GDPR compliance and information security: Reducing data breach risks (IT Governance Ltd)
This webinar illustrates:
- An overview of the GDPR
- How an ISO 27001-aligned ISMS can support GDPR compliance
- The top risks that result in data breaches
- The benefits of implementing an ISMS
- The technical and organisational requirements to achieve GDPR compliance
- How to improve your overall information security in line with the GDPR’s requirements
A recording of the webinar can be found here: https://www.youtube.com/watch?v=s7XQwBQ6JMg
This webinar illustrates:
- Why staff awareness matters
- Assessing your culture
- Common challenges
- Generating a culture shift
- Monitoring progress and measuring success
A recording of the webinar can be found here: https://www.youtube.com/watch?v=8xbIt-5GnuM
The project “empoWering prIvacy and securiTy in non-trusteD envirOnMents” (WITDOM for short) is a three-year multi-disciplinary, Research and Innovation Action co-funded by the European Commission in the context of Horizon 2020, the EU Framework Programme for Research and Innovation.
WITDOM aims at protecting the privacy and security of data outsourced to untrusted ICT providers, such as clouds. By protecting sensitive data cryptographically and by applying the privacy-by-design paradigms, WITDOM will provide a holistic framework that addresses end-to-end security for sensitive data. WITDOM's data protection methods will be tailored to the risks associated with different classes of data, so that users remain immune to the threats, vulnerabilities, and risks that may affect remote data processing.
GDPR vs ISO
The similarities in Privileged Access Management (PAM) requirements
This mapping table aims to highlight the similarities in Privileged Access Management (PAM) requirements that exist between the General Data Protection Regulation (GDPR) and the international standard ISO/IEC 27001:2013. It should help readers understand how a ubiquitous privileged access management solution can be used to answer several compliance regulations without disrupting users’ and administrators’ daily activities. This mapping table distinguishes the direct and indirect values brought by PAM to help companies comply with both these regulations.
Traceability is the ability to verify the history, location, or application of an item by means of documented recorded identification. This presentation introduces its concepts, requirements and benefits in supply chain management.
Day 2.2 Paving the Road Towards Continuous Certification: OSCAL and the EUCS (Maitena Ilardia)
The European project MEDINA is analysing how to leverage OSCAL to achieve continuous certification, one step beyond continuous compliance, as required by the European cloud services certification scheme (EUCS). Presented at the US NIST OSCAL Workshop in February 2021.
TAICS - Cybersecurity Certification for European Market.pptx (Javier Tallón)
Taiwan Association of Information and Communication Standards (TAICS) organized a private event aimed mainly at Taiwanese developers and manufacturers who intend to integrate their products into the European market.
Due to the amount of existing cybersecurity legislation and methodologies in Europe, TAICS offered a webinar to clarify certain doubts, mainly regarding legal milestones and mandatory compliance when including an IT product in the European market.
The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals.
ISO/IEC 27701 is intended to be a certifiable extension to ISO/IEC 27001 certifications. In other words, organizations planning to seek an ISO/IEC 27701 certification will also need to have an ISO/IEC 27001 certification.
Steve Wood Generative AI and Data Protection Asia Privacy Bridge October 202... (stevewood900540)
A presentation given by Steve Wood, former UK Deputy Information Commissioner and Director of Privacyx Consulting, to the 2023 Asia Bridge Conference in Seoul, October 12, 2023.
In order to have a successful IG program, one of the eight (8) I... (MalikPinckney86)
In order to have a successful IG program, one of the eight (8) Information Risk Planning and Management steps is to develop metrics and measure results. From your required readings, discuss the value that metrics bring to the organization, and identify critical measures of success that should be tracked.
CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG?
A Review of the 8 Generally Accepted Recordkeeping Principles®
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
➢ Who?
➢ ARMA International & CGOC
➢ When?
➢ 2012
➢ Where?
➢ As part of the EDRM Project Version 3.0
➢ Why?
