Data Protection Matters - How to Do It in Practice
Christina Brunvoll Ernst
Thomas Deigaard Hedberg
KMD
Disclaimer
We are not lawyers
This presentation is not legal advice
It is based on our current understanding of the legislation
1000 page guidance from Justice Department scheduled for May/17
Additional Danish legislation is scheduled for Q4/17
Nothing to sell
No quick fixes
No promises of “turn key” solutions that solve it all
$whoami
Christina Brunvoll Ernst
Senior Information Security Specialist – Governance, Risk and Compliance
KMD
I have been working with information security management and privacy for over ten years.
KMD (current)
Deloitte
KMD
Digitaliseringsstyrelsen
DK-CERT
• Information Security Manager (CISM)
• Risk and Information Systems Control (CRISC)
• Certified Information Privacy Management (CIPM)
• Certified ISO/IEC 27001 Lead Implementer
• ISO/IEC 27001 Lead Auditor
• Certified ISO/IEC 31000 Risk Management
• DPO training, Plesner
$whoami
Thomas Deigaard Hedberg
Senior Information Security Specialist – Governance, Risk and Compliance
20+ years of IT experience for both public and private sector and a strong technical background
KMD (current)
NNIT
IBM
Lotus
TopNordic
Danish Police
Certifications
CISM, CISA, CRISC, CGEIT
ISO 27001 Master
ISO 27001 Lead Implementer
ISO 27001 Lead Auditor
ISO 27005 Lead Risk Manager
ISO 31000 Lead Risk Manager
ISO 22301 Lead Implementer
The principle of a right to privacy implies that:
In a world of personal and commercial interaction and communication, there are some
aspects of our daily living which should be protected from abuse, surveillance and
intrusion.
UN Declaration of Human Rights (1948)
Result of the second world war
Article 12: “Right to privacy”
European Convention of Human Rights (1950)
Article 8: Right to respect for private and family life
OECD Guidelines on Data Protection (1980)
8 Basic principles
EU Data Protection Convention – Treaty 108 (1981)
Closely aligned with principles in the OECD Guidelines
European Data Protection Directive (1995)
Danish Data Protection Act (2000)
Includes changes from the Data Protection Directive
E-privacy directive 2002/58
EU General Data Protection Regulation (2016/679)
This is all about protecting our personal data and our right to privacy!
The purpose of the EU General Data Protection Regulation is to protect the individual’s right to privacy.
Our personal data must only be collected when there is a legal basis and used according to the purpose
to which it has been collected.
Must your company comply?
Test data is in the scope when it includes personal data
Motivation for compliance?
Today there is no financial motivation for non-compliance
Non-compliance with GDPR can be fined up to 4% of global revenue
Tort could add up in case of a breach
[10-15.000 * Number of data subjects]
Definition of personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Sensitive personal data means personal data showing race and ethnic origin, political, religious or philosophical convictions, sexual orientation, or gender identity, trade union activities, and treatment of genetic or biometric data, health information and sexual orientation or information related to criminal offenses including administrative sanctions.
Definitions
Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Definitions
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
What is ISO27001?
• Published on the 25th September 2013
• Clauses 4-10 are mandatory
• Annex A with 114 controls in 14 groups
• Groups range from security in HR to IT operations and auditing
• Security controls are safeguards to avoid, detect, counteract or minimize security risks to assets.
• Covers Confidentiality, Integrity and Availability
• Certification available
ISO27001 briefly
A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance (8 controls)
* Not mandatory, but must be explained in the Statement of Applicability (SOA)
Annex A controls
Risk Based Security
• Determine your company’s risk profile and appetite
– What kind of company is it and what is the main threat?
• What are your assets?
• Impact * Likelihood = Risk
• How will an incident impact the organization?
– Helps determine criticality of assets
• Are they vulnerable?
• Are there any threats?
• What is the likelihood of an incident happening?
– Likelihood = Threat * Vulnerability
OWASP Risk Rating Methodology
• Threat Agent Factors
– Skill level
– Motive
– Opportunity
– Size of threat agent group
• Vulnerability Factors
– Ease of discovery
– Ease of exploit
– Awareness
– Detection
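The two slides above give the formula (Risk = Impact * Likelihood, Likelihood from threat and vulnerability factors) but not the arithmetic. The following is an added example, not code from the presentation or from KMD: it applies the OWASP Risk Rating Methodology, where each of the four threat agent factors and four vulnerability factors is scored 0-9, likelihood is their average, and the likelihood and impact bands are combined through the OWASP severity matrix. The scenario scores (a test environment holding personal data left reachable from the internet, unnoticed for weeks) are constructed for illustration.

```python
"""OWASP Risk Rating Methodology, worked through on a constructed scenario.

Added example; factor names follow the OWASP methodology, the scenario
scores are assumptions chosen to illustrate the calculation.
"""
from __future__ import annotations

from statistics import mean

# The eight likelihood factors from the OWASP methodology, each scored 0-9.
THREAT_AGENT_FACTORS = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY_FACTORS = ("ease_of_discovery", "ease_of_exploit",
                         "awareness", "intrusion_detection")

# OWASP overall severity matrix: (likelihood band, impact band) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",       ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",     ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",    ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# Constructed scenario: exposed test site with real personal data.
# skill_level 1 = no technical skill needed, opportunity/size 9 = anyone on
# the internet, intrusion_detection 9 = nothing logged or reviewed.
EXPOSED_TEST_SITE = {
    "skill_level": 1, "motive": 4, "opportunity": 9, "size": 9,
    "ease_of_discovery": 9, "ease_of_exploit": 5, "awareness": 6,
    "intrusion_detection": 9,
}


def rate(score: float) -> str:
    """OWASP banding: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def likelihood(factors: dict) -> float:
    """Likelihood = average of the threat agent and vulnerability factors."""
    wanted = THREAT_AGENT_FACTORS + VULNERABILITY_FACTORS
    missing = set(wanted) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in wanted:
        rate(factors[name])  # validates each factor is on the 0-9 scale
    return mean(factors[name] for name in wanted)


def overall_severity(likelihood_score: float, impact_score: float) -> str:
    """Combine the two bands the way the OWASP matrix does."""
    return SEVERITY[(rate(likelihood_score), rate(impact_score))]


if __name__ == "__main__":
    lik = likelihood(EXPOSED_TEST_SITE)
    impact = 7  # assumed impact score (95.000 applicants' data, fines, reputation)
    print(f"likelihood {lik} ({rate(lik)}), impact {impact} ({rate(impact)})"
          f" -> {overall_severity(lik, impact)}")
```

The impact side of the OWASP method has its own technical and business factors; here impact is passed in as a single 0-9 score so the likelihood calculation the slides describe stays in focus.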
Data Protection Impact Assessments
DPIAs are important tools for accountability, as they help controllers not only to comply with requirements
of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with
the GDPR. (Quote: Article 29 Working Group)
DPIAs and the risk assessments can be used for input to the controls that should be tested.
Data Protection Impact Assessments
The purpose of a Data Protection Impact Assessment is to assess the consequences for the data subject.
When
• Processing with high risk to the rights and freedoms of natural persons
• Prior to the processing
• Advice from DPO
• Code of conduct
Required when
• a systematic and extensive evaluation of personal aspects relating to natural persons including profiling and automation
• processing on a large scale of special categories of data
• a systematic monitoring of a publicly accessible area on a large scale
Requirements
• Systematic description of the envisaged processing operations and the purposes of the processing
• Assessment of the necessity and proportionality of the processing operations in relation to the purposes
• Assessment of the risks to the rights and freedoms of data subjects
• the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data
Security Controls
• Executive Order no. 528 of 15/06/2000 (Sikkerhedsbekendtgørelsen)
– Access Control
– Logging
– Encryption
• General Data Protection Regulation
– Risk based security
– Confidentiality, Integrity and Availability
• No real guidance on security controls
– Mentions encryption and pseudonymisation
Novo Nordisk
• Supplier published a web test page by mistake
• 95.000 job applicants’ data leaked
– Name, Phone, Email, Years of experience, Job interests, Date etc.
• Danish Data Protection Agency received complaints
– Data found through search sites
• Novo Nordisk only knew when the Danish Data Protection Agency contacted them
– Test site up for 21 days
What percentage of the population in the USA
can you identify with the following information?
Date of birth
Gender
Postal code
87%
The Re-identification
• William “Bill” Weld
– Governor, Massachusetts.
• Medical data within an insurance data set
– Stripped of direct identifiers
• Re-identified because of a quasi-identifier shared between a voter registration list and the insurance data set
Privacy by design
Build privacy and security into the design from the beginning, and into a project model that includes requirements for:
Risk assessments and DPIA
Measures to mitigate risks (e.g. Data minimisation and pseudonymisation)
Controlling test data
Testing controls to verify
Privacy by Default
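The re-identification slides (date of birth, gender and postal code as a quasi-identifier) and the privacy by design list (data minimisation, pseudonymisation, controlling test data) describe the same control from two sides. The following is an added example, not code from the presentation or from KMD: before a production extract is handed to a test team, it pseudonymises the direct identifier with a keyed hash, generalises the quasi-identifiers, and measures k-anonymity (k is the size of the smallest group of records sharing the same quasi-identifier values, so k = 1 means someone is unique and can be singled out). The records, the key and the generalisation rules are constructed assumptions.

```python
"""Pseudonymise and minimise a test data extract, then verify k-anonymity.

Added example. RECORDS, the HMAC key and the generalisation rules
(birth year, two-digit postal district) are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample: every date of birth is unique, so each person is
# identifiable from (dob, gender, postcode) alone.
RECORDS = [
    {"name": "Anna Jensen",  "dob": "1980-03-12", "gender": "F", "postcode": "2100", "diagnosis": "asthma"},
    {"name": "Carla Madsen", "dob": "1980-11-23", "gender": "F", "postcode": "2150", "diagnosis": "diabetes"},
    {"name": "Bo Nielsen",   "dob": "1980-07-04", "gender": "M", "postcode": "2100", "diagnosis": "none"},
    {"name": "Finn Larsen",  "dob": "1980-09-02", "gender": "M", "postcode": "2150", "diagnosis": "none"},
    {"name": "Dan Olsen",    "dob": "1981-01-30", "gender": "M", "postcode": "2200", "diagnosis": "none"},
    {"name": "Gert Poulsen", "dob": "1981-05-16", "gender": "M", "postcode": "2250", "diagnosis": "asthma"},
]

QUASI_IDENTIFIERS = ("dob", "gender", "postcode")
GENERALISED_QUASI_IDENTIFIERS = ("birth_year", "gender", "postcode")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: stable across extracts, not reversible without the key.
    The key stays with the controller; it is never shipped with the test data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise(record: dict) -> dict:
    """Data minimisation: drop the name, keep only coarsened quasi-identifiers."""
    return {
        "birth_year": record["dob"][:4],            # year instead of full date
        "gender": record["gender"],
        "postcode": record["postcode"][:2] + "xx",  # district instead of full code (assumed rule)
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records: list, quasi: tuple) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def prepare_test_extract(records: list, key: bytes, minimum_k: int = 2) -> list:
    """Pseudonymise, generalise and refuse the extract if anyone stays unique."""
    extract = [dict(generalise(r), subject=pseudonymise(r["name"], key)) for r in records]
    k = k_anonymity(extract, GENERALISED_QUASI_IDENTIFIERS)
    if k < minimum_k:
        raise ValueError(f"extract is only {k}-anonymous; generalise further or drop columns")
    return extract


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    for row in prepare_test_extract(RECORDS, b"constructed-demo-key"):
        print(row)
```

Raising minimum_k makes the check stricter; on this sample a minimum of 3 fails, which is the intended behaviour: the extract does not leave production until the quasi-identifiers have been coarsened enough.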
When a security incident happens - be prepared!
• The data controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
• The data processor shall notify the controller without undue delay after becoming aware of a personal data breach.
Definition
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data Protection Matters
Use existing frameworks and methods to ensure data protection and compliance
Thank you for listening
Christina Brunvoll Ernst
Thomas Deigaard Hedberg