EU GENERAL DATA PROTECTION REGULATION IN 30 MINUTES
MORE PRACTICAL INFO SESSION FOR SOFTWARE DEVELOPMENT
DIRECTIVE SAYS ”WHAT”, WE NEED TO DEFINE ”HOW”
TOMI JÄRVINEN – SECURITY SPECIALIST
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 1
Personal data
The definition is meant to be broad. "Personal data" is any information that someone is able to
link to an individual person, directly or indirectly:
credit card number, bank statements, medical record (even a mention of a rare
disease), full name, photo, phone number, birth date, e-mail address, car number
plate, physical characteristics… and IP address.
The definition is also technology neutral. It does not matter how the personal data
is stored: on paper, on whatever IT system, on a CCTV system, in photographs,
etc.
https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
EU Court of Justice ruled that IP addresses are protected personal data
https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular
Roles from legislation point of view: Data Controller, Processor and Data Subject
The data controller is the natural person, company, association or other entity that is
factually in control of the processing of personal data and is empowered to take the
essential decisions on the purposes and mechanisms of such processing, including the
applicable security measures. “Who is responsible for and owns the Data Subject’s information.”
A processor becomes a controller if he or she uses data for his or her own purposes, not
following the instructions of a controller (think about Google and targeted advertising).
Data Processor: Directive: “The natural or legal person, public authority, agency or any
other body, which processes personal data on behalf of the controller.” (Article 2(e) of the
Data Protection Directive.) If an organization holds or processes personal data, but does
not exercise responsibility for or control over the personal data, then this organization is a
"processor." Examples of processors include payroll companies, accountants and market
research companies, call centres of telecom or financial companies, all of which could hold
or process personal information on behalf of someone else.
Data Subject: The natural person the personal data relates to. One individual person
(Directive goal: to give full control of and knowledge about the storing and
handling of his/her personal data).
GDPR says “WHAT”, it doesn’t say “HOW”
Nothing about:
» specific tools to use
» specific processes to use
» specific standards to use
» examples or templates for solutions
» best practices for development, or guidelines for actual ”privacy engineering (privacy by default)”
Specs from GDPR??
GDPR demands (what) to system design (how)
At the moment guidelines are mostly at this level*:
» “Proactive not Reactive; Preventative not Remedial”
» “Privacy as the Default Setting”
» “Privacy Embedded into Design”
» “End-to-End Security — Full Lifecycle Protection”
» “Respect for User Privacy — Keep it User-Centric”
Not so practical or useful for system owners or application developers.
* Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada,
Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
Design principles – typical view and proposals
» Article 23 – “Data protection by design and by default”
» Minimise
  » collect only a limited set of attributes
  » select before collect
  » anonymization and pseudonyms
» Hide
  » hidden from application view if not necessary, e.g. a technical admin’s login cannot open the data content view
  » use of encryption of data (when stored or when in transit; key management -> encrypted back-ups)
» Control
  » user-centric identity management and end-to-end encryption support control
  » providing users direct control over their own personal data
» Enforce
  » a privacy policy compatible with legal requirements, and technical protection mechanisms that prevent
    violations of the privacy policy
» Demonstrate
  » in case of complaints or problems, controllers must immediately be able to determine the extent of any possible
    privacy breaches
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Personal Data Flow – subcontractor management (example)
[Diagram: boxes for Data Subject, Aditro’s Customer, Aditro, Application server in Finland, Cloud-based storage in USA, Administration and support in India (remote connections to systems), API, Data analytics, and Application development partner (outside EU/ETA); party labels Contractor, Vendor, Vendor’s subsidiary; region labels Finland, EU, USA, India; connections between systems marked HTTPS / SSL encryption, and the Data Subject side marked HTTPS / SSL encryption, EULA, input forms.]
In all boxes, note:
• Data retention (right to erasure)
• Minimisation
• Agreements
Image: based on PrivaOn presentation
Privacy inside application development process
• ”Privacy by Design” is today undefined
• Official privacy by design will be defined after precedent legal cases
[Diagram: privacy requirements and security requirements (PET*) feed the development process: backlog, P-I-A, privacy architecture, threat analysis, security testing, implementation, auditing, certification, data access process, data retention, backups. Evidence collection for accountability: technology (log, authentication), process (test reports, memos).]
* https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
http://privacypatterns.org/patterns/
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Guide to Privacy by Design Documentation for Software Engineers:
http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF
Excerpts from GDPR (total amount 85 Articles)
Article 30: “appropriate organisational and technical measures”
What are appropriate organisational and technical measures?
» Article 32 “Security of processing”: “ongoing confidentiality, integrity, availability and
resilience of systems and services processing personal data”; the ability to restore the
availability and access to “data in a timely manner”.
To do: e.g. documented security implementation, credible documented fault tolerance
» Breach notification process (Article 33). For a processor: ”alert and inform controllers
immediately”; no exact time in the last regulation proposal, only “without undue delay”. From the controller
to the data subject the time is 72 hr.
To do: e.g. every customer agreement must have an exact time
No panic, communication: ”unless the personal data breach is unlikely to result in a risk” vs. “breach
is likely to result in a high risk” = encryption?
Practical implementations
» Article 35 Data protection impact assessment (P-I-A)
To do: formal risk analysis, “privacy impact assessment” taking into account data
confidentiality
To do: e.g. “Where a type of processing, in particular using new technologies, and taking
into account the nature, scope, context and purposes of the processing, is likely to result
in a high risk”
» Article 28 “Processor”: “processor shall not enlist another processor without
the prior specific or general written consent of the controller”; no transfer of data
without the approval of the organization originally supplying the data
To do: e.g. subcontractor management and contract requirements
http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
Practical implementations
» Article 17 “right to erasure” (known as the right to be forgotten)
To do:
» Systems must have an option to search and delete individual user data,
removing data from the “operative level”, not from backups, logs, etc.
» Personal data segregation (sensitive/general), retention time per data type,
automated processes to delete data (e.g. 10 years in bookkeeping)
» But no panic button needed! Note 1: ”taking account of available technology”;
note 2: “data retention for compliance with a legal obligation”
» Generally, sanctioning: GDPR gives data subjects a private right of action in EU
courts. Data subjects will have a right to money damages from either controllers
or processors for harm caused by processing personal data. Every article has
sanctions of 10/20 M€ or 2/4% of turnover. No panic here (the scale is for Google,
Microsoft…).
Accountability by Design for Privacy: http://prescient-project.eu/prescient/inhalte/download/3-Butin.pdf
Practical implementations
» Article 14, “Right of access for the data subject (’s personal data)”:
“data subject shall have the right to obtain: … are being processed, where
processed, purpose of processing…”, “the recipients or categories of recipients
to whom the personal data have been or will be disclosed”
To do: log management; at the moment no one knows the exact requirements. After 2018,
after the first legal cases, there will be final answers. But good educated guesses can be
made. Customers will be asking for “all” to be sure. Big questions: what is a recipient? A single
person or an organization? Only data content?
» Article 22: ”be able to demonstrate that the processing of personal data is
performed in compliance with this Regulation”
To do: evidence* to prove information security: updated systems,
modern firewall, malware protection, documentation,
formal documented risk management, ISMS, ISO 27001; demonstrate somehow
to be compliant
http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
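The Minimise / Hide / Demonstrate design principles and the Article 17 and Article 14 to-do items above can be tried out in code. The following is an added example, not code from these slides or from Aditro: a personal-data store keyed by a pseudonym (a keyed hash of the identifier, with the pseudonym-to-identity map held apart from the records), whitelist-based collection, logged disclosures that feed a subject access report, and erasure and retention that delete at the operative level and unlink the pseudonym instead of hunting through backups and logs. The attribute whitelist, retention periods and sample subject are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed values, not taken from the slides: the attributes a payroll
# application may collect, and how long a record is kept per purpose
# (the 10-year bookkeeping period is the figure quoted on the erasure slide).
ALLOWED_ATTRIBUTES = {"full_name", "email", "salary"}
RETENTION = {
    "bookkeeping": timedelta(days=365 * 10),
    "marketing": timedelta(days=365),
}
SAMPLE_T0 = datetime(2017, 1, 23, tzinfo=timezone.utc)  # constructed reference time


class PersonalDataStore:
    """Operative store keyed by pseudonym. The pseudonym -> identity map is
    kept apart from the records, so backups and logs carry only pseudonyms."""

    def __init__(self, pseudonym_key: Optional[bytes] = None) -> None:
        # Key for the keyed hash; in production it belongs in a KMS/HSM, not beside the data.
        self._pseudonym_key = pseudonym_key or secrets.token_bytes(32)
        self._identity_map: Dict[str, str] = {}   # pseudonym -> real identifier
        self._records: Dict[str, dict] = {}       # pseudonym -> record
        self._access_log: List[dict] = []         # evidence: who received what, and when

    def pseudonym(self, identifier: str) -> str:
        # Hide: HMAC-SHA256 of the identifier. Without the key the pseudonym is opaque;
        # whoever holds the key can still recompute it, hence the separate storage.
        mac = hmac.new(self._pseudonym_key, identifier.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def collect(self, identifier: str, attrs: dict, purpose: str, now: datetime) -> str:
        # Minimise: "select before collect" - attributes outside the whitelist are dropped.
        if purpose not in RETENTION:
            raise ValueError(f"no retention rule for purpose {purpose!r}")
        kept = {k: v for k, v in attrs.items() if k in ALLOWED_ATTRIBUTES}
        p = self.pseudonym(identifier)
        self._identity_map[p] = identifier
        self._records[p] = {"attrs": kept, "purpose": purpose, "stored_at": now}
        return p

    def disclose(self, identifier: str, recipient: str, now: datetime) -> dict:
        # Demonstrate / Article 14: every disclosure is logged with its recipient.
        p = self.pseudonym(identifier)
        record = self._records.get(p)
        if record is None:
            raise KeyError("no personal data held for this subject")
        self._access_log.append({"pseudonym": p, "recipient": recipient,
                                 "fields": sorted(record["attrs"]), "at": now})
        return dict(record["attrs"])

    def erase(self, identifier: str) -> bool:
        # Article 17: delete at the operative level and unlink the pseudonym. Copies in
        # backups and logs (pseudonym only) remain, but can no longer be tied to a person.
        p = self.pseudonym(identifier)
        existed = self._records.pop(p, None) is not None
        self._identity_map.pop(p, None)
        return existed

    def expire(self, now: datetime) -> int:
        # Automated retention: purge records older than their purpose allows.
        due = [p for p, r in self._records.items()
               if now - r["stored_at"] > RETENTION[r["purpose"]]]
        for p in due:
            self._records.pop(p)
            self._identity_map.pop(p, None)
        return len(due)

    def is_linkable(self, pseudonym: str) -> bool:
        # A pseudonym seen in a log or backup resolves to a person only via the identity map.
        return pseudonym in self._identity_map

    def subject_access_report(self, identifier: str) -> dict:
        # Article 14: what is held, for which purpose, and to whom it was disclosed.
        p = self.pseudonym(identifier)
        record = self._records.get(p)
        recipients = sorted({e["recipient"] for e in self._access_log if e["pseudonym"] == p})
        return {
            "held": record is not None,
            "purpose": record["purpose"] if record else None,
            "data": dict(record["attrs"]) if record else {},
            "recipients": recipients,
        }


if __name__ == "__main__":
    store = PersonalDataStore()
    store.collect("alice@example.com", {"full_name": "Alice Example", "shoe_size": 39},
                  "marketing", SAMPLE_T0)
    store.disclose("alice@example.com", "newsletter-vendor", SAMPLE_T0)
    print(store.subject_access_report("alice@example.com"))
    store.erase("alice@example.com")
    print(store.subject_access_report("alice@example.com"))
```

The report after erasure still lists the earlier recipient, because the access log is evidence kept under a legal obligation and is not part of the operative data the subject can have deleted.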
The Fines
» The GDPR has increased fines for both data controllers and data processors who are prosecuted
for data protection breaches: between 2% and 4% of global annual turnover.
» Fines can be levied for an infringement of the data controller’s or data processor’s obligations
under the GDPR and not just for data security breaches.
» NOTE: fines will be based upon the seriousness of the infringement and the circumstances of the case,
including: (next slide)
“Circumstances”
» The nature, gravity and duration of the infringement
» The purpose of the processing concerned
» The number of data subjects affected
» The level of damage suffered by data subjects (including infringement of their rights)
» Whether the infringement was intentional or negligent
» Any action taken by the controller or processor to mitigate the damage suffered by data subjects
» The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented
» Any relevant previous infringements
» The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
» The categories of personal data affected by the infringement
» The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and, if so, to what extent
» Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
» Whether approved codes of conduct or approved certification mechanisms were in place
» Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement.
» Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place.
These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure
personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing
operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these
risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital. Organisational measures include
the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and
maintained.
* The controller will need to define 'high risk' and in the event of doubt, seek prior approval for the processing from the supervisory authority.
Flight East 2018 Presentation–Data Breaches and the Law
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
 
New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management New Security Legislation & It's Implications for OSS Management
New Security Legislation & It's Implications for OSS Management
 
New Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS ManagementNew Security Legislation and its Implications for OSS Management
New Security Legislation and its Implications for OSS Management
 
New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management New Security Legislation & Its Implications for OSS Management
New Security Legislation & Its Implications for OSS Management
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
DN18 | Privacy by Design for Blockchain | Silvan Jongerius | TechGDPR
DN18 | Privacy by Design for Blockchain | Silvan Jongerius | TechGDPR  DN18 | Privacy by Design for Blockchain | Silvan Jongerius | TechGDPR
DN18 | Privacy by Design for Blockchain | Silvan Jongerius | TechGDPR
 
How MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR complianceHow MongoDB can accelerate a path to GDPR compliance
How MongoDB can accelerate a path to GDPR compliance
 
Continuous PCI and GDPR Compliance With Data-Centric Security
Continuous PCI and GDPR Compliance With Data-Centric SecurityContinuous PCI and GDPR Compliance With Data-Centric Security
Continuous PCI and GDPR Compliance With Data-Centric Security
 
5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance5 key steps for SMBs for reaching GDPR Compliance
5 key steps for SMBs for reaching GDPR Compliance
 
GDPR (En) JM Tyszka
GDPR (En)  JM TyszkaGDPR (En)  JM Tyszka
GDPR (En) JM Tyszka
 
Privacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMSPrivacy experience in Plone and other open source CMS
Privacy experience in Plone and other open source CMS
 
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...
 
Automatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy StandardsAutomatski - The Internet of Things - Privacy Standards
Automatski - The Internet of Things - Privacy Standards
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
A Dynamic Intelligent Policies Analysis Mechanism for Personal Data Processin...
 
ISACA Houston - Practical data privacy and de-identification techniques
ISACA Houston  - Practical data privacy and de-identification techniquesISACA Houston  - Practical data privacy and de-identification techniques
ISACA Houston - Practical data privacy and de-identification techniques
 
20131008 agoria big data vs data protection
20131008 agoria big data vs data protection20131008 agoria big data vs data protection
20131008 agoria big data vs data protection
 

More from Tomppa Järvinen

Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"
Tomppa Järvinen
 
Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012
Tomppa Järvinen
 
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenKyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Tomppa Järvinen
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
Tomppa Järvinen
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research data
Tomppa Järvinen
 
Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015
Tomppa Järvinen
 
Data protection in Practice
Data protection in PracticeData protection in Practice
Data protection in Practice
Tomppa Järvinen
 
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudPilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Tomppa Järvinen
 
Safe use of cloud - alternative cloud
Safe use of cloud - alternative cloudSafe use of cloud - alternative cloud
Safe use of cloud - alternative cloud
Tomppa Järvinen
 
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Tomppa Järvinen
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011
Tomppa Järvinen
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaTomppa Järvinen
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_sh
Tomppa Järvinen
 

More from Tomppa Järvinen (13)

Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"Riskienhallinnan koulutus "public"
Riskienhallinnan koulutus "public"
 
Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012Tietoturvaa it kehitykselle 12 2012
Tietoturvaa it kehitykselle 12 2012
 
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminenKyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
Kyberrikos 2018 - verkkokaupan kyberriskit ja niihin varautuminen
 
Information security - what is going on 2016
Information security - what is going on 2016Information security - what is going on 2016
Information security - what is going on 2016
 
Information security and research data
Information security and research dataInformation security and research data
Information security and research data
 
Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015 Yliopistojen Projekti SIG 2015
Yliopistojen Projekti SIG 2015
 
Data protection in Practice
Data protection in PracticeData protection in Practice
Data protection in Practice
 
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public CloudPilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
Pilvipalvelut Hallitusti käyttöön SaaS & Public Cloud
 
Safe use of cloud - alternative cloud
Safe use of cloud - alternative cloudSafe use of cloud - alternative cloud
Safe use of cloud - alternative cloud
 
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
Pilvipalvelut lainsäädännön näkökulmasta 31.01.2012
 
Pilvipalvelut ja tietoturva - 24.5.2011
Pilvipalvelut ja tietoturva -  24.5.2011Pilvipalvelut ja tietoturva -  24.5.2011
Pilvipalvelut ja tietoturva - 24.5.2011
 
Pilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmastaPilvipalveluhanke tietoturvan nakokulmasta
Pilvipalveluhanke tietoturvan nakokulmasta
 
Service goes accessible_2013_sh
Service goes accessible_2013_shService goes accessible_2013_sh
Service goes accessible_2013_sh
 

Recently uploaded

Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 

Recently uploaded (13)

Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law:  Static vs. Dynamic Abusers0x01 - Newton's Third Law:  Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 

GDPR practical info session for development

  • 3. Roles from legislation point of view: Data Controller, Processor and Data Subject
    The data controller is the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing, including the applicable security measures. "Who is responsible for and owns the Data Subject's information."
    A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller (think about Google and targeted advertising).
    Data Processor: Directive: "The natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller." (Article 2(e) of the Data Protection Directive.) If an organization holds or processes personal data, but does not exercise responsibility for or control over the personal data, then this organization is a "processor." Examples of processors include payroll companies, accountants and market research companies, and call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.
    Data Subject: the natural person the personal data relates to. One individual person (the Directive's goal is to give the data subject full control of and knowledge about the storing and handling of his/her personal data).
  • 4. GDPR says "WHAT", it doesn't say "HOW"
    Nothing about:
    » specific tools to use
    » specific processes to use
    » specific standards to use
    » examples or templates for solutions
    » best practices or guidelines for development, i.e. actual "privacy engineering (privacy by default)"
    Specs from GDPR??
  • 5. GDPR demands (what) to system design (how)
    At the moment guidelines are mostly at this level*:
    » "Proactive not Reactive; Preventative not Remedial"
    » "Privacy as the Default Setting"
    » "Privacy Embedded into Design"
    » "End-to-End Security — Full Lifecycle Protection"
    » "Respect for User Privacy — Keep it User-Centric"
    Not so practical or useful for system owners or application developers.
    * Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada, Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
  • 6. Design principles – typical view and proposals
    » Article 23 – "Data protection by design and by default"
    » Minimise
      » collect only a limited set of attributes
      » select before collect
      » anonymization and pseudonyms
    » Hide
      » hidden from application view if not necessary, e.g. a technical admin's login cannot open the data content view
      » use of encryption of data (when stored or in transit; key management -> encrypted backups)
    » Control
      » user-centric identity management and end-to-end encryption support control
      » providing users direct control over their own personal data
    » Enforce
      » a privacy policy compatible with legal requirements, and technical protection mechanisms that prevent violations of the privacy policy
    » Demonstrate
      » in case of complaints or problems, controllers must immediately be able to determine the extent of any possible privacy breaches
    https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
  • 7. Personal Data Flow – subcontractor management (example)
    [Diagram: data flows between the Data Subject, Aditro's Customer, Aditro (application server in Finland), an application development partner (contractor), cloud-based storage in the USA (vendor) and administration and support in India (vendor's subsidiary, outside EU/ETA), connected through HTTPS/SSL-encrypted connections, APIs, remote connections to systems and data analytics. In all boxes, note: data retention (right to erasure), minimisation, agreements. Towards the data subject: HTTPS/SSL encryption, EULA, input forms.]
  • 8. [Diagram, based on a PrivaOn presentation: privacy requirements and security requirements feed the backlog, P-I-A, privacy architecture, threat analyses, security testing, implementation, auditing and certification, together with the data access process, data retention and backups; PETs* collect evidence for accountability, both technology (logs, authentication) and process (test reports, memos).]
    • "Privacy by Design" is today undefined
    • Official privacy by design will be defined after precedent legal cases
    * https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
  • 9. Privacy inside application development process
    http://privacypatterns.org/patterns/
    https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
    Guide to Privacy by Design Documentation for Software Engineers: http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
    https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
    https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF
  • 10. Excerpts from GDPR (85 Articles in total)
    Article 30: "appropriate organisational and technical measures". What are appropriate organizational and technical measures?
    » Article 32 "Security of processing": "ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data"; the ability to restore the availability and access to "data in a timely manner". To do: e.g. documented security implementation, credible documented fault tolerance.
    » Breach notification process (Article 33). For the processor: "alert and inform controllers immediately"; no exact time in the last regulation proposal, only "without undue delay". From controller to data subject the time is 72 hr. To do: e.g. every customer agreement must have an exact time. No panic; communication: "unless the personal data breach is unlikely to result in a risk" vs. "breach is likely to result in a high risk" = encryption?
  • 11. Practical implementations
    » Article 35 Data protection impact assessment (P-I-A). To do: formal risk analysis, "privacy impact assessment" taking data confidentiality into account. To do: e.g. "where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk".
    » Article 28 "Processor": "processor shall not enlist another processor without the prior specific or general written consent of the controller", i.e. no transfer of data without the approval of the organization originally supplying the data. To do: e.g. subcontractor management and contract requirements.
    http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
  • 12. Practical implementations
    » Article 17 "right to erasure" (known as the right to be forgotten). To do:
      » Systems must have an option to search and delete an individual user's data: remove the data from the "operative level", not from backups, logs, etc.
      » Personal data segregation (sensitive/general), retention time per data type, automated processes to delete data (e.g. 10 years in bookkeeping)
      » But no panic button needed! Note 1: "taking account of available technology"; note 2: "data retention for compliance with a legal obligation"
    » Generally, sanctioning. GDPR gives data subjects a private right of action in EU courts. Data subjects will have a right to money damages from either controllers or processors for harm caused by processing personal data. Every article has sanctions of 10/20 M€ or 2/4% of turnover. No panic here (the scale is for Google, Microsoft…).
    Accountability by Design for Privacy: http://prescient-project.eu/prescient/inhalte/download/3-Butin.pdf
  • 13. Practical implementations
    » Article 14, "Right of access for the data subject ('s personal data)": the data subject shall have the right to obtain "... are being processed, where processed, purpose of processing...", "the recipients or categories of recipients to whom the personal data have been or will be disclosed". To do: log management; at the moment no one knows the exact requirements. After 2018, after the first legal cases, there will be final answers. But good educated guesses can be made. Customers will be asking for "all" to be sure. Big questions: what is a recipient? A single person or an organization? Only data content?
    » Article 22: "be able to demonstrate that the processing of personal data is performed in compliance with this Regulation". To do: evidence* of information security: updated systems, modern firewall, malware protection, documentation, formal documented risk management, ISMS, ISO 27001; demonstrate somehow to be compliant.
    http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
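    The design principles on slide 6 (minimise, hide, demonstrate) and the to-do items on slides 12 and 13 (search and delete per data subject, retention time per data type with automated deletion, the legal-obligation exception, and a log that can answer who received the data) are what a developer has to turn into code. The following is an added example, not from the deck or from Aditro: a small in-memory Python store that applies them. All names, categories, retention periods and sample records are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Retention period per data category. Values are constructed for illustration;
# the deck's own example is 10 years for bookkeeping data.
RETENTION = {
    "bookkeeping": timedelta(days=365 * 10),
    "support_ticket": timedelta(days=365 * 2),
    "marketing": timedelta(days=365),
}
# Categories kept under a legal obligation (slide 12, note 2): an erasure
# request does not remove them; they leave the system through retention instead.
LEGAL_HOLD = {"bookkeeping"}


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed pseudonym ("Hide"): without the key the identifier cannot be derived
    from the stored value, while the same subject always maps to the same
    pseudonym, so records stay linkable for erasure and access requests."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class PersonalDataStore:
    """Operative-level store plus the evidence trail needed to "Demonstrate"."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []      # {pid, category, value, stored_at}
        self.disclosures = []  # {pid, recipient, when}: who received the data (Article 14)
        self.audit = []        # erasure and purge events kept as accountability evidence

    def store(self, subject_id, category, value, when):
        # "Minimise": refuse data that has no retention rule, so nothing is kept open-ended
        if category not in RETENTION:
            raise ValueError(f"no retention rule for category {category!r}")
        self.records.append({"pid": pseudonym(subject_id, self._key),
                             "category": category, "value": value, "stored_at": when})

    def disclose(self, subject_id, recipient, when):
        self.disclosures.append({"pid": pseudonym(subject_id, self._key),
                                 "recipient": recipient, "when": when})

    def access_report(self, subject_id):
        """Answer a right-of-access request: what categories are held and who received them."""
        pid = pseudonym(subject_id, self._key)
        return {
            "categories": sorted({r["category"] for r in self.records if r["pid"] == pid}),
            "recipients": sorted({d["recipient"] for d in self.disclosures if d["pid"] == pid}),
        }

    def erase(self, subject_id, when):
        """Right to erasure: drop operative records except those under a legal hold.
        The disclosure log and audit trail are evidence and are deliberately kept."""
        pid = pseudonym(subject_id, self._key)
        keep, erased = [], 0
        for r in self.records:
            if r["pid"] == pid and r["category"] not in LEGAL_HOLD:
                erased += 1
            else:
                keep.append(r)
        self.records = keep
        self.audit.append({"event": "erasure", "pid": pid, "count": erased, "when": when})
        return erased

    def purge_expired(self, now):
        """Automated retention: delete every record older than its category's period."""
        keep, purged = [], 0
        for r in self.records:
            if now - r["stored_at"] >= RETENTION[r["category"]]:
                purged += 1
            else:
                keep.append(r)
        self.records = keep
        self.audit.append({"event": "retention_purge", "count": purged, "when": now})
        return purged


def demo():
    """Walk one constructed data subject through store, disclose, erase and purge."""
    key = b"constructed-demo-key-not-a-real-secret"
    t0 = datetime(2017, 1, 23, tzinfo=timezone.utc)  # fixed clock for a reproducible run
    store = PersonalDataStore(key)
    store.store("alice@example.com", "bookkeeping", "invoice 1001", t0)
    store.store("alice@example.com", "marketing", "newsletter opt-in", t0)
    store.store("bob@example.com", "marketing", "newsletter opt-in", t0)
    store.disclose("alice@example.com", "Payroll Vendor Oy", t0 + timedelta(days=1))

    before = store.access_report("alice@example.com")
    erased = store.erase("alice@example.com", t0 + timedelta(days=30))   # marketing goes, bookkeeping stays
    after = store.access_report("alice@example.com")
    purged = store.purge_expired(t0 + timedelta(days=365 * 10))          # everything has now expired
    return {"before": before, "erased": erased, "after": after,
            "purged": purged, "remaining": len(store.records)}


if __name__ == "__main__":
    print(demo())
```

    The erasure deliberately leaves the bookkeeping record and the disclosure log in place: the former is the legal-obligation case the deck's note 2 points at, the latter is the evidence a controller needs to answer "to whom was it disclosed" even after the data itself is gone. Backups are outside this store, which matches the deck's point that erasure targets the operative level.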
  • 15. The Fines
    » The GDPR has increased fines for both data controllers and data processors who are prosecuted for data protection breaches: between 2 and 4% of global annual turnover.
    » Fines can be levied for an infringement of the data controller's or data processor's obligations under the GDPR and not just for data security breaches.
    » NOTE: fines will be based upon the seriousness of the infringement and the circumstances of the case, including: (next slide)
  • 16. "Circumstances"
    » The nature, gravity and duration of the infringement
    » The purpose of the processing concerned
    » The number of data subjects affected
    » The level of damage suffered by data subjects (including infringement of their rights)
    » Whether the infringement was intentional or negligent
    » Any action taken by the controller or processor to mitigate the damage suffered by data subjects
    » The degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented
    » Any relevant previous infringements
    » The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects
    » The categories of personal data affected by the infringement
    » The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and, if so, to what extent
    » Whether any previous measures ordered against the controller or processor relating to the same subject matter were complied with
    » Whether approved codes of conduct or approved certification mechanisms were in place
    » Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement
    » Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place. These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital.
    Organisational measures include the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and maintained.
    * The controller will need to define 'high risk' and, in the event of doubt, seek prior approval for the processing from the supervisory authority.