➢ To foster adoption by facilitating communication and collaboration between IG stakeholder functions: legal, records management, risk management, and business unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: A complex set of interoperable processes, together with the implementing procedures and structural elements that put them into practice
➢ Requirements:
➢ Understanding of business imperatives
➢ Knowledge of appropriate tools and infrastructure
➢ Sensitivity to legal and regulatory obligations
Inner Ring: Depicts a work-flow (life-cycle) diagram. Shows that information management is important at all stages of the lifecycle
How the IGRM Diagram relates to the Generally Accepted Recordkeeping Principles®
➢ Supports the ARMA Principles by identifying the cross-functional groups of IG stakeholders
➢ Depicts the intersecting objectives of the organization
➢ Depicts the relationship between duty, value and information assets
➢ Used by proactive organizations as an introspective lens to facilitate visualization, understanding and discussion concerning how to apply the “Principles” to the organization
➢ Puts focus on the “Principles”
➢ Provides essential context for the maturity model
Considerations in IG Policy Formation
➢ Best Practices?
➢ YES!
➢ Understand that Best Practices will vary per organization
➢ Review 25 generic Best Practices, Pages 75 and 76 of text book
➢ Standards?
➢ YES!
➢ Two types to consider
➢ De Jure Standards - Legal standards published by standards setting bodies such as ISO, ANSI, NIST, BTS and others
➢ De Facto Standards – Informal standards regarded by many as actual standards, arising through popular use (Example: Windows in the business world in 2001-2010). May be published by formal standards setting bodies without having “Formal” status
Benefits and Risks of Standards
Benefits
➢ Quality Assurance Support
➢ Interoperability Support
➢ I ...
The WITDOM first project presentation has been updated to include a summary of the results corresponding to the first 18 months of the project. The presentation includes a high-level overview of the project scenarios, methodologies to elicit requirements and to formalize them into technical requirements, as well as the initial architecture.
Webinar presented live on January 10, 2018.
Version 3.0 of Security for Cloud Computing: Ten Steps to Ensure Success has just been released for publication. Read it here: http://www.cloud-council.org/deliverables/security-for-cloud-computing-10-steps-to-ensure-success.htm
As organizations consider a move to cloud computing, it is important to weigh the potential security benefits and risks involved and set realistic expectations with cloud service providers. The aim of this guide is to help enterprise information technology (IT) and business decision makers analyze the security implications of cloud computing on their business.
In this webinar, authors of the paper will discuss:
• Security, privacy and data residency challenges relevant to cloud computing
• Considerations that organizations should weigh when migrating data, applications, and infrastructure to a cloud computing environment
• Threats, technology risks, and safeguards for cloud computing environments
• A cloud security assessment to help customers assess the security capabilities of cloud service providers
What approaches are being taken to tackle the policy challenges within the big data landscape, and how are these solutions coping in reality? This webinar will address these issues through the perspective of two projects: e-SIDES and SMOOTH. Daniel Bachlechner, of e-SIDES, will discuss the organizational and technical challenges that privacy-preserving big data technologies present, and how an increased level of dialogue between stakeholders can pave the way for appropriate and fair solutions. Rosa M. Araujo Rivero will delve into the main challenges experienced by SMEs and startups in dealing with GDPR compliance. Rosa’s work with the SMOOTH project will demonstrate how the proposed solutions are experienced in practice.
Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.
Security issues associated with the cloud
Cloud computing and storage provide users with capabilities to store and process their data in third-party data centers. Organizations use the cloud in a variety of different service models (with acronyms such as SaaS, PaaS, and IaaS) and deployment models (private, public, hybrid, and community).
Security concerns associated with cloud computing are typically categorized in two ways: as security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers (companies or organizations who host applications or store data on the cloud). The responsibility is shared, however, and is often detailed in a cloud provider's "shared security responsibility model" or "shared responsibility model." The provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected, while the user must take measures to fortify their application and use strong passwords and authentication measures.
