Marc Gallardo, profile picture
Uploaded byMarc Gallardo
PPTX, PDF2,024 views

Privacy for tech startups

The document summarizes key points from a presentation on privacy for tech startups. It discusses why privacy is important for startups to consider, providing practical information security controls startups can implement, and new privacy principles from the GDPR that startups should be aware of. Some highlights include: - Privacy should be a priority from the start and can help startups win trust among users and investors. - Practical security controls include encrypting data, patching systems, training employees, and monitoring for vulnerabilities. - The GDPR introduces new principles like data protection by design, security of processing, breach notification requirements, data protection impact assessments, and data protection officers.

Downloaded 16 times
Privacy for Tech Startups Barcelona KnowledgeNet June, 18 - 2014 #iappbcn
IAPP Presentation •Marc Gallardo: Why is Privacy important for a Startup? •Jay Libove: Practical Information Security controls for Startups •Victor Roselló: New Privacy Principles for Startups PART 1: Keynotes •Marta Ruiz (Air Products) •Tiago Henrique (opscaling, gnuine) •Ferran Julià (Undertile) PART 2: Panel Q & A session Program
IAPP Presentation
 Founded in 2000  Over 15,000 members in 83 countries  Largest privacy association in the world  IAPP Europe – created to address the specific needs of European data protection professionals – counts almost 2,000 members IAPP
Members’ opportunities EDUCATE NETWORK CERTIFY
Educational resources IAPP publications keep members up to date on the latest privacy and data protection news worldwide.
Online community  IAPP Privacy List  Web Conferences  Social Buzz  Blogs and Website Resource Center Samples, Tools and Templates Privacy Research Career Center IAPP Articles and Presentations Privacy Glossary Data Protection Authorities Privacy Discussions
Connecting the industry More than a professional association, the IAPP provides a home for privacy professionals around the world to share experiences—working to promote career readiness and improve job effectiveness
Setting the industry standard IAPP certification is the global standard for privacy and data protection professionals. • Launched nearly 10 years ago, the CIPP has become the preeminent credential in the field of privacy and educates on privacy laws and regulations (variants /US, /E, /CA, /G) • The CIPM training demonstrates how to embed privacy into an organization through process and technology • The CIPT is the world’s only privacy certification designed for IT, security and engineering pros
Privacy for Tech Startups In short, think of privacy as a good opportunity to win trust among users and customers
Common attitude of startup founders Privacy and Data Security is usually not a priority from the start ! Respecting Privacy and safeguarding data is a core value and a trust enabler for your customers & investors
Privacy attitudes of consumers • The need to protect personal data online is a consumer priority against the benefits of convenient online services
EMC Privacy Index - June 12, 2014  15.000 consumers from 15 countries  Three Paradoxes emerged: • “We want it all” • “Take no action” • “Social Sharing”  Viewpoints on privacy vary by persona
Be proactive & go beyond compliance • Make privacy top of mind: consumers do care and investors are concerned • Know your data • Be fully transparent: - Simplify the language - Use ‘transparency statements’ - Do as your privacy notice says • Secure your data and train your people
Thank you! marc.gallardo@lexing.es @marc_gallardo
Practical Information Security controls for Startups Or, how to get some useful Data Protection while helping your business …
Practical Approach to Privacy • We have a bad habit in Spain – DP viewed as legal exercise, not business enabler* – L.O.P.D. trailer on website is (not) enough • .. And as much as imitation is the sincerest form of flattery… • So, why would you bother? † • Focus on business: Do security and get compliance – Don’t do “compliance for compliance’s sake” – Do well with practical DP, and if/when you have a problem, you have some defence • Information Security is a part of Privacy/DP, necessary but not sufficient
Organizational • Don’t put privacy/DPO in your Legal department * • Make sure your outside counsel understands your business! ** • Do have an internal IT leader • Have department heads meet regularly, as a group, with your privacy leader (cross-pollenate disciplines) • Fund professional memberships and training/certifications (such as my CISSP, CIPP, CISM) †
Policies, Procedures* (philosophy) • Privacy by Default/ Privacy by Design (operationalize) • Privacy Impact Assessments (operationalize) • Limit your IT Footprint, & only buy what you’ll use • Re-Use, standardise – don’t reinvent † – Open source, commercial Libraries – OWASP libraries – Commercial Emailer services • Stay on Supported Versions
Policies, Procedures* (philosophy, cont’d) • Use 2-Factor/ Multi-Factor/ Strong/ Two-Step authentication wherever practical • Leverage Amazon AWS IAM and similar • Know Before You Go (learn before using, especially OAuth) • Insurance (general business, also “Cyber”)* • Procedures, Checklists for when people leave your company • Change Management
