GDPR for software development
6.6.2018
Tiia Rantanen
Senior Developer
Bachelor of Engineering, information and communication technology, 2014
tirriainen
GDPR for devs and ops
1. The fines
2. The risk based approach of GDPR
Development
1. Data protection by Design
2. Data protection by Default
Operations
1. Data breaches
2. Notification to the supervisory authority
3. Server and application logs
8. Conclusion
The Fines??!!
The Data Protection Ombudsman (tietosuojavaltuutettu) in Finland monitors compliance;
their work is coordinated at EU-level.
The cost of falling foul of the rules can be high.
https://ec.europa.eu/justice/smedataprotect/index_en.htm
Risk Based Approach
● A risk is evaluated by the impact it would have, if realised, on the individuals whose data you hold
● Use an IT security risk management framework: mitigate the risks to the individuals whose data you process by adequately securing that data; a data flow diagram helps
● InfoSec (CIA triad, software security development lifecycle, OWASP Top 10 and so on...)
● When the processing is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) is mandatory
Implement protective measures corresponding to the level of risk of the data processing.
If you don’t evaluate risks, you cannot be compliant.
Development
Data protection by Design
Implement technical and organisational measures, at the earliest stages of the design of
the processing operations, in such a way that safeguards privacy and data protection
principles right from the start.
- pseudonymise (replacing personally identifiable material with artificial identifiers)
and/or anonymize personal data
- encrypt (encoding messages so only those authorised can read them).
- analyze risks
- make sure the entire lifecycle is managed in some way
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
Data protection by Default
By default, companies/organisations should ensure that personal data is processed with
the highest privacy protection so that by default personal data isn’t made accessible to an
indefinite number of persons.
- process only necessary data
- store only for the needed period (not indefinitely)
- limit access to the data
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
Data protection by Default and Design 1/2
“When developing, designing - producers of the products, services and applications
should - take into account the right to data protection when developing and designing
- products, services and applications and, with due regard to the state of the art, to
make sure that controllers and processors are able to fulfil their data protection
obligations.”
“Taking into account the state of the art, the cost of implementation and the nature,
scope, context and purposes of processing as well as the risks of varying likelihood and
severity for rights and freedoms of natural persons posed by the processing, the
controller shall - implement appropriate technical and organisational measures - in an
effective manner and to integrate the necessary safeguards”
● https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
What this means is that the tools for compliance have to be built into the software:
- individual rights (right to be forgotten, data export and so on…): you have 1 to 3 months to reply to a request, whatever is considered reasonable, e.g. for removing data permanently from backups
- pseudonymization
- logs (system level server logs, application level logs)
- encryption
- automatic opt-out
- and so on...
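The bullets of the Design slide (pseudonymise, manage the whole lifecycle) and the Default slide (only necessary data, limited retention, limited access) together with the export and erasure requests listed above, as one piece of added example code; it is not from the slide deck or from any product it names. The purposes, field allow-list, retention periods, key and sample values are constructed assumptions.

```python
"""Privacy by design and by default in a minimal personal-data store.

Added example, not from the slide deck. The purposes, field allow-list,
retention periods and sample values are constructed. It turns the slides'
bullets into code: keep only the fields a purpose needs, keep them only for
the needed period, pseudonymise the subject for logs and analytics, and
answer export and erasure requests while the audit trail holds no PII.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Data minimisation: the only fields each (constructed) purpose may store.
# "email" doubles as the data-subject identifier, so every purpose needs it.
ALLOWED_FIELDS = {
    "order_fulfilment": {"email", "name", "shipping_address"},
    "newsletter": {"email"},
}
# Storage limitation: how long a record for each purpose may live.
RETENTION = {
    "order_fulfilment": timedelta(days=365),
    "newsletter": timedelta(days=730),
}


def utc(year, month, day):
    """Aware UTC midnight for the given date (keeps the examples explicit)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def normalise(email):
    return email.strip().lower()


class PersonalDataStore:
    def __init__(self, pseudonym_key: bytes):
        self._records = {}         # record_id -> stored fields plus "_meta"
        self._key = pseudonym_key  # secret; kept away from the analytics side
        self.audit_log = []        # (timestamp, event, pseudonym): no PII

    def pseudonym(self, email):
        """Keyed pseudonym (HMAC-SHA256, truncated) for a data subject.

        A bare SHA-256 of the address could be re-identified by hashing a list
        of candidate addresses; the secret key rules that out for anyone who
        holds the pseudonyms but not the key.
        """
        mac = hmac.new(self._key, normalise(email).encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def _audit(self, event, email, now):
        self.audit_log.append((now.isoformat(), event, self.pseudonym(email)))

    def store(self, record_id, purpose, data, now):
        """Store a record for a purpose; return the fields that were refused."""
        if "email" not in data:
            raise ValueError("email identifies the data subject and is required")
        allowed = ALLOWED_FIELDS[purpose]
        kept = {k: v for k, v in data.items() if k in allowed}
        kept["_meta"] = {"purpose": purpose, "stored_at": now,
                         "expires_at": now + RETENTION[purpose]}
        self._records[record_id] = kept
        self._audit(f"store:{purpose}", data["email"], now)
        return set(data) - allowed

    def _owned_by(self, email):
        wanted = normalise(email)
        return [rid for rid, r in self._records.items()
                if normalise(r["email"]) == wanted]

    def purge_expired(self, now):
        """Storage limitation: delete every record past its retention period."""
        expired = [rid for rid, r in self._records.items()
                   if r["_meta"]["expires_at"] <= now]
        for rid in expired:
            self._audit("purge", self._records[rid]["email"], now)
            del self._records[rid]
        return len(expired)

    def export(self, email, now):
        """Right of access / portability: every record held about the subject."""
        out = [{k: v for k, v in self._records[rid].items() if k != "_meta"}
               for rid in self._owned_by(email)]
        self._audit("export", email, now)
        return sorted(out, key=lambda r: sorted(r.items()))

    def erase(self, email, now):
        """Right to erasure: drop the subject's records, keep only the audit event."""
        owned = self._owned_by(email)
        for rid in owned:
            del self._records[rid]
        self._audit("erase", email, now)
        return len(owned)

    def count(self):
        return len(self._records)
```

Run `purge_expired` from a scheduled job and the retention bullet is enforced automatically rather than by policy alone; the audit log can be kept much longer than the data because it never contains the data.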
Data protection by Default and Design 2/2
What is “state of the art”?
● A comprehensive, layered approach following modern cyber security standards; it applies to both development and operations.
There is no way to be sure before a precedent.
Image source: http://www.pinsdaddy.com/physical-security-layers-diagrams_HnU2%7CpG1mJSga3a88AGjQfqCr53P6kJ1DBYnoK7DEEDzFOCEVmrX1Io5zWJOzcpcMBph1G%7ChIaTmilpU6g6uGw/
Operations
Data breaches
● Notification to the supervisory authority must be made within 72 hours of detecting the breach; a later notification must be accompanied by the reasons for the delay
● When there is no need to notify the data subject:
○ If “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Remember the risk based approach.
○ If the data is encrypted
○ If the supervisory authority doesn’t say so :)
GDPR probably isn’t very actively supervised; authorities get their information from individuals whose rights have been violated or from data breach notifications.
So what about the fines when it comes to data breaches?
Notification to the supervisory authority
● Content of the notification:
○ describe the nature of the personal data breach including where possible, the
categories and approximate number of data subjects concerned and the
categories and approximate number of personal data records concerned;
○ communicate the name and contact details of the data protection officer or other
contact point where more information can be obtained;
○ describe the likely consequences of the personal data breach;
○ describe the measures taken or proposed to be taken by the controller to address
the personal data breach, including, where appropriate, measures to mitigate its
possible adverse effects.
● The controller shall document any personal data breaches, comprising the facts
relating to the personal data breach, its effects and the remedial action taken. That
documentation shall enable the supervisory authority to verify compliance.
Where do we get all of this data for the notification..? → Server and application logs
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
Server and application logs
● You must have enough logs to do the required forensics on the breach
○ How much logging do you need? Risk based approach, don’t overdo it.
○ Keep attackers away from the logs by storing them in a dedicated log database
○ The CIA triad (confidentiality, integrity and availability) must be applied to logging too
● Regular server logs might be enough, but...
○ Manage logs with ELK or some other tool
○ Use machine learning to automate log analysis (e.g. logz.io)
○ Take it to the next level
■ use threat hunting (HELK)
■ do auditing
■ build a SOC
■ run bug bounties
■ IPS, IDS, SIEM
■ and so on…
Logging is complicated. Solution: outsource hosting to a GDPR compliant company (like wp-palvelu.fi).
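The notification slide asks where the facts for the notification come from and answers “server and application logs”; this added example (not from the slide deck) derives the categories and approximate numbers of data subjects and records from a constructed application audit log, and computes the 72-hour clock from the detection time. The log format, the service-account names, every log line and the breach window are assumptions made for the demonstration.

```python
"""Notification facts from application audit logs.

Added example, not from the slide deck. The log format, the account names and
every log line below are constructed. Each line records which actor accessed
which category of personal data for which pseudonymous subject id (never the
e-mail itself, so the log is not a second copy of the PII). Given the breach
window and the compromised account, the report gives what the notification
needs: categories and approximate numbers of data subjects and records
concerned, plus the 72-hour deadline after detection.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed line format: key=value pairs; subject is a 16-hex-digit pseudonym.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) level=(?P<level>\w+) "
    r"actor=(?P<actor>[\w-]+) action=(?P<action>\w+) "
    r"subject=(?P<subject>[0-9a-f]{16}) category=(?P<category>\w+) "
    r"record=(?P<record>[\w-]+)$"
)

# Constructed sample: svc-backup is the account later found to be compromised.
# The line with subject=unknown is deliberately malformed to show how gaps in
# the evidence are reported rather than silently dropped.
SAMPLE_LOG = """\
2018-06-04T22:58:10Z level=info actor=svc-api action=read subject=9b1c2d3e4f506172 category=contact record=c-1001
2018-06-04T23:02:41Z level=info actor=svc-api action=read subject=9b1c2d3e4f506172 category=payment record=p-2001
2018-06-05T01:15:03Z level=warn actor=svc-backup action=export subject=a1b2c3d4e5f60718 category=contact record=c-1002
2018-06-05T01:15:04Z level=warn actor=svc-backup action=export subject=a1b2c3d4e5f60718 category=health record=h-3001
2018-06-05T01:15:05Z level=warn actor=svc-backup action=export subject=0011223344556677 category=contact record=c-1003
2018-06-05T01:15:06Z level=warn actor=svc-backup action=export subject=0011223344556677 category=contact record=c-1003
2018-06-05T01:15:07Z level=warn actor=svc-backup action=export subject=unknown category=contact record=c-1005
2018-06-05T03:00:00Z level=info actor=svc-backup action=export subject=deadbeefcafef00d category=contact record=c-1004
2018-06-05T09:30:00Z level=info actor=svc-api action=read subject=9b1c2d3e4f506172 category=contact record=c-1001
"""


def utc(stamp):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' stamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(lines):
    """Return (events, unparsed_count); a line the format does not cover is a gap."""
    events, unparsed = [], 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = utc(ev["ts"])
        events.append(ev)
    return events, unparsed


def breach_report(lines, actor, start, end):
    """Summarise what `actor` touched in [start, end) for the notification."""
    events, unparsed = parse(lines)
    hit = [e for e in events if e["actor"] == actor and start <= e["ts"] < end]
    subjects = {e["subject"] for e in hit}
    records = {(e["category"], e["record"]) for e in hit}  # repeats count once
    per_category = Counter(cat for cat, _ in records)
    return {
        "events": len(hit),
        "data_subjects": len(subjects),    # approximate number of data subjects
        "records": len(records),           # approximate number of records
        "categories": dict(sorted(per_category.items())),
        "first": min((e["ts"] for e in hit), default=None),
        "last": max((e["ts"] for e in hit), default=None),
        "unparsed_lines": unparsed,        # why the numbers are "approximate"
    }


def notification_deadline(detected_at):
    """Supervisory authority must be notified within 72 hours of detection."""
    return detected_at + timedelta(hours=72)
```

Because subjects appear only as pseudonyms, the analyst producing the report does not need access to the live customer table; the mapping back to people stays with the team that owns the pseudonym key.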
Conclusion
Conclusion
● Analyze the risks
● If you don’t have sensitive data, there’s no point in going the extra mile
● Remember the data lifecycle when designing systems
● Use best practices and write safe code (OWASP Top 10, sanitize everything and so on)
● Encryption (symmetric: AES, 3DES; asymmetric: RSA)
● Data loss prevention
● Always have a recovery plan (breaches, errors, breakdowns...)
● Document changes, changes may require re-evaluating risks and impact analysis
● Do security testing (eg. penetration testing)
● Get a cyber security certificate (eg. FINCSC)
● Get somebody (eg. Nixu) to audit the level of compliance
● Automate everything you possibly can to make this process less painful.
● Build a solid documentation to verify compliance and update it every year.
KEEP CALM AND ANALYZE RISKS
Sources and additional reading
● European Commission. January 2017. Instructions for small businesses.
https://ec.europa.eu/justice/smedataprotect/index_en.htm
● General Data Protection Regulation 2016/679
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
● Regulation on Privacy and Electronic Communications (aka ePrivacy Regulation)
https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52017PC0010
● European Data Protection Supervisor. May 2018. Preliminary Opinion on privacy by
design.
https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf
That’s all Folks!
WP Helsinki Meetup - GDPR for devs

8. Data protection by Default
By default, companies/organisations should ensure that personal data is processed with the highest privacy protection, so that by default personal data isn’t made accessible to an indefinite number of persons.
- process only necessary data
- store only for the needed period (not indefinitely)
- limit access to the data
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en

9. Data protection by Default and Design 1/2
“When developing, designing
- producers of the products, services and applications should
- take into account the right to data protection when developing and designing
- products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall
- implement appropriate technical and organisational measures
- in an effective manner and to integrate the necessary safeguards”
● https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN

10. Data protection by Default and Design 2/2
What this means is that the tools needed to be compliant have to be built into the software:
- individual rights (right to be forgotten, export data and so on…): from 1 to 3 months’ time to reply to the requests, whatever is considered reasonable, e.g. for removing data permanently from backups
- pseudonymization
- logs (system-level server logs, application-level logs)
- encryption
- automatic opt-out
- and so on...

11. What is “state of the art”?
● A comprehensive and layered approach to modern cyber security standards; valid for both development and operations.
● There is no way to be sure before a precedent.
Image source: http://www.pinsdaddy.com/physical-security-layers-diagrams_HnU2%7CpG1mJSga3a88AGjQfqCr53P6kJ1DBYnoK7DEEDzFOCEVmrX1Io5zWJOzcpcMBph1G%7ChIaTmilpU6g6uGw/
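The “build the tools into the software” list as an added example (not from the slides or the speaker): a small record store that pseudonymises the subject key with HMAC, stores only the fields its purpose needs, expires records after an assumed 30-day retention period, and answers export and erasure requests. The field names, the key and the dates are constructed for the example.

```python
import hmac, hashlib
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # assumed retention period for this example

def pseudonymise(email, key):
    # Keyed one-way pseudonym (HMAC-SHA256). The key is the "additional information":
    # keep it apart from the records, or the tokens are only a weak hash of the e-mail.
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class RecordStore:
    ALLOWED = {"order_id", "amount"}  # minimisation: only fields this purpose needs

    def __init__(self, key):
        self._key = key
        self._records = {}  # pseudonym -> list of records

    def add(self, email, record, now):
        minimal = {k: v for k, v in record.items() if k in self.ALLOWED}
        minimal["stored_at"] = now.isoformat()
        self._records.setdefault(pseudonymise(email, self._key), []).append(minimal)

    def export(self, email):  # right of access / portability
        return list(self._records.get(pseudonymise(email, self._key), []))

    def erase(self, email):  # right to erasure; returns how many records were removed
        return len(self._records.pop(pseudonymise(email, self._key), []))

    def purge_expired(self, now):  # retention by default; returns how many were dropped
        removed = 0
        for pid in list(self._records):
            kept = [r for r in self._records[pid]
                    if now - datetime.fromisoformat(r["stored_at"]) <= RETENTION]
            removed += len(self._records[pid]) - len(kept)
            if kept:
                self._records[pid] = kept
            else:
                del self._records[pid]  # no empty pseudonym entries linger
        return removed

def demo():
    # Walk one constructed subject through add, export, purge and erasure.
    store = RecordStore(b"key-kept-in-a-secrets-manager")  # constructed key
    t0 = datetime(2018, 6, 6, tzinfo=timezone.utc)
    store.add("Alice@Example.com", {"order_id": 1, "amount": 9.5, "ip": "203.0.113.7"}, t0)
    store.add("alice@example.com", {"order_id": 2, "amount": 4.0}, t0 + timedelta(days=20))
    exported = store.export("alice@example.com")            # both orders, no "ip" field
    purged = store.purge_expired(t0 + timedelta(days=40))   # order 1 is now 40 days old
    erased = store.erase("alice@example.com")               # order 2 goes on request
    return {"exported": exported, "purged": purged, "erased": erased, "left": store.export("alice@example.com")}
```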
13. Data breaches
● Notification to the supervisory authority must be made within 72 hours after detecting the breach; it can be later if accompanied by reasons for the delay.
● When there is no need to notify the data subject:
  ○ If “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Remember the risk-based approach.
  ○ If the data is encrypted
  ○ If the supervisory authority doesn’t say so :)
GDPR probably isn’t very actively supervised; authorities get their information from individuals whose rights have been violated or from data breach notifications.
So what about the fines when it comes to data breaches?

14. Notification to the supervisory authority
● Content of the notification:
  ○ describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  ○ communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  ○ describe the likely consequences of the personal data breach;
  ○ describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
● The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.
Where do we get all of this data for the notification..? → Server and application logs
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en

15. Server and application logs
● You must have enough logs to do the required forensics on the breach
  ○ How much logging do you need? Risk-based approach; don’t overdo it.
  ○ Prevent attackers from accessing the logs by having a dedicated log database
  ○ The CIA (confidentiality, integrity and availability) triad must be applied to logging
● Regular server logs might be enough, but...
  ○ Manage logs with ELK or some other tool
  ○ Implement machine learning to automate log analysis (e.g. logz.io)
  ○ Take it to the next level
    ■ use threat hunting (HELK)
    ■ do auditing
    ■ build a SOC
    ■ do bug bounties
    ■ IPS, IDS, SIEM
    ■ and so on…
Logging is complicated; one solution is to outsource hosting to a GDPR-compliant company (like wp-palvelu.fi).
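An added example (not from the slides) for the integrity leg of the CIA triad applied to logs: an append-only application log whose entries are chained with HMAC-SHA256, so that an edited, deleted or reordered line fails verification from that point on, and which records a pseudonym instead of the raw e-mail address. The key, field set and events are constructed; the key is assumed to live with the dedicated log store rather than on the host that writes the entries.

```python
import hmac, hashlib, json

class AuditLog:
    """Append-only application log whose entries are chained with HMAC-SHA256.
    Each tag covers the previous tag plus the entry body, so editing, deleting
    or reordering any stored line fails verification from that point on."""
    FIELDS = ("ts", "event", "subject", "outcome")  # minimal field set, no raw identifiers

    def __init__(self, key):
        self._key = key      # assumed to be held by the log store, not the app host
        self.entries = []

    def _tag(self, prev_tag, body):
        msg = prev_tag.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, **fields):
        body = {k: fields[k] for k in self.FIELDS}  # anything else (e.g. an e-mail) is dropped
        prev = self.entries[-1]["tag"] if self.entries else "0" * 64
        self.entries.append({**body, "tag": self._tag(prev, body)})

    def verify(self):
        """Index of the first entry whose chain tag does not match, or -1 if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: entry[k] for k in self.FIELDS}
            if not hmac.compare_digest(entry["tag"], self._tag(prev, body)):
                return i
            prev = entry["tag"]
        return -1

def demo():
    """Constructed events for one subject, then one edit to a stored line."""
    log = AuditLog(b"log-store-key")                                  # constructed key
    subject = hmac.new(b"pseudonym-key", b"alice@example.com", hashlib.sha256).hexdigest()[:16]
    log.append(ts="2018-06-06T09:00:00Z", event="login", subject=subject,
               outcome="ok", email="alice@example.com")              # e-mail is discarded
    log.append(ts="2018-06-06T09:05:00Z", event="export", subject=subject, outcome="ok")
    log.append(ts="2018-06-06T09:07:00Z", event="erase", subject=subject, outcome="ok")
    intact = log.verify()                                             # -1: chain is good
    log.entries[1]["outcome"] = "denied"                              # a stored line is altered
    return {"intact": intact, "tampered_at": log.verify(),            # 1
            "email_in_log": any("email" in e for e in log.entries)}   # False
```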
17. Conclusion
● Analyze the risks
● If you don’t have sensitive data, there’s no point in going the extra mile
● Remember the data lifecycle when designing systems
● Use best practices and write safe code (OWASP top 10, sanitize everything and so on)
● Encryption (symmetric: AES, 3DES; asymmetric: RSA)
● Data loss prevention
● Always have a recovery plan (breaches, errors, breakdowns...)
● Document changes; changes may require re-evaluating risks and the impact analysis
● Do security testing (e.g. penetration testing)
● Get a cyber security certificate (e.g. FINCSC)
● Get somebody (e.g. Nixu) to audit the level of compliance
● Automate everything you possibly can to make this process more painless
● Build solid documentation to verify compliance and update it every year

19. Sources and additional reading
● European Commission. January 2017. Instructions for small businesses. https://ec.europa.eu/justice/smedataprotect/index_en.htm
● General Data Protection Regulation 2016/679. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
● Regulation on Privacy and Electronic Communications (aka ePrivacy Regulation). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52017PC0010
● European Data Protection Supervisor. May 2018. Preliminary Opinion on privacy by design. https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf