SlideShare a Scribd company logo

GDPR and Security.pdf

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001, profile picture
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

The document provides an overview of GDPR and information security issues. It highlights key topics such as appropriate security, data protection by design and by default, security of processing, personal data breaches, and the differences between DPO and CISO roles. The document contains recommendations for technical and organizational security measures organizations should implement to comply with GDPR principles and ensure an appropriate level of data security. These include implementing privacy by design principles, conducting risk assessments, access management, encryption, backups, and incident response processes.

Presentations & Public Speaking
1 of 81
Downloaded 113 times
1
2
3
4
5
6
7
8
Most read
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Most read
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Most read
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
GDPR and Security Andrey Prozorov, CIPP/E, CISM v2, 2020-04-26
2 Andrey Prozorov, CIPP/E, CISM Information Security Methodology Manager 15 years experience in information security and data protection • My patreon (ISMS and GDPR toolkits) - https://www.patreon.com/AndreyProzorov • My blog (in Russian) - http://80na20.blogspot.com
About this presentation • It’s an overview presentation about GDPR and information security issues. The presentation highlights and details key topics, additional recommendations and best practices. • This presentation is designed for: data protection officers, privacy consultants and lawyers, IT managers and information security managers. 3
What’s new in the revision 2? • New design • 21 slides -> 81 slides • Language: Russian -> English • New topics, recommendations and comments 4
Agenda 5 1. Intro - Appropriate security (new principle) - Information Security terms - Key security topics - Guidelines and recommendations 2. Data protection by design and by default 3. Security of processing 4. Anonymisation and pseudonymization 5. Personal data breach 6. DPO vs CISO 7. Certification, standards and frameworks 8. Accountability 9. Employee monitoring vs privacy in working life 10. Profiling
1.Intro 6
GDPR: General Data Protection Regulation 7
8 Directive 95/46/EC (old) GDPR Article 1. Object of the Directive 1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Article 1. Subject-matter and objectives 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2.This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. 3.The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
New principle: Appropriate security GDPR Article 5. Principles relating to processing of personal data 1. Personal data shall be: … (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 9
Terms (by ISO 27000) • Information security: preservation of confidentiality, integrity and availability of information • Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes • Integrity: property of accuracy and completeness • Availability: property of being accessible and usable upon demand by an authorized entity 10
Comments by DPC (Ireland) In other words, controllers must ensure that their security measures adequately protect against accidental or deliberate harm, loss, or dissemination of the personal data they process. These security measures should cover not only cybersecurity but also physical and organisational security measures. Organisations must also routinely check that their security measures are up-to-date and effective. 11
Data subjects often complain about the security * 12 12
Key security topics • Appropriate security (principle) • Data Protection by Design and by Default, Art.25 • Security of processing, Art.32 • Personal data breach notification , Art.33, 34 • Data Protection Impact Assessment (DPIA), Art.35, 36 • DPO vs CISO • Certification, Art.42 • Accountability • Employee monitoring 13
Guidelines and recommendations • Guide to the GDPR (by ICO) - https://ico.org.uk/for-organisations/guide- to-data-protection/guide-to-the-general-data-protection-regulation-gdpr • Security outcomes (by ICO) - https://ico.org.uk/for- organisations/security-outcomes • Data Security Guidance for Microenterprises (by DPC) - https://www.dataprotection.ie/en/guidance-landing/data-security- guidance-microenterprises • Security of personal data (by CNIL) - https://www.cnil.fr/en/new-guide- regarding-security-personal-data • Guidelines 4/2019 on Article 25 Data Protection by Design and by Default - version for public consultation (by EDPB) • Other EDPB and DPAs’ recommendation about anonymisation and pseudonymization, DPIA, breach notification… 14
2.Data protection by design and by default 15
GDPR Article 25. Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. 16
What is data protection by design? Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. As expressed by the GDPR, it requires you to: • put in place appropriate technical and organisational measures designed to implement the data protection principles; and • integrate safeguards into your processing so that you meet the GDPR's requirements and protect the individual rights. In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices. 17 Comment by ICO (UK)
Examples by ICO (UK) Data protection by design has broad application. Examples include: • developing new IT systems, services, products and processes that involve processing personal data • developing organisational policies, processes, business practices and/or strategies that have privacy implications • physical design • embarking on data sharing initiatives; or • using personal data for new purposes… 18 Comment by ICO (UK)
What is data protection by default? Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation. You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. 19 Comment by ICO (UK)
What you need to do depends on the circumstances of your processing and the risks posed to individuals. Nevertheless, you must consider things like: • adopting a ‘privacy-first’ approach with any default settings of systems and applications • ensuring you do not provide an illusory choice to individuals relating to the data you will process • not processing additional data unless the individual decides you can • ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and • providing individuals with sufficient controls and options to exercise their rights 20 Comment by ICO (UK)
Examples by the European Commission Data protection by design The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them) Data protection by default A social media platform should be encouraged to set users’ profile settings in the most privacy-friendly setting by, for example, limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of persons 21
ICO (UK) recommendations Some examples of how you can do this include: • minimising the processing of personal data • pseudonymising personal data as soon as possible • ensuring transparency in respect of the functions and processing of personal data • enabling individuals to monitor the processing; and • creating (and improving) security features 22 Comment by ICO (UK)
Privacy by design The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years. Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design is based on seven "foundational principles": 1. Proactive not reactive; preventive not remedial 2. Privacy as the default setting 3. Privacy embedded into design 4. Full functionality – positive-sum, not zero-sum 5. End-to-end security – full lifecycle protection 6. Visibility and transparency – keep it open 7. Respect for user privacy – keep it user-centric The principles have been cited in over five hundred articles referring to the Privacy by Design in Law, Policy and Practice white paper by Ann Cavoukian. 23
3.Security of processing 24
GDPR Article 32. Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. … 25
… 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. 26
‘CIA triad’: confidentiality, integrity and availability Resilience refers to: • whether your systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident; and • your ability to restore them to an effective state. 27
ICO (UK) about technical measures 1 28 When considering physical security, you should look at factors such as: When considering cybersecurity, you should look at factors such as: • the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV; • how you control access to your premises, and how visitors are supervised; • how you dispose of any paper and electronic waste; and • how you keep IT equipment, particularly mobile devices, secure. • system security – the security of your network and information systems, including those which process personal data; • data security – the security of the data you hold within your systems, eg ensuring appropriate access controls are in place and that data is held securely; • online security – eg the security of your website and any other online service or application that you use; and • device security – including policies on Bring-your-own-Device (BYOD) if you offer it. Comment by ICO (UK)
ICO (UK) about technical measures 2 Whatever you do, you should remember the following: • your cybersecurity measures need to be appropriate to the size and use of your network and information systems; • you should take into account the state of technological development, but you are also able to consider the costs of implementation; • your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security; and • your measures must be appropriate to the nature of the personal data you hold and the harm that might result from any compromise. A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials (or other framework, see below) 29 Comment by ICO (UK)
EDPB’s comments about metrics • These measures must be appropriate, meaning that they must be suited to achieve the intended purpose, i.e. they must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects. The requirement to appropriateness is thus closely related to the requirement of effectiveness. • Effectiveness is at the heart of the concept of data protection by design. The requirement to implement the principles in an effective manner means that controllers must be able to demonstrate that they have implemented dedicated measures to protect these principles, and that they have integrated specific safeguards that are necessary to secure the rights and freedoms of data subjects. • Controllers must be able to demonstrate that they have implemented measures and safeguards to achieve the desired effect in terms of data protection. To do so, the controller may determine appropriate key performance indicators to demonstrate compliance. 30 Comment by EDPB
Key design and default elements • Information security management system (ISMS) • Risk analysis • Resilience • Access management • Secure transfers • Secure storage • Backups/logs (for audits and event monitoring) • Special protection (special categories of personal data should be protected with adequate measures and, when possible, be kept separated from the rest of the personal data) • Pseudonymization (for example using hashing or encryption ) • Security incident response management • Personal data breach handling • Maintenance and development (regular review and test software to uncover vulnerabilities of the systems supporting the processing) 31 Comment by EDPB Also see information about Certification, Standards and frameworks (below)…
4.Anonymisation and pseudonymisation 32
Comments and recommendations • Anonymisation and pseudonymization (by DPC) - https://www.dataprotection.ie/en/guidance-landing/anonymisation-and- pseudonymisation • Introduction to the hash function as a personal data pseudonymisation technique (by AEPD and EDPS) - https://edps.europa.eu/data-protection/our- work/publications/papers/introduction-hash-function-personal-data_en • Pseudonymisation techniques and best practices (by ENISA) - https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and- best-practices • Opinion 05/2014 on Anonymisation Techniques (by WP29) - https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2014/wp216_en.pdf 33
Key terms 34 "Anonymisation" of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. "Pseudonymisation" of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.
GDPR term ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person 35
Data which has been irreversibly anonymised ceases to be “personal data”, and processing of such data does NOT require compliance with the Data Protection law. 36 Comment by DPC
Anonymisation techniques There are, broadly speaking, two different families of anonymisation technique: “randomisation” and “generalisation”. Other techniques, such as “masking” or “pseudonymisation”, which are aimed solely at removing certain identifiers, may also play a role in reducing the risk of identification. In many cases, these techniques work best when used together, so as to combat different types of identification risk. 37
5.Personal data breach 38
Why it is important? GDPR (85): A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non- material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned… 39
GDPR term Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. !!! It’s not only about confidentiality 40
Incident management The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with GDPR Good practice: Incident management + Breach notification Notifications: • Processor (without undue delay) -> to the Controller • Controller -> to the Supervisory Authority (SA) • Controller -> to the Data Subject (DS) 41
Notification and Communication 42 To the SA (Art.33) To the DS (Art.34) UNLESS the personal data breach is UNLIKELY to result in a risk to the rights and freedoms of natural persons When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons Shall not be required if • the controller has implemented appropriate measures (such as encryption) • the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise • it would involve disproportionate effort Without undue delay and not later than 72 hours after having become aware of it Without undue delay
Notification • Description of the nature of the PD breach including where possible: • categories and approximate number of data subjects concerned • the categories and approximate number of personal data records concerned • Name and contact details of the DPO (or other contact point) • Description of the likely consequences of the personal data breach • Description of the measures taken or proposed to be taken including, where appropriate, measures to mitigate its possible adverse effects 43 !!! Clear and plain language
6.DPO vs CISO 44
DPO GDPR Article 37 Designation of the data protection officer The controller and the processor shall designate a data protection officer in any case where: • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. 45
GDPR Article 39 Tasks of the data protection officer 1. The data protection officer shall have at least the following tasks: • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; • to cooperate with the supervisory authority; • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. 46
Comments by DPC (Ireland) Relevant skills and expertise for the DPO role include: • Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR • In-depth understanding of how their organisation processes personal data • Understanding of information technologies and data security • Thorough knowledge of their organisation and the business sector in which it operates • Ability to promote a data protection culture within the organisation 47
48
DPO vs CISO Finnish Data Protection Ombudsman: ”The Data Protection Officer must be independent and cannot have conflicts of interest with the duties of the Data Protection Officer. As every organisation is different, such conflicts of interest must be evaluated on a case-by-case basis. The Data Protection Officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the Data Protection Officer.” https://tietosuoja.fi/en/faq-dpos 49