Awareness • People, Process and Technology – Acceptable Use Policy • Subscribe everyone in your company to – SANS OUCH*, and/or – CyberHeist† newsletter, and/or – Front Page of the New York Times, El Mundo, … • Test your people – Phishing email test – Not just .EXE attachments, but .PDF, even . JPG, .MP3* – USB drive left sitting around with autorun binary on it, … • Check your Credit Card & Bank statements carefully
USB phishing test • Particularly if your company is Ayatollah, Inc.
Techie Things To Do • Change default passwords! • Encrypt everywhere where it’s easy to do – Disks, Android & iOS mobile devices – Network traffic (Web SSL, VPN) – Wi-Fi infrastructure – VoIP / SIP gateways • do Backups*,** • run Anti-Virus • have Vulnerability awareness/ perform Patching
Techie Things To Do (cont’d) • UAC, sudo – Don’t compute as Root! • install Microsoft EMET • if you create Windows code, opt-in to – DEP, SEHOP, SafeSEH, ASLR • buy (and use!) a UTM appliance • enable Logging (& direct to different server)* • consider subscribing to Anti-DDoS protection • give your CFO a separate computer to do on-line banking…
Patching, Vulnerability awareness (desktop/client) • Windows – WSUS, InTune * • Secunia SmallBusiness* (beta), LANDesk Patch Manager*, BeyondTrust Retina free 256-IP edition • Deploy everything you can with auto-updating – More attacks come against apps today than against platforms – But make sure you trust the software vendor† • Choose commonly used, actively maintained products
Patching, Vulnerability awareness (server) • Canonical (ubuntu) Landscape*, RedHat Network* • Qualys free online vulnerability scan • Auto-updating may not be appropriate (but vulnerability management is still critical) • Have a Test environment – Use it for testing patches too
Some Great Free Tools • LastPass † (Freemium model) • Android, iOS Device Encryption* • WSUS • NTP • SSH, RDP • Microsoft EMET • Windows Firewall, Linux iptables
More Great Free Tools • OWASP code libraries (ESAPI) • File Vault 2, TrueCrypt, BitLocker*, Windows 8.1 Device Encryption † • Google Mobile Device Management • EFF’s “HTTPS Everywhere” (Firefox, Chrome, Opera)**
… and some Not-So-Great “Free” tools • Pirated software is NEVER a good idea – It’s illegal, and it should go without saying that you should not do illegal things – You don’t others to steal YOUR stuff – Pirated software very often comes with “extras” • Viruses, Trojan horses • Back doors, Spyware
Synergies • Use the Cloud † – AWS EC2 ELB, etc provides security front-end – Cloud SaaS (anti-virus, IT management; converged services – buy one, more available for small add-on cost) – Backup (Mozy*, Carbonite, …)
Targeted Training • Developers – to avoid common tech errors – Re-review the OWASP Top 10 every year – Send one or two top developers to SANS training • Marketing – to avoid creepy/annoying uses – Meet with people like your presenters today • Data Protection Official (IAPP CIPP, CIPM, CIPT!)
Human Things to To • Use Bookmarks/Favorites – no typos, can include https:// explicitly
Thank you! Jay Libove libove@felines.org
New Privacy principles for Tech Startups So, what’s next?
• Data protection by design & by default (art. 23). • Security of processing (art. 30). • Data breach notification to DPA (art. 31) & to DS (art. 32). • Data Protection Impact Assessment (art. 33). • Data Protection Officer (art. 35). GDPR “new” principles
DP by design •Data controller and processor. • At the time of purposes and means determination. • Appropriate and proportionate technical and organizational measures. • Ensure data subject rights. • Entire lifecycle. • Accuracy, confidentiality, integrity, physical security and deletion of personal data. DP by default • No personal data processing beyond the minimum necessary for a predetermined purpose. Data protection by design & by default
• A level appropriate to the risks. Nature of processing and of personal data (DPIA). • Integrity, confidentiality, availability and resilience of systems. • Reliable Back up process. • Sensitive information? • PII only accessed by authorized personnel. • PII protected against accidental or unlawful destruction. Security of processing
To DPA • No undue delay. • Nature of breach (categories and number of PII affected). • DPO contact details. • Measures recommended to mitigate effects. • Consequences. • Describe measures taken to mitigate effects. • Document and public register. To DS • Notification to DS in case of adverse affect to personal data and privacy. • Comprehensive and clear plain language. Breach notification to DPA and DS
• Analyze potential risks (more than 5000 DS in 12-month period, sensitive PII). • Description of processing operations and purposes of processing. • Proportionality in relation to purposes. • Risks to DS rights. • How to minimize PII to be processed. • Security measures. • Data retention period. • DP by design and by default. • Categories and recipients of personal data. • Data transfers to third countries. • Context of data processing. Data Protection Impact Assessment
• More than 5000 DS in 12-month period. • Regular and systematic monitoring of DS. • Special categories of PD. • Inform and advise controller of processor. • Monitor and implement policies, train staff and audit. • DP by design and by default. • Data breaches. • DPIA. • Co-operate with DPA. • At least two years term. Might be reappointed. Employee or external contractor. Data Protection Officer
Thank you! vrosello@esferalegal.cat @vic_rosello
Panel
Presentation
1.- Privacy as a competitive advantage
2.- Preparing for a data breach
3.- Supplier governance
4.- S.O.S. Compliance Team
Thank you!

