This document summarizes an upcoming presentation on preparing for the General Data Protection Regulation (GDPR). The presentation will cover what GDPR is, its key impacts and highlights, how to approach GDPR from an IT developer perspective securely, and conclude with a question and answer section. It will discuss GDPR requirements around personal data definitions, data subject rights, penalties for non-compliance, and how to design security and privacy into systems by default. It will also provide recommendations for organizations to discover, centralize and protect personal data, improve test data management practices, and securely expose data to users.
1. Ready for the data protection law
GDPR? No Panic!
ROME 24-25 MARCH 2017
Domenico Maracci
Stefano Sali
2. 1 > What is GDPR
2 > Highlights & Key Impacts
3 > How to approach GDPR from a secure, IT Developer perspective
4 > Q&A
3. • Replaces the 1995 Data Protection Directive (95/46/EC) with directly applicable law
• A single set of rules applies to all EU member states
GDPR
General Data Protection Regulation 2016/679
4. DIRECTIVE
A "directive" is a legislative act that sets out a goal that all EU countries must
achieve. However, it is up to the individual countries to devise their own laws on
how to reach these goals.
REGULATION
A "regulation" is a binding legislative act. It must be applied in its entirety
across the EU.
REGULATION vs DIRECTIVE
What is the difference between a Regulation (like e.g. GDPR) and a Directive (like e.g. PSD2)?
5. DATA SUBJECTS RIGHTS
to give citizens back the control of their personal data
HARMONISATION
to simplify the regulatory environment for international
business by unifying the regulation within the EU
PRIMARY OBJECTIVES OF GDPR
6. • Any information relating to an identified or identifiable
natural person (the 'data subject'); an identifiable person is
one who can be identified, directly or indirectly, for example by:
o Name
o ID number
o Location or address
o Physical characteristics (gender, colour, age, stature, etc.)
o Genetic data (inherited or acquired characteristics) and health data
o Physiological or mental characteristics (e.g. disability)
o Economic, cultural, religious or social identity (including racial or ethnic origin)
• Includes online identifiers such as IP addresses and cookie
identifiers where they can be linked back to the data subject.
• No distinction between personal data about
individuals in their private, public or work roles
GDPR DEFINITIONS
PERSONAL DATA
7. Personal Data Breach means a breach of
security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data
transmitted, stored or otherwise processed
Data controllers must notify a personal data breach to the supervisory authority (DPA) without undue
delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to
result in a risk to individuals' rights and freedoms. If the 72-hour deadline is not met, the notification
must give the reasons for the delay (Art. 33).
Where the breach is likely to result in a high risk to individuals, the controller must also communicate
it to the affected data subjects without undue delay (Art. 34).
GDPR DEFINITIONS
PERSONAL DATA BREACH
8. The GDPR establishes a tiered approach to
penalties: DPAs can impose fines of up to 10M€ or 2% of
total worldwide annual turnover for the lower tier of
infringements, and up to 20M€ or 4% for the most serious
ones (whichever is higher in each case) (Art. 83)
GDPR FINES
ARTICLE 83
9. Regulation applies to the processing of personal data
in the context of the activities of an establishment of
a controller or a processor in the Union, regardless of
whether the processing takes place in the Union or
not. (Art. 3)
Article 5(1)(f) needs to be taken into account because it
literally states: "Personal data shall be processed in a
manner that ensures appropriate security of the personal
data, including protection against unauthorised or
unlawful processing and against accidental loss,
destruction or damage, using appropriate technical or
organisational measures ('integrity and
confidentiality')."
10. Excerpt
One of the most important topics included in this Regulation is the chapter devoted to the
rights of the data subject. The bar has been raised and new rights have been included
that will profoundly impact the way IT will need to process and control personal
data. While the traditional rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17)
and objection (Art. 21) remain largely the same, a new right has been added, the
right to data portability (Art. 20); the right to erasure now explicitly includes the
right to be forgotten (Art. 17), and a right to restriction of processing has been
included (Art. 18).
11. Excerpt
Art. 25(2): "The controller shall implement appropriate technical and organisational
measures for ensuring that, by default, only personal data which are necessary for each
specific purpose of the processing are processed. That obligation applies to the amount of
personal data collected, the extent of their processing, the period of their storage and
their accessibility. In particular, such measures shall ensure that by default personal data
are not made accessible without the individual's intervention to an indefinite number of
natural persons." And Article 30 mandates keeping records of processing activities.
12. 1 > DISCOVER PERSONAL DATA ACROSS YOUR ORGANIZATION AND PROTECT IT
FROM UNAUTHORIZED ACCESS
2 > CENTRALIZE USER IDENTITY MANAGEMENT AND ACCESS CONTROL, IN
PARTICULAR (BUT NOT EXCLUSIVELY) FOR PRIVILEGED USERS
3 > MANAGE AND OPTIMIZE THE USE OF TEST DATA IN YOUR SOFTWARE DEVELOPMENT
LIFECYCLE AND CONSIDER IMPLEMENTING SYNTHETIC DATA GENERATION
4 > EXPOSE PERSONAL DATA TO DATA SUBJECTS IN A SECURE AND AUDITABLE WAY
KEY IMPACTS FOR IT ORGANIZATIONS
A FEW WORDS TO REVIEW
13. • Technical approach to GDPR
• Tools useful for Application Developers
• Demo
HOW TO APPROACH GDPR FROM AN IT SECURITY
PERSPECTIVE
18. • Static Code Analysis on Dev. Workstations
• Static Code Analysis on Scrum Delivery
• Penetration Test on Program Increment Delivery
• Penetration Test after Code Freeze
• Penetration Test SI/GA SaaS solution
SECURITY BY DESIGN/BY DEFAULT
19. Veracode delivers the application security solutions and services today’s software-driven
world requires. Veracode’s unified platform assesses and improves the security of
applications from inception through production so that businesses can confidently
innovate with the web and mobile applications they build, buy and assemble as well as the
components they integrate into their environments.
Veracode seamlessly integrates application security into the software lifecycle, effectively
eliminating vulnerabilities during the lowest-cost point in the development/deployment
chain, and blocking threats while in production. This comprehensive solution is managed
through one centralized platform and stems from a powerful combination of best-in-class
technology and top-notch security experts who offer remediation coaching and guidance
on processes.
COMING SOON …
20. It will be much harder to use production data for testing and
development
The GDPR strengthens existing legislation forbidding the use of
personal data for purposes other than the one it was collected for
Data can only be processed if (Art. 6):
• the data subject has given consent for the specific purpose
• it is necessary to perform a contract, to comply with a legal obligation, or
to protect the data subject's vital interests
• it is necessary for a task in the public interest, or for a legitimate interest
of the controller or a third party
Data shall not be retained "beyond the minimum necessary, in
terms of amount of the data and time of their storage", and shall
not be made accessible to an indefinite number of individuals
MANAGE TEST DATA IN SDLC
21. Excerpt
Data can only be processed if consent has been given for the specific purpose, if it is
necessary to perform a contract, comply with a legal obligation or protect the subject's vital
interests, or if it is necessary for the public interest or for a legitimate interest of the controller.
Organizations therefore need to mask personal data and other sensitive data, or take a subset
of production data, before using it for testing.
To realize the full benefits of better test data management you must strongly consider
implementing synthetic data generation, and review how test data is stored, managed and
provisioned.
Anonymisation and
Pseudonymisation
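As an added example (not part of the presentation and not CA Test Data Manager code), the following Python script pseudonymises a constructed two-table production extract for use in a test environment: identifiers are replaced with keyed HMAC tokens so that orders still join to customers, names are substituted with format-preserving fakes, e-mail addresses are replaced while keeping their shape, and date of birth is generalised to a ten-year band. The tables, name pools and key are all assumptions. Note that, as long as the key exists, the output is pseudonymised personal data in the sense of Art. 4(5), still inside the Regulation's scope; the key, not the dataset, is the thing to protect, and it must never be deployed alongside the test data.

```python
import hashlib
import hmac
import random
from datetime import date

# Constructed sample "production" extract (fictitious people, not real data).
CUSTOMERS = [
    {"id": 1001, "name": "Maria Rossi", "email": "maria.rossi@example.it",
     "dob": "1984-03-12", "city": "Roma"},
    {"id": 1002, "name": "Luca Bianchi", "email": "luca.bianchi@example.it",
     "dob": "1991-11-30", "city": "Milano"},
]
ORDERS = [
    {"order_id": 5001, "customer_id": 1001, "amount": 49.90},
    {"order_id": 5002, "customer_id": 1001, "amount": 12.50},
    {"order_id": 5003, "customer_id": 1002, "amount": 200.00},
]

# Hypothetical name pools used for format-preserving substitution.
FIRST = ["Anna", "Paolo", "Giulia", "Marco", "Sara", "Davide"]
LAST = ["Conti", "Ferrari", "Greco", "Marino", "Rizzo", "Verdi"]


def tokenize(value, key: bytes, field: str) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over field name + value.

    The field name is mixed in so equal values in different columns do not
    yield the same token (no cross-column linkage). Same key + same input
    -> same token, which keeps foreign keys consistent across tables.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def fake_name(token: str) -> str:
    """Realistic-looking name chosen deterministically from the pseudonym."""
    rng = random.Random(token)  # seeded by the token, so it is stable across runs
    return f"{rng.choice(FIRST)} {rng.choice(LAST)}"


def generalise_dob(dob_iso: str) -> str:
    """Reduce a date of birth (a strong quasi-identifier) to a 10-year band."""
    year = date.fromisoformat(dob_iso).year
    decade = year - year % 10
    return f"{decade}-{decade + 9}"


def pseudonymise_customers(rows, key: bytes):
    out = []
    for r in rows:
        cid = tokenize(r["id"], key, "customer_id")
        out.append({
            "id": cid,
            "name": fake_name(cid),
            # keep the e-mail *shape* so validation code is exercised, but no real address
            "email": f"{tokenize(r['email'], key, 'email')}@test.invalid",
            "dob_band": generalise_dob(r["dob"]),
            # kept as-is here; city is itself a quasi-identifier and should be
            # generalised too when the population per value is small
            "city": r["city"],
        })
    return out


def pseudonymise_orders(rows, key: bytes):
    # Orders carry no direct identifiers; only the foreign key is re-tokenised,
    # with the SAME field label as in customers so the join still works.
    return [{"order_id": r["order_id"],
             "customer_id": tokenize(r["customer_id"], key, "customer_id"),
             "amount": r["amount"]} for r in rows]


def mask_extract(customers, orders, key: bytes):
    return pseudonymise_customers(customers, key), pseudonymise_orders(orders, key)


def join_check(customers, orders) -> bool:
    """Referential integrity: every order must still point at a masked customer."""
    ids = {c["id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


if __name__ == "__main__":
    # Assumed key; in practice it comes from a secret store and never reaches the test env.
    key = b"pseudonymisation-key-for-this-extract"
    c, o = mask_extract(CUSTOMERS, ORDERS, key)
    for row in c + o:
        print(row)
    print("join ok:", join_check(c, o))
```

Because the tokens are keyed, two extracts masked with the same key are linkable to each other and, with the key, to production; rotate the key per extract if that linkage is not wanted, and treat the generalisation step as the part that actually reduces re-identification risk from the remaining quasi-identifiers.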
22. Innovate or Die
A new approach should be taken in order to take into account acceleration
and agile practice.
RISKY
• Sensitive data is stored inconsistently
• Complexity of masking everything
SLOW
• Few refreshes per year
• Manual masking and in-house tools and processes are slow and error-prone
INEFFECTIVE
• 10-20% test coverage
• No negative tests or future features
WHY PRODUCTION DATA DOESN'T DO THE JOB
23. [Diagram: CA Test Data Manager flow in six numbered stages. Sources: production data and files (XML, XLS, SQL, CSV, HTML, TXT and FD files, APIs, NoSQL). Processing: secure data subsets, data model generation, substitution variables, combinable functions and bulking scripts. Output: a Test Data Warehouse provisioning Test/Dev environments.]
SYNTHETIC DATA GENERATION IS THE SOLUTION
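An added example of the model-based approach this slide describes (illustrative code, not CA Test Data Manager): test data is generated from a small hypothetical model, the "cube" of dimensions a test run must cover, plus boundary and negative values per field, and a coverage() function reports which cells a given dataset misses. Running it against a constructed, skewed production-like sample reproduces the low-coverage problem of the previous slide, while the synthetic set covers every cell and includes negative cases, each row carrying an expect_valid flag so tests know which inputs should be rejected. Model, edge values and sample are all assumptions.

```python
import itertools

# Hypothetical data model: the dimensions every test run should cover and their domains.
MODEL = {
    "country": ["IT", "DE", "FR", "ES"],
    "customer_type": ["consumer", "business"],
    "payment": ["card", "sepa", "paypal"],
    "consent_marketing": [True, False],
}

# Boundary and negative values per field (assumed). A production extract rarely
# contains these, which is the "no negative tests" problem.
EDGE_CASES = {
    "amount": [0.00, 0.01, 12.34, 999999.99, -1.00],          # -1.00: must be rejected
    "email": ["ok@test.invalid", "", "no-at-sign", "a@" + "b" * 250 + ".invalid"],
}

# Constructed, skewed "production-like" sample: real traffic clusters on a few combinations.
PROD_SAMPLE = [
    {"country": "IT", "customer_type": "consumer", "payment": "card", "consent_marketing": True},
    {"country": "IT", "customer_type": "consumer", "payment": "card", "consent_marketing": True},
    {"country": "IT", "customer_type": "consumer", "payment": "card", "consent_marketing": True},
    {"country": "IT", "customer_type": "consumer", "payment": "sepa", "consent_marketing": True},
    {"country": "IT", "customer_type": "consumer", "payment": "card", "consent_marketing": False},
    {"country": "DE", "customer_type": "business", "payment": "card", "consent_marketing": False},
]


def is_valid_email(e: str) -> bool:
    """Deliberately simple validity rule; it only has to classify the edge cases above."""
    return e.count("@") == 1 and all(e.split("@")) and len(e) <= 254


def cube_cells(model):
    """Every combination of the dimension values: the cells of the test cube."""
    keys = list(model)
    return [dict(zip(keys, combo)) for combo in itertools.product(*model.values())]


def coverage(rows, model):
    """Fraction of cube cells hit by rows, plus the list of cells no row covers."""
    keys = list(model)
    all_cells = [tuple(c[k] for k in keys) for c in cube_cells(model)]
    seen = {tuple(r[k] for k in keys) for r in rows}
    missing = [dict(zip(keys, c)) for c in all_cells if c not in seen]
    return len(seen & set(all_cells)) / len(all_cells), missing


def generate(model, edge_cases):
    """One synthetic record per cube cell; boundary/negative values are cycled
    through with different periods so every value appears in several cells."""
    amounts, emails = edge_cases["amount"], edge_cases["email"]
    rows = []
    for i, cell in enumerate(cube_cells(model)):
        row = dict(cell)
        row["id"] = 900000 + i                 # synthetic key space, disjoint from production ids
        row["amount"] = amounts[i % len(amounts)]
        row["email"] = emails[i % len(emails)]
        # what the system under test is expected to do with this row
        row["expect_valid"] = row["amount"] >= 0 and is_valid_email(row["email"])
        rows.append(row)
    return rows


def report(rows, model):
    cov, missing = coverage(rows, model)
    return {"rows": len(rows), "coverage": round(cov, 3), "missing_cells": len(missing),
            "negative_rows": sum(1 for r in rows if r.get("expect_valid") is False)}


if __name__ == "__main__":
    print("production sample:", report(PROD_SAMPLE, MODEL))
    synthetic = generate(MODEL, EDGE_CASES)
    print("synthetic set:    ", report(synthetic, MODEL))
```

The missing-cell list is the actionable output: it tells the team which combinations no existing test data exercises, and the generator fills exactly those, which is the "find missing data, then synthetically generate or enhance" step from the speaker notes.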
24. Domenico Maracci
Principal Consultant, Application Delivery, CA Technologies
domenico.maracci@ca.com
Stefano Sali
Senior Principal Consultant Security, CA Technologies
stefano.sali@ca.com
@CA_Italy
Slideshare.net/CAInc
Linkedin.com/company/ca-technologies
ca.com/it
Editor's Notes
A "regulation" is a binding legislative act. It must be applied in its entirety across the EU.
A "directive" is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.
By using modern software such as CA API Management, organizations can add a front end that allows them to comply with the regulation without changing their current applications. In addition, CA API Live Creator can be used to build new APIs that include the appropriate controls and expose the required information to third parties.
Comparing the cost of modifying every application that currently manages personal data inside your organization with the cost of putting a single, standardized interface in front of them, one that can also be reused to comply with other industry regulations, is enough to understand the benefits of this approach.
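An added example (not CA API Management or CA Live API Creator code) of what "secure and auditable" has to mean for such a front end: a data-portability export bound to the authenticated data subject, with every request, granted or denied, written to a hash-chained audit log. The in-memory stores, the claims layout and the scope name are assumptions, and token verification is assumed to happen upstream in the gateway; the point shown here is the ownership check that stops one subject from enumerating other subjects' records by id, and an audit trail whose entries cannot be silently edited or dropped.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed in-memory stores standing in for the back-end systems.
CUSTOMERS = {"1001": {"name": "Maria Rossi", "email": "maria.rossi@example.it"},
             "1002": {"name": "Luca Bianchi", "email": "luca.bianchi@example.it"}}
ORDERS = {"5001": {"customer_id": "1001", "amount": 49.90},
          "5003": {"customer_id": "1002", "amount": 200.00}}

EXPORT_SCOPE = "data:export"   # assumed scope name granted by the authorization server


class AuditLog:
    """Append-only, hash-chained audit trail: each entry commits to the previous
    entry's hash, so editing or deleting one is detectable with verify()."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, subject_id, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "subject": subject_id, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = digest
        return True


def export_subject_data(claims, subject_id, audit):
    """Portability export for one data subject, returning (http_status, body).

    `claims` is the already-verified token payload (assumed shape: "sub" = the
    authenticated subject's id, "scope" = list of granted scopes). The handler
    enforces that the caller may see *this* subject's data and audits every outcome.
    """
    actor = claims.get("sub")
    if actor is None or EXPORT_SCOPE not in claims.get("scope", []):
        audit.record(actor, "export", subject_id, "denied:scope")
        return 403, {"error": "forbidden"}
    if actor != subject_id:
        # Ownership check: the id in the URL is never trusted on its own.
        audit.record(actor, "export", subject_id, "denied:not-owner")
        return 403, {"error": "forbidden"}
    profile = CUSTOMERS.get(subject_id)
    if profile is None:
        audit.record(actor, "export", subject_id, "not-found")
        return 404, {"error": "not found"}
    # Structured, machine-readable package: the subject's data across all stores.
    package = {
        "subject_id": subject_id,
        "profile": dict(profile),
        "orders": [dict(order_id=oid, **o) for oid, o in ORDERS.items()
                   if o["customer_id"] == subject_id],
    }
    audit.record(actor, "export", subject_id, "ok")
    return 200, package


if __name__ == "__main__":
    log = AuditLog()
    owner = {"sub": "1001", "scope": [EXPORT_SCOPE]}
    print(export_subject_data(owner, "1001", log))   # own data: 200 + JSON package
    print(export_subject_data(owner, "1002", log))   # someone else's id: 403
    print(json.dumps(log.entries, indent=1))
    print("audit chain intact:", log.verify())
```

The denied paths are logged with the same detail as the successful ones; a burst of "denied:not-owner" entries for one actor is exactly the enumeration attempt a SOC wants to see, and the chain lets an auditor prove the log was not trimmed afterwards.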
For more information, see http://transform.ca.com/beyond-masking-subsetting.html
Data can only be processed if consent has been given for the specific purpose, if it is necessary to perform a contract, comply with a legal obligation or protect the subject's vital interests, or if it is necessary for the public interest or for a legitimate interest of the controller.
You need to mask personal data and other sensitive data, or take a subset of production data, before using it for testing; this is important but not enough on its own.
Organizations wishing to realize the full benefits of better test data management must strongly consider implementing synthetic data generation, as well as reviewing how they store, manage and provision data.
Synthetic data generation is not only more effective in terms of time, quality and money, but often also proves easier and more secure than fully masking production data, given the right technology, processes and team structure changes.
Because it is not easy!
Story to tell:
1) Profile the data and model what exists: build a multi-dimensional cube/model
2) Apply sophisticated data coverage techniques and data visualization: find missing data enterprise-wide, invalid data, etc.
3) Synthetically generate/enhance the data based on this model so that it can satisfy every possible test