50 CISO DPO 1. Conduct information security risk assessment 2. Implement technical and organizational measures for ensuring the security of the processing 3. Manage information security incidents (e.g. data breaches) 4. Consult on information security issues 1. Review and update the list of legislative requirements and recommendations 2. Design Data Protection Policy and Data Protection Framework 3. Prepare and conduct data protection awareness trainings 4. Consult on data protection issues. 5. Notify of data breaches 6. Report to the top management; 7. Communicate an cooperate with the supervisory authorities 8. Monitor compliance with the data protection legislation 9. Respond to request from the data subjects
7.Certification, standards and frameworks 51
52 GDPR Article 42 Certification 1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. … 3. The certification shall be voluntary and available via a process that is transparent.
Certification 53 • ISO 27001 • ISO 27701 • BS 10012 • PCI DSS • EU-U.S. Privacy Shield • Cyber Essentials / Cyber Essentials PLUS • NIST Privacy Framework • ISO 27018 • CSA STAR • SOC 2 The mechanism of certification is not fully defined... but everybody uses the following standards:
54
ISO 27001 and ISO 27002 ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls 55 https://www.iso.org/standard/54534.html
56
ISO 27701 ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. 57 https://www.iso.org/standard/71670.html
58
BS 10012 BS 10012:2017+A1:2018 Data protection. Specification for a personal information management system 59 https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management It shows organizations how to implement a Personal Information Management System (PIMS). This will help them reach a good standard of information governance and comply with legal personal data protection requirements.
PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements 60 https://www.pcisecuritystandards.org
61
EU-U.S. Privacy Shield The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. • Self-Certification • 5287 Total Organizations (27.03.2020) • Privacy Shield List - www.privacyshield.gov/list 62 https://www.privacyshield.gov/welcome
Privacy Shield Framework 63 Privacy Shield Principles Privacy Shield Supplemental Principles • Notice • Choice • Accountability for Onward Transfer • Security • Data Integrity and Purpose Limitation • Access • Recourse, Enforcement, and Liability • Sensitive Data • Journalistic Exceptions • Secondary Liability • Performing Due Diligence and Conducting Audits • The Role of the Data Protection Authorities • Access • Self-Certification • Verification • Human Resources Data • Obligatory Contracts for Onward Transfers • Dispute Resolution and Enforcement • Choice -- Timing of Opt-Out • Travel Information • Pharmaceutical and Medical Products • Public Record and Publicly Available Information • Access Requests by Public Authorities
Cyber Essentials Government backed scheme that can help to protect organisations, whatever its size, against a whole range of the most common cyber attacks. There are two levels of certification: 1. Cyber Essentials (self-assessment) Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place. Cyber Essentials shows you how to address those basics and prevent the most common attacks. 2. Cyber Essentials Plus Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out. 64 https://www.ncsc.gov.uk/cyberessentials/overview
NIST Privacy Framework The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. Aligned with the NIST Cybersecurity Framework 65 https://www.nist.gov/privacy-framework
66
Other frameworks 67 Cybersecurity Privacy • NIST Cybersecurity Framework • Guideline “State of the art” (IT Security Association Germany and ENISA) • The CIS Critical Security Controls for Effective Cyber Defense (SANS) • COBIT 5 for Information Security • IT-Grundschutz (BSI GE) • OECD Privacy Guidelines • Privacy by Design • APEC Privacy Framework • Australian Privacy Principles (APPs) • The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
Technical and organisational measures (TOMs) 68 Guideline “State of the art” (IT Security Association Germany and ENISA), 2020 Technical measures Organisational measures • Password strength assessment • Enforcing strong passwords • Multi-factor authentication • Cryptographic procedures • Disk encryption • Encryption of files and folders • E-mail encryption • Securing electronic data communication with PKI • Use of VPNs (layer 3) • Layer 2 encryption • Cloud-based data exchange • Data storage in the cloud • Use of mobile voice and data services • Communication through instant messenger • Mobile Device Management • Router security • Network monitoring using Intrusion Detection System • Web traffic protection • Web application protection • Remote network access/ remote maintenance • Server hardening • Endpoint Detection & Response Platform • Using internet with web isolation • Standards and norms • Processes • Secure software development • Audits and certification • Vulnerability and patch management
8.Accountability 69
What is accountability? By ICO (UK): There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance. 70
Accountability Security point of view 1. Information security risk management records 2. DPIA records 3. Information Security Policy, ISMS documentation and other appropriate technical and organisational measures 4. Data protection by design and by default records 5. Personal data breaches records 6. NDAs and other contracts with Processors and Sub-Processors (and documented instructions) 7. Information security audit records 8. Information security and privacy metrics and KPIs 9. Certification (e.g. ISO 27001, ISO 27701, Cyber Essentials) (if applicable) 71
9.Employee monitoring vs Privacy in working life 72
In case of using employee monitoring tools, there is a danger of violation of vulnerable subjects' rights… 73
Problem areas (examples) • Email monitoring (e.g. DLP, UEBA/UBA) • Monitoring of internet using (e.g. Web-proxy, NGWF, CASB) • Working time tracking • Profiling (e.g. UEBA/UBA, Psychotests) • Mobile Security, BYOD and Remote working • Log management and SIEM • Keyloggers • Audio and Video recording (e.g. CCTV, Screenshots, Webcam recording) • Biometric scanners • … 74
Employee monitoring good principles • Necessity: An employer must be able to demonstrate that the monitoring is really necessary and to explain purposes and scope. • Legitimacy: An employer must have lawful grounds for collecting and using the personal data and, if appropriate, sensitive personal data, and the processing must be fair. • Proportionality: Any monitoring that takes place must be proportionate to the issue that the employer is dealing with. • Transparency: An employer must clearly inform employees of the monitoring (and its techniques) that will be carried out. • Integrity and confidentiality: An employer must ensure minimization of rights and access control 75
My recommendations 1. Conduct DPIAs 2. Choose blocking not monitoring (if applicable) 3. Implement Four-eyes principle (access control) 4. Discuss solutions with the representatives before implementation 5. Follow the requirements for profiling (GDPR Art.22, if applicable) 76
10.Profiling 77
GDPR term ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements 78
GDPR Article 22. Automated individual decision-making, including profiling 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. 79
The last slide • Information security (and data protections) is not easy • There are many requirements and recommendations, standards and best practices (e.g. ISO 27001) • ISMS implementation is the key element of compliance. Important processes and topics: • Data protection by design and by default • Access management • Incident management and breach notification • Accountability 80
Thanks! Andrey Prozorov, CIPP/E, CISM • My patreon (ISMS and GDPR toolkits): https://www.patreon.com/AndreyProzorov • My blog (in Russian): http://80na20.blogspot.com • My email: prozorov.info@gmail.com