More Related Content

PPT
Lexing Barcelona Conference
byMarc Gallardo
 
PPTX
Web Marketing Wednesday Ottawa Oct 12th 2011
byAntoine Gay
 
PPTX
GDPR and NIS Compliance - How HyTrust Can Help
byJason Lackey
 
PDF
Using Social Business Software and being compliant with EU data protection la...
byBCC - Solutions for IBM Collaboration Software
 
PPTX
GDPR practical info session for development
byTomppa Kuusi (formerly Järvinen)
 
PPTX
Gdpr compliance. Presentation for Consulegis Lawyers network
byBart Van Den Brande
 
PDF
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
PPTX
Cyber Banking Conference
byEndcode_org
 
Lexing Barcelona Conference
byMarc Gallardo
 
Web Marketing Wednesday Ottawa Oct 12th 2011
byAntoine Gay
 
GDPR and NIS Compliance - How HyTrust Can Help
byJason Lackey
 
Using Social Business Software and being compliant with EU data protection la...
byBCC - Solutions for IBM Collaboration Software
 
GDPR practical info session for development
byTomppa Kuusi (formerly Järvinen)
 
Gdpr compliance. Presentation for Consulegis Lawyers network
byBart Van Den Brande
 
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
Cyber Banking Conference
byEndcode_org
 

What's hot

PPTX
GDPR Presentation slides
byNaomi Holmes
 
PDF
57th ICCA Congress | 12.11.2018 | Data Protection - 150 days after GDPR
byICCA (International Congress and Convention Association)
 
PPTX
social, legal and ethical issues of e-commerce..
byhome based
 
PPTX
Data Protection & Risk Management
byEndcode_org
 
PDF
Legal certainty as a tool for the spread of the internet of things
byGuido Noto La Diega
 
PPT
legal and ethcal issues of e business
byKdnk Kiriti
 
PDF
GDPR: Requirements for Cloud Providers
byIT Governance Ltd
 
PDF
Legal ethical issues E commerce
byWisnu Dewobroto
 
PDF
The Politics of Web 2.0 - E-Government or state surveillance and cyber wars?
byMario Lubenka
 
PPTX
GDPR security services - Areyou ready ?
byFrederick Penaud
 
PPTX
12th July GDPR event slides
byExponential_e
 
PPT
Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
byAcquia
 
PPTX
EU Data Protection Legislation, Peter Ridley (HPE)
byNapier University
 
PDF
GDPR - Applift firstscreen june 2016
bySaira Nayak, JD, CIPP/US/E
 
PDF
Using international standards to improve EU cyber security
byIT Governance Ltd
 
PPTX
IT law : the middle kingdom between east and West
byLilian Edwards
 
PDF
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
byFrancoise Gilbert
 
PDF
Consumers' and Citizens' Privacy
byCarolina Rossini
 
PPTX
Social Media & Legal Risk
byEndcode_org
 
PPT
E-Commerce 10
byZarrar Siddiqui
 
GDPR Presentation slides
byNaomi Holmes
 
57th ICCA Congress | 12.11.2018 | Data Protection - 150 days after GDPR
byICCA (International Congress and Convention Association)
 
social, legal and ethical issues of e-commerce..
byhome based
 
Data Protection & Risk Management
byEndcode_org
 
Legal certainty as a tool for the spread of the internet of things
byGuido Noto La Diega
 
legal and ethcal issues of e business
byKdnk Kiriti
 
GDPR: Requirements for Cloud Providers
byIT Governance Ltd
 
Legal ethical issues E commerce
byWisnu Dewobroto
 
The Politics of Web 2.0 - E-Government or state surveillance and cyber wars?
byMario Lubenka
 
