Company Confidential

How to implement privacy and security requirements in practice?
Tobias Bräutigam, OTT Senior Legal Counsel, Nokia
8 October 2012



Three questions ...

1. Why do we need security requirements?

2. How does Nokia organize privacy compliance?

3. How are privacy and security requirements implemented in collaboration cases?


What does the law say about security requirements?


Finnish Law

Henkilötietolaki (Personal Data Act)

• § 5: General commitment to "good data processing practice" („hyvää tietojenkäsittelytapaa“)
• § 32: Obligation to implement technical and organizational measures depending on the circumstances

Sähköisen viestinnän tietosuojalaki (Act on the Protection of Privacy in Electronic Communications)

• § 2: Definition of data security = administrative and technical measures to make sure only those entitled may process the data

Decrees of the Finnish Communications Regulatory Authority (Viestintäviraston määräykset)


Directive 95/46
Article 17 Security of processing

1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

2. Summary: applies to processors, too.

3.+4. Summary: need a contract in writing and instructions.


DRAFT General Data Protection Regulation (1)
Article 23 Data protection by design and by default

Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.


DRAFT General Data Protection Regulation (2)
Article 30 Security of processing

1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organizational measures referred to in paragraphs 1 and 2 […]


How are privacy and security organized in Nokia?


Nokia Privacy Program elements

1. Executive Oversight
2. Training and Awareness*
3. Policies and processes to implement the policies
4. Staffing and delegation
5. Risk assessment and mitigation
6. Issue Response Management
7. Internal enforcement
8. Redress


Different needs for training

[Figure: training pyramid with three audience tiers, from broadest to narrowest: All Employees; Privacy 2500; Privacy Network]

Basic knowledge => eLearning
Role-specific knowledge => face-to-face or other tailored learnings
Expert knowledge => Privacy Academy + certifications


How are privacy and security requirements implemented in collaboration cases?


TARGET: Ensuring security in the extended Nokia

HOW: A team effort of several stakeholders using consistent and fit-for-purpose security principles


Risk Management based approach

What are the risks?

• Compliance-based approach (privacy, ethical business)
• Business continuity (availability)
• Leak prevention and asset protection
• Consumer / personnel data (confidentiality)
• ICM / L&C service delivery (integrity)
• Product security (various risks)

How to address the risks?

• Contractual controls
• IT security controls
• Document / on-site review
• Relationship / governance
• Support / knowledge sharing
• Awareness raising


Introducing Third Party Security Management (3PSM)


Four aspects of 3PSM

Requirements
• Lay the foundation of the 3PSM arrangement.
• E.g. Common or Advanced Security Requirements, Nokia Supplier Requirements

Processes
• Ensure consistent implementation of 3PSM practices.
• E.g. Consultative review, self-assessment, Preventive & Corrective Actions

People
• Deliver the 3PSM requirements through physical or virtual means.
• E.g. Sourcing, 3PSM experts, Business people

Tools
• Help the case for Sourcing, Business & the 3PSM network.
• E.g. Case profiling tool, Current State Analysis tool, Reporting tool


Modular requirements structure

[Figure: layered requirements stack, selected per Case Profile]

• Common Security Requirements for Nokia Third Parties: pre-set, applied in all cases
• Specific Security Requirements (e.g. Web Application, Hosting Services, Software Development): pre-set, decided case-by-case
• 3PSM Expert: ad hoc, decided case-by-case


Case Profiling Tool

• The case profiling tool helps Business and Sourcing to understand what kind of security requirements are needed for a collaboration case and how critical the case is from a security point of view.

• The tool has two sections:
  − Control selection: case-specific requirements for agreements
  − Mini BIA (business impact assessment)


© Nokia 2012 Mobile Industry Privacy Challenge

Locate use case

Thank you! (Kiitos!)