More Related Content

PDF
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
PDF
ISO 27005:2022 Overview 221028.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
ISO 27701
UtkarshDhiman4
 
PDF
12 Best Privacy Frameworks
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
DOCX
Soal try out Sertifikasi Pengadaan Barang Jasa Pemerintah tingkat Dasar v4
Nurul Angreliany
 
PDF
Employee Introduction PowerPoint Presentation Slides
SlideTeam
 
PDF
8100771-ISO12207-2017.pdf
Álvaro Muñoz
 
Data Protection Predictions for 2023.pdf
DarylBallesteros3
 
ISO 27005:2022 Overview 221028.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27701
UtkarshDhiman4
 
12 Best Privacy Frameworks
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001:2022 Introduction
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Soal try out Sertifikasi Pengadaan Barang Jasa Pemerintah tingkat Dasar v4
Nurul Angreliany
 
Employee Introduction PowerPoint Presentation Slides
SlideTeam
 
8100771-ISO12207-2017.pdf
Álvaro Muñoz
 

What's hot (20)

PPTX
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
PPTX
Training privacy by design
Tommy Vandepitte
 
PPTX
Presentation on GDPR
DipanjanDey12
 
PPTX
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
PDF
GDPR for Dummies
Caroline Boscher
 
PDF
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPTX
Data Protection Officer Dashboard | GDPR
Corporater
 
PDF
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
PDF
ISO 27001
n|u - The Open Security Community
 
PDF
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
PDF
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
PDF
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
PDF
NQA - ISO 27001 Implementation Guide
NA Putra
 
PDF
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
[Presentation] GDPR - How to Ensure Compliance
AIIM International
 
PPTX
ISMS User_Awareness Training.pptx
Mukesh Pant
 
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
Training privacy by design
Tommy Vandepitte
 
Presentation on GDPR
DipanjanDey12
 
General Data Protection Regulation
BCC - Solutions for IBM Collaboration Software
 
GDPR for Dummies
Caroline Boscher
 
GDPR Basics - General Data Protection Regulation
Vicky Dallas
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
Cvent
 
Introduction to GDPR
Priyab Satoshi
 
Data Protection Officer Dashboard | GDPR
Corporater
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
Legal obligations and responsibilities of data processors and controllers und...
IT Governance Ltd
 
ISO 27001
n|u - The Open Security Community
 
Everything you Need to Know about The Data Protection Officer Role
HackerOne
 
Common Practice in Data Privacy Program Management
Eryk Budi Pratama
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
NQA - ISO 27001 Implementation Guide
NA Putra
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
[Presentation] GDPR - How to Ensure Compliance
AIIM International
 
ISMS User_Awareness Training.pptx
Mukesh Pant
 
Ad

Similar to GDPR and Security.pdf (20)

PPTX
Privacy by Design: legal perspective
Dr. Mira Suleimenova, CIPPe
 
PPTX
Vuzion Love Cloud GDPR Event
Vuzion
 
PDF
GDPR: The Application Security Twist
Security Innovation
 
PDF
5 key steps for SMBs for reaching GDPR Compliance
Gabor Farkas
 
PDF
Toreon adding privacy by design in secure application development oss18 v20...
Sebastien Deleersnyder
 
PDF
pr Privacy Principles 230405 small.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
PPTX
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
PPTX
ICS_Unit-I_Foundations of Information Security
KartikMaski
 
PDF
Balancing Data Protection and Artificial Intelligence
Giovanni Maria Riccio
 
PDF
Information System Security Policy Studies as a Form of Company Privacy Prote...
Editor IJCATR
 
PPTX
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Codemotion
 
PPTX
How MongoDB can accelerate a path to GDPR compliance
MongoDB
 
PDF
Security Industry Association Privacy Framework
- Mark - Fullbright
 
PPTX
12 security policies
Saqib Raza
 
PPTX
BigID GDPR Compliance Automation Webinar Slides
Dimitri Sirota
 
PDF
50 Most Asked Interview Questions for DPO
InfosecTrain
 
PDF
50 Most Asked Interview Questions for Data Protection Officer (DPO).pdf
infosec train
 
PDF
50 Asked Interview Questions for Data Protection Officer
priyanshamadhwal2
 
Privacy by Design: legal perspective
Dr. Mira Suleimenova, CIPPe
 
Vuzion Love Cloud GDPR Event
Vuzion
 
GDPR: The Application Security Twist
Security Innovation
 
5 key steps for SMBs for reaching GDPR Compliance
Gabor Farkas
 
Toreon adding privacy by design in secure application development oss18 v20...
Sebastien Deleersnyder
 
pr Privacy Principles 230405 small.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
Gary Dodson
 
The general data protection act overview
Roy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
ICS_Unit-I_Foundations of Information Security
KartikMaski
 
Balancing Data Protection and Artificial Intelligence
Giovanni Maria Riccio
 
Information System Security Policy Studies as a Form of Company Privacy Prote...
Editor IJCATR
 
GDPR Enforcement is here. Are you ready?
SecurityScorecard
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Codemotion
 
How MongoDB can accelerate a path to GDPR compliance
MongoDB
 
Security Industry Association Privacy Framework
- Mark - Fullbright
 
12 security policies
Saqib Raza
 
BigID GDPR Compliance Automation Webinar Slides
Dimitri Sirota
 
50 Most Asked Interview Questions for DPO
InfosecTrain
 
50 Most Asked Interview Questions for Data Protection Officer (DPO).pdf
infosec train
 
50 Asked Interview Questions for Data Protection Officer
priyanshamadhwal2
 
Ad

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001 (20)

PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
pr ISMS Documented Information (lite).pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO Survey 2022: ISO 27001 certificates (ISMS)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO 27001 How to accelerate the implementation.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
How to use ChatGPT for an ISMS implementation.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
ISO Survey 2021: ISO 27001.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Employee Monitoring and Privacy.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR RACI.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
GDPR EU Institutions and bodies.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Data protection RU vs EU
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
IS Awareness in practice, isaca moscow 2019 10
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Про работу на Западе (Прозоров)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
About TM for CISO (rus)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
pr ISMS Documented Information (lite).pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO Survey 2022: ISO 27001 certificates (ISMS)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
From NIST CSF 1.1 to 2.0.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001 How to accelerate the implementation.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
How to use ChatGPT for an ISMS implementation.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001:2022 What has changed.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO Survey 2021: ISO 27001.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Supply management 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Employee Monitoring and Privacy.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR RACI.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR and Personal Data Transfers 1.1.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
GDPR EU Institutions and bodies.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Data protection RU vs EU
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
IS Awareness in practice, isaca moscow 2019 10
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Про работу на Западе (Прозоров)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
About TM for CISO (rus)
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 

Recently uploaded (20)

PPTX
Introduction to Effective Communication.pptx
AnithaT18
 
PDF
Media Training for Authors: Producing Videos & Nailing Interviews
Paula Rizzo
 
PDF
Enhancing Bambara Groundnut Production Through Improved Agronomic Practices
Francois Stepman
 
PPTX
Presentation of Project of Enterprenuership topic- "Green Gaurdian"
vinay patel
 
PPTX
What is Clause, definition and structure
DidinDaengLiong
 
PPTX
business communication final draftt.pptx
jiyasharma1701
 
PPTX
Caption Text about Social Media Post in Internet
DidinDaengLiong
 
PPTX
Assam' Vibrant Bihu Festival Bihu presentation.pptx
rpmsbarman
 
PPTX
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
PDF
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
PDF
protein structure and function for basics .pdf
RakeshKumar508211
 
PPTX
2025-08-03 Joseph 01 (shared slides).pptx
Dale Wells
 
PPTX
Information Security and Risk Management.pptx
prembasnet12
 
PPTX
Selecting relevant value chain/s for Impactful Development Policies
Francois Stepman
 
PPTX
PHILIPPINE LITERATURE DURING SPANISH ERA
AllizaJoyMendigoria
 
PPTX
Bob Stewart Journey to Rome 07 30 2025.pptx
FamilyWorshipCenterD
 
PPTX
Postmodernism notes for literature students
POORNIMAN26
 
PPTX
IBA DISTRICT PIR PRESENTATION.POWERPOINT
ROGELIOLADIERO1
 
PPTX
Understanding-Communication-Berlos-S-M-C-R-Model.pptx
JommelVienne
 
PPTX
Non-Verbal-Communication .mh.pdf_110245_compressed.pptx
ansarihussainh
 
Introduction to Effective Communication.pptx
AnithaT18
 
Media Training for Authors: Producing Videos & Nailing Interviews
Paula Rizzo
 
Enhancing Bambara Groundnut Production Through Improved Agronomic Practices
Francois Stepman
 
Presentation of Project of Enterprenuership topic- "Green Gaurdian"
vinay patel
 
What is Clause, definition and structure
DidinDaengLiong
 
business communication final draftt.pptx
jiyasharma1701
 
Caption Text about Social Media Post in Internet
DidinDaengLiong
 
Assam' Vibrant Bihu Festival Bihu presentation.pptx
rpmsbarman
 
Role and Responsibilities of Bangladesh Coast Guard Base, Mongla Challenges
Tasnim Alam Safin
 
Parts of Speech Prepositions Presentation in Colorful Cute Style_20250724_230...
ShomailahRashid
 
protein structure and function for basics .pdf
RakeshKumar508211
 
2025-08-03 Joseph 01 (shared slides).pptx
Dale Wells
 
Information Security and Risk Management.pptx
prembasnet12
 
Selecting relevant value chain/s for Impactful Development Policies
Francois Stepman
 