GDPR security services - Areyou ready ?
byFrederick Penaud
 
12th July GDPR event slides
byExponential_e
 
Three Key Steps to Ensure Security Compliance with Drupal in the Cloud
byAcquia
 
EU Data Protection Legislation, Peter Ridley (HPE)
byNapier University
 
GDPR - Applift firstscreen june 2016
bySaira Nayak, JD, CIPP/US/E
 
Using international standards to improve EU cyber security
byIT Governance Ltd
 
IT law : the middle kingdom between east and West
byLilian Edwards
 
Francoise Gilbert Proposed EU Data Protection Regulation-20120214
byFrancoise Gilbert
 
Consumers' and Citizens' Privacy
byCarolina Rossini
 
Social Media & Legal Risk
byEndcode_org
 
E-Commerce 10
byZarrar Siddiqui
 

Viewers also liked

PPT
Computer hardware component. ppt
byNaveen Sihag
 
PPTX
Feelings and emotions up
byMa O
 
PPTX
Computer Virus powerpoint presentation
byshohrabkhan
 
PPT
Introduction to Basic Computer Concepts Presentation
byAna Tan
 
PPT
Fundamentals Of Computer
byJack Frost
 
PPT
feelings flash cards
bytotomihee
 
PPTX
Kabbadi
byfarris faye
 
PDF
Traditional Indian Dress : Its Origin and Types
byPaul Mattfield
 
PPT
Roll laptop
byEnglish TVTC
 
PPT
La e-reputación en España
byMarc Gallardo
 
PPT
La protection de la e-réputation en Espagne
byMarc Gallardo
 
PPS
Learning From Humor And Insults?
byOH TEIK BIN
 
PPTX
Describing of Emotions
byGabriel Demeter
 
ODP
2
byValeria Sena
 
PPTX
Feelings
bylanayilmaz
 
Computer hardware component. ppt
byNaveen Sihag
 
Feelings and emotions up
byMa O
 
Computer Virus powerpoint presentation
byshohrabkhan
 
Introduction to Basic Computer Concepts Presentation
byAna Tan
 
Fundamentals Of Computer
byJack Frost
 
feelings flash cards
bytotomihee
 
Kabbadi
byfarris faye
 
Traditional Indian Dress : Its Origin and Types
byPaul Mattfield
 
Roll laptop
byEnglish TVTC
 
La e-reputación en España
byMarc Gallardo
 
La protection de la e-réputation en Espagne
byMarc Gallardo
 
Learning From Humor And Insults?
byOH TEIK BIN
 
Describing of Emotions
byGabriel Demeter
 
2
byValeria Sena
 
Feelings
bylanayilmaz
 

Similar to Privacy for tech startups

PPTX
Presentation on Information Privacy
byPerry Slack
 
PPTX
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
PPTX
How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...
byAggregage
 
PDF
Toreon adding privacy by design in secure application development oss18 v20...
bySebastien Deleersnyder
 
PDF
9 Best Enterprise Data Security and Privacy Practices in 2025_compressed (1).pdf
byHawkShield
 
PDF
How to Build a Privacy Program
bysecratic
 
PPTX
Global Threats| Cybersecurity|
bypaul young cpa, cga
 
PPTX
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
PPTX
Privacies are Coming
byErnest Staats
 
PPTX
Presentation 10.pptx
bymishogelashvili28
 
PPTX
Privacies are coming
byErnest Staats
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
PDF
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
byAIIM International
 
PPTX
Automatski - The Internet of Things - Privacy Standards
byautomatskicorporation
 
PPTX
Storm on the Horizon: Data Governance & Security vs. Employee Privacy
byAurélie Pols
 
PDF
Presentation
bySenaka(Sam) Hettiarachchi, CPA, Executive MBA
 
PDF
Mark Goldstein Value Proposition
byuke5wvTp
 
DOCX
Maintain data privacy during software development
byMuhammadArif823
 
PPT
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
byPerficient, Inc.
 
