The document summarizes key points from a presentation on privacy for tech startups. It discusses why privacy is important for startups, provides practical information security controls startups can implement, and outlines new privacy principles from the GDPR that startups should be aware of. Some highlights include:
- Privacy should be a priority from the start and can help startups win trust among users and investors.
- Practical security controls include encrypting data, patching systems, training employees, and monitoring for vulnerabilities.
- The GDPR introduces new principles like data protection by design, security of processing, breach notification requirements, data protection impact assessments, and data protection officers.
Privacy for tech startups
1. Privacy for Tech Startups
Barcelona KnowledgeNet
June 18, 2014
#iappbcn
2. IAPP Presentation
• Marc Gallardo: Why is Privacy important for a Startup?
• Jay Libove: Practical Information Security controls for Startups
• Victor Roselló: New Privacy Principles for Startups
PART 1: Keynotes
• Marta Ruiz (Air Products)
• Tiago Henrique (opscaling, gnuine)
• Ferran Julià (Undertile)
PART 2: Panel
Q & A session
Program
4. Founded in 2000
Over 15,000 members in 83 countries
Largest privacy association in the world
IAPP Europe – created to address the specific needs of European data protection professionals – counts almost 2,000 members
IAPP
7. Online community
IAPP Privacy List
Web Conferences
Social Buzz
Blogs and Website
Resource Center
Samples, Tools and Templates
Privacy Research
Career Center
IAPP Articles and Presentations
Privacy Glossary
Data Protection Authorities
Privacy Discussions
8. Connecting the industry
More than a professional association, the IAPP provides a home for privacy professionals around the world to share experiences—working to promote career readiness and improve job effectiveness
9. Setting the industry standard
IAPP certification is the global standard for privacy
and data protection professionals.
• Launched nearly 10 years ago, the CIPP has become the preeminent credential in the field of privacy and educates on privacy laws and regulations (variants /US, /E, /CA, /G)
• The CIPM training demonstrates how to embed privacy into an organization through process and technology
• The CIPT is the world’s only privacy certification designed for IT, security and engineering pros
10. Privacy for Tech Startups
In short, think of privacy as a good opportunity to win trust among users and customers
11. Common attitude of startup founders
Privacy and Data Security is usually not a priority from the start!
Respecting Privacy and safeguarding data is a core value and a trust enabler for your customers & investors
12. Privacy attitudes of consumers
• The need to protect personal data online is a consumer priority against the benefits of convenient online services
13. EMC Privacy Index - June 12, 2014
15,000 consumers from 15 countries
Three Paradoxes emerged:
• “We want it all”
• “Take no action”
• “Social Sharing”
Viewpoints on privacy vary by persona
14. Be proactive & go beyond compliance
• Make privacy top of mind: consumers do care and investors are concerned
• Know your data
• Be fully transparent:
- Simplify the language
- Use ‘transparency statements’
- Do as your privacy notice says
• Secure your data and train your people
17. Practical Approach to Privacy
• We have a bad habit in Spain
– DP viewed as legal exercise, not business enabler*
– L.O.P.D. trailer on website is (not) enough
• .. And as much as imitation is the sincerest form of flattery…
• So, why would you bother? †
• Focus on business: Do security and get compliance
– Don’t do “compliance for compliance’s sake”
– Do well with practical DP, and if/when you have a problem, you have some defence
• Information Security is a part of Privacy/DP, necessary but not sufficient
18. Organizational
• Don’t put privacy/DPO in your Legal department *
• Make sure your outside counsel understands your business! **
• Do have an internal IT leader
• Have department heads meet regularly, as a group, with your privacy leader (cross-pollinate disciplines)
• Fund professional memberships and training/certifications (such as my CISSP, CIPP, CISM) †
19. Policies, Procedures* (philosophy)
• Privacy by Default/ Privacy by Design (operationalize)
• Privacy Impact Assessments (operationalize)
• Limit your IT Footprint, & only buy what you’ll use
• Re-Use, standardise – don’t reinvent †
– Open source, commercial Libraries
– OWASP libraries
– Commercial Emailer services
• Stay on Supported Versions
20. Policies, Procedures* (philosophy, cont’d)
• Use 2-Factor/ Multi-Factor/ Strong/ Two-Step authentication wherever practical
• Leverage Amazon AWS IAM and similar
• Know Before You Go (learn before using, especially OAuth)
• Insurance (general business, also “Cyber”)*
• Procedures, Checklists for when people leave your company
• Change Management
21. Awareness
• People, Process and Technology
– Acceptable Use Policy
• Subscribe everyone in your company to
– SANS OUCH*, and/or
– CyberHeist† newsletter, and/or
– Front Page of the New York Times, El Mundo, …
• Test your people
– Phishing email test
– Not just .EXE attachments, but .PDF, even .JPG, .MP3*
– USB drive left sitting around with autorun binary on it, …
• Check your Credit Card & Bank statements carefully
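The phishing-test bullets above make the point that a dangerous attachment is not only a .EXE; a .PDF, .JPG or .MP3 name can carry something else entirely. As an added example (not code from the original deck), this Python script checks whether an attachment's content matches the type its file name claims, using constructed sample attachments; the magic-byte table and extension lists are short hand-picked lists for illustration, not exhaustive standards.

```python
"""Check whether an e-mail attachment's content matches the type its name claims.

Added example for the awareness slide; it is not code from the original deck.
The attachments below are constructed samples (a few bytes each) so the
script runs offline. MAGIC, EXECUTABLE_EXTS, ALIAS and COMPOUND_OK are
short, hand-picked lists for illustration, not exhaustive standards.
"""
import os

# Leading bytes ("magic numbers") that identify common attachment formats.
MAGIC = {
    b"MZ": "exe",           # Windows PE file (.exe, .dll, .scr)
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpg",
    b"ID3": "mp3",
    b"PK\x03\x04": "zip",   # also the container format of .docx / .xlsx
}

# Extensions that run, or carry, code on a typical Windows desktop.
EXECUTABLE_EXTS = {"exe", "scr", "com", "dll", "bat", "cmd", "js", "vbs",
                   "ps1", "jar", "hta", "lnk"}

# Extensions that are the same format as one of the MAGIC kinds.
ALIAS = {"jpeg": "jpg", "scr": "exe", "dll": "exe", "docx": "zip", "xlsx": "zip"}

# Legitimate compound extensions that must not count as "double extension".
COMPOUND_OK = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def sniff_type(data: bytes) -> str:
    """Return the format implied by the first bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def declared_ext(filename: str) -> str:
    """Lower-case extension without the dot ('' if there is none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    findings = []
    ext = declared_ext(filename)
    kind = sniff_type(data)
    norm_ext = ALIAS.get(ext, ext)

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")

    # invoice.pdf.exe: the inner extension is the lure, the outer one is what runs.
    inner = declared_ext(os.path.splitext(filename)[0])
    if inner and inner != ext and (inner, ext) not in COMPOUND_OK:
        findings.append(f"double extension .{inner}.{ext}")

    if kind == "exe" and norm_ext != "exe":
        findings.append(f"content is a Windows executable but the name says .{ext}")
    elif kind not in ("unknown", "exe") and norm_ext != kind:
        findings.append(f"content looks like {kind} but the name says .{ext}")
    return findings


def scan(attachments: dict[str, bytes]) -> dict[str, list[str]]:
    """Assess every attachment; only names with findings appear in the result."""
    report = {}
    for name, data in attachments.items():
        found = assess_attachment(name, data)
        if found:
            report[name] = found
    return report


# Constructed sample attachments (first bytes only), not real files.
SAMPLES = {
    "quarterly_report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",       # PE file renamed to .jpg
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # classic double extension
    "song.mp3": b"ID3\x03\x00\x00\x00",
    "photo.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "backup.tar.gz": b"\x1f\x8b\x08\x00",
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

A real mail gateway or endpoint tool uses a far larger signature table, but the check itself (compare what the bytes say with what the name says, and distrust executable and double extensions) is the part worth teaching.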
23. Techie Things To Do
• Change default passwords!
• Encrypt everywhere where it’s easy to do
– Disks, Android & iOS mobile devices
– Network traffic (Web SSL, VPN)
– Wi-Fi infrastructure
– VoIP / SIP gateways
• do Backups*,**
• run Anti-Virus
• have Vulnerability awareness/ perform Patching
24. Techie Things To Do (cont’d)
• UAC, sudo – Don’t compute as Root!
• install Microsoft EMET
• if you create Windows code, opt-in to
– DEP, SEHOP, SafeSEH, ASLR
• buy (and use!) a UTM appliance
• enable Logging (& direct to different server)*
• consider subscribing to Anti-DDoS protection
• give your CFO a separate computer to do on-line banking…
25. Patching, Vulnerability awareness (desktop/client)
• Windows – WSUS, InTune *
• Secunia SmallBusiness* (beta), LANDesk Patch Manager*, BeyondTrust Retina free 256-IP edition
• Deploy everything you can with auto-updating
– More attacks come against apps today than against platforms
– But make sure you trust the software vendor†
• Choose commonly used, actively maintained products
26. Patching, Vulnerability awareness (server)
• Canonical (ubuntu) Landscape*, RedHat Network*
• Qualys free online vulnerability scan
• Auto-updating may not be appropriate
(but vulnerability management is still critical)
• Have a Test environment
– Use it for testing patches too
27. Some Great Free Tools
• LastPass † (Freemium model)
• Android, iOS Device Encryption*
• WSUS
• NTP
• SSH, RDP
• Microsoft EMET
• Windows Firewall, Linux iptables
28. More Great Free Tools
• OWASP code libraries (ESAPI)
• File Vault 2, TrueCrypt, BitLocker*, Windows 8.1 Device Encryption †
• Google Mobile Device Management
• EFF’s “HTTPS Everywhere” (Firefox, Chrome, Opera)**
29. … and some Not-So-Great “Free” tools
• Pirated software is NEVER a good idea
– It’s illegal, and it should go without saying that you should not do illegal things
– You don’t want others to steal YOUR stuff
– Pirated software very often comes with “extras”
• Viruses, Trojan horses
• Back doors, Spyware
30. Synergies
• Use the Cloud †
– AWS EC2 ELB, etc provides security front-end
– Cloud SaaS (anti-virus, IT management; converged services – buy one, more available for small add-on cost)
– Backup (Mozy*, Carbonite, …)
31. Targeted Training
• Developers – to avoid common tech errors
– Re-review the OWASP Top 10 every year
– Send one or two top developers to SANS training
• Marketing – to avoid creepy/annoying uses
– Meet with people like your presenters today
• Data Protection Official (IAPP CIPP, CIPM, CIPT!)
32. Human Things to Do
• Use Bookmarks/Favorites
– no typos, can include https:// explicitly
35. • Data protection by design & by default (art. 23).
• Security of processing (art. 30).
• Data breach notification to DPA (art. 31) & to DS (art. 32).
• Data Protection Impact Assessment (art. 33).
• Data Protection Officer (art. 35).
GDPR “new” principles
36. DP by design
• Data controller and processor.
• At the time of purposes and means determination.
• Appropriate and proportionate technical and organizational measures.
• Ensure data subject rights.
• Entire lifecycle.
• Accuracy, confidentiality, integrity, physical security and deletion of personal data.
DP by default
• No personal data processing beyond the minimum necessary for a predetermined purpose.
Data protection by design & by default
37. • A level appropriate to the risks. Nature of processing and of personal data (DPIA).
• Integrity, confidentiality, availability and resilience of systems.
• Reliable Back up process.
• Sensitive information?
• PII only accessed by authorized personnel.
• PII protected against accidental or unlawful destruction.
Security of processing
38. To DPA
• No undue delay.
• Nature of breach (categories and number of PII affected).
• DPO contact details.
• Measures recommended to mitigate effects.
• Consequences.
• Describe measures taken to mitigate effects.
• Document and public register.
To DS
• Notification to DS in case of adverse effect on personal data and privacy.
• Comprehensive and clear plain language.
Breach notification to DPA and DS
39. • Analyze potential risks (more than 5000 DS in 12-month period, sensitive PII).
• Description of processing operations and purposes of processing.
• Proportionality in relation to purposes.
• Risks to DS rights.
• How to minimize PII to be processed.
• Security measures.
• Data retention period.
• DP by design and by default.
• Categories and recipients of personal data.
• Data transfers to third countries.
• Context of data processing.
Data Protection Impact Assessment
40. • More than 5000 DS in 12-month period.
• Regular and systematic monitoring of DS.
• Special categories of PD.
• Inform and advise controller or processor.
• Monitor and implement policies, train staff and audit.
• DP by design and by default.
• Data breaches.
• DPIA.
• Co-operate with DPA.
• At least two years term. Might be reappointed. Employee or external contractor.
Data Protection Officer
The IAPP is the largest privacy association in the world and a leader in the privacy industry, facilitating conversations/debates and collaboration among key industry leaders and organizations.
The organization provides resources to support practitioners to develop and advance their careers while helping professionals and businesses navigate the complexities of the evolving environment.
Starting with just a handful of dedicated professionals, today the organization has more than 14,000 members across 83 countries
Membership has tripled in the last five years and the growth rate has been over 20 percent in each of the last two years
Daily Dashboard: The IAPP’s FREE daily e-newsletter, that summarizes the day’s top stories from around the world with links to the full articles—sent direct to your desktop each weekday!
Privacy Advisor: The Privacy Advisor, the IAPP’s digital monthly member newsletter featuring news and analysis of privacy issues worldwide from leading experts.
Privacy Tracker: Privacy Tracker is a member-only blog featuring the latest legislative developments and expert analysis.
Online Community
IAPP offers online educational and networking opportunities for those located in regions outside of in-person events
IAPP Privacy List
Connect with the IAPP community online to exchange ideas, share best practices and discuss privacy issues and concerns. The IAPP Privacy List provides a friendly forum for the exchange of ideas and information related to a broad scope of subjects.
Social Buzz
The IAPP is active on Twitter (@DailyDashboard has 1,450 followers), LinkedIn (1,222 followers) and Facebook (1,803 Likes).
Blogs
Privacy Perspectives and Privacy Tracker
Resource Center—members-only content on the IAPP website
Tools, templates, research, articles, job board and more.
More than a professional association, the IAPP provides a home for privacy professionals around the world to gather and share experiences - working to promote career readiness and improve job effectiveness
Several global events/conferences providing education and networking opportunities including the IAPP Global Privacy Summit, annual event held for the last 13 years; the IAPP Privacy Academy; IAPP Canada Privacy Symposium; IAPP Europe Data Protection Congress, IAPP Europe Data Protection Intensive
Events continue to attract industry thought leaders and policy makers, for example at the most recent Global Summit FTC Chairwoman Edith Ramirez made her first remarks in her new role
Navigate event brings academics, industry thought-leaders and others together for intellectual provocation and debate to shape the future of privacy
Launched nearly 10 years ago, the CIPP is the introductory training that educates on U.S. privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the United States.
The new CIPM training demonstrates how to embed privacy into an organization through process and technology
The CIPT is the world’s only privacy certification designed for IT, security and engineering pros
Proof Points:
Starting with just a handful of dedicated professionals, today the organization has more than 12,000 members across 78 countries
Currently there are more than 5000 certified privacy professionals
According to the latest IAPP Privacy Professionals Role, Function and Salary Survey professionals with their CIPP certification saw an increase in salary in 2013, outpacing even those with MBA’s
Privacy and more particularly ‘Personal Data Protection’ is a growing concern at this moment in our history. Tech startups have to think of it very seriously from the beginning of their project. This can provide a huge competitive advantage and not many are taking advantage of it today. At the same time you can expect investors to seek confirmation that you are privacy-savvy from the start.
Therefore, as a startup founder, think of privacy as not only a regulatory issue, which it certainly is, but as a human issue as well. People around the world are developing a real fear that they are losing control of their personal data, and politicians are reacting by increasing restrictions on what companies can do with the data they collect. To approach privacy in this context can put you in a position to become a future market leader.
When you start up your business your main goals are signing up users and raising money; privacy and data security are not top of mind!
This is wrong: privacy and data security must be strategic.
Understand your business model and know what data you are collecting. Don’t settle for open-ended or vague responses like ‘nothing sensitive’ or ‘no personal data’. Someone needs to understand exactly what data is being collected and why. And do not rely on intuition: the distinction between what is and is not personal data can be very tricky and highly technical.
As Jay and Victor will explain later on, using tools to properly secure data, and being proactive by implementing PbD and the other new principles, is the way to get it right: not only to be compliant, but also to seize the opportunity to win trust from your users or customers.
* Spain and southern Europe in general have the bad habit of approaching privacy as a legal, checkbox, paper exercise, driven by fear of the Regulator (and how the LOPD is used by Consumer organizations to invoke the power of the Regulator), rather than as pro-business risk management for enablement. (The George Washington Law Review, Vol. 81:1529 - Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, SSRN 2328877, Bamberger & Mulligan, 08/2013)
Copying someone else’s privacy statement is a very bad idea. They’re probably not as good at it as you think, and your business is probably different from theirs, so your copy of their privacy statement is unlikely to represent your information practices.
† You might want to get a large(r) round of investment or sell the company; then, the investors’/buyers’ due diligence will require them to look at your practical data protection posture!
* Most people in the company try to avoid talking with Law departments and with Lawyers, but you want Privacy to be Operational and integrated, so your DPO must be somewhere and someone who people will want to talk to, and you must instill a sense of information “ownership” in your managers whose business function gets the most value from each database.
** An outside lawyer is not part of your company. He does not understand you. So he cannot be practical in helping you do Data Protection. SP Contest example.
Operationalizing anything – general IT, privacy, data protection/ security, makes it more efficient and reliable. If you don’t have an IT Operations role, it will be difficult to operationalize information governance.
Your HR head probably doesn’t understand IT, and IT probably thinks HR just gets in the way; they must work together to facilitate what HR needs to do with data, while allowing for compliance.
† Yeah, I know, no time/money. In reality, it’s cheaper to fund this than to waste time searching for and reinventing that which is already readily available, if only your IT/privacy/developer guy knew about it from professional associations and conferences.
* Few, simple, and really teach your people about them, and evaluate their performance. Dusty policy books on the shelf which nobody ever reads are worse-than-useless.
PbD, PIA – One before, the other after, every project.
Footprint - The fewer different things you have, the less time you have to waste training, patching/updating.
Only custom develop that which is core to your business model. Re-use (open source, buy) everything else. Yes, even OpenSSL.
† Reinventing - Almost everyone who thinks they can implement their own Widget to save money ends up with a poor quality, expensive widget.
Reinvented, badly:
- Staray S125, S325 encrypted hard drives http://www.h-online.com/security/features/Cracking-budget-encryption-746225.html
- Lexar JumpDrives (ca. CY2004) stored the PIN retrievably on the drive
Re-use instead:
- OWASP Enterprise Security API (ESAPI)
- Session State Management – use the functions built in to your chosen framework (ASP .NET, PHP, J2EE, …)
- HTML Purifier to help avoid XSS in user-provided HTML code
- Zend Framework ZendInputFilter, ZendFilter, ZendValidate
- PHP PEAR
- Django for Python
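To show why “re-use, don’t reinvent” applies to HTML filtering in particular, here is an added example (not code from the presentation or from HTML Purifier) contrasting a home-grown blocklist filter with the allowlist approach that HTML Purifier takes. The payloads are constructed for the demo. The allowlist sanitizer is deliberately small: it is there to make the design visible, not to replace HTML Purifier, which additionally handles malformed markup, CSS, entities and the long tail of browser parsing quirks.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payloads for the demo.
IMG_PAYLOAD = "<img src=x onerror=alert(1)>"
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"
LEGIT_INPUT = ('<p>Hi <b>there</b> <a href="javascript:alert(1)">x</a> '
               '<a href="https://example.com">ok</a></p>')

# --- Blocklist: strip <script> tags and hope for the best. ---
SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def naive_strip_script(untrusted: str) -> str:
    """A typical home-grown filter: looks fine in a demo, fails in production."""
    return SCRIPT_TAG.sub("", untrusted)


# --- Allowlist: everything is dropped unless explicitly permitted. ---
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT = {"script", "style"}  # drop the text inside these, not just the tags
SAFE_HREF = re.compile(r"^(?:https?:|mailto:|/(?!/))", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (img, iframe, svg, ...) is dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is what drops every on* event handler
            value = (value or "").strip()
            if name == "href" and not SAFE_HREF.match(value):
                continue  # javascript:, data:, vbscript: URLs never get through
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            # Text is re-escaped, so anything that only *looks* like a tag stays inert.
            self.out.append(html.escape(data, quote=False))


def sanitize(untrusted: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in (IMG_PAYLOAD, NESTED_PAYLOAD, LEGIT_INPUT):
        print("naive   :", naive_strip_script(payload))
        print("allowlist:", sanitize(payload))
```

The blocklist passes the `onerror` handler untouched (it never looked for it) and turns the nested payload into a working `<script>` tag by removing the inner tokens. The allowlist never has that problem because it only ever emits tags and attributes it knows, which is the property you are buying when you reuse a maintained sanitizer.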
Commercial Emailers give you functionality (who opened it) as well as unsubscription management (avoids/defends spam complaints).
Unsupported software – Staying on XP or Java 1.5 or PHP 5.1 or … sounds like “If it ain’t broke, don’t fix it”. Until it breaks (or suffers a new, never-to-be-patched vulnerability).
2-Factor – The biggest single technical weakness is passwords.
IAM, etc – reduce privilege. Also, EC2 firewall rules, instance monitoring and alerting (is that CPU or bandwidth spike just business or is it an attack?)
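The EC2 firewall check a startup actually needs is “which of my security groups are open to the world on anything other than the ports that should be public?”. The following is an added example, not from the presentation: an audit over the shape of output that `aws ec2 describe-security-groups` returns, with two constructed groups (the group IDs are made up).

```python
from typing import Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed input in the shape of `aws ec2 describe-security-groups`
# (SecurityGroups[]); the IDs are invented for the demo.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0d4e5f6a", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # "-1" means all protocols and all ports; no FromPort/ToPort is present.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

Finding = Tuple[str, str, int, int, str]  # group id, protocol, from port, to port, source


def world_open_rules(groups: List[Dict],
                     allowed_public_ports=(80, 443)) -> List[Finding]:
    """Return every inbound rule that is reachable from anywhere, except
    single-port TCP rules on the ports that are meant to be public."""
    findings: List[Finding] = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto == "-1":
                low, high = 0, 65535
            else:
                low = perm.get("FromPort", 0)
                high = perm.get("ToPort", 65535)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr not in WORLD:
                    continue
                if proto == "tcp" and low == high and low in allowed_public_ports:
                    continue
                findings.append((sg["GroupId"], proto, low, high, cidr))
    return findings


if __name__ == "__main__":
    for gid, proto, low, high, cidr in world_open_rules(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {low}-{high} open to {cidr}")
```

In real use, feed it `json.load(...)["SecurityGroups"]` from the CLI output, and run it from a scheduled job so that a rule someone opened “just for a minute” while debugging generates an alert rather than staying open. The fix for the SSH finding is to replace `0.0.0.0/0` with the bastion or VPN CIDR, which is the same least-privilege principle as IAM applied to the network.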
OAuth – GREAT tool. Frequently implemented wrong, provoking risks *to others*.
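The presentation does not say which OAuth mistakes it has in mind; the two below are an assumption on my part, chosen because they are the ones that hurt other parties: an authorization server that matches `redirect_uri` loosely (so a token meant for one client can be sent to an attacker’s URL), and a client that does not bind the `state` parameter to the user’s session (so an attacker can log a victim into the attacker’s account). This is an added example with invented hostnames and client IDs, not code from the presentation or from any OAuth library.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# ---- Authorization-server side: redirect_uri must match a registered value exactly.
# Invented registration data for the demo.
REGISTERED_CLIENTS = {
    "startup-web": {"redirect_uris": {"https://app.example.com/oauth/callback"}},
}


def redirect_uri_is_registered(client_id: str, redirect_uri: str) -> bool:
    """Exact string match only. No prefix match, no 'same host' match, no
    normalisation: each of those has been used to steal codes and tokens."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


# ---- Client side: state is random, per login, bound to the session, single-use.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"   # invented
CLIENT_ID = "startup-web"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def begin_login(session: Dict[str, str]) -> str:
    """Store a fresh state in the server-side session and build the redirect."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session: Dict[str, str], callback_url: str) -> Optional[str]:
    """Return the authorization code only if state matches the one this session
    started with. The stored state is removed first, so it can be used once."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected, received):
        return None  # no login in progress, or state forged/replayed: abort
    return params.get("code", [None])[0]


if __name__ == "__main__":
    session: Dict[str, str] = {}
    print(begin_login(session))
    good = f"{REDIRECT_URI}?code=abc123&state={session['oauth_state']}"
    print("code:", handle_callback(session, good))
    print("replay:", handle_callback(session, good))
```

The remaining client-side step, exchanging the code for a token, must happen server to server over TLS with the client secret, never from the browser, and the token must never be placed in a URL.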
* When you first look at buying insurance which would help you in case of a “Cyber” incident, you probably won’t qualify! .. But the process of learning why you don’t qualify will be instructive to you.
People come first. Process helps People do right. Technology helps Process and limits People’s ability to screw up.
* SANS Ouch, April 2014 “You (yes, you) Are a Target”! Not because you’re so interesting, but just because you have stuff that the attackers can use to attack others.
Phishing tests are available cheaply from several security awareness vendors. Phishing plays on trust. We’re wired to trust. So we must verify, always.
† KnowBe4 publishes the CyberHeist newsletter, and offers phishing tests (one free, then subscription).
* In fact, almost any file attachment could be launched by a handler with a data format vulnerability, so you must mistrust all file types
Stuxnet, anybody?
VPNs help you test “From” anywhere (CDNs, latency) and also protect you against evil Wi-Fi access points and Man-in-the-Middle attacks.
* Security is traditionally described as Confidentiality, Integrity and Availability. Of these, business is usually most concerned with Availability. Backups keep you available (Disaster Recovery): Ransomware, Technology failure, Finger “oops”! …
** Those Finger “oops!” being actually the most common, use a (cloud) Backup solution which keeps multiple versions of files!
* Separate management domains between core operations and supporting systems like the Logging server, so that a compromise of the core system cannot also easily destroy the log data which you would need in order to investigate the incident.
* - commercial products/ services
Auto-updating: The fear was always that an update would break something operational. In truth this happens rarely, whereas hacks of unpatched software happens daily. Anything that patches itself, you don’t have to waste your time patching.
- Adobe Flash Player, Adobe Reader, Firefox, Chrome, Java, iTunes, QuickTime, KMPlayer
† Mobile Apps especially. Auto-updating there gets you a constant stream of new features. Somewhat
† LastPass’ free version is excellent, including for businesses. Its premium (personal) and enterprise (business) versions are even better. There’s no excuse to not use it!
* Note that not all Android variants encrypt all data, especially removable SD cards, and iOS has different “levels” of encryption. Be sure to read the manual, so to speak!
* BitLocker is only available on the Ultimate and Enterprise editions of Windows Vista/7, and on “Pro” and above from Windows 8 onwards.
† Windows 8.1 Device Encryption is completely automatic, but only on very new hardware which meets requirements.
** HTTPS Everywhere is great in theory; in practice I have found it can cause websites to malfunction, so approach with caution/ only for very technical users. But hopefully it will get better!
† Yes, we know, the Cloud may provoke regulatory concerns. But if it’s going to do security better than you otherwise would (despite Luke Skywalker’s success – twice – against the Death Star, unless your enemy is using the Force, Señor Vader igualmente como Señor Google, Señor Amazon y Señor Microsoft will have better security on their cloud-hosted Death Star than you will in anything you run yourself!), and its speed and cost efficiency will let you do more business, and more secure business, that’s Practical, and more defensible than having not done it.
* Some backup services, such as Mozy, allow you to control the Encryption Key.
Tech startups and SMEs have a long list of to-dos. Data security is one of them.
Tinder, the popular dating app, recently acknowledged flaws in its software that would let hackers pinpoint the exact locations of people using the service. Kickstarter, the crowdfunding site, also said that hackers had gained access to customers’ data, including passwords and phone numbers. Half joking, we can add: for many companies, a security breach would almost be a nice problem to have; it means you have enough customers for someone to care. (Except that we know that many breaches are opportunistic, so you don’t have to have enough customers for someone to care, in order for someone to care…!)
It’s a legal requirement. But more importantly, you want to maintain control over what they can do with your valuable data asset, so they don’t use it for their own gain, where you should have been getting that advantage yourself!