PHILIPPINE LITERATURE DURING SPANISH ERA
AllizaJoyMendigoria
 
Bob Stewart Journey to Rome 07 30 2025.pptx
FamilyWorshipCenterD
 
Postmodernism notes for literature students
POORNIMAN26
 
IBA DISTRICT PIR PRESENTATION.POWERPOINT
ROGELIOLADIERO1
 
Understanding-Communication-Berlos-S-M-C-R-Model.pptx
JommelVienne
 
Non-Verbal-Communication .mh.pdf_110245_compressed.pptx
ansarihussainh
 

GDPR and Security.pdf

  • 1. GDPR and Security Andrey Prozorov, CIPP/E, CISM v2, 2020-04-26
  • 2. 2 Andrey Prozorov, CIPP/E, CISM Information Security Methodology Manager 15 years experience in information security and data protection • My patreon (ISMS and GDPR toolkits) - https://www.patreon.com/AndreyProzorov • My blog (in Russian) - http://80na20.blogspot.com
  • 3. About this presentation • It’s an overview presentation about GDPR and information security issues. The presentation highlights and details key topics, additional recommendations and best practices. • This presentation is designed for: data protection officers, privacy consultants and lawyers, IT managers and information security managers. 3
  • 4. What’s new in the revision 2? • New design • 21 slides -> 81 slides • Language: Russian -> English • New topics, recommendations and comments 4
  • 5. Agenda 5 1. Intro - Appropriate security (new principle) - Information Security terms - Key security topics - Guidelines and recommendations 2. Data protection by design and by default 3. Security of processing 4. Anonymisation and pseudonymization 5. Personal data breach 6. DPO vs CISO 7. Certification, standards and frameworks 8. Accountability 9. Employee monitoring vs privacy in working life 10. Profiling
  • 8. 8 Directive 95/46/EC (old) GDPR Article 1. Object of the Directive 1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. Article 1. Subject-matter and objectives 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2.This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. 3.The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
  • 9. New principle: Appropriate security GDPR Article 5. Principles relating to processing of personal data 1. Personal data shall be: … (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 9
  • 10. Terms (by ISO 27000) • Information security: preservation of confidentiality, integrity and availability of information • Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes • Integrity: property of accuracy and completeness • Availability: property of being accessible and usable upon demand by an authorized entity 10
  • 11. Comments by DPC (Ireland) In other words, controllers must ensure that their security measures adequately protect against accidental or deliberate harm, loss, or dissemination of the personal data they process. These security measures should cover not only cybersecurity but also physical and organisational security measures. Organisations must also routinely check that their security measures are up-to-date and effective. 11
  • 13. Key security topics • Appropriate security (principle) • Data Protection by Design and by Default, Art.25 • Security of processing, Art.32 • Personal data breach notification , Art.33, 34 • Data Protection Impact Assessment (DPIA), Art.35, 36 • DPO vs CISO • Certification, Art.42 • Accountability • Employee monitoring 13
  • 14. Guidelines and recommendations • Guide to the GDPR (by ICO) - https://ico.org.uk/for-organisations/guide- to-data-protection/guide-to-the-general-data-protection-regulation-gdpr • Security outcomes (by ICO) - https://ico.org.uk/for- organisations/security-outcomes • Data Security Guidance for Microenterprises (by DPC) - https://www.dataprotection.ie/en/guidance-landing/data-security- guidance-microenterprises • Security of personal data (by CNIL) - https://www.cnil.fr/en/new-guide- regarding-security-personal-data • Guidelines 4/2019 on Article 25 Data Protection by Design and by Default - version for public consultation (by EDPB) • Other EDPB and DPAs’ recommendation about anonymisation and pseudonymization, DPIA, breach notification… 14
  • 15. 2.Data protection by design and by default 15
  • 16. GDPR Article 25. Data protection by design and by default 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. 3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. 16
  • 17. What is data protection by design? Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. As expressed by the GDPR, it requires you to: • put in place appropriate technical and organisational measures designed to implement the data protection principles; and • integrate safeguards into your processing so that you meet the GDPR's requirements and protect the individual rights. In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices. 17 Comment by ICO (UK)
  • 18. Examples by ICO (UK) Data protection by design has broad application. Examples include: • developing new IT systems, services, products and processes that involve processing personal data • developing organisational policies, processes, business practices and/or strategies that have privacy implications • physical design • embarking on data sharing initiatives; or • using personal data for new purposes… 18 Comment by ICO (UK)
  • 19. What is data protection by default? Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation. You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. 19 Comment by ICO (UK)
  • 20. What you need to do depends on the circumstances of your processing and the risks posed to individuals. Nevertheless, you must consider things like: • adopting a ‘privacy-first’ approach with any default settings of systems and applications • ensuring you do not provide an illusory choice to individuals relating to the data you will process • not processing additional data unless the individual decides you can • ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and • providing individuals with sufficient controls and options to exercise their rights 20 Comment by ICO (UK)
  • 21. Examples by the European Commission Data protection by design The use of pseudonymisation (replacing personally identifiable material with artificial identifiers) and encryption (encoding messages so only those authorised can read them) Data protection by default A social media platform should be encouraged to set users’ profile settings in the most privacy-friendly setting by, for example, limiting from the start the accessibility of the users’ profile so that it isn’t accessible by default to an indefinite number of persons 21
  • 22. ICO (UK) recommendations Some examples of how you can do this include: • minimising the processing of personal data • pseudonymising personal data as soon as possible • ensuring transparency in respect of the functions and processing of personal data • enabling individuals to monitor the processing; and • creating (and improving) security features 22 Comment by ICO (UK)
  • 23. Privacy by design The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years. Privacy by design is an approach to systems engineering initially developed by Ann Cavoukian. The privacy by design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design is based on seven "foundational principles": 1. Proactive not reactive; preventive not remedial 2. Privacy as the default setting 3. Privacy embedded into design 4. Full functionality – positive-sum, not zero-sum 5. End-to-end security – full lifecycle protection 6. Visibility and transparency – keep it open 7. Respect for user privacy – keep it user-centric The principles have been cited in over five hundred articles referring to the Privacy by Design in Law, Policy and Practice white paper by Ann Cavoukian. 23
  • 25. GDPR Article 32. Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. … 25
  • 26. … 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law. 26
  • 27. ‘CIA triad’: confidentiality, integrity and availability Resilience refers to: • whether your systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident; and • your ability to restore them to an effective state. 27