PDF
Where In The World Is Your Sensitive Data?
byDruva
 
Presentation on Information Privacy
byPerry Slack
 
Securing your digital world cybersecurity for sb es
bySonny Hashmi
 
How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...
byAggregage
 
Toreon adding privacy by design in secure application development oss18 v20...
bySebastien Deleersnyder
 
9 Best Enterprise Data Security and Privacy Practices in 2025_compressed (1).pdf
byHawkShield
 
How to Build a Privacy Program
bysecratic
 
Global Threats| Cybersecurity|
bypaul young cpa, cga
 
Securing your digital world - Cybersecurity for SBEs
bySonny Hashmi
 
Privacies are Coming
byErnest Staats
 
Presentation 10.pptx
bymishogelashvili28
 
Privacies are coming
byErnest Staats
 
Secure Iowa Oct 2016
byLarry Slobodzian
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
byAIIM International
 
Automatski - The Internet of Things - Privacy Standards
byautomatskicorporation
 
Storm on the Horizon: Data Governance & Security vs. Employee Privacy
byAurélie Pols
 
Presentation
bySenaka(Sam) Hettiarachchi, CPA, Executive MBA
 
Mark Goldstein Value Proposition
byuke5wvTp
 
Maintain data privacy during software development
byMuhammadArif823
 
Managing Privacy Risk and Promoting Ethical Culture in the Digital Age
byPerficient, Inc.
 
Where In The World Is Your Sensitive Data?
byDruva
 

More from Marc Gallardo

PDF
Internet of Things
byMarc Gallardo
 
PDF
Derechos Humanos en la Era Digital
byMarc Gallardo
 
PPTX
Lexing spain.dataprotection
byMarc Gallardo
 
PPTX
Lexing spain.cookies
byMarc Gallardo
 
PDF
Privacy on the Internet
byMarc Gallardo
 
PDF
Privacy on the Internet
byMarc Gallardo
 
Internet of Things
byMarc Gallardo
 
Derechos Humanos en la Era Digital
byMarc Gallardo
 
Lexing spain.dataprotection
byMarc Gallardo
 
Lexing spain.cookies
byMarc Gallardo
 
Privacy on the Internet
byMarc Gallardo
 
Privacy on the Internet
byMarc Gallardo
 

Recently uploaded

PDF
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
PDF
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
PDF
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
PDF
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
PDF
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
PDF
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
PDF
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
PDF
MathML Core in WebKit
byIgalia
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PDF
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
PDF
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
TrustArc Webinar - It’s Time to Rethink Privacy
byTrustArc
 
MicroPython presentation - PyConFr Lyon 2025 - Amine Bendahmane
byAmine Bendahmane
 
Upskill to Agentic Automation - Working Smarter with AI: Real-World Tools for...
byDianaGray10
 
The Future-Ready PMO: Unlocking Project Success with Copilot and AI Innovatio...
byWellingtone
 
Q8 DIGITAL IDENTITY HUB - WSO2 Oxygenate Italy 2025
byProfesia Srl, Lynx Group
 
GDG Boise - Innovating with Google Cloud Artificial Intelligence
byJoey Brown
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
byTridens
 
RR B.Ed. educational trust. Ashish Tiwari
byat386834
 
MathML Core in WebKit
byIgalia
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Transform Your Online Store with AltiusNxt AI Enriched data
byAltiusNxt Technologies
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
Control Access to Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 

