Page 1

Data Protection Matters - How to Do It in Practice

Christina Brunvoll Ernst, Thomas Deigaard Hedberg

KMD

Page 2

Disclaimer

We are not lawyers

This presentation is not legal advice

It is based on our current understanding of the legislation

1000-page guidance from the Justice Department is scheduled for May 2017

Additional Danish legislation is scheduled for Q4 2017

Page 3

Nothing to sell

No quick fixes

No promises of “turn key” solutions that solve it all

Page 4

$whoami

Christina Brunvoll Ernst

Senior Information Security Specialist – Governance, Risk and Compliance

KMD

I have been working with information security management and privacy for over ten years.

KMD (current)

Deloitte

KMD

Digitaliseringsstyrelsen

DK-CERT

• Information Security Manager (CISM)

• Risk and Information Systems Control (CRISC)

• Certified Information Privacy Management (CIPM)

• Certified ISO/IEC 27001 Lead Implementer

• ISO/IEC 27001 Lead Auditor

• Certified ISO/IEC 31000 Risk Management

• DPO training, Plesner

Page 5

$whoami

Thomas Deigaard Hedberg

Senior Information Security Specialist

– Governance, Risk and Compliance

20+ years of IT experience in both the public and private sector, and a strong technical background

KMD (current)

NNIT

IBM

Lotus

TopNordic

Danish Police

Certifications

CISM, CISA, CRISC, CGEIT

ISO 27001 Master

ISO 27001 Lead Implementer

ISO 27001 Lead Auditor

ISO 27005 Lead Risk Manager

ISO 31000 Lead Risk Manager

ISO 22301 Lead Implementer

Page 6

Page 7

The principle of a right to privacy implies that in a world of personal and commercial interaction and communication, there are some aspects of our daily living which should be protected from abuse, surveillance and intrusion.

Page 8

UN Declaration of Human Rights (1948): a result of the Second World War

Article 12: “Right to privacy”

European Convention on Human Rights (1950): Article 8, Right to respect for private and family life

OECD Guidelines on Data Protection (1980): 8 basic principles

EU Data Protection Convention – Treaty 108 (1981): closely aligned with the principles in the OECD Guidelines

European Data Protection Directive (1995)

Danish Data Protection Act (2000): includes the changes from the Data Protection Directive

E-privacy Directive 2002/58

EU General Data Protection Regulation (2016/679)

Page 9

This is all about protecting our personal data and our right to privacy!

The purpose of the EU General Data Protection Regulation is to protect the individual’s right to privacy.

Our personal data must only be collected when there is a legal basis, and used according to the purpose for which it has been collected.

Page 10

Must your company comply?

Test data is in the scope when it includes personal data

Page 11

Motivation for compliance?

Today there is no financial motivation for non-compliance

Non-compliance with the GDPR can be fined up to 4% of global revenue

Tort could add up in case of a breach

[10-15.000 * number of data subjects]

Page 12

Definition of personal data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Sensitive personal data means personal data revealing racial or ethnic origin, political, religious or philosophical convictions, sexual orientation or gender identity, or trade union activities, as well as genetic or biometric data, health information, and information related to criminal offences including administrative sanctions.

Page 13

Definitions

Data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Page 14

Definitions

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Page 15

What is ISO27001?

Page 16

ISO27001 briefly

• Published on 25 September 2013

• Clauses 4-10 are mandatory

• Annex A with 114 controls in 14 groups

• Groups range from security in HR to IT operations and auditing

• Security controls are safeguards to avoid, detect, counteract or minimize security risks to assets

• Covers Confidentiality, Integrity and Availability

• Certification available

Page 17

Annex A controls

A.5: Information security policies (2 controls)

A.6: Organization of information security (7 controls)

A.7: Human resource security (6 controls)

A.8: Asset management (10 controls)

A.9: Access control (14 controls)

A.10: Cryptography (2 controls)

A.11: Physical and environmental security (15 controls)

A.12: Operations security (14 controls)

A.13: Communications security (7 controls)

A.14: System acquisition, development and maintenance (13 controls)

A.15: Supplier relationships (5 controls)

A.16: Information security incident management (7 controls)

A.17: Information security aspects of business continuity management (4 controls)

A.18: Compliance (8 controls)

* Not mandatory, but must be explained in the Statement of Applicability (SOA)

Page 18

Risk Based Security

• Determine your company’s risk profile and appetite

– What kind of company is it, and what is the main threat?

• What are your assets?

• Impact * Likelihood = Risk

• How will an incident impact the organization?

– Helps determine the criticality of assets

• Are they vulnerable?

• Are there any threats?

• What is the likelihood of an incident happening?

– Likelihood = Threat * Vulnerability

Page 19

OWASP Risk Rating Methodology

• Threat Agent Factors:

– Skill level

– Motive

– Opportunity

– Size of threat agent group

• Vulnerability Factors

– Ease of discovery

– Ease of exploit

– Awareness

– Detection
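The OWASP rating worked through in code, as an added example (it is not from the slides or from KMD): it scores the eight likelihood factors listed above together with OWASP's own impact factors, bands each 0-9 average as LOW, MEDIUM or HIGH, and reads the overall severity from the OWASP severity matrix, which is the concrete form of the Impact * Likelihood = Risk formula on the previous slide. The scenario scores are constructed for a test site published by mistake and are assumptions, not figures from any real assessment.

```python
"""OWASP Risk Rating Methodology worked through in code.

Added illustration for this slide deck, not the authors' own tool. The factor
names, 0-9 scoring, LOW/MEDIUM/HIGH thresholds and the severity matrix follow
the published OWASP Risk Rating Methodology; the sample scores are constructed
for an exposed-test-site scenario and are an assumption, not data from any
real assessment.
"""

# Likelihood factors (scored 0-9): four threat-agent factors followed by four
# vulnerability factors, as listed on the OWASP slide.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                    # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "detection",  # vulnerability
)
# Impact factors (scored 0-9): technical impact followed by business impact.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)
# OWASP overall risk severity, indexed as SEVERITY[likelihood_level][impact_level].
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}


def level(score: float) -> str:
    """Map a 0-9 average onto the OWASP LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(scores: dict, factors: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range scores."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be scored 0-9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)


def rate_risk(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Risk = Impact * Likelihood, the OWASP way: two averaged scores, each
    banded, then combined through the severity matrix."""
    likelihood = average(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average(impact_scores, IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood, "likelihood_level": l_level,
        "impact": impact, "impact_level": i_level,
        "severity": SEVERITY[l_level][i_level],
    }


def exposed_test_site_example() -> dict:
    """Constructed scoring of a test web page published by mistake, indexed by
    search engines and unnoticed by its owner (the pattern of the Novo Nordisk
    case later in the deck). Every number here is an assumption."""
    likelihood = {
        "skill_level": 1,        # no technical skill needed: a search query finds it
        "motive": 4,             # possible reward from the leaked data
        "opportunity": 9,        # no access or special resources required
        "size": 9,               # anonymous Internet users
        "ease_of_discovery": 9,  # automated crawlers already found it
        "ease_of_exploit": 9,    # plain download, nothing to exploit
        "awareness": 9,          # public knowledge once indexed
        "detection": 9,          # not logged or reviewed; owner learned from the regulator
    }
    impact = {
        "loss_of_confidentiality": 7,  # extensive personal data disclosed
        "loss_of_integrity": 1,        # read-only exposure
        "loss_of_availability": 1,
        "loss_of_accountability": 7,   # downloaders only possibly traceable
        "financial_damage": 5,
        "reputation_damage": 5,        # loss of goodwill
        "non_compliance": 7,           # high-profile violation, regulator involved
        "privacy_violation": 7,        # tens of thousands of data subjects
    }
    return rate_risk(likelihood, impact)


if __name__ == "__main__":
    print(exposed_test_site_example())
```

With these scores the likelihood averages 7.375 (HIGH) and the impact 5.0 (MEDIUM), which the matrix rates as High overall; the value of the exercise is that the detection factor is explicit, so a rating done before the 21-day exposure would already have shown that nobody would notice a leak.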

Page 20

Data Protection Impact Assessments

DPIAs are important tools for accountability, as they help controllers not only to comply with the requirements of the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the GDPR. (Quote: Article 29 Working Group)

DPIAs and risk assessments can be used as input to the controls that should be tested.


Page 21

Data Protection Impact Assessments

The purpose of a Data Protection Impact Assessment is to assess the consequences for the data subject.

When

• Processing with high risk to the rights and freedoms of natural persons

• Prior to the processing

• Advice from DPO

• Code of conduct

Required when

• a systematic and extensive evaluation of personal aspects relating to natural persons, including profiling and automation

• processing on a large scale of special categories of data

• a systematic monitoring of a publicly accessible area on a large scale

Requirements

• Systematic description of the envisaged processing operations and the purposes of the processing

• Assessment of the necessity and proportionality of the processing operations in relation to the purposes

• Assessment of the risks to the rights and freedoms of data subjects

• The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data

Page 22

Security Controls

• Executive Order no. 528 of 15/06/2000 (Sikkerhedsbekendtgørelsen)

– Access Control

– Logging

– Encryption

• General Data Protection Regulation

– Risk based security

– Confidentiality, Integrity and Availability

• No real guidance on security controls

– Mentions encryption and pseudonymisation

Page 23

Novo Nordisk

• Supplier published a web test page by mistake

• Data on 95,000 job applicants leaked

– Name, phone, email, years of experience, job interests, date etc.

• The Danish Data Protection Agency received complaints

– Data found through search sites

• Novo Nordisk only knew when the Danish Data Protection Agency contacted them

– Test site up for 21 days

Page 24

How many percent of the population in the USA can you identify with the following information?

Date of birth

Gender

Postal code

87%

Page 25

The Re-identification

• William “Bill” Weld

– Governor of Massachusetts

• Medical data within an insurance data set

– Stripped of direct identifiers

• Re-identified because of a quasi-identifier shared between a voter registration list and the insurance data set

Page 26

Privacy by design

Build privacy and security into the design from the beginning, and into a project model that includes requirements for:

Risk assessments and DPIA

Measures to mitigate risks (e.g. data minimisation and pseudonymisation)

Controlling test data

Testing controls to verify
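The two preceding slides on re-identification (the 87% figure, and the Weld case linked through a quasi-identifier shared with a voter list) and the data minimisation and test-data points above are illustrated by this added example, which is not from the slides or from KMD. It builds two constructed data sets, shows that a "de-identified" medical extract is still linkable to a name list on date of birth, gender and postal code alone, measures k-anonymity, and then applies the generalisation step a controller would take before releasing the data or loading it as test data. All names, dates, postcodes and diagnoses are invented placeholders.

```python
"""Quasi-identifier linkage and k-anonymity, worked on constructed data.

Added illustration for this slide deck, not the authors' own material. Both
data sets are invented: a "de-identified" medical extract that still carries
date of birth, gender and postal code, and a public voter list carrying the
same three attributes plus names.
"""
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("dob", "gender", "zip")

# Constructed medical extract: direct identifiers stripped, quasi-identifiers kept.
MEDICAL = [
    {"dob": "1945-07-31", "gender": "M", "zip": "02138", "diagnosis": "hypertension"},
    {"dob": "1945-03-12", "gender": "M", "zip": "02139", "diagnosis": "diabetes"},
    {"dob": "1960-11-02", "gender": "F", "zip": "02138", "diagnosis": "asthma"},
    {"dob": "1960-05-20", "gender": "F", "zip": "02139", "diagnosis": "asthma"},
    {"dob": "1972-01-15", "gender": "M", "zip": "02138", "diagnosis": "fracture"},
    {"dob": "1972-09-09", "gender": "M", "zip": "02139", "diagnosis": "influenza"},
]

# Constructed voter list: the same attributes, plus the name the medical data lacks.
VOTERS = [
    {"name": "Voter A", "dob": "1945-07-31", "gender": "M", "zip": "02138"},
    {"name": "Voter B", "dob": "1945-03-12", "gender": "M", "zip": "02139"},
    {"name": "Voter C", "dob": "1960-11-02", "gender": "F", "zip": "02138"},
    {"name": "Voter D", "dob": "1960-05-20", "gender": "F", "zip": "02139"},
    {"name": "Voter E", "dob": "1972-01-15", "gender": "M", "zip": "02138"},
    {"name": "Voter F", "dob": "1972-09-09", "gender": "M", "zip": "02139"},
    {"name": "Voter G", "dob": "1972-01-15", "gender": "M", "zip": "02138"},  # same QI as E
    {"name": "Voter H", "dob": "1980-02-02", "gender": "F", "zip": "02140"},  # not a patient
]


def qi_key(record: dict, fields=QUASI_IDENTIFIERS) -> tuple:
    """The quasi-identifier combination of one record."""
    return tuple(record[f] for f in fields)


def k_anonymity(records: list, fields=QUASI_IDENTIFIERS) -> int:
    """Smallest number of records sharing one quasi-identifier combination.
    k == 1 means at least one record is unique on those attributes."""
    return min(Counter(qi_key(r, fields) for r in records).values())


def link_records(medical: list, voters: list, fields=QUASI_IDENTIFIERS) -> dict:
    """Return {medical row index: voter name} for every medical row whose
    quasi-identifiers match exactly one voter. Ambiguous matches are skipped,
    which is why a larger k defeats the linkage."""
    names_by_key = defaultdict(list)
    for v in voters:
        names_by_key[qi_key(v, fields)].append(v["name"])
    linked = {}
    for i, m in enumerate(medical):
        candidates = names_by_key.get(qi_key(m, fields), [])
        if len(candidates) == 1:
            linked[i] = candidates[0]
    return linked


def generalize(record: dict) -> dict:
    """Data-minimisation step: keep only the birth year and the first three
    postcode digits. This is the form a controller would release, or load into
    a test environment, instead of the full quasi-identifiers."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3]
    return out


def run_demo() -> dict:
    """Compare linkability before and after generalisation."""
    generalized_medical = [generalize(r) for r in MEDICAL]
    generalized_voters = [generalize(r) for r in VOTERS]
    return {
        "raw_k": k_anonymity(MEDICAL),
        "raw_links": link_records(MEDICAL, VOTERS),
        "generalized_k": k_anonymity(generalized_medical),
        "generalized_links": link_records(generalized_medical, generalized_voters),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the raw extract every row is unique on the three attributes (k = 1) and five of the six rows link to exactly one voter; the sixth escapes only because two voters happen to share its attributes. After generalisation every combination is shared by at least two records (k = 2) and no row links to a single name. The point for a project model is that the check is cheap to automate: compute k on the release or test data set and fail the gate when it is 1.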

Page 27

Privacy by Default

Page 28

When a security incident happens - be prepared!

• The data controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.

• The data processor shall notify the controller without undue delay after becoming aware of a personal data breach.

Definition

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Page 29

Data Protection Matters

Use existing frameworks and methods to ensure data protection and compliance

Page 30

Data Protection Matters - How to Do It in Practice

Thank you for listening

Christina Brunvoll Ernst, Thomas Deigaard Hedberg

[email protected] / [email protected]