  • 28. ICO (UK) about technical measures 1 28 When considering physical security, you should look at factors such as: When considering cybersecurity, you should look at factors such as: • the quality of doors and locks, and the protection of your premises by such means as alarms, security lighting or CCTV; • how you control access to your premises, and how visitors are supervised; • how you dispose of any paper and electronic waste; and • how you keep IT equipment, particularly mobile devices, secure. • system security – the security of your network and information systems, including those which process personal data; • data security – the security of the data you hold within your systems, eg ensuring appropriate access controls are in place and that data is held securely; • online security – eg the security of your website and any other online service or application that you use; and • device security – including policies on Bring-your-own-Device (BYOD) if you offer it. Comment by ICO (UK)
  • 29. ICO (UK) about technical measures 2 Whatever you do, you should remember the following: • your cybersecurity measures need to be appropriate to the size and use of your network and information systems; • you should take into account the state of technological development, but you are also able to consider the costs of implementation; • your security must be appropriate to your business practices. For example, if you offer staff the ability to work from home, you need to put measures in place to ensure that this does not compromise your security; and • your measures must be appropriate to the nature of the personal data you hold and the harm that might result from any compromise. A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials (or other framework, see below) 29 Comment by ICO (UK)
  • 30. EDPB’s comments about metrics • These measures must be appropriate, meaning that they must be suited to achieve the intended purpose, i.e. they must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects. The requirement to appropriateness is thus closely related to the requirement of effectiveness. • Effectiveness is at the heart of the concept of data protection by design. The requirement to implement the principles in an effective manner means that controllers must be able to demonstrate that they have implemented dedicated measures to protect these principles, and that they have integrated specific safeguards that are necessary to secure the rights and freedoms of data subjects. • Controllers must be able to demonstrate that they have implemented measures and safeguards to achieve the desired effect in terms of data protection. To do so, the controller may determine appropriate key performance indicators to demonstrate compliance. 30 Comment by EDPB
  • 31. Key design and default elements • Information security management system (ISMS) • Risk analysis • Resilience • Access management • Secure transfers • Secure storage • Backups/logs (for audits and event monitoring) • Special protection (special categories of personal data should be protected with adequate measures and, when possible, be kept separated from the rest of the personal data) • Pseudonymization (for example using hashing or encryption ) • Security incident response management • Personal data breach handling • Maintenance and development (regular review and test software to uncover vulnerabilities of the systems supporting the processing) 31 Comment by EDPB Also see information about Certification, Standards and frameworks (below)…
  • 33. Comments and recommendations • Anonymisation and pseudonymization (by DPC) - https://www.dataprotection.ie/en/guidance-landing/anonymisation-and- pseudonymisation • Introduction to the hash function as a personal data pseudonymisation technique (by AEPD and EDPS) - https://edps.europa.eu/data-protection/our- work/publications/papers/introduction-hash-function-personal-data_en • Pseudonymisation techniques and best practices (by ENISA) - https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and- best-practices • Opinion 05/2014 on Anonymisation Techniques (by WP29) - https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2014/wp216_en.pdf 33
  • 34. Key terms 34 "Anonymisation" of data means processing it with the aim of irreversibly preventing the identification of the individual to whom it relates. "Pseudonymisation" of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified.
  • 35. GDPR term ‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person 35
  • 36. Data which has been irreversibly anonymised ceases to be “personal data”, and processing of such data does NOT require compliance with the Data Protection law. 36 Comment by DPC
  • 37. Anonymisation techniques There are, broadly speaking, two different families of anonymisation technique: “randomisation” and “generalisation”. Other techniques, such as “masking” or “pseudonymisation”, which are aimed solely at removing certain identifiers, may also play a role in reducing the risk of identification. In many cases, these techniques work best when used together, so as to combat different types of identification risk. 37
  • 39. Why it is important? GDPR (85): A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non- material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned… 39
  • 40. GDPR term Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. !!! It’s not only about confidentiality 40
  • 41. Incident management The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with GDPR Good practice: Incident management + Breach notification Notifications: • Processor (without undue delay) -> to the Controller • Controller -> to the Supervisory Authority (SA) • Controller -> to the Data Subject (DS) 41
  • 42. Notification and Communication 42 To the SA (Art.33) To the DS (Art.34) UNLESS the personal data breach is UNLIKELY to result in a risk to the rights and freedoms of natural persons When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons Shall not be required if • the controller has implemented appropriate measures (such as encryption) • the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise • it would involve disproportionate effort Without undue delay and not later than 72 hours after having become aware of it Without undue delay
  • 43. Notification • Description of the nature of the PD breach including where possible: • categories and approximate number of data subjects concerned • the categories and approximate number of personal data records concerned • Name and contact details of the DPO (or other contact point) • Description of the likely consequences of the personal data breach • Description of the measures taken or proposed to be taken including, where appropriate, measures to mitigate its possible adverse effects 43 !!! Clear and plain language
  • 45. DPO GDPR Article 37 Designation of the data protection officer The controller and the processor shall designate a data protection officer in any case where: • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. 2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. 7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority. 45
  • 46. GDPR Article 39 Tasks of the data protection officer 1. The data protection officer shall have at least the following tasks: • to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; • to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; • to cooperate with the supervisory authority; • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing. 46
  • 47. Comments by DPC (Ireland) Relevant skills and expertise for the DPO role include: • Expertise in national and European data protection laws and practices including an in-depth understanding of the GDPR • In-depth understanding of how their organisation processes personal data • Understanding of information technologies and data security • Thorough knowledge of their organisation and the business sector in which it operates • Ability to promote a data protection culture within the organisation 47
  • 48. 48
  • 49. DPO vs CISO Finnish Data Protection Ombudsman: ”The Data Protection Officer must be independent and cannot have conflicts of interest with the duties of the Data Protection Officer. As every organisation is different, such conflicts of interest must be evaluated on a case-by-case basis. The Data Protection Officer cannot hold a position or duty that requires him or her to define the purposes and methods of the processing of personal data. Defining the purposes and methods of personal data processing is the controller's responsibility. Conflicts of interest may arise if, for example, an information security officer or senior manager is designated as the Data Protection Officer.” https://tietosuoja.fi/en/faq-dpos 49