Privacy for tech startups

  • 1.
    Privacy for TechStartups Barcelona KnowledgeNet June, 18 - 2014 #iappbcn
  • 2.
    IAPP Presentation •Marc Gallardo:Why is Privacy important for a Startup? •Jay Libove: Practical Information Security controls for Startups •Victor Roselló: New Privacy Principles for Startups PART 1: Keynotes •Marta Ruiz (Air Products) •Tiago Henrique (opscaling, gnuine) •Ferran Julià (Undertile) PART 2: Panel Q & A session Program
  • 3.
  • 4.
     Founded in2000  Over 15,000 members in 83 countries  Largest privacy association in the world  IAPP Europe – created to address the specific needs of European data protection professionals – counts almost 2,000 members IAPP
  • 5.
  • 6.
    Educational resources IAPP publicationskeep members up to date on the latest privacy and data protection news worldwide.
  • 7.
    Online community  IAPPPrivacy List  Web Conferences  Social Buzz  Blogs and Website Resource Center Samples, Tools and Templates Privacy Research Career Center IAPP Articles and Presentations Privacy Glossary Data Protection Authorities Privacy Discussions
  • 8.
    Connecting the industry Morethan a professional association, the IAPP provides a home for privacy professionals around the world to share experiences—working to promote career readiness and improve job effectiveness
  • 9.
    Setting the industrystandard IAPP certification is the global standard for privacy and data protection professionals. • Launched nearly 10 years ago, the CIPP has become the preeminent credential in the field of privacy and educates on privacy laws and regulations (variants /US, /E, /CA, /G) • The CIPM training demonstrates how to embed privacy into an organization through process and technology • The CIPT is the world’s only privacy certification designed for IT, security and engineering pros
  • 10.
    Privacy for TechStartups In short, think of privacy as a good opportunity to win trust among users and customers
  • 11.
    Common attitude ofstartup founders Privacy and Data Security is usually not a priority from the start ! Respecting Privacy and safeguarding data is a core value and a trust enabler for your customers & investors
  • 12.
    Privacy attitudes ofconsumers • The need to protect personal data online is a consumer priority against the benefits of convenient online services
  • 13.
    EMC Privacy Index- June 12, 2014  15.000 consumers from 15 countries  Three Paradoxes emerged: • “We want it all” • “Take no action” • “Social Sharing”  Viewpoints on privacy vary by persona
  • 14.
    Be proactive &go beyond compliance • Make privacy top of mind: consumers do care and investors are concerned • Know your data • Be fully transparent: - Simplify the language - Use ‘transparency statements’ - Do as your privacy notice says • Secure your data and train your people
  • 15.
  • 16.
    Practical Information Security controlsfor Startups Or, how to get some useful Data Protection while helping your business …
  • 17.
    Practical Approach toPrivacy • We have a bad habit in Spain – DP viewed as legal exercise, not business enabler* – L.O.P.D. trailer on website is (not) enough • .. And as much as imitation is the sincerest form of flattery… • So, why would you bother? † • Focus on business: Do security and get compliance – Don’t do “compliance for compliance’s sake” – Do well with practical DP, and if/when you have a problem, you have some defence • Information Security is a part of Privacy/DP, necessary but not sufficient
  • 18.
    Organizational • Don’t putprivacy/DPO in your Legal department * • Make sure your outside counsel understands your business! ** • Do have an internal IT leader • Have department heads meet regularly, as a group, with your privacy leader (cross-pollenate disciplines) • Fund professional memberships and training/certifications (such as my CISSP, CIPP, CISM) †
  • 19.
    Policies, Procedures* (philosophy) •Privacy by Default/ Privacy by Design (operationalize) • Privacy Impact Assessments (operationalize) • Limit your IT Footprint, & only buy what you’ll use • Re-Use, standardise – don’t reinvent † – Open source, commercial Libraries – OWASP libraries – Commercial Emailer services • Stay on Supported Versions
  • 20.
    Policies, Procedures* (philosophy,cont’d) • Use 2-Factor/ Multi-Factor/ Strong/ Two-Step authentication wherever practical • Leverage Amazon AWS IAM and similar • Know Before You Go (learn before using, especially OAuth) • Insurance (general business, also “Cyber”)* • Procedures, Checklists for when people leave your company • Change Management
  • 21.
    Awareness • People, Processand Technology – Acceptable Use Policy • Subscribe everyone in your company to – SANS OUCH*, and/or – CyberHeist† newsletter, and/or – Front Page of the New York Times, El Mundo, … • Test your people – Phishing email test – Not just .EXE attachments, but .PDF, even . JPG, .MP3* – USB drive left sitting around with autorun binary on it, … • Check your Credit Card & Bank statements carefully
  • 22.
    USB phishing test •Particularly if your company is Ayatollah, Inc.
  • 23.