When an organization elects to store data or host applications on the public cloud, it loses its ability to have physical access to the servers hosting its information. As a result, potentially sensitive data is at risk from insider attacks. According to a 2010 Cloud Security Alliance report, insider attacks are one of the top seven biggest threats in cloud computing. Therefore, cloud service providers must ensure that thorough background checks are conducted for employees who have physical access to the servers in the data center. Additionally, it is recommended that data centers be monitored frequently for suspicious activity.
CyNation: 7 Things You Should Know about EU GDPR (Iryna Chekanava)
An overview of the EU GDPR's key characteristics, its origins and the legal implications of non-compliance. It also provides the initial steps that an organisation needs to follow to operate in compliance with the new cyber security regulatory landscape.
Presentation by Mr. Kostas Gritsis at the event organised by Kyklos Ideon (Circle of Ideas) for National Reconstruction, in collaboration with the Foundation for International Legal Studies of Professor Ilias Krispis and with the support of the Hellenic American Union, on the topic:
“Personal Data Protection - Electronic Identification”
Personal Data Management after the adoption of the new General Regulation (GDPR) and Electronic Identification using the eIDAS network (eID_EU): operational, technical and institutional consequences
Wednesday 14 March 2018, at the Theatre of the Hellenic American Union
Participants in the discussion:
Lilian Mitrou, University of the Aegean - School of Engineering
Konstantinos Christodoulou, University of Athens - School of Law
Antonis Stasis, Ministry of Administrative Reconstruction - Directorate of e-Government
Chrysoula Michailidou, EETT, Legal Service
Giorgos Papastamatiou, FORTH-CRS
Kostas Gritsis, MICROSOFT
Fereniki Panagopoulou-Koutnatzi, Panteion University - School of Public Administration
Moderated by Petros Kavasalis, University of the Aegean - School of Engineering & Kyklos Ideon (Circle of Ideas) for National Reconstruction
https://ekyklos.gr/ev/581-14-3-2018-prostasia-dedomenon-ilektroniki-taftopoiisi.html
Trust and security technologies: Lessons from the CRISP project (Trilateral Research)
These slides present findings from Work Package 3 of the CRISP project. CRISP aims to develop an innovative evaluation and certification methodology for security products. This talk was given at the 7th Biennial Surveillance & Society Conference in Barcelona in April 2016.
ALL EYES ON RAFAH BUT WHY Explain more.pdf (46adnanshahzad)
All eyes on Rafah: But why? The Rafah border crossing, a crucial point between Egypt and the Gaza Strip, often finds itself at the center of global attention. As we explore the significance of Rafah, we’ll uncover why all eyes are on Rafah and the complexities surrounding this pivotal region.
INTRODUCTION
What makes Rafah so significant that it captures global attention? The phrase ‘All eyes are on Rafah’ resonates not just with those in the region but with people worldwide who recognize its strategic, humanitarian, and political importance. In this guide, we will delve into the factors that make Rafah a focal point for international interest, examining its historical context, humanitarian challenges, and political dimensions.
NATURE, ORIGIN AND DEVELOPMENT OF INTERNATIONAL LAW.pptx (anvithaav)
These slides help students of international law to understand the nature of international law and how international law originated and developed.
The slides are well structured, with highlighted points for better understanding.
How to Obtain Permanent Residency in the Netherlands (BridgeWest.eu)
You can rely on our assistance if you are ready to apply for permanent residency. Find out more at: https://immigration-netherlands.com/obtain-a-permanent-residence-permit-in-the-netherlands/.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
Responsibilities of the office bearers while registering multi-state cooperat... (Finlaw Consultancy Pvt Ltd)
Introduction
The process of registering a multi-state cooperative society in India is governed by the Multi-State Co-operative Societies Act, 2002. This process requires the office bearers to undertake several crucial responsibilities to ensure compliance with legal and regulatory frameworks. The key office bearers typically include the President, Secretary, and Treasurer, along with other elected members of the managing committee. Their responsibilities encompass administrative, legal, and financial duties essential for the successful registration and operation of the society.
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
Military Commissions details LtCol Thomas Jasper as Detailed Defense Counsel (Thomas (Tom) Jasper)
Military Commissions Trial Judiciary, Guantanamo Bay, Cuba. Notice of the Chief Defense Counsel's detailing of LtCol Thomas F. Jasper, Jr. USMC, as Detailed Defense Counsel for Abd Al Hadi Al-Iraqi on 6 August 2014 in the case of United States v. Hadi al Iraqi (10026)
Car Accident Injury Do I Have a Case.... (Knowyourright)
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
2. Certification as business card for accountability
In a video speech on 22 January 2018, Giovanni Buttarelli said that certification is a business card for accountability. He advised to “treasure past good practices taking into account the novelties”:
• The ISO context, but also national practices, moving towards a harmonisation of experiences through the EDPB criteria
• A “technologically neutral approach”, so as to avoid market distortions, and trust enhancers for consumers and users
• Clear criteria on who can accredit and certify
• Sustainable criteria at European level, plus dialogue with the organisations involved worldwide, such as the W3C Consortium and ISO
• Application of the certifications can make an innovative contribution, create new skills and jobs and compensate for the technological gap
• Paramount to involve all the stakeholders, including the certification bodies
3. General Methodology of the Commission Study
Scheme categories: full data protection; partly focusing on data protection; data protection related topics (cyber security)
Schemes examined:
• BSI BS 10012 (UK)
• TÜV Italia ISO/IEC 27001
• BSI ISO/IEC 27018 (UK)
• Certificazione ISDP 10003:2015 Data protection (IT)
• Datenschutzaudit beim ULD (DE)
• E-privacy app (DE)
• EuroPrise (DE)
• IkeepSafe Coppa Safe Harbor (US)
• Label CNIL digital safe boxes (FR)
• Health Personal Data Storage Agreement (FR)
• Myobi Privacy Seal (NL)
• Norea Privacy-Audit-Proof (NL)
• PrivacyMark System (JP)
• Privacy by Design Certification Ryerson (CA)
• TrustArc APEC CBPR certification (US)
Aspects covered: Scope; Normative criteria; Scheme arrangements; Conformity assessment; Certification issuance; Renewal; Monitoring; Sanction policy; Complaint and dispute management
Quick Scan: 117 schemes identified
Case studies: 15 schemes selected
Case studies: 8 themes analyzed
4. A privacy seal for Europe
Project funding: 1.3 million by the EU
July 2007 - February 2009
18 pilot projects
Over 65 experts accredited
Consortium: 9 partners from 8 EU Countries
5. From a small state to an EU-wide certification
IT products
• Hardware (e.g., an external hard disc drive secured by strong encryption methods)
• Software (e.g., a software module for obfuscation of video data or a fraud prevention software tool)
6. Europrise services
IT-based services
• Web-based services (e.g., a metasearch engine or a service for collaboration of medical professionals)
• Other services (e.g., a digitising service for photo negatives)
Websites (since 2016)
• Publicly accessible parts of a website (focus on interaction between website and website visitors)
7. Content of certifications – Targets of Evaluation
Cert. of IT products & IT-based services (controller services + processor services):
• The European Privacy Seal certifies that an IT product or IT-based service facilitates the use of that product or service in a way compliant with European regulations on privacy & data protection.
Cert. of websites:
• The seal certifies that data processing that results from the interaction between a visitor of a website and the website, when the visitor browses publicly available parts of the website, is compliant with European regulations on privacy & data protection.
8. Key factors for trust
Transparency:
• public criteria + procedure
Verifiability:
• publication of results
Credibility:
• reliability of auditors and recognition of certification bodies in DE
Compliance with General Data Protection principles
Technical-Organisational Measures: Accompanying Measures for Protection of the Data Subjects
Technology-specific and Service-specific Requirements
Data Subjects’ Rights
Rights under the ePrivacy Directive
11. Key factors: expertise of auditors
Mandatory accreditation (note: not to be confused with Art. 43 accreditation), a process called ‘admission’ managed by the EuroPriSe board
· External auditors can be accredited on the legal and/or technical audit side
· 1st step: applicant self-declaration of probity and independence
· 2nd step: technical and/or legal exam based on a use case
· The admission is granted for three years, renewable if the auditor conducted at least one EuroPriSe audit in this area in the meantime or if s/he followed an upgrade training proposed by EuroPriSe.
International high profile Advisory Board
13. What for
The scheme provides the principles and lines of control for a complete compliance assessment of the organisation's internal processes regarding protection of personal data, with particular reference to proper risk management.
Additionally, it details security requirements and controls, so that the data respect the levels of precision, accuracy, timeliness, consistency, completeness, credibility and updating required by current regulations regarding the protection of personal data, with particular attention to the principles of quality and security of the data processed, in compliance with the main international standards.
17. Outcome - Certification models
Certification scope models: Multi-sector v. Single-sector
Several schemes claim a multi-sectoral coverage, offering certification of processes in all business activities, while some others focus on dedicated business activities.
Multi-sector model: the scheme applies to all or certain processes in all business activities. Schemes: EuroPriSe, ISDP 10003:2015, JIPDEC PrivacyMark, Privacy by design certification Ryerson, Privacy-Audit-Proof, Privacy Seal MYOBI, TRUSTArc APEC CBPR, TUV Italia - ISO/IEC 27001 certification
Single-sector model: the scheme applies to one specific business activity. Schemes: BSI - ISO/IEC 27018, CNIL Safebox, CNIL - ASIP Santé, Datenschutzaudit beim ULD, E-Privacy App, IKeepSafe
18. All processes v. dedicated processes (tab. 3.4)
Outcome - Certification models
• Several of the certifications that were analysed certify all types of processes, while half of them focus on dedicated processes and two schemes only certify the conformity of management systems dedicated to personal data.
19. International v. national and sub-national certifications
Outcome - Certification models
• Several schemes have an international scope in the sense that they offer to certify entities established inside and outside the EU.
• Other certifications certify entities registered within the national territory of the scheme operator.
Certification scope: International v. National
Subnational model: the scheme applies within a subdivision of the national territory. Schemes: Datenschutzaudit beim ULD
National model: the scheme applies to a national territory. Schemes: CNIL Safebox, CNIL - ASIP Santé, Datenschutzaudit beim ULD, IKeepSafe (USA), JIPDEC PrivacyMark (Japan), Privacy-Audit-Proof, TRUSTe APEC CBPR (USA)
EU-wide model: the scheme applies to all the EU Member States. Schemes: BSI-BS 10012, BSI- ISO/IEC 27018, EuroPriSe, ISDP 10003:2015, Privacy by design certification Ryerson, TUV Italia - ISO/IEC 27001 certification
International model: the scheme applies worldwide or, at least, in the EU and outside the EU. Schemes: BSI-BS 10012, BSI- ISO/IEC 27018, EuroPriSe, ISDP 10003:2015, Privacy by design certification Ryerson, TUV Italia - ISO/IEC 27001 certification
20. Outcome - Certification models
Certification scope models: Single-issue certification v. Comprehensive certification
Dedicated GDPR provisions model (‘single-issue’): the scheme helps to demonstrate compliance with certain GDPR provisions. Schemes: BSI - ISO/IEC 27018 (Article 28), CNIL - SafeBox (Article 28), CNIL - ASIP Santé (Article 28), Privacy by design certification Ryerson (Article 25), TUV Italia - ISO/IEC 27001 certification (Article 32)
All GDPR model (‘comprehensive’): the scheme helps to demonstrate compliance with all GDPR provisions. Schemes: BSI - BS 10012, Datenschutzaudit beim ULD, E-Privacy App, EuroPriSe, ISDP 10003:2015
Certifications based on international standards seem to follow ISO/IEC’s approach, which encourages a dedicated/sectoral approach, while European schemes seem to prefer a more generic all-encompassing model.
