
GDPR practical info session for development

GDPR in 30 minutes from a design point of view, with some excerpts from the regulation.



  1. EU GENERAL DATA PROTECTION REGULATION IN 30 MINUTES. MORE PRACTICAL INFO SESSION FOR SOFTWARE DEVELOPMENT. DIRECTIVE SAYS ”WHAT”, WE NEED TO DEFINE ”HOW”. TOMI JÄRVINEN – SECURITY SPECIALIST, 23/01/2017. COPYRIGHT © ADITRO. ALL RIGHTS RESERVED.
  2. Personal data
     The definition is meant to be broad. "Personal data": information that someone is able to link to an individual person, directly or indirectly. Credit card number, bank statements, medical record (even a mere mention of a rare disease), full name, photo, phone number, birth date, e-mail address, car number plate, physical characteristics… and IP address.
     The definition is also technology neutral. It does not matter how the personal data is stored: on paper, on any IT system, on a CCTV system, in photographs, etc.
     https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
     The EU Court of Justice ruled that IP addresses are protected personal data: https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular
  3. Roles from the legislation point of view: Data Controller, Processor and Data Subject
     Data Controller: the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing, including the applicable security measures. "Who is responsible for and owns the Data Subject's information." A processor becomes a controller if he or she uses data for his or her own purposes, not following the instructions of a controller (think about Google and targeted advertising).
     Data Processor: Directive: "The natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller" (Article 2(e) of the Data Protection Directive). If an organization holds or processes personal data, but does not exercise responsibility for or control over the personal data, then this organization is a "processor". Examples of processors include payroll companies, accountants and market research companies, call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.
     Data Subject: the natural person the personal data relates to, one individual person (Directive goal: to give the individual full control and knowledge about the storing and handling of his/her personal data).
  4. GDPR says "WHAT", it doesn't say "HOW"
     Nothing about:
     » specific tools to use
     » specific processes to use
     » specific standards to use
     » examples or templates for solutions
     » best practices for development, or guidelines for actual "privacy engineering (privacy by default)"
     Specs from GDPR??
  5. GDPR demands (what) to system design (how)
     At the moment guidelines are mostly at this level*:
     » "Proactive not Reactive; Preventative not Remedial"
     » "Privacy as the Default Setting"
     » "Privacy Embedded into Design"
     » "End-to-End Security — Full Lifecycle Protection"
     » "Respect for User Privacy — Keep it User-Centric"
     Not so practical or useful for system owners or application developers.
     * Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada. Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
  6. Design principles – typical view and proposals
     » Article 23 – "Data protection by design and by default"
     » Minimise
       » collect only a limited set of attributes
       » select before collect
       » anonymization and pseudonyms
     » Hide
       » hidden from the application view if not necessary, e.g. a technical admin's login cannot open the data content view
       » use of encryption of data (when stored or in transit; key management -> encrypted back-ups)
     » Control
       » user-centric identity management and end-to-end encryption support control
       » providing users direct control over their own personal data
     » Enforce
       » a privacy policy compatible with legal requirements, and technical protection mechanisms that prevent violations of the privacy policy
     » Demonstrate
       » in case of complaints or problems, controllers must immediately be able to determine the extent of any possible privacy breaches
     https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
  7. Personal Data Flow – subcontractor management (example)
     [Diagram: data flow between the Data Subject, Aditro's Customer, Aditro (application server in Finland), a contractor, a vendor and the vendor's subsidiary, an application development partner, cloud based storage in the USA, and administration and support in India (outside EU/ETA). Labelled links: HTTPS / SSL encryption, EULA, input forms, API, remote connections to systems, data analytics.]
     In all boxes, note:
     • Data retention (right to erasure)
     • Minimisation
     • Agreements
  8. Image: based on a PrivaOn presentation. * https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
     • "Privacy by Design" is today undefined
     • Official privacy by design will be defined after precedent legal cases
     [Diagram labels: Privacy requirements, Security requirements, PET*, Backlog, P-I-A, Privacy Architecture, Threat analyses, Security testing, Implementation, Auditing, Certification, Data access process, Data retention, Backups; evidence collection for accountability: technology (log, authentication), process (test reports, memos).]
  9. Privacy inside the application development process
     http://privacypatterns.org/patterns/
     https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
     Guide to Privacy by Design Documentation for Software Engineers: http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
     https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
     https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF
  10. Excerpts from GDPR (85 Articles in total)
      Article 30: "appropriate organisational and technical measures". What are appropriate organisational and technical measures?
      » Article 32 "Security of processing": "ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data"; the ability to restore the availability and access to "data in a timely manner". To do: e.g. documented security implementation, credible documented fault tolerance.
      » Breach notification process (Article 33). For the processor: "alert and inform controllers immediately"; no exact time in the last regulation proposal, "without undue delay". From controller to data subject the time is 72 hr. To do: e.g. every customer agreement must have an exact time. No panic, communication: "unless the personal data breach is unlikely to result in a risk" vs. "breach is likely to result in a high risk" = encryption?
  11. Practical implementations
      » Article 35 Data protection impact assessment (P-I-A). To do: formal risk analysis, "privacy impact assessment" taking into account data confidentiality. To do: e.g. "Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk".
      » Article 28 "Processor": "processor shall not enlist another processor without the prior specific or general written consent of the controller", nor transfer data without the approval of the organization originally supplying the data. To do: e.g. subcontractor management and contract requirements.
      http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
  12. Practical implementations
      » Article 17 "right to erasure" (known as the right to be forgotten). To do:
        » Systems must have an option to search and delete individual user data; remove data from the "operative level", not from backups, logs, etc.
        » Personal data segregation (sensitive/general), retention time per data type, automated processes to delete data (e.g. 10 years in bookkeeping)
        » But no panic button needed! Note 1: "taking account of available technology"; note 2: "data retention for compliance with a legal obligation"
      » Generally, sanctioning. GDPR gives data subjects a private right of action in EU courts. Data subjects will have a right to money damages from either controllers or processors for harm caused by processing personal data. Every article has sanctions: 10/20 M€ or 2/4% of turnover. No panic here (the scale is for Google, Microsoft…).
      Accountability by Design for Privacy: http://prescient-project.eu/prescient/inhalte/download/3-Butin.pdf
  13. Practical implementations
      » Article 14 "Right of access for the data subject('s personal data)": the data subject shall have the right to obtain: … are being processed, where processed, purpose of processing …, "the recipients or categories of recipients to whom the personal data have been or will be disclosed". To do: log management; at the moment no one knows the exact requirements. After 2018, after the first legal cases, there will be final answers. But good educated guesses can be made. Customers will be asking for "all" to be sure. Big questions: what is a recipient? A single person or an organization? Only data content?
      » Article 22: "be able to demonstrate that the processing of personal data is performed in compliance with this Regulation". To do: evidence* proving information security: updated systems, modern firewall, malware protection, documentation, formal documented risk management, ISMS, ISO 27001; demonstrate somehow to be compliant.
      http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data
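The erasure and retention to-dos of slide 12 and the recipient logging that slide 13 wants for Article 14 access requests, worked through as an added Python example (not code from the presentation or from Aditro). The store, the category names, the retention periods other than the 10-year bookkeeping one, and the constructed sample subjects are hypothetical; only the "operative level" erasure and the legal-obligation exception come from the slides.

```python
import hashlib, hmac
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta

PEPPER = b"constructed-example-pepper"  # would live in a key store, never in source
# Retention per category (hypothetical); bookkeeping stays 10 years under a legal obligation.
RETENTION_DAYS = {"general": 365, "sensitive": 90, "bookkeeping": 10 * 365}
LEGAL_HOLD = {"bookkeeping"}  # categories an erasure request may not remove
Record = namedtuple("Record", "pseudonym category stored_on payload")

def pseudonym(subject_id: str) -> str:
    # Keyed hash ("Hide"): the operative store never holds the raw identifier.
    return hmac.new(PEPPER, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class PersonalDataStore:
    records: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)  # (pseudonym, recipient, purpose)

    def store(self, subject_id, category, payload, stored_on):
        if category not in RETENTION_DAYS:  # "Minimise": refuse unclassified data
            raise ValueError(f"unknown category {category!r}")
        self.records.append(Record(pseudonym(subject_id), category,
                                   date.fromisoformat(stored_on), payload))

    def disclose(self, subject_id, recipient, purpose):
        # Every hand-over is logged so an Article 14 request can name the recipients.
        self.disclosures.append((pseudonym(subject_id), recipient, purpose))

    def access_report(self, subject_id):
        p = pseudonym(subject_id)
        return {"categories": sorted({r.category for r in self.records if r.pseudonym == p}),
                "recipients": sorted({d[1:] for d in self.disclosures if d[0] == p})}

    def _retain(self, pred):
        keep = [r for r in self.records if pred(r)]
        removed, self.records = len(self.records) - len(keep), keep
        return removed

    def erase(self, subject_id):
        # Right to erasure at the operative level; legal-hold categories are kept.
        p = pseudonym(subject_id)
        return self._retain(lambda r: r.pseudonym != p or r.category in LEGAL_HOLD)

    def expire(self, today):
        # Automated retention: drop records older than their category's limit.
        now = date.fromisoformat(today)
        return self._retain(
            lambda r: now - r.stored_on <= timedelta(days=RETENTION_DAYS[r.category]))
```

Backups and logs sit outside this store, which matches the slide's point that erasure acts on the operative level only.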
  15. The Fines
      » The GDPR has increased fines for both data controllers and data processors who are prosecuted for data protection breaches: between 2 and 4% of global annual turnover.
      » Fines can be levied for an infringement of the data controller's or data processor's obligations under the GDPR and not just for data security breaches.
      » NOTE: fines will be based upon the seriousness of the infringement and the circumstances of the case, including: (next slide)
  16. "Circumstances"
      » The nature, gravity and duration of the infringement
      » The purpose of the processing concerned
      » The number of data subjects affected
      » The level of damage suffered by data subjects (including infringement of their rights)
      » Whether the infringement was intentional or negligent
      » Any action taken by the controller or processor to mitigate the damage suffered by data subjects
      » The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented
      » Any relevant previous infringements
      » The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
      » The categories of personal data affected by the infringement
      » The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and, if so, to what extent
      » Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
      » Whether approved codes of conduct or approved certification mechanisms were in place
      » Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement.
      » Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place. These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital.
      Organisational measures include the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and maintained.
      * The controller will need to define 'high risk' and, in the event of doubt, seek prior approval for the processing from the supervisory authority.