    Techie Things ToDo • Change default passwords! • Encrypt everywhere where it’s easy to do – Disks, Android & iOS mobile devices – Network traffic (Web SSL, VPN) – Wi-Fi infrastructure – VoIP / SIP gateways • do Backups*,** • run Anti-Virus • have Vulnerability awareness/ perform Patching
  • 24.
    Techie Things ToDo (cont’d) • UAC, sudo – Don’t compute as Root! • install Microsoft EMET • if you create Windows code, opt-in to – DEP, SEHOP, SafeSEH, ASLR • buy (and use!) a UTM appliance • enable Logging (& direct to different server)* • consider subscribing to Anti-DDoS protection • give your CFO a separate computer to do on-line banking…
  • 25.
    Patching, Vulnerability awareness (desktop/client) •Windows – WSUS, InTune * • Secunia SmallBusiness* (beta), LANDesk Patch Manager*, BeyondTrust Retina free 256-IP edition • Deploy everything you can with auto-updating – More attacks come against apps today than against platforms – But make sure you trust the software vendor† • Choose commonly used, actively maintained products
  • 26.
    Patching, Vulnerability awareness (server) •Canonical (ubuntu) Landscape*, RedHat Network* • Qualys free online vulnerability scan • Auto-updating may not be appropriate (but vulnerability management is still critical) • Have a Test environment – Use it for testing patches too
  • 27.
    Some Great FreeTools • LastPass † (Freemium model) • Android, iOS Device Encryption* • WSUS • NTP • SSH, RDP • Microsoft EMET • Windows Firewall, Linux iptables
  • 28.
    More Great FreeTools • OWASP code libraries (ESAPI) • File Vault 2, TrueCrypt, BitLocker*, Windows 8.1 Device Encryption † • Google Mobile Device Management • EFF’s “HTTPS Everywhere” (Firefox, Chrome, Opera)**
  • 29.
    … and someNot-So-Great “Free” tools • Pirated software is NEVER a good idea – It’s illegal, and it should go without saying that you should not do illegal things – You don’t others to steal YOUR stuff – Pirated software very often comes with “extras” • Viruses, Trojan horses • Back doors, Spyware
  • 30.
    Synergies • Use theCloud † – AWS EC2 ELB, etc provides security front-end – Cloud SaaS (anti-virus, IT management; converged services – buy one, more available for small add-on cost) – Backup (Mozy*, Carbonite, …)
  • 31.
    Targeted Training • Developers– to avoid common tech errors – Re-review the OWASP Top 10 every year – Send one or two top developers to SANS training • Marketing – to avoid creepy/annoying uses – Meet with people like your presenters today • Data Protection Official (IAPP CIPP, CIPM, CIPT!)
  • 32.
    Human Things toTo • Use Bookmarks/Favorites – no typos, can include https:// explicitly
  • 33.
  • 34.
    New Privacy principles forTech Startups So, what’s next?
  • 35.
    • Data protectionby design & by default (art. 23). • Security of processing (art. 30). • Data breach notification to DPA (art. 31) & to DS (art. 32). • Data Protection Impact Assessment (art. 33). • Data Protection Officer (art. 35). GDPR “new” principles
  • 36.
    DP by design •Datacontroller and processor. • At the time of purposes and means determination. • Appropriate and proportionate technical and organizational measures. • Ensure data subject rights. • Entire lifecycle. • Accuracy, confidentiality, integrity, physical security and deletion of personal data. DP by default • No personal data processing beyond the minimum necessary for a predetermined purpose. Data protection by design & by default
  • 37.
    • A levelappropriate to the risks. Nature of processing and of personal data (DPIA). • Integrity, confidentiality, availability and resilience of systems. • Reliable Back up process. • Sensitive information? • PII only accessed by authorized personnel. • PII protected against accidental or unlawful destruction. Security of processing
  • 38.
    To DPA • Noundue delay. • Nature of breach (categories and number of PII affected). • DPO contact details. • Measures recommended to mitigate effects. • Consequences. • Describe measures taken to mitigate effects. • Document and public register. To DS • Notification to DS in case of adverse affect to personal data and privacy. • Comprehensive and clear plain language. Breach notification to DPA and DS
  • 39.
    • Analyze potentialrisks (more than 5000 DS in 12-month period, sensitive PII). • Description of processing operations and purposes of processing. • Proportionality in relation to purposes. • Risks to DS rights. • How to minimize PII to be processed. • Security measures. • Data retention period. • DP by design and by default. • Categories and recipients of personal data. • Data transfers to third countries. • Context of data processing. Data Protection Impact Assessment
  • 40.
    • More than5000 DS in 12-month period. • Regular and systematic monitoring of DS. • Special categories of PD. • Inform and advise controller of processor. • Monitor and implement policies, train staff and audit. • DP by design and by default. • Data breaches. • DPIA. • Co-operate with DPA. • At least two years term. Might be reappointed. Employee or external contractor. Data Protection Officer
  • 41.
  • 42.
  • 43.
  • 44.
    1.- Privacy asa competitive advantage
  • 45.
    2.- Preparing fora data breach
  • 46.
  • 47.
  • 49.