Two opposing models
• On the one hand, a comprehensive model encompasses certifications certifying against the vast majority of provisions included in the GDPR or other data protection laws
• On the other hand, a single-issue certification model encompasses the schemes certifying the conformity with a single or limited number of legal obligations in the regulation.
21. Outcome - Certification models
Legal framework v. Standard v. Combined
Normative criteria
Normative basis: law. The scheme is based on a legal framework (EU or non-EU).
  CNIL - SafeBox, CNIL - ASIP Santé, Datenschutzaudit beim ULD, E-Privacy App, EuroPriSe, IKeepSafe (USA), ISDP 10003:2015, Privacy by design certification Ryerson, Privacy Seal MYOBI, Privacy-Audit-Proof
Standard model: the scheme is based on a standard issued by a national or an international standardization body.
  BSI - BS 10012, BSI - ISO/IEC 27018, JIPDEC PrivacyMark, TUV Italia - ISO/IEC 27001 certification
Combined model: the scheme refers both to a regulation and to one or several other normative bases (technical standard(s) and/or a code of conduct).
  BSI - BS 10012, BSI - ISO/IEC 27018, E-Privacy App, ISDP 10003:2015, Privacy by design certification Ryerson, TUV Italia - ISO/IEC 27001 certification
22. In scope of Art. 42
Because they are already accredited under ISO/IEC 17065:2012 for the certification of processes, services and products, in line with the requirements of Art. 43(1)(b).
23. Certification 17065 vs 17021
ISO/IEC 17021-1:2015 Conformity assessment — Requirements for bodies providing audit and certification of management systems
• Ensures the company's ability to organise itself and manage internal resources and processes in order to meet customer needs
• Usable as best practice
• Partially (implicitly) referred to in the GDPR (Art. 32)
Principles and requirements for the competence, consistency and impartiality of the audit and certification of management systems of ALL types, and for the bodies providing these activities.
Management system: a system to establish policy and objectives and to achieve those objectives.
ISO/IEC 17065:2012 Conformity assessment — Requirements for bodies certifying products, processes and services
• The overall aim of certifying products, processes or services is to give confidence to all interested parties that a product, process or service fulfils specified requirements. The value of certification is the degree of confidence and trust that is established by an impartial and competent demonstration of fulfilment of specified requirements by a third party.
• Certification of products, processes or services is a means of providing assurance that they comply with specified requirements in standards and other normative documents.
• It specifies requirements, the observance of which is intended to ensure that certification bodies operate certification schemes in a competent, consistent and impartial manner, thereby facilitating the recognition of such bodies and the acceptance of certified products, processes and services on a national and international basis, and so furthering international trade.
• This International Standard can be used as a criteria document for accreditation or peer assessment or designation by governmental authorities, scheme owners and others.
Editor's Notes
Good morning, everyone,
I am Marco Moreschini. I am giving my talk in Italian as a member of the Osservatorio, but I have also been, for some years now, a secondee from the Ministry of the Interior to the European institutions, and today at the European Data Protection Supervisor, which is why, to help the audience, I am projecting slides in English.
First of all, I would like to thank Osservatorio 679 and the EDPS for making it possible to organise this event, which aims to take stock of a complex subject that is still in progress and to stimulate debate among stakeholders and institutional interlocutors, also in order to spur the responsible institutional actors to complete the regulatory architecture of GDPR certifications itself.
As you will notice, since we refer to the same study, I will re-present some slides already shown to you by Eric Lachaud, but I will try not to be redundant in my overview, which aims to give you a picture of the best practices identified by the same study, commissioned by the European Commission in order to better exercise the prerogatives assigned to it by the GDPR.
As Professor Lachaud has already anticipated, the study carried out for the Commission rapidly reviewed 117 certification schemes, 87 of which are European and 7 of which relate to Italy.
Of the fifteen certification schemes analysed more closely, because they were considered more mature and as having characteristics in line with Articles 42 and 43, two were classified as fully within the scope of Article 42, best practices that could be immediately applicable under the GDPR.
In the same study, as we have seen, eight themes were analysed in more detail for all certification bodies, which in a certain way recall the criteria set out in the EDPB Guidelines.
The certifications concern IT products (hardware and software, but also network-based (web-based) services) and, since 2016, also websites, focusing attention on the relationship between users and the site. EuroPriSe therefore offers voluntary certification to the producers and vendors of these products. Creating reliability, or trust, for companies is the purpose of these certifications.
For products, therefore, the certification attests that the product fosters its use in a manner that complies with European regulation on privacy and data protection, while the website certification attests that the interaction between users and the public parts of the site complies with personal data legislation.
For reliability, and this applies to any type of certification, there are some factors that are indispensable.
Transparency, with the publication of the criteria and the simplicity of the procedure.
Verifiability, which must be shown through the publication of results, and finally there is credibility, which is given by the reliability and competence of the control and verification committee and by the qualifications of its staff.
The criteria, and the cover of the criteria catalogue is reproduced in this slide, as I was saying, the criteria "against" which the certification is carried out are aimed at ascertaining:
compliance with data protection principles, security measures, but also safeguards for data subjects, specific requirements, but also rights arising from the application of other rules that are still related to data protection, such as the ePrivacy Directive.
The procedure is simple:
after the contact/contract between the client and the certification body, a group of experts (third party) carries out the evaluation of the product or service before submitting the evaluation report to the review of an impartial Certification Authority, which assesses its methodology, consistency and completeness. Only after that is the Seal issued to the applicant entity.
The results of the verifications, and thus the certified processes and processing operations, are published online in a special register.
As we have already mentioned earlier, what lends credibility to this certification mechanism is an internal accreditation procedure for the experts who actually carry out the verifications and evaluations.
The technical and legal skills and competences of the evaluators are in fact assessed very meticulously, and an auditor can perform that role, once they have passed this genuine examination, for a period of three years. The Advisory Board is in fact composed of figures who are true leaders in this field and presides over this examination of the auditors.
Let us now move on to the other best practice cited by the Tilburg University study, namely the International Data Protection Scheme (ISDP), whose scheme owner is an Italian company, In-Veo of Rome.
It was created in 2015; accreditation by Accredia under European Regulation 765/2008 took place in 2016, shortly after the adoption of the General Data Protection Regulation. It was updated on the entry into force of the GDPR; it has, as the Commission's study reveals, international coverage and applies to every type of organisation. At the time of the study, 31 companies had been certified through this scheme, which has also been licensed to three other certification bodies. Moreover, the study explicitly tells us that the scheme is GDPR-ready and offers many advantages to small and medium-sized enterprises, as indeed hoped for by Article 42(1) of the GDPR.
This certification therefore meets all the requirements of Recital 100 of the GDPR, applying to products (processes) and services, and also those of Article 24, in short involving all the obligations of the controller in the fulfilment of all its accountability tasks or duties.
Logically, the certification of conformity is based on the GDPR, but also on the other international standards to which the Regulation itself refers. The interoperability of the ISDP scheme with the other standards is ensured by the use of the HLS, or High Level Structure, in practice new rules specified by ISO in new directives that establish a common structure to allow compatibility with the main ISO standards. The other standards are, for example, ISO 9001, ISO 19011 and ISO 17021-1 (audit methodology), ISO 2859-10 (sampling methodology), ISO 25012 and ISO 25024 (data quality model), ISO 31000 (risk management), Annex SL (drafting guide) and ISO 27001 (security).
