GDPR for operations and development teams. GDPR includes the data protection by default and data protection by design principles, which can be troublesome if they are not taken into consideration at the beginning of the secure software development life cycle. What are the technical requirements mentioned in the regulation that count as "state of the art"? And what are the methods for implementing the risk-based approach that the General Data Protection Regulation takes?
3. GDPR for devs and ops
1. The fines
2. The risk based approach of GDPR
Development
  1. Data protection by Design
  2. Data protection by Default
Operations
  1. Data breaches
  2. Notification to the supervisory authority
  3. Server and application logs
8. Conclusion
4. The Fines??!!
The Data Protection Ombudsman (tietosuojavaltuutettu) in Finland monitors compliance; their work is coordinated at EU level. The cost of falling foul of the rules can be high.
https://ec.europa.eu/justice/smedataprotect/index_en.htm
5. Risk Based Approach
● A risk is evaluated by the impact it would have, if it materialised, on the individuals whose data you hold.
● Use an IT security risk management framework: measures that mitigate the risks to the individuals whose data are processed, by adequately securing those data; a data flow diagram helps here.
● InfoSec basics (CIA triad, secure software development lifecycle, OWASP Top 10 and so on).
● When the processing is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) is mandatory.
Implement protective measures corresponding to the level of risk of the data processing.
If you don’t evaluate risks, you cannot be compliant.
7. Data protection by Design
Implement technical and organisational measures at the earliest stages of the design of the processing operations, in such a way that privacy and data protection principles are safeguarded right from the start.
- pseudonymise (replace personally identifiable material with artificial identifiers) and/or anonymise personal data
- encrypt (encode data so that only those authorised can read it)
- analyse risks
- make sure the entire data lifecycle is managed in some way
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
8. Data protection by Default
By default, companies/organisations should ensure that personal data is processed with the highest privacy protection, so that by default personal data isn’t made accessible to an indefinite number of persons.
- process only necessary data
- store only for the needed period (not indefinitely)
- limit access to the data
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
9. Data protection by Default and Design 1/2
“When developing, designing - producers of the products, services and applications should - take into account the right to data protection when developing and designing - products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall - implement appropriate technical and organisational measures - in an effective manner and to integrate the necessary safeguards”
● https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
10. Data protection by Default and Design 2/2
What this means is that the tools needed to be compliant have to be built into the software:
- individual rights (right to be forgotten, data export and so on…): 1 to 3 months to reply to the requests, whatever is considered reasonable, e.g. for removing data permanently from backups
- pseudonymisation
- logs (system level server logs, application level logs)
- encryption
- automatic opt-out
- and so on...
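As an added example (not code from the talk or from wp-palvelu.fi), the following Python shows how the by-design and by-default measures of slides 7, 8 and 10 look in one small store: keyed pseudonymisation with the link table kept apart from the records, a per-purpose attribute allowlist for data minimisation, retention-based purging, and the export and erasure operations behind the individual rights. The key, the purposes, the retention periods and the sample customer are constructed for the demo.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key. In production the pseudonymisation key lives in a secret store
# and is access-controlled separately from the records (GDPR Art. 4(5): the "additional
# information" that allows re-identification is kept separately).
PSEUDONYM_KEY = b"demo-pseudonym-key-rotate-me"

# Data protection by default: for each processing purpose, the only attributes that
# may be stored (data minimisation) and how long they may be kept (storage limitation).
# Purposes, fields and periods are constructed for the example.
PURPOSE_FIELDS = {
    "newsletter": {"locale"},
    "order_fulfilment": {"address", "items"},
}
RETENTION = {
    "newsletter": timedelta(days=365),
    "order_fulfilment": timedelta(days=30),
}

T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # sample "now" for the demo below


def pseudonymise(subject_id: str) -> str:
    """Keyed, one-way token for a subject id. Without PSEUDONYM_KEY the token cannot be
    recovered by hashing a list of known ids, unlike a plain SHA-256 of the id."""
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:32]


class PersonalDataStore:
    """Records are keyed by pseudonym and hold only purpose-limited attributes; direct
    identifiers (name, e-mail) live in a separate link table."""

    def __init__(self):
        self.records = {}     # pseudonym -> list of {"purpose", "attrs", "expires"}
        self.identities = {}  # pseudonym -> {"name", "email"}; the "additional information"

    def store(self, subject_id, identity, purpose, attrs, now):
        allowed = PURPOSE_FIELDS.get(purpose)
        if allowed is None:
            raise ValueError(f"no defined purpose {purpose!r}: processing not permitted")
        extra = set(attrs) - allowed
        if extra:  # refuse attributes the purpose does not need
            raise ValueError(f"attributes not needed for {purpose}: {sorted(extra)}")
        token = pseudonymise(subject_id)
        self.identities.setdefault(token, dict(identity))
        self.records.setdefault(token, []).append(
            {"purpose": purpose, "attrs": dict(attrs), "expires": now + RETENTION[purpose]}
        )
        return token

    def purge_expired(self, now):
        """Storage limitation: drop records past their retention period; when a subject
        has no records left, drop their identifiers as well. Returns records removed."""
        removed = 0
        for token, recs in list(self.records.items()):
            keep = [r for r in recs if r["expires"] > now]
            removed += len(recs) - len(keep)
            if keep:
                self.records[token] = keep
            else:
                del self.records[token]
                self.identities.pop(token, None)
        return removed

    def export(self, subject_id):
        """Right of access / data portability: everything held about one subject."""
        token = pseudonymise(subject_id)
        return {
            "identity": self.identities.get(token),
            "records": [{"purpose": r["purpose"], **r["attrs"]}
                        for r in self.records.get(token, [])],
        }

    def erase(self, subject_id):
        """Right to erasure: remove identifiers and records. True if anything was held."""
        token = pseudonymise(subject_id)
        held = token in self.identities or token in self.records
        self.identities.pop(token, None)
        self.records.pop(token, None)
        return held


if __name__ == "__main__":
    store = PersonalDataStore()
    anna = {"name": "Anna", "email": "anna@example.org"}  # constructed sample subject
    store.store("cust-42", anna, "order_fulfilment", {"address": "Street 1", "items": ["book"]}, T0)
    store.store("cust-42", anna, "newsletter", {"locale": "fi"}, T0)
    print(store.purge_expired(T0 + timedelta(days=31)), "expired record(s) purged")
    print(store.export("cust-42"))
    print("erased:", store.erase("cust-42"))
```

Encryption of the stored attributes is left out here because the standard library has no authenticated cipher; in practice the attribute values would additionally be encrypted at rest with a key managed like PSEUDONYM_KEY.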
11. What is “state of the art”?
● A comprehensive, layered approach following modern cyber security standards; this applies to both development and operations.
There is no way to be sure before a precedent.
Image source: http://www.pinsdaddy.com/physical-security-layers-diagrams_HnU2%7CpG1mJSga3a88AGjQfqCr53P6kJ1DBYnoK7DEEDzFOCEVmrX1Io5zWJOzcpcMBph1G%7ChIaTmilpU6g6uGw/
13. Data breaches
● Notification to the supervisory authority must be made within 72 hours of detecting the breach; it can be later if accompanied by reasons for the delay.
● When there is no need to notify the data subject:
  ○ If “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Remember the risk-based approach.
  ○ If the data is encrypted
  ○ If the supervisory authority doesn’t say so :)
GDPR probably isn’t very actively supervised; authorities get their information from individuals whose rights have been violated or from data breach notifications.
So what about the fines when it comes to data breaches?
14. Notification to the supervisory authority
● Content of the notification:
  ○ describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  ○ communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  ○ describe the likely consequences of the personal data breach;
  ○ describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
● The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.
Where do we get all of this data for the notification..? → Server and application logs
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
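An added example, not part of the original slides: a breach register entry in Python that computes the 72-hour deadline from the time of detection and checks a draft notification against the content list above before it goes out. The field names, the required/optional split (the approximate numbers are only due "where possible") and all sample values are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Art. 33(1): notify the supervisory authority without undue delay and, where feasible,
# not later than 72 hours after becoming aware of the breach.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    detected_at: datetime
    nature: str = ""                  # what happened, e.g. "backup bucket publicly readable"
    subject_categories: list = field(default_factory=list)  # e.g. ["newsletter subscribers"]
    approx_subjects: "int | None" = None    # "where possible": approx. number of data subjects
    record_categories: list = field(default_factory=list)   # e.g. ["e-mail addresses"]
    approx_records: "int | None" = None     # "where possible": approx. number of records
    contact_point: str = ""           # DPO or other contact for more information
    likely_consequences: str = ""
    measures_taken: str = ""          # taken or proposed, incl. mitigation of adverse effects
    delay_reason: str = ""            # mandatory if the notification is later than 72 h
    remedial_actions: list = field(default_factory=list)    # internal register, Art. 33(5)

    def deadline(self) -> datetime:
        return self.detected_at + NOTIFICATION_WINDOW

    def hours_left(self, now: datetime) -> float:
        return (self.deadline() - now) / timedelta(hours=1)

    def missing_content(self) -> list:
        """The Art. 33(3) items that are still empty. Approximate numbers are only
        required 'where possible', so they are reported separately by notes()."""
        missing = []
        if not self.nature:
            missing.append("nature of the breach")
        if not self.contact_point:
            missing.append("contact point (DPO)")
        if not self.likely_consequences:
            missing.append("likely consequences")
        if not self.measures_taken:
            missing.append("measures taken or proposed")
        return missing

    def notes(self) -> list:
        """Open points that do not block sending but should be filled in as forensics progress."""
        notes = []
        if self.approx_subjects is None or not self.subject_categories:
            notes.append("categories/approximate number of data subjects not yet estimated")
        if self.approx_records is None or not self.record_categories:
            notes.append("categories/approximate number of records not yet estimated")
        return notes

    def ready_to_send(self, now: datetime) -> bool:
        """Complete content, and a reason for the delay if the 72 h window has passed."""
        if self.missing_content():
            return False
        if now > self.deadline() and not self.delay_reason:
            return False
        return True

    def register_entry(self) -> dict:
        """Internal documentation the authority can inspect later (Art. 33(5))."""
        return {
            "detected_at": self.detected_at.isoformat(),
            "deadline": self.deadline().isoformat(),
            "facts": self.nature,
            "effects": self.likely_consequences,
            "remedial_action": list(self.remedial_actions),
            "notification_complete": not self.missing_content(),
            "open_points": self.notes(),
        }
```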
15. Server and application logs
● You must have enough logs to do the required forensics on the breach
  ○ How much logging do you need? Risk-based approach; don’t overdo it.
  ○ Prevent attackers from accessing the logs by keeping them in a dedicated log database
  ○ The CIA triad (confidentiality, integrity and availability) must be applied to logging too
● Regular server logs might be enough, but...
  ○ Manage logs with ELK or some other tool
  ○ Use machine learning to automate log analysis (e.g. logz.io)
  ○ Take it to the next level
    ■ use threat hunting (HELK)
    ■ do auditing
    ■ build a SOC
    ■ run bug bounties
    ■ IPS, IDS, SIEM
    ■ and so on…
Logging is complicated; one solution is to outsource hosting to a GDPR compliant company (like wp-palvelu.fi).
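Added example (not from the talk): applying the CIA triad to application logs in Python. Entries are HMAC-chained so that later tampering is detectable (integrity), identifiers are pseudonymised before they reach the log store (confidentiality), and a query pulls out the affected data subjects that the notification on slide 14 asks for. The keys, the account and subject names and the sample log lines are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed demo keys. In production the chain key is held by the log server (the
# dedicated log database), not by the application that writes entries, so a compromised
# web host cannot re-sign a rewritten history.
CHAIN_KEY = b"demo-log-chain-key"
PSEUDONYM_KEY = b"demo-log-pseudonym-key"
GENESIS = "0" * 64


def pseudonymise(value: str) -> str:
    """Keyed token so IP addresses and subject ids stay linkable within the logs but are
    not readable by whoever gets hold of the log store (confidentiality)."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


class AuditLog:
    """Append-only log whose entries are chained with HMACs (integrity): each MAC covers
    the previous MAC and the current entry, so editing, deleting or reordering any
    earlier entry breaks every MAC after it."""

    def __init__(self):
        self.entries = []        # [{"entry": {...}, "mac": hex}]
        self.last_mac = GENESIS  # forward this periodically to a second system

    @staticmethod
    def _mac(prev_mac: str, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(CHAIN_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()

    def append(self, ts: datetime, actor: str, action: str,
               subject: str = None, client_ip: str = None) -> str:
        entry = {
            "ts": ts.isoformat(),
            "actor": actor,
            "action": action,
            "subject": pseudonymise(subject) if subject else None,
            "client_ip": pseudonymise(client_ip) if client_ip else None,
        }
        mac = self._mac(self.last_mac, entry)
        self.entries.append({"entry": entry, "mac": mac})
        self.last_mac = mac
        return mac

    def verify(self) -> int:
        """Index of the first entry whose MAC does not check out, len(entries) if the
        tail was truncated, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if not hmac.compare_digest(self._mac(prev, e["entry"]), e["mac"]):
                return i
            prev = e["mac"]
        return -1 if prev == self.last_mac else len(self.entries)

    def subjects_touched_by(self, actor: str, start: datetime, end: datetime) -> dict:
        """Forensics input for the breach notification: which (pseudonymised) data
        subjects an account accessed in a time window, and how many records."""
        hits = []
        for e in self.entries:
            ent = e["entry"]
            if ent["actor"] != actor or ent["subject"] is None:
                continue
            if start <= datetime.fromisoformat(ent["ts"]) <= end:
                hits.append(ent["subject"])
        return {"subjects": sorted(set(hits)), "records": len(hits)}


T0 = datetime(2018, 5, 25, 10, 0, tzinfo=timezone.utc)


def sample_log() -> AuditLog:
    """Constructed sample: a web service account reads several profiles from one IP."""
    log = AuditLog()
    log.append(T0, "svc-web", "login", client_ip="192.0.2.10")
    log.append(T0 + timedelta(minutes=1), "svc-web", "read_profile", "cust-1", "192.0.2.10")
    log.append(T0 + timedelta(minutes=2), "svc-web", "read_profile", "cust-2", "192.0.2.10")
    log.append(T0 + timedelta(minutes=3), "svc-web", "read_profile", "cust-1", "192.0.2.10")
    log.append(T0 + timedelta(hours=5), "admin", "read_profile", "cust-3")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() == -1)
    print(log.subjects_touched_by("svc-web", T0, T0 + timedelta(minutes=10)))
    log.entries[1]["entry"]["action"] = "noop"  # simulate tampering with a stored entry
    print("first broken entry:", log.verify())
```

The subject tokens in the query result can be resolved back to real subjects only by whoever holds PSEUDONYM_KEY, which is what lets the log store itself hold no directly identifying data.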
17. Conclusion
● Analyse the risks
● If you don’t have sensitive data, there’s no point in going the extra mile
● Remember the data lifecycle when designing systems
● Use best practices and write safe code (OWASP Top 10, sanitise all input and so on)
● Encryption (symmetric: AES, 3DES; asymmetric: RSA)
● Data loss prevention
● Always have a recovery plan (breaches, errors, breakdowns...)
● Document changes; changes may require re-evaluating risks and the impact analysis
● Do security testing (e.g. penetration testing)
● Get a cyber security certificate (e.g. FINCSC)
● Get somebody (e.g. Nixu) to audit the level of compliance
● Automate everything you possibly can to make this process more painless.
● Build solid documentation to verify compliance and update it every year.
19. Sources and additional reading
● European Commission. January 2017. Instructions for small businesses. https://ec.europa.eu/justice/smedataprotect/index_en.htm
● General Data Protection Regulation 2016/679. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
● Regulation on Privacy and Electronic Communications (aka ePrivacy Regulation). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52017PC0010
● European Data Protection Supervisor. May 2018. Preliminary Opinion on privacy by design. https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf