
Data Privacy and Data Security –

Introduction to GDPR
CS 622 – Session 5
Saturday, Dec 19, 2020
G Krishnamurthy
What is it & why is it important?
What?
• Any data relating to identifiable individuals – employees, suppliers, clients
– Names
– Addresses
– Email addresses
– Telephone numbers
– Sensitive information
Why?
• Covered by the Data Protection Act 1998 which sets out legal conditions which must be satisfied in relation to
– Obtaining
– Handling
– Processing
– Storing
– Transportation
– Destruction of personal information
Why do we collect personal data?

To service the contract you have with customers
To make better decisions about your business
To invite them or others to buy more from you
Demand / Request / Beg or Mislead


Personal data lifecycle
Personal Data Protection Risks

Breaches of confidentiality e.g. information being given out inappropriately, lost or overseen
Failing to offer choice e.g. individuals should be free to choose how the company uses data relating to them
Reputational damage e.g. the company losing data should suffer if hackers successfully gain access to personal data.
Clients should expect the company having their data to look after their data securely and in a professional manner, regardless of any regulations!
So what if ?
• Breaches have to be reported
• Potential fines
• Reputational damage, Due Diligence risk
• Potential to strike the company off panels
e.g. Mortgage Panels
• Potential for investigations into company’s compliance
Future of Personal Data

Data Protection Act 1998 → GDPR
GDPR- What’s New?
General Data Protection Regulation – Effective from 25th May 2018

• A complete overhaul of data protection regulation with extensive updates of what can be considered identifiable information
• Applies across all member states of the EU
• Applies to all organizations processing the data of EU subjects – wherever the
organization is geographically based
• Specific and significant rights for data subjects to seek compensation, rights to
erasure and accurate representation
• Compensation can be sought against organizations and individuals employed
by them
• Fines of up to 20,000,000 Euros or 4% of global annual turnover
GDPR
Personal data is defined as any information relating to a person who can be identified directly or indirectly. This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject.
Indirect information might include physical, physiological, genetic, mental, economic, cultural or social identities that can be linked back to a specific individual.
There is no distinction between personal data about an individual in their private, public or work roles – all are covered by this regulation.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data.
There will be a substantial increase in fines for organisations that do not comply with this new regulation.
Penalties can be levied up to the greater of ten million euros or two per cent of global gross turnover for violations of record‑keeping, security, breach notification and privacy impact assessment obligations.
These penalties are doubled to twenty million euros or four per cent of turnover for violations related to legal justification for processing, lack of consent, data subject rights and cross‑border data transfers.
50% of global companies say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate.
GDPR
Companies will be required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development.
These safeguards must be appropriate to the degree of risk associated with the data held and might include:
• Pseudonymisation and/or encryption of personal data
• Ensuring the ongoing confidentiality, integrity, availability and resilience of systems
• Restoring the availability of, and access to, data in a timely manner following a physical or technical incident
• Introducing a process for regularly testing, assessing and evaluating the effectiveness of these systems.
A key part of the regulation requires consent to be given by the individual whose data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”.
Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given, it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes.
Individuals must be able to withdraw consent at any time and have a right to be forgotten; if their data is no longer required for the reasons for which it was collected, it must be erased.
GDPR areas
Privacy culture
GDPR compliance
Organize changes
Theory to practice
Organisational / Legal / Technical / Info Security
2017 Security and Privacy Survey by Protiviti

87% of FTSE 100 companies disclosed cyber as a principal risk
Only 33% with a high board engagement in cyber risks
Boards are not discussing cyber risks
Directors more prepared for compliance risks than cyber risks
Weak cybersecurity controls and preparedness
38% with all core infosec policies
Big impact on security, distinguishing top performers
31% with an excellent understanding of critical information
Many companies unable to identify the most valuable data assets
60% with mandatory training on security to all employees
GDPR and Cyber Security
• Boards not discussing cyber risks; 350 survey
– 53% of respondents only receive "some information"
– 1/3 receive "comprehensive & informative data"
• 50% have a clear understanding of data assets
• 10% do not have a cyber incident response plan
– 27% have no defined role in the response to incidents
• 68% had not received incident response training
• 6% feel their company is prepared for GDPR
• 68% of large UK companies, & 46% had one breach
• In a 2015 information security breaches survey, 90% of large organisations and 74% of SMEs reported a security breach.
A - Plan
How well prepared are we?
How can we start?
How can we get support?
Do we need a DPO?
What personal data do we
hold?
What is it being used for?
How secure is it?
Step 1: Obtain the buy-in
Key factor for success
Fines + Reputation

Board members
Senior managers
Chief compliance officer
Chief risk officer
Chief legal officer
Chief information officer
Chief information security officer
Step 1: Tips to obtain buy in
Educate key stakeholders about GDPR
Explain the privacy risks for their own career
Invite them to conference and training
Communicate the link between GDPR and
cyber risks
Propose a plan adjusted to the organization culture
Efficient and transparent plan
Plan aligned to available resources
GDPR project linked to strategies
e.g. better use of data, update marketing databases, protect patents and
trade secrets
Share cases about data breaches
“Good privacy is good business”
Step 1: Tips Documentation
• Document all Data processing activities
• Document and Data inventory
• List of consents
• List of data processors and related agreements
• Risk Analyses
• Privacy Impact Assessment (PIA)
• Data Protection Impact Assessment (DPIA)
• Security Policy
• Contingency plans
Why is GDPR important?
Fines!
20M EUR up to 4% global revenue in the last year
Failure to implement core principles, infringement of personal rights and the transfer of personal data to countries or organisations without adequate protection
10M EUR up to 2% global revenue in the last year
Failure to comply with technical and organisational requirements such as impact assessment, breach communication and certification
Reduced with appropriate technical and organisational measures
Why is GDPR important?
Data Privacy as a competitive advantage
Protect the reputation
Organise and control data
Remove unnecessary data
Identify privacy vulnerabilities at an early stage
Focus the client and customer contact lists
Exercise 1: Discussion case
Ashley Madison site enabled extramarital affairs
Lack of protective and detective measures
Required users to pay USD 19 for deleting their data (which was partially done)
Cybercriminals posted e-mail addresses, credit card numbers and account details of 32 M current and former members
Exercise 1: Discussion case
Top management allowed
not to have:
a security policy
data transparency
a risk assessment

Consequences for the


company and users?
Step 2: Get a team
One man army?
Data protection officer
Implementation team <> Maintenance team
Define a clear objective and responsibilities
Be a leader
Experience in project management, security,
training and legal
Commit time of process subject experts
Document all the project activities
Get the team early
Core team
Lead the implementation efforts
Knowledge of GDPR compliance, privacy controls, data security and change management
Subject matter experts
IT, compliance, HR, marketing, procurement, customer support
Change management
GDPR Impact

New or amended policies and record management
New operational roles and responsibilities, DPO role
Changes in IT tools, solutions, applications and infrastructure
Changes in contracts, agreements, consents, notices
Continuous improvement
Change management
GDPR Impact

Create a protection impact assessment policy
Improve the access management policy
Review processes dealing with personal information
Identify owners of personal data
Assess key staff skills
Create and conduct learning and awareness programs
Communicate the GDPR changes
Determine the need for PIAs
Follow-up remediation plans for IT solutions
Incident management
Document compliance efforts
Get approvals for changes
Metrics for GDPR compliance
Who needs a DPO?
The controller / The processor
Processing is carried out by a public authority
Required by a national law
Core activity is processing operations requiring monitoring of personal data at large scale
Included: hospitals for health data, marketing agencies for customer web data, surveillance companies
Excluded: payroll for a commercial company, health data by a single doctor
Core activity is processing operations requiring monitoring of sensitive personal data at large scale, or of data relating to criminal convictions and offences
What does a DPO do?
Foster the data protection culture
Guide the GDPR implementation and monitor its compliance
Make recommendations in meetings where decisions with data protection implications are taken
Cooperate and liaise with the supervisory authorities
Independence in ensuring compliance
Employee or external consultant based on a service contract
Expertise in national and European data protection laws
Knowledge of the business sector and of the organisation of the controller
Professional ethics and lack of conflict of interests
Groups may designate a single DPO
Step 3: Relevant processes
Scope
Business functions
Understand areas dealing with personal information
3rd parties processing personal information
Get priorities
Define deadlines in the roadmap
What is personal information?

Any information … relating to an identified or identifiable … natural person: the data subject!
How is data identifiable?
A Bulgarian: +7 M
How is data identifiable?
A Bulgarian female: 3.5M
How is data identifiable?
A Bulgarian female born in 2000: 29k
How is data identifiable?
…. born 8th January 1942, comes from the Rhodope Mountains, born in Arda, Smolyan Province, singing Rhodopean folk songs: 1
How is data identifiable?
1 identifier: Name; ID, passport, driver, social security and tax numbers; Cookies and online IDs; Phone numbers; Location data
1 or + factors: Physical, Physiological, Economic, Cultural, Social, Mental, Genetic
How is data identifiable?
Pseudonymous: coded data linked by a secure and separated key to re-identify a data subject
What is pseudonymisation?
Original table (Name | Bank Account):
J Hansen | DD99234
A Jensen | DD99432
Lookup table, kept on a separated server (Name | Code):
J Hansen | Kl23!lsw=
A Jensen | 45der_f2!
Pseudonymised table (Code | Bank Account):
Kl23!lsw= | DD99234
45der_f2! | DD99432
Replacing the sensitive data by a random code
Using a table in a separated server to link the random code to the original sensitive data
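The following Python code is an added example, not part of the slides, showing the pseudonymisation scheme on this slide: the identifying field is replaced by a random code and the only way back is a lookup table that would be stored on a separate, more tightly controlled server. It goes one step beyond the slide by adding a keyed (HMAC) variant for the case where the same subject must receive the same code in several datasets without a shared table. The customer records and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample records mirroring the slide's table (not real people).
CUSTOMERS = [
    {"name": "J Hansen", "bank_account": "DD99234"},
    {"name": "A Jensen", "bank_account": "DD99432"},
]


def pseudonymise(records, fields):
    """Replace each value of `fields` with a random code.

    Returns (pseudonymised_records, lookup_table). The lookup table maps
    code -> original value and is the only route back to the identity, so
    it belongs on a separate system with its own access controls, never
    beside the coded dataset.
    """
    lookup = {}
    coded = []
    for rec in records:
        new_rec = dict(rec)
        for field in fields:
            code = secrets.token_urlsafe(9)
            while code in lookup:  # collisions are vanishingly rare, but keep codes unique
                code = secrets.token_urlsafe(9)
            lookup[code] = rec[field]
            new_rec[field] = code
        coded.append(new_rec)
    return coded, lookup


def reidentify(coded_records, lookup, fields):
    """Undo pseudonymise() using the separately stored lookup table."""
    return [{**rec, **{f: lookup[rec[f]] for f in fields}} for rec in coded_records]


def leaks_identity(coded_records, originals, fields):
    """True if any original identifying value survives in the coded dataset."""
    original_values = {rec[f] for rec in originals for f in fields}
    return any(rec[f] in original_values for rec in coded_records for f in fields)


def keyed_pseudonym(value, key):
    """Deterministic alternative (hypothetical helper, not on the slide).

    An HMAC of the value under a secret key gives the same subject the same
    code in every dataset keyed with `key`, so records can be joined without
    a lookup table. Re-identification still needs the key, which must be
    kept apart from the coded data just like the lookup table.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
```

The pseudonymised table on its own reveals nothing about who J Hansen or A Jensen is; whoever holds both the coded data and the lookup table (or the HMAC key) can re-identify, which is why the slide insists on keeping the two on separated servers.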
What is encryption?
Original table (Name | Bank Account):
J Hansen | DD99234
A Jensen | DD99432
Encrypted table, transformed with the encryption key (Name | Encrypted Info):
J Hansen | Kl23!lsw=
A Jensen | 45der_f2!
It is an algorithm to scramble and unscramble data
Transforming the original data with an encryption key
Which data is sensitive?
Health, Biometric, Genetic, Racial, Political, Trade union, Religion, Sex life
Special categories → generally cannot be processed, except given explicit consent and necessary for employment and other well defined circumstances
Other personal data stored?

Website visitors
Email servers
Marketing databases
Customer loyalty programs
Patient/client databases
Performance reviews
Personnel files
Legal documents
Credit card statements
Cameras and fingerprints for access control
Phone books
End-user apps, downloads, shared folders
Step 3: Compile a data inventory
What personal data do we hold?
What applications do we have?
Where is it?
What is it being used for?
How secure is it?
Step 3: Compile a data inventory
Departments to cover by meeting or questionnaire
Commercial, marketing, advertising, customer care, complaints system
HR, payroll, health & pension insurance, recruitment
Procurement, A/R and treasury
Legal, including the whistleblowing line
Support: compliance, IT, process experts
Step 3: Compile a data inventory
Who are the data subjects? Who has access to their personal data?
Where is the personal data stored? Where is the personal data transferred?
Why is the personal data under the company control?
When is the personal data kept until? When is it shared with third parties?
What safety mechanisms and controls are in place?
Step 3: Practice
Examples from “when” to “what”
When visitors access the company website
IP location, cookies, device information, browser information (e.g. language), behavior information
When clients shop from the company website
name, address, email, bank/credit card details
When clients contact the company by website
name, address, organisation, phone number
Step 3: Practice
Ideas for the “what”?
When candidates apply for a job
name, address, email, phone, age, places of employment
When employees are hired
name, date of birth, address, Aadhar number, bank details, salary, vital records, photo, family details, health, tax and retirement number, passport, car license plate
When clients take part in a prize draw
name, phone
Step 3: Practice
Ideas for the “what”?
When visitors are video monitored at the lobby
Images, activity
When fingers are scanned for door access
fingerprints (biometric)
When visitors follow company social media
data according to Facebook or LinkedIn policies
Step 3: Practice
Ideas for the “what”?
When suppliers are created
Names, phones, addresses, emails, executives, transaction records, tax number, financial data
When employee users are created
PC IP address, mobile device, activity, password
When visitors get a company parking permit
license plate, name
Step 3: What should not be done
Path, Processing and Payload
• GDPR articles can reveal unknown data processing issues
• Is data used for the right purpose?
– map the data flow of the process
• Article 30; controller maintains record of process/actions
• Organise process records around purpose
– rather than data flow
• Mistake: create registers on each object in dataset
• Using data for specific purposes under article 5 (Principles
relating to processing of personal data)
• Therefore know the 3 P's (path, processing & payload)
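As an added example (not from the slides), the Python code below turns the inventory questions of Step 3 (who, where, why, when, what) and the Article 30 advice above into a purpose-keyed register of processing and checks each entry against the lawful bases and special categories listed elsewhere in this deck. The field names, the check logic and the two register entries are assumptions of this example; the entries are constructed from the "Step 3: Practice" slides.

```python
from dataclasses import dataclass, field

# Lawful bases of Article 6 as listed on the "When is processing lawful?" slide
# (short labels are this example's own).
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation", "vital_interests",
    "public_task", "legitimate_interests",
}

# Special categories from the "Which data is sensitive?" slide.
SPECIAL_CATEGORIES = {
    "health", "biometric", "genetic", "racial", "political",
    "trade_union", "religion", "sex_life",
}


@dataclass
class ProcessingRecord:
    """One Article 30 entry, organised around a purpose rather than a dataset."""
    purpose: str                 # why the data is processed
    data_subjects: str           # who the data is about
    data_fields: list            # what is collected (the payload)
    storage: str                 # where it is stored
    recipients: list             # whom it is shared with (the path)
    retention: str               # how long it is kept (the "when")
    lawful_basis: str            # Article 6 basis relied on
    special_category_exception: str = ""   # e.g. explicit consent, employment necessity
    controls: list = field(default_factory=list)  # safety mechanisms in place


def check_record(rec):
    """Return a list of findings for one entry; an empty list means it is complete."""
    findings = []
    if rec.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{rec.purpose}: unknown lawful basis '{rec.lawful_basis}'")
    if not rec.retention:
        findings.append(f"{rec.purpose}: no retention period stated")
    if not rec.controls:
        findings.append(f"{rec.purpose}: no security controls documented")
    special = SPECIAL_CATEGORIES.intersection(rec.data_fields)
    if special and not rec.special_category_exception:
        findings.append(
            f"{rec.purpose}: special categories {sorted(special)} "
            "without a documented exception (explicit consent or other circumstance)"
        )
    return findings


def check_register(register):
    """Run check_record() over every entry and concatenate the findings."""
    return [finding for rec in register for finding in check_record(rec)]


# Constructed example register (values are illustrative, not a real organisation's).
REGISTER = [
    ProcessingRecord(
        purpose="recruitment", data_subjects="job candidates",
        data_fields=["name", "address", "email", "phone", "age", "places_of_employment"],
        storage="HR applicant database", recipients=["HR", "hiring managers"],
        retention="2 years after decision", lawful_basis="consent",
        controls=["role-based access", "encryption at rest"],
    ),
    ProcessingRecord(
        purpose="door access", data_subjects="employees",
        data_fields=["name", "biometric"],
        storage="access control server", recipients=["facilities"],
        retention="", lawful_basis="legitimate_interests",
    ),
]

if __name__ == "__main__":
    for finding in check_register(REGISTER):
        print(finding)
```

Keying the register by purpose rather than by dataset is what makes the check meaningful: the same "name" field appears under both purposes, but the retention, basis and controls that have to be justified differ per purpose, and a register built per object in the dataset (the mistake the slide warns about) cannot express that.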
Step 4: Clean the house!
The GDPR is an opportunity to improve data practices
De-risk! Start clean!
Create an inventory of data and documents
Stop asking for personal data which is not needed
Delete personal data after it is no longer needed
Restructure databases to avoid redundancies in personal data
Centralise channels to receive personal information
Anonymise data, erase copies and links
Opt out in email lists
Remove duplicate, out-of-date or inaccurate records
Be conservative: there are no fines for over-deleting
Step 4: Discussion case
UK pub chain deleted their customer emails from marketing database in Jun 2017
Contacts are now by Twitter and Facebook
They suffered a breach of 665k emails in 2015
Step 4: Discussion case
Pros
Less intrusive?
No need to keep track of consents?
Cons
Communication of offers
Step 4: An example
Step 5: Create a privacy policy
Best practices based on the ISO 27001
Set the information security objectives
provide access of information only to authorised employees and 3rd parties
protect the confidentiality, availability and integrity of information assets
implement annual information security awareness training
Support from upper management
Policy approved by CEO, IS compliance reports to board
Responsibilities to data owners, data users, IT, risk management and internal audit
Communicated across the company and to 3rd parties
Regularly updated
Step 5: Create a privacy policy
Recommended chapters
Company privacy vision
Define data categories
Organisation of applicable policies: data retention, information security, recognise GDPR rights
Define general principles and roles to limit:
the collection: how the consents are ensured, when risk impacts are conducted
the use: how data is secured and given access to
the disclosing: define circumstances for disclosure, complaints and requests, notification of breaches
Step 6 : Create a privacy policy
Hierarchy
Organisational: Policy on Privacy management
Operational: data breach incident management, duty of disclosure, classification and acceptable use of information assets, backup & business continuity, access control by password, handling international transfers
Supporting policies on: clear desk and clear screen policy, use of network services, software development, data processing agreements
Privacy policy
Security strategy
Part of the business ethics
Risk tolerance based on the customer trust
Data security policy
Objectives
Privacy policy
Privacy program
Supporting policies
Step 6: Removable media
Removable media is a common route for the introduction of
malware and the accidental or deliberate export of
sensitive data
Employees should not use removable media as a default
mechanism to store or transfer information → offer
alternatives
Media ports should be approved for few users
All removable media should be provided by the company
Sensitive information should be encrypted at rest on media
Educate employees to maintain awareness
Step 6: Discussion case
6 Principles
Processed lawfully, fairly and transparently
Collected for specified, explicit and legitimate purposes
Adequate, relevant and limited to what is necessary
Processed in a manner that ensures appropriate security
Accurate and, where necessary, kept up to date
Kept for no longer than is necessary
Principles
The controller must be able to demonstrate accountability
Being able to demonstrate best efforts to comply with the GDPR principles
Proactive approach to properly manage personal data and to address privacy risks by a structured privacy management program
Principles
Proportionality: processing only if necessary for the attainment of the stated purpose
Personal data must be adequate, relevant and not excessive in relation to the purposes
By the data processor and controller
Requires the use of the least intrusive means of processing
When is processing lawful?
• Data subject gives consent for one or more
specific purposes
• Processing is necessary to meet contractual
obligations entered into by the data subject
• Processing is necessary to comply with legal
obligations of the controller
• Processing is necessary to protect the vital interests of
the data subject
• Processing is necessary for tasks in the public
interest or exercise of authority vested in the
controller
• Purposes of the legitimate interests pursued by
the controller
Rights
To access data: request access to personal data to verify lawfulness of processing
To data portability: common format, even directly transmitted between controllers
To rectify and be forgotten: when no longer necessary or consent is withdrawn
To object: by controller when unjustified by either "public interest" or "legitimate interests"
To restrict processing: limiting the data use or transfer
To limit profiling: right to not be subjected to automated individual decision making
Discussion case
ABC contacted via text message a number of former employees of subcontractor XYZ, who represents ABC as their customer service. ABC wanted to recruit employees who have been terminated or resigned at XYZ, after the company has chosen to move offices from the city where ABC has its headquarters. The employees have been contacted directly by text message by ABC, despite having not been employed by the group.
Discussion case
Has ABC complied with the GDPR by using contact information on employees of a subcontractor in this context?
Can personal information given in another context be used to ensure terminated employees a job opportunity?
Discussion case
If ABC has obtained the information on legitimate terms in relation to their cooperation with XYZ, can ABC use employee data and commitments that are submitted in a different context and be in conflict with GDPR rules?
Discussion case
How could ABC have used personal data given for other purposes to be GDPR compliant?
Let´s discuss other alternatives than to invite the employees to a meeting where the employees could sign up
Discussion case
Can a company contact former employees of a subcontractor directly when the company has daily cooperation with and is in daily contact with the employees and thus has contact information on them?
Let´s discuss the overall principles in relation to GDPR: the company must ask its subcontractors and partners they cooperate with, where the daily management lies with the partners/subcontractors.
Difference
Privacy notices: data subject right to be informed on processing personal information, i.e. legal basis, type of information, 3rd parties recipients and retention period
Consents: formal permit given by the data subject to fairly process personal information
Step 2: Review consents
How should consents be given?
Plain language: explicit purpose of processing; scope and consequences; list of rights; separated from other
Opt-Out: genuine choice to withdraw any time; affirmative actions: silence, pre-ticked boxes and inactivity are inadequate
Updated: reviewed when the use of data changes; when the data controller changes (or the contact details); being able to demonstrate consent
Minors: parental authorisation for children below the age of 16; reasonable means to verify parental consent
Review Consents
Focus on ‘explicit consents’ for sensitive data and international transfers
Link the consents to the personal data inventory
Confirm that the consents are given freely, are clear and transparent
Update the data subject rights
Audit how the consents are documented and retained
Audit if the opt-outs are processed on time
http://www.copenhagencompliance.com/news/issueXXXVI/Consent-the-GDPR-way-is-free-accurate-informed-and-unambiguous-approval-to-process-personal-data.php
Consent example
• Do you agree to the consent declaration below?

When submitting your information to [The Company] you accept and consent to the
following:
Collection of Personal Data
[The Company] is an equal opportunity employer and makes all employment-related
decisions entirely on merit and qualifications. Consequently, you should only include
information relevant for the review of your application and not include information about
your race or ethnic origin, religion or belief, political opinion or sexual orientation or your
union memberships. Please do also not include your social security number.
Personal Information held by [The Company] The personal information is held on an
externally hosted database in the United States. Personal information is also held in
manual form and on other computer systems. Personal information includes all
information submitted by you.
Purposes for which Personal Information is used by [The Company] Personal
information about you may be held and processed by [The Company] for the purpose of
recruitment.
Consent example
Disclosures of Personal Information Personal information will be disclosed only in the
following circumstances:
• Personal information will be disclosed to the extent required for the purposes listed above to
[The
Company]’s affiliates worldwide, including affiliates located in countries outside of Europe.
• Personal information may be disclosed to public authorities and law enforcement agencies as
permitted by law.
Security Measures [The Company] ensures that adequate security measures to safeguard
your information are in place throughout [The Company], its affiliates and vendors, and also
ensures that adequate safeguards are in place to protect your personal information if it is
subsequently transferred to other [The Company] entities or third parties.
Accurate Information and Deletion [The Company] is committed to keeping data about you
accurate and up to date. Therefore please advise [The Company] of relevant changes to your
details. [The Company] will erase all information after 2 years.
Your rights You may access the personal information held about you by or on behalf of [The
Company] in order to review, edit, erase or to ascertain the purposes for which it is
processed subject to certain criteria being met. Please contact [The Company] HR for
further information if you wish to obtain insight in your personal information.
Statistics Your information may be used for anonymous statistics for internal purposes in
which case the information will be used collectively. All personal data will be anonymised.
Further information For further information on [The Company]’ Disclaimer and Privacy
Policy please visit: www.novonordisk.com/utils/disclaimer.html
Step 3: Prepare to deal with requests
1 month to comply with requests from data subjects
Many requests are received → extended to additional 2 months
Flood of data requests post-GDPR?
Request is a key part of the implementation strategy
Prepare a protocol, train caseworkers and test how it works
Tool to copy insulated personal data in standard format
All info: electronic + on paper + archived data
Understandable format
Structured, common and machine-readable → CSV, HTML, PDF, MPEG/videos, TIFF
Add reference tables when parameters and codes are used
Format “in writing”
Letter, email, customer contact, social media → use a standard form
Reasonable requests → free
Repetitive or unreasonable requests → fee based on administrative costs
Disproportionate or expensive requests (proven) → refuse
Requests
Before acting, check that data requests are
accurate and fully completed,
fees are paid, and
the identity of data requesters (or their representatives) is validated
Once checked, act promptly
In particular, when third parties have personal data
Refine the scope: offer to focus the research when the request is extremely wide and involves a large volume of data
Centralise and prioritise requests according to complexity
Use a document management system
Validate data transfers
Flows-in the organisation
• Who inputs the personal information
• Collected personal data fields
• Storage location
Flows-out (data transfer or display)
• Categories of recipients in EU or non-EU countries
• Security measures on the transfer (e.g. encryption standard)
How is personal data processed?
Collect, Record, Change, Display, Use, Transmit, Destroy, Restrict
Electronically or Manually
GDPR covers personal information processed wholly or partly by automated means
Processing Authority
Controller: who decides why the personal data is needed. Natural or legal person, including the government
Processor: who processes the data. Service provider, cloud services, outsourcing firms, e-commerce platforms
… but, where?
In the EU: when personal data of an individual living in the EU (citizens or not) is processed in the EU
Outside the EU: when personal data of an EU citizen is processed by a non-EU company offering goods and services in the EU (not paid in the EU)
Binding Corporate Rules
Contract between group companies to transfer information,
covering:
specify the purposes of the transfer and affected categories
of data
reflect the requirements of the GDPR
confirm that the EU-based data exporters accept liability on
behalf of the entire group
explain complaint procedures
provide mechanisms for ensuring compliance (e.g., audits)
Model pre-approved clauses to reduce compliance burden
Review contracts
Controller / Processor
Data exporter when processing is outside the EU
Review data processing agreements: clear responsibilities and use of sub-contracts
Audits and certifications
There are “model clauses” for data exports
Negotiate the cost of GDPR compliance in fees
Foresee dispute resolutions and compensation clauses
Data controller responsibilities
• able to demonstrate compliance with the GDPR
• ensure personal data is:
processed fairly and lawfully and in accordance with the
principles of the GDPR
is carried out under a contract
processed by the data processor only on clear and lawful
instructions based on the contract
• exercise overall control
– Data protection by design and by default
• notify breaches
Data processor responsibilities
• process personal information on behalf of the data controller client
• act only on instructions from the data controller
– comply with a clear standard
– impose a confidentiality obligation on its employees dealing with controller's information
• provide sufficient guarantees to demonstrate compliance
– in respect of the technical and organisational security measures governing the processing
• Allow data controller audits
– on premises, systems, procedures, documents and staff
• Delete or return data at the end of the contract
Step 5: How to notify a data breach?
Data breach: accidental or unlawful unauthorised disclosure or access + destruction, loss, alteration … of personal data transmitted, stored or processed
When to notify: not later than 72 hours after having become aware of it; undue delays should be justified
Whom to notify: supervisory authority; each data subject when the breach is likely to result in a high risk for their rights (e.g. unencrypted data)
What to notify: type and number of data records and subjects compromised (approx.); DPO contact info; likely consequences and mitigation measures
How to detect a data breach?
Indication of compromise
notification from public authorities: FBI knocks at the door
from users: oops, I opened a “funny attached file”
alerts from 3rd parties: hosting vendor informed they had a malware
continuous monitoring solutions: this server is transferring out a large amount of data
Incident response protocol
Investigate “when” the breach was done
Get the investigation team
Investigate the level of compromise
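The last indicator on the slide ("this server is transferring out a lot of data") is the one a continuous monitoring solution can raise on its own. The Python below is an added example, not part of the slides, of that detection logic run over a few constructed flow-log lines: outbound bytes to external addresses are summed per host and compared with a per-host baseline. The log format, the baseline figures, the host names and the threshold factor are all assumptions of this example.

```python
from collections import defaultdict

# Constructed flow-log lines (timestamp, source host, destination IP, bytes out).
# Addresses are from the documentation ranges; nothing here is real traffic.
FLOW_LOG = """\
2020-12-19T01:00:00Z srv-db-01 10.0.5.20 12000
2020-12-19T01:05:00Z srv-db-01 203.0.113.7 480000000
2020-12-19T01:07:00Z srv-web-02 198.51.100.9 150000
2020-12-19T01:10:00Z srv-db-01 203.0.113.7 520000000
2020-12-19T01:12:00Z srv-web-02 198.51.100.9 160000
"""

# Assumed per-host outbound baseline in bytes for the period; in practice this
# is learned from historical traffic rather than typed in.
BASELINE = {"srv-db-01": 50_000_000, "srv-web-02": 2_000_000_000}


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        flows.append({"ts": ts, "host": host, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """Crude private-range check for this example (RFC 1918 10/8 and 192.168/16)."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def egress_by_host(flows):
    """Sum bytes sent to external destinations, per source host."""
    totals = defaultdict(int)
    for flow in flows:
        if not is_internal(flow["dst"]):
            totals[flow["host"]] += flow["bytes"]
    return dict(totals)


def flag_exfil_candidates(flows, baseline, factor=5):
    """Return hosts whose external egress exceeds `factor` times their baseline.

    A host with no baseline gets a threshold of 0, so any external egress from
    an unknown host is flagged: silence about a host is itself a finding.
    """
    alerts = []
    for host, total in egress_by_host(flows).items():
        threshold = baseline.get(host, 0) * factor
        if total > threshold:
            alerts.append({"host": host, "bytes_out": total, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil_candidates(parse_flows(FLOW_LOG), BASELINE):
        print(f"{alert['host']}: {alert['bytes_out']} bytes out (threshold {alert['threshold']})")
```

An alert like this is the trigger for the incident response protocol on the slide: it fixes the earliest "when" to look at, and the investigation team then establishes the level of compromise behind the traffic.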
Data breach scenario planning
Before
• Managing IT risk and vulnerabilities
• How to improve breach prevention, detection and response
• What to expect in the future
After
• What can we do to contain the damage
• How can we move on from this breach
Step 5: Data security program
Encryption of personal data
Key element in GDPR standard
Not always feasible: depending on costs and risks, impact on performance
Encryption of stored (e.g. hard disk) and in transit data (e.g. calls)
Security measures
Ongoing review (e.g. access audits)
Importance of two-factor authentication, ISO 27001, compartmentalisation and firewalls
Patches for malware & ransomware
Resilience
Restore data availability and access in case of breach
Redundancy and backup facilities
Incident response plan
Regular security testing
Assessment of the effectiveness of security practices and solutions
Penetration, network and application security testing
Data Breach Discussion case
Maintain Compliance
• What training is needed?
• How can I detect and mitigate new privacy risks?
• Which people should be consulted on privacy risks?
• How to audit GDPR compliance?
• Do I need a certification?
Train the staff
Discussion case
Step 1: Discussion case
• How could you develop training for this risk?
• How could you document your training efforts?
Privacy Impact Assessment
Process to identify, analyse, evaluate, consult, communicate and plan the treatment of potential privacy impacts with regard to the processing of personal information (ISO 29134:2017 Guidelines for PIA) → Goal: avoid a data breach
Framed within the general risk management framework of the organisation
Mandatory for the data controller, to identify required control measures early
Only for new and high-risk activities or projects in processing personal data:
– large sensitive data, e.g. healthcare providers and insurance companies
– extensive profiling, e.g. financial institutions for automated loan approvals, e-recruiting, online marketing companies, and search engines with targeted marketing facilities
– monitoring public places, e.g. local authorities, CCTV in all public areas, leisure industry operators
One PIA for each type of processing
Identify the flows
– Process map: start from the process or project documentation
– Identify personal information in the process map
– Consult with experts on how personal information is collected, transferred, used and stored, for existing and future purposes
Consult on risks and controls
– Consult all involved parties to have a 360º view; link risks to owners
– Include current controls in the process map
– Assess the impact and frequency in a heat map (recommended), risk assessment as in ISO 27001 (under ISO 29100)
– Impact: fines, business continuity costs, loss of clients, reputational damage
People to consult
Internal
– Data protection officer (usually leading the PIA)
– Project management leaders and developers
– CIO, CISO and other IT experts
– Compliance officer
– Legal department
– Internal audit executive
– Risk management officer
– Future or current users
– Senior managers
External
– Potential data processors and vendors
– Experts
Tips for risk identification
Data lifecycle: Collect → Inventory → Store → Use → Transfer → Destroy
GDPR rights: Access, Rectification, Restriction, Portability, Objection, Profiling limitation
Other factors: Contractual obligations, Code of conduct, Privacy policy, Known vulnerabilities, Previous breaches
Consequences (Impact): quantitative, qualitative, most probable scenario, scope
Causes (Frequency): probability of occurrence in a defined time horizon
Generic risks and controls
(Objective: risk / Lifecycle / Component / Controls)
Availability: loss, theft or unauthorized removal; loss of access rights / Processing, Transfer / Data, systems, processes / Redundancy, protection, repair & backups
Integrity: unauthorized modification / Processing, Transfer / Data / Compare hash values
Integrity: unauthorized modification / Processing, Transfer / Systems / Limit access, access review
Confidentiality: unauthorized access / Storage / Data, systems / Encryption
Confidentiality: unauthorized access / Storage / Processes / Rights and roles, training, audits
Ensuring unlinkability: unauthorized or inappropriate linking / Processing / Data / Anonymity, pseudonymity
Ensuring unlinkability: unauthorized or inappropriate linking / Processing / Systems / Separation of stored data
Compliance: excessive or unauthorised collection / Collection / Data / Purpose verification, opt-out, data minimization, PIAs
Compliance: processing, sharing or re-purposing without consent / Processing / Data / Review of consents, logs, workflow for consent withdrawals
Compliance: excessive retention / Storage / Data / Data retention policy
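The "compare hash values" integrity control from the table above, as an added example that is not part of the original deck: a trusted baseline manifest of SHA-256 digests is compared against the current state and every difference is classified. File names and contents are constructed in memory so the example runs offline.

```python
"""Added example, not the deck's own material: the "compare hash values"
integrity control, implemented as a baseline manifest of SHA-256 digests that is
compared against the current state of the data. File contents are constructed
in memory; in practice the baseline is stored where the monitored host cannot alter it."""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: sha256 hex digest}."""
    return {path: sha256_hex(content) for path, content in files.items()}

def compare_manifest(baseline: dict, current: dict) -> dict:
    """Classify each path as modified, missing or added relative to the baseline.
    Unchanged paths are not reported, so an empty report means integrity holds."""
    report = {"modified": [], "missing": [], "added": []}
    for path, digest in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != digest:
            report["modified"].append(path)
    report["added"] = sorted(set(current) - set(baseline))
    report["modified"].sort()
    report["missing"].sort()
    return report

# Constructed snapshot taken when the system was known-good
BASELINE_FILES = {
    "customers.csv": b"id,name,email\n1,Ana,ana@example.com\n",
    "consents.json": b'{"1": {"marketing": true}}\n',
    "retention.cfg": b"retain_days=365\n",
}
# Constructed later snapshot: a consent flag flipped, the retention config
# removed, and an unexpected export of the customer table left behind
CURRENT_FILES = {
    "customers.csv": b"id,name,email\n1,Ana,ana@example.com\n",
    "consents.json": b'{"1": {"marketing": false}}\n',
    "export.tmp": b"id,name,email\n1,Ana,ana@example.com\n",
}

def run_integrity_check() -> dict:
    return compare_manifest(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES))
```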


Example of risk registry
Event: Customer personal information breached
Root cause: Failures to design privacy in CMS applications; lack of maturity in the privacy program
Consequences: Loss of clients; GDPR enforcement; business interruption; espionage; requests to delete data; loss of commercial opportunities
Impact: High (100 M EUR)
Probability: Medium (15% in 3 years)
Treatment: Insurance policy; training; security scanning; MS integrations project
Monitoring: Action plan progress
Owner and due date: Noah Nilsen, Mkt Director, Q3 2017
Follow-up
– Communicate to stakeholders, bottom-up and top-down
– Advance with action plans and document implementation measures
– Regular post-implementation reviews to assess if risks are mitigated and to ensure that the solutions identified have been adopted
Toolbox
– Data Protection Impact Assessment template by the GDPR Institute
Privacy…
By default
• The protection of personal data must be a default property of systems and services
• The strictest privacy settings must automatically be applied once a customer acquires a new product or service
• Personal information must by default only be kept for the amount of time necessary to provide the product or service
By design
• Privacy and data protection must be a key consideration in the early stages of any project and then throughout its lifecycle
• Proactively control adherence to GDPR principles when designing new products, services or business processes
• Appropriate technical and organizational measures
• Design compliant policies, procedures and systems
Code of conduct & certification
– Platform for data controllers, processors and stakeholders to ensure a structured and efficient means for GDPR compliance
– Significant administrative and documentation burdens: establishing and maintaining compliance with the code of conduct, or earning certification status
– These costs can be offset by reduced audit costs and automation
Code of conduct & certification
– Certification can serve as a marketing tool, allowing data subjects to choose controllers that signal GDPR compliance
– Plays a significant role in facilitating cross-border data transfers
– Certification mechanisms can create business opportunities for new third-party administrators and programs, as effective means for determining binding promises by controllers and processors
In general: GDPR Compliance
• The legal basis of IT and cyber security compliance
• How is data collected, used, abused or misused?
• Use of data exactly for the purpose it was collected
• Consent from data subjects for secondary processing
• Review change processes in processing personal data
• Address violations, and remedies for correction
• Regular reviews of data flow mapping, audits, risk assessments to ensure the legal basis has not changed
• GDPR is not privacy by choice, follow the privacy data!
• Does not give the individual full control over the data
• The reform simplifies and adds compliance complexity
• The code-of-conduct and certification mechanism provides a platform for data controllers and processors to ensure structured & efficient means for compliance.
The GDPR Law
• General provisions: Chapter 1 (Art. 1 – 4)
• Principles: Chapter 2 (Art. 5 – 11)
• Data subject rights: Chapter 3 (Art. 12 – 23)
• Controller and processor: Chapter 4 (Art. 24 – 43)
• Transfers: Chapter 5 (Art. 44 – 50)
Direct obligation
• Supervisory authorities: Chapter 6 (Art. 51 – 59)
• Cooperation and consistency: Chapter 7 (Art. 60 – 76)
• Remedies, liability & penalties: Chapter 8 (Art. 77 – 84)
• Specific processing situations: Chapter 9 (Art. 85 – 91)
• Other rules: Chapters 10/11 (Art. 92 – 93)
Meta rule
• https://gdpr-info.eu
Thank You
