes (especially for information security) included in the security policies?
• Are the specific processes and assets of the 3rd Party Vendor identified and defined?
• Are the local responsibilities for the protection of assets for the 3rd Party Vendor documented and carried out?
• Is the process of information security risk management documented and suitable?
• Does the information security risk management process include the 3rd Party Vendor’s processes and assets?
Segregation of duties
• Does the 3rd Party Provider have a person responsible for the security of information within the context of e ?
Integrity
• When information is sent from one country to another, it must be assured that the information has been properly received by the end user (source of country B). (Note: this requirement is applicable under the Information Security Domain in the area "Integrity".)
Confidentiality
• The 3rd Party Provider must ensure that Leidos data is not transmitted to a 3rd Party Vendor not belonging to or allowed into the Leidos environment.
• The 3rd Party Provider must ensure the security (confidentiality, integrity, availability, non-repudiation, authenticity and auditability) of data processed on their territory.
Operations Security – Event logging, protection of log information
• Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
• Logging facilities and log information shall be protected against tampering and unauthorized access.
• System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
• 3rd Party Vendor shall ensure that their 3rd Party Provider establish an appropriate system of audit trail and shall
  - allow authorised official bodies to duly inspect the established mechanisms for data collection, processing, translation and transmitting;
  - make logs available for legal purposes, e.g. if requested by an individual.
Average Area Score: Not Compliant for Policies for information security, Organization of information security and Operations Security; one area on this slide is marked Not Scored.
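The event-logging checks above ask that administrator and operator activity be logged, that the logs be protected against tampering, and that they be reviewed regularly. One concrete way a processor can make an audit trail tamper-evident is to bind each entry to the previous one with a keyed MAC, so that an edited, deleted or inserted record fails verification at review time. The Python below is an added example written for this page, not Leidos code or part of the original deck; the signing key, the event fields and the sample events are constructed assumptions.

```python
"""Tamper-evident audit trail: each entry carries an HMAC over its own content and
the previous entry's MAC, so edits, deletions and insertions break the chain.
Added example for this page; key, event fields and sample events are assumptions."""
import hashlib
import hmac
import json

# Hypothetical key held by the log service (not by the administrators whose actions
# the log records). The reviewer needs it to verify; the admins never see it.
LOG_KEY = b"hypothetical-audit-log-key"
GENESIS = "0" * 64  # "previous MAC" used for the very first entry


def _canonical(event: dict) -> str:
    # Stable serialisation: key order and whitespace must not change the MAC.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _mac(prev: str, event: dict, key: bytes) -> str:
    return hmac.new(key, (prev + _canonical(event)).encode("utf-8"), hashlib.sha256).hexdigest()


def append_event(chain: list, event: dict, key: bytes = LOG_KEY) -> dict:
    """Append one event, binding it to the entry before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"event": event, "prev": prev, "mac": _mac(prev, event, key)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = LOG_KEY):
    """Return (True, None) if every link holds, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i  # an entry was removed or inserted before this one
        if not hmac.compare_digest(_mac(prev, entry["event"], key), entry["mac"]):
            return False, i  # this entry's content or MAC was altered
        prev = entry["mac"]
    return True, None


def build_sample_chain() -> list:
    """Constructed admin/operator events of the kind the checklist says must be logged."""
    events = [
        {"ts": "2018-02-05T09:00:00Z", "actor": "dba-01", "action": "login", "target": "db-prod"},
        {"ts": "2018-02-05T09:05:12Z", "actor": "dba-01", "action": "export", "target": "customers", "rows": 2500},
        {"ts": "2018-02-05T09:07:40Z", "actor": "dpo-01", "action": "dsar-fulfilled", "target": "C-1001"},
        {"ts": "2018-02-05T09:09:03Z", "actor": "dba-01", "action": "logout", "target": "db-prod"},
    ]
    chain = []
    for ev in events:
        append_event(chain, ev)
    return chain


def detect_edit() -> tuple:
    """Scenario: the actor on the bulk-export entry is changed after the fact."""
    chain = build_sample_chain()
    chain[1]["event"]["actor"] = "someone-else"
    return verify_chain(chain)


def detect_deletion() -> tuple:
    """Scenario: the export entry is removed; the next entry's 'prev' no longer matches."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("edited entry:", detect_edit())
    print("deleted entry:", detect_deletion())
```

The chain only detects tampering; it does not prevent it. It still needs the key kept away from the accounts it monitors and a periodic verification run (the "regularly reviewed" part of the checklist), ideally from a separate system that also keeps the latest MAC, so that truncating the whole tail of the log is noticed as well.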
31. Under GDPR – We are All One Family
32. There are options… where to start
• Subsetting Data used in Test/QA and Dev
• Data Minimization
• Pseudonymisation / Masking
• Rigid Roles Based Access Controls and Management
• Reduce Unauthorized Access to PII/PHI
• Automatic Logging and Monitoring of User Activities (Regular Testing)
• Lock Down Download and Mobile Media Ability
• Make “Data in Motion” and “At Rest” Unintelligible
• Format Preserving Encryption
• Field; Column; Row Encryption
• Encrypt Workstations (& Laptops) or Full Disk Encryption with Individual Workstation Keys
• Provide end to end encryption (in motion and at rest)
33. Some First Steps…
• Reduce the number of Access Points (Minimize User and Authorized Access)
• Segregate, As Much As Possible, the Production Users – Testers – Developers and QA Users
• Ensure Secure Data Transmission
• Rigidly Restrict Access by Well Defined Role/Authorization
• Prevent Data Download to Portable Media
• Ensure Comprehensive Training on Handling PII/PHI as Part of Employee Code of Ethics
• Reduce # of people who are “authorized to see” Sensitive Data (PII/PHI)
34. Some First Steps…
• Minimize; Pseudonymise; Mask Data as Much as Viable
• Ensure Data Secured “At Rest” and “In Motion”
• Rigidly Restrict Access by Well Defined Role/Authorization
• Implement End Point Security (DLP)
• Deliberately Reduce Potential Attack Surfaces (Vulnerabilities) that Potentially Expose PII/PHI
• Administer Regular Tests & Audits on Internal and 3rd Party “Data Privacy by Design and Default” Procedures, Policies and Protocols
35. OPTIONS (not mutually exclusive)
Data At Rest
• Pseudonymisation and Masking
• Rigid Roles Based Access Controls and Management
• Encrypt Workstations (& Laptops) to Prevent Download and Export
Data In Motion
• Safe or Encrypted Transfer (SFTP (connection); encrypt (the data))
• TLS Tunnel and/or ZIX for mail transport
Data In Use
• Data Minimization
• Data Subsetting
• Rigid Roles Based Access Controls and Management
• Pseudonymisation and Masking
• Format Preserving Encryption
• Field; Column; Row Encryption
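Slides 15, 32 and 35 list subsetting, data minimization, pseudonymisation and masking as the lower-risk options for copies of personal data that leave production (test, QA, dev, or a 3rd party processor). The Python below is an added example written for this page, not Leidos code or part of the original deck; the pseudonymisation key, the field names and the sample records are constructed assumptions. It shows the three controls working together on a small record set: a keyed HMAC gives stable one-way pseudonyms (joins still work, reversal needs the key the test environment never receives), masking keeps the field format so downstream parsers and UIs keep working, and minimisation drops every field the task did not justify, refusing special-category fields outright. Format-preserving encryption and column encryption, the harder end of the slide 15 spectrum, are not implemented here.

```python
"""Reducing PII exposure in non-production copies: minimisation, pseudonymisation and
format-preserving masking.  Added example for this page; the key, field names and
sample records are assumptions, not Leidos data or code."""
import hashlib
import hmac

# Constructed sample records; the people, addresses and numbers are invented.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "phone": "+44 20 7946 0001", "religion": "undisclosed", "balance": 120.50},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.org",
     "phone": "+44 20 7946 0002", "religion": "undisclosed", "balance": 75.00},
    {"customer_id": "C-1003", "name": "Cy Test", "email": "cy@example.org",
     "phone": "+44 20 7946 0003", "religion": "undisclosed", "balance": 0.00},
]

# Hypothetical pseudonymisation key.  It stays with the controller; test/QA/dev
# environments receive only the tokens and therefore cannot reverse them.
PSEUDONYM_KEY = b"hypothetical-key-kept-out-of-test-environments"

# Special-category fields (the slide 4 list names religion, ethnicity, biometrics);
# a non-production copy almost never has a justification for them.
SPECIAL_CATEGORY_FIELDS = {"religion", "ethnicity", "biometric", "health"}


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way token (HMAC-SHA256, 16 hex chars): the same input always maps to
    the same token, so joins across tables still work, but without the key nobody
    can walk back from token to identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        return email
    return f"{local[0]}***@{domain}"


def mask_phone(phone: str, keep_last: int = 2) -> str:
    """Format-preserving mask: spacing and punctuation survive, every digit except
    the last `keep_last` becomes 'X'."""
    total = sum(ch.isdigit() for ch in phone)
    out, seen = [], 0
    for ch in phone:
        if ch.isdigit():
            out.append(ch if seen >= total - keep_last else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def minimise(record: dict, allowed_fields) -> dict:
    """Data minimisation: keep only the fields the downstream task justified, and
    refuse special-category fields even if someone listed them as allowed."""
    allowed = set(allowed_fields) - SPECIAL_CATEGORY_FIELDS
    return {k: v for k, v in record.items() if k in allowed}


def subset_for_test(records, allowed_fields, limit):
    """Production -> test copy: a subset of rows, minimised columns, a pseudonymised
    identifier and masked contact fields."""
    out = []
    for rec in records[:limit]:
        rec = minimise(rec, allowed_fields)
        if "customer_id" in rec:
            rec["customer_id"] = pseudonymise(rec["customer_id"])
        if "email" in rec:
            rec["email"] = mask_email(rec["email"])
        if "phone" in rec:
            rec["phone"] = mask_phone(rec["phone"])
        out.append(rec)
    return out


def raw_pii_left(test_records, production_records) -> bool:
    """Gate before the copy leaves production: does any production value of a direct
    identifier still appear verbatim in the test set?"""
    raw = {rec[f] for rec in production_records
           for f in ("customer_id", "name", "email", "phone") if f in rec}
    return any(v in raw for rec in test_records for v in rec.values() if isinstance(v, str))


if __name__ == "__main__":
    fields = ["customer_id", "email", "phone", "balance", "religion"]
    test_copy = subset_for_test(SAMPLE_RECORDS, fields, 2)
    for row in test_copy:
        print(row)
    print("raw PII leaked:", raw_pii_left(test_copy, SAMPLE_RECORDS))
```

The `raw_pii_left` gate is the cheap check worth wiring into whatever job produces the copy: if the pseudonymisation or masking step is skipped for a new column, the export fails rather than shipping production identifiers to a lower-trust environment.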
36. Options: Specific Ideas
Data At Rest
• File Share
• BitLocker
• USB/Media Lock down
• DLP Policies
• Restricted Access to Db
Data In Motion
• CASB
• DLP
• Network Protocols
• ACLs
• VPN
• Firewall
Data In Use
• Rigid User Access Rules and Regular Reviews
• Proactive User Lifecycle Management
• Multi Factor Authentication
37. Thank You!