  • 50. 50 CISO DPO 1. Conduct information security risk assessment 2. Implement technical and organizational measures for ensuring the security of the processing 3. Manage information security incidents (e.g. data breaches) 4. Consult on information security issues 1. Review and update the list of legislative requirements and recommendations 2. Design Data Protection Policy and Data Protection Framework 3. Prepare and conduct data protection awareness trainings 4. Consult on data protection issues. 5. Notify of data breaches 6. Report to the top management; 7. Communicate an cooperate with the supervisory authorities 8. Monitor compliance with the data protection legislation 9. Respond to request from the data subjects
  • 52. 52 GDPR Article 42 Certification 1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. … 3. The certification shall be voluntary and available via a process that is transparent.
  • 53. Certification 53 • ISO 27001 • ISO 27701 • BS 10012 • PCI DSS • EU-U.S. Privacy Shield • Cyber Essentials / Cyber Essentials PLUS • NIST Privacy Framework • ISO 27018 • CSA STAR • SOC 2 The mechanism of certification is not fully defined... but everybody uses the following standards:
  • 54. 54
  • 55. ISO 27001 and ISO 27002 ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls 55 https://www.iso.org/standard/54534.html
  • 56. 56
  • 57. ISO 27701 ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines This document specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing. This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS. 57 https://www.iso.org/standard/71670.html
  • 58. 58
  • 59. BS 10012 BS 10012:2017+A1:2018 Data protection. Specification for a personal information management system 59 https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management It shows organizations how to implement a Personal Information Management System (PIMS). This will help them reach a good standard of information governance and comply with legal personal data protection requirements.
  • 60. PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Below is a high-level overview of the 12 PCI DSS requirements 60 https://www.pcisecuritystandards.org
  • 61. 61
  • 62. EU-U.S. Privacy Shield The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. • Self-Certification • 5287 Total Organizations (27.03.2020) • Privacy Shield List - www.privacyshield.gov/list 62 https://www.privacyshield.gov/welcome
  • 63. Privacy Shield Framework 63 Privacy Shield Principles Privacy Shield Supplemental Principles • Notice • Choice • Accountability for Onward Transfer • Security • Data Integrity and Purpose Limitation • Access • Recourse, Enforcement, and Liability • Sensitive Data • Journalistic Exceptions • Secondary Liability • Performing Due Diligence and Conducting Audits • The Role of the Data Protection Authorities • Access • Self-Certification • Verification • Human Resources Data • Obligatory Contracts for Onward Transfers • Dispute Resolution and Enforcement • Choice -- Timing of Opt-Out • Travel Information • Pharmaceutical and Medical Products • Public Record and Publicly Available Information • Access Requests by Public Authorities
  • 64. Cyber Essentials Government backed scheme that can help to protect organisations, whatever its size, against a whole range of the most common cyber attacks. There are two levels of certification: 1. Cyber Essentials (self-assessment) Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place. Cyber Essentials shows you how to address those basics and prevent the most common attacks. 2. Cyber Essentials Plus Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but for Cyber Essentials Plus a hands-on technical verification is carried out. 64 https://www.ncsc.gov.uk/cyberessentials/overview
  • 65. NIST Privacy Framework The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. Aligned with the NIST Cybersecurity Framework 65 https://www.nist.gov/privacy-framework
  • 66. 66
  • 67. Other frameworks 67 Cybersecurity Privacy • NIST Cybersecurity Framework • Guideline “State of the art” (IT Security Association Germany and ENISA) • The CIS Critical Security Controls for Effective Cyber Defense (SANS) • COBIT 5 for Information Security • IT-Grundschutz (BSI GE) • OECD Privacy Guidelines • Privacy by Design • APEC Privacy Framework • Australian Privacy Principles (APPs) • The Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada)
  • 68. Technical and organisational measures (TOMs) 68 Guideline “State of the art” (IT Security Association Germany and ENISA), 2020 Technical measures Organisational measures • Password strength assessment • Enforcing strong passwords • Multi-factor authentication • Cryptographic procedures • Disk encryption • Encryption of files and folders • E-mail encryption • Securing electronic data communication with PKI • Use of VPNs (layer 3) • Layer 2 encryption • Cloud-based data exchange • Data storage in the cloud • Use of mobile voice and data services • Communication through instant messenger • Mobile Device Management • Router security • Network monitoring using Intrusion Detection System • Web traffic protection • Web application protection • Remote network access/ remote maintenance • Server hardening • Endpoint Detection & Response Platform • Using internet with web isolation • Standards and norms • Processes • Secure software development • Audits and certification • Vulnerability and patch management
  • 70. What is accountability? By ICO (UK): There are two key elements. First, the accountability principle makes it clear that you are responsible for complying with the GDPR. Second, you must be able to demonstrate your compliance. 70
  • 71. Accountability Security point of view 1. Information security risk management records 2. DPIA records 3. Information Security Policy, ISMS documentation and other appropriate technical and organisational measures 4. Data protection by design and by default records 5. Personal data breaches records 6. NDAs and other contracts with Processors and Sub-Processors (and documented instructions) 7. Information security audit records 8. Information security and privacy metrics and KPIs 9. Certification (e.g. ISO 27001, ISO 27701, Cyber Essentials) (if applicable) 71
  • 72. 9.Employee monitoring vs Privacy in working life 72
  • 73. In case of using employee monitoring tools, there is a danger of violation of vulnerable subjects' rights… 73
  • 74. Problem areas (examples) • Email monitoring (e.g. DLP, UEBA/UBA) • Monitoring of internet using (e.g. Web-proxy, NGWF, CASB) • Working time tracking • Profiling (e.g. UEBA/UBA, Psychotests) • Mobile Security, BYOD and Remote working • Log management and SIEM • Keyloggers • Audio and Video recording (e.g. CCTV, Screenshots, Webcam recording) • Biometric scanners • … 74
  • 75. Employee monitoring good principles • Necessity: An employer must be able to demonstrate that the monitoring is really necessary and to explain purposes and scope. • Legitimacy: An employer must have lawful grounds for collecting and using the personal data and, if appropriate, sensitive personal data, and the processing must be fair. • Proportionality: Any monitoring that takes place must be proportionate to the issue that the employer is dealing with. • Transparency: An employer must clearly inform employees of the monitoring (and its techniques) that will be carried out. • Integrity and confidentiality: An employer must ensure minimization of rights and access control 75
  • 76. My recommendations 1. Conduct DPIAs 2. Choose blocking not monitoring (if applicable) 3. Implement Four-eyes principle (access control) 4. Discuss solutions with the representatives before implementation 5. Follow the requirements for profiling (GDPR Art.22, if applicable) 76
  • 78. GDPR term ‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements 78
  • 79. GDPR Article 22. Automated individual decision-making, including profiling 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. 79
  • 80. The last slide • Information security (and data protections) is not easy • There are many requirements and recommendations, standards and best practices (e.g. ISO 27001) • ISMS implementation is the key element of compliance. Important processes and topics: • Data protection by design and by default • Access management • Incident management and breach notification • Accountability 80
  • 81. Thanks! Andrey Prozorov, CIPP/E, CISM • My patreon (ISMS and GDPR toolkits): https://www.patreon.com/AndreyProzorov • My blog (in Russian): http://80na20.blogspot.com • My email: [email protected]