The scheme therefore details and develops the data protection principles to be followed and offers us a plethora of controls that will be the auditors' weapon for scrupulously verifying the conformity of the processing under evaluation. Particular importance is placed on the risk assessment linked to each processing operation, rightly echoing the risk-based approach repeatedly recalled in the articles of the GDPR.
And linked to risk management there are all the various security solutions and controls that affect the accuracy, timeliness, completeness and credibility of the data, and in addition a whole series of technical measures aimed at implementing the principle of data quality, and not only data security.
This is the technical structure of the ISDP. As you can see, it adopts the process approach in order to plan, prepare, verify, review, keep effective, update, correct and possibly improve the conformity of personal data processing with the rules in force. And it does this by following the classic approach for management processes according to the scheme of the so-called Deming cycle.
By the term process, and it is worth specifying this here, we mean a set of correlated or interacting activities that transforms inputs into outputs.
Here you can see the meticulous articulation of the certification scheme (this is the index of the certification scheme), which probes and details all the activity linked to the processing operations of the organisation applying for certification. This meticulousness in the analysis is aimed at ascertaining the company's real willingness to conform to the rules on data processing.
The Commission's study reviews the characteristics that make the two certification models just described the best practices at European level.
First of all, the fact that they adapt to multiple business sectors and do not focus only on specific sectors.
Not only the sectors, but also the processes. As you can see, here too it is highlighted that EuroPriSe and ISDP cover all processes and certify the conformity of the entire personal data management system.
Geographical reach also defines the merits of the two certification schemes. Both can have an international scope, also certifying entities outside the EU, while many others have a reach and application that is at most European, if not only national.
Another merit is that they are comprehensive certifications, demonstrating conformity with the entire regulatory framework of the GDPR and not only with the processes and processing operations indicated in individual articles.
The Tilburg University study then noted the peculiarity that the certification models that follow international standards have a more sectoral approach, while the European ones prefer a certain comprehensiveness, covering all the sectors referred to by the GDPR.
As regards the guiding principles, the EuroPriSe model relies entirely on legal models, while ISDP interprets a combined model between laws and other normative bases, such as international technical standards and codes of conduct.
Here you see a summary and a comparison between some certification models according to some main characteristics or criteria. What emerges is that the characteristics we have already seen in the previous slides are indeed important, but are not decisive for placing EuroPriSe and ISDP among the GDPR-ready certifications, that is, those already ready, apart from some small further adjustments, for the GDPR. To be within the scope of Article 42, not only must the certification be voluntary, concern personal data and be issued on the basis of a third-party evaluation and not self-certification; it is also not sufficient that it concern unspecified processing operations.
The decisive factor and criterion is instead precisely the fact that these certification bodies are already accredited, as provided for by Article 43(1)(b), under ISO/IEC 17065, and are therefore qualified to certify not management systems, as under ISO/IEC 17021 (which accredits certification bodies qualified, for example, also to certify security under ISO 27001), but processes, products and services.
This fact seems precisely the key factor, for the researchers who carried out the study for the Commission, in considering certification models to be within the scope of Article 42, in line with the choices made in previous regulations (for example eIDAS, the NIS Directive or the Cybersecurity Act). To be within the scope of Article 42, one must therefore certify the product and not the system.
The other models described in the study are instead certified under ISO/IEC 17021, which is addressed to certification bodies that attest a company's ability to organise itself and manage internal resources in order to meet the needs of its clients. That standard can also be used as best practice and is partially and implicitly recalled by Article 32.
The ISO 17065 standard therefore serves to accredit certification bodies which certify that a product, a service or a process conforms to given requirements traceable to international standards or other normative bases.
It also serves to put at the centre criteria capable of making the certification activity consistent, impartial and competent, with the ultimate aim of fostering international trade.
According to the Tilburg study, therefore, the good practices of the past can be useful and offer valid models for the start of a new era of certifications. It is now up to the competent authorities to complete this complex design, also making the most of what already exists and making the ambitious harmonisation design of Regulation 679 effective and operational. Thank you.