Editor's Notes

  • #5 The IAPP is the largest privacy association in the world and a leader in the privacy industry, facilitating conversations/debates and collaboration among key industry leaders and organizations. The organization provides resources to support practitioners to develop and advance their careers while helping professionals and businesses navigate the complexities of the evolving environment. Starting with just a handful of dedicated professionals, today the organization has more than 14,000 members across 83 countries Membership has tripled in the last five years and the growth rate has been over 20 percent in each of the last two years
  • #7 Daily Dashboard: The IAPP’s FREE daily e-newsletter, that summarizes the day’s top stories from around the world with links to the full articles—sent direct to your desktop each weekday! Privacy Advisor: The Privacy Advisor, the IAPP’s digital monthly member newsletter featuring news and analysis of privacy issues worldwide from leading experts. Privacy Tracker: Privacy Tracker is a member-only blog featuring the latest legislative developments and expert analysis .
  • #8 Online Community IAPP offers online educational and networking opportunities for those located in regions outside of in-person events IAPP Privacy List Connect with the IAPP community online to exchange ideas, share best practices and discuss privacy issues and concerns. The provides a friendly forum for the exchange of ideas and information related to a broad scope of subjects. Social Buzz The IAPP is active on Twitter (@DailyDashboard has 1,450 followers), LinkedIn (1,222 followers) and Facebook (1,803 Likes). Blogs Privacy Perspectives and Privacy Tracker Resource Center—members-only content on the IAPP website Tools, templates, research, articles, job board and more.
  • #9 More than a professional association, the IAPP provides a home for privacy professionals around the world to gather and share experiences - working to promote career readiness and improve job effectiveness Several global events/conferences providing education and networking opportunities including the IAPP Global Privacy Summit, annual event held for the last 13 years; the IAPP Privacy Academy; IAPP Canada Privacy Symposium; IAPP Europe Data Protection Congress, IAPP Europe Data Protection Intensive Events continue to attract industry thought leaders and policy makers, for example at the most recent Global Summit FTC Chairwoman Edith Ramirez made her first remarks in her new role Navigate event brings academics, industry thought-leaders and others together for intellectual provocation and debate to shape the future of privacy
  • #10 Launched nearly 10 years ago, the CIPP is the introductory training that educates on U.S. privacy laws and regulations and understanding of the legal requirements for the responsible transfer of sensitive personal data to/from the United States. The new CIPM training demonstrates how to embed privacy into an organization through process and technology The CIPT is the world’s only privacy certification designed for IT, security and engineering pros Proof Points: Starting with just a handful of dedicated professionals, today the organization has more than 12,000 members across 78 countries Membership has tripled in the last five years and the growth rate has been over 20 percent in each of the last two years Currently there are more than 5000 certified privacy professionals According to the latest IAPP Privacy Professionals Role, Function and Salary Survey professionals with their CIPP certification saw an increase in salary in 2013, outpacing even those with MBA’s
  • #11 Privacy and more particularly ‘Personal Data Protection’ is a growing concern at this moment in our history. Tech startups have to think of it very seriously from the beginning of their project. This can provide a huge competitive advantage and not many are taking advantage of it today. At the same time you can expect investors to seek confirmation that you are privacy-savvy from the start. Therefore, as a startup founder, think of privacy as not only a regulatory issue, which it certainly is, but as a human issue as well. People around the world are developing a real fear that they are losing control of their personal data, and politicians are reacting by increasing restrictions on what companies can do with the data they collect. To approach privacy in this context can put you in a position to become a future market leader.
  • #12 When you start up your business your main goals are signing up users and raising money … Privacy and Data Security is not top of mind !!! This is wrong … privacy and data security must be strategic.
  • #15 Understand your business model and know what data you are collecting. Don’t settle for open-ended or vague responses like ‘nothing sensitive’ or ‘no personal data’. Someone needs to understand exactly what data is being collected and why. But do not use intuition, the distinction between what is personal data and not can be very tricky and highly technical. As Jay and Victor will explain later on using tools to properly secure data and be proactive by implementing PbD and other new principles is the way to get it right, meaning not only to be compliant but also to seize the opportunity to win trust from your users or customers.
  • #18 * Spain and southern Europe in general have the bad habit of approaching privacy as a legal, checkbox, paper exercise, driven by fear of the Regulator (and how the LOPD is used by Consumer organizations to invoke the power of the Regulator), rather than as pro-business risk management for enablement. (The George Washington Law Review, Vol. 81:1529 - Privacy in Europe: Initial Data on Governance Choices and Corporate Practices, SSRN 2328877, Bamberger & Mulligan, 08/2013) Copying someone else’s privacy statement is a very bad idea. They’re probably not as good at it as you think, and your business is probably different from theirs, so your copy of their privacy statement is unlikely to represent your information practices. † You might want to get a large(r) round of investment or sell the company; then, the investors’/buyers’ due diligence will require them to look at your practical data protection posture!
  • #19 * Most people in the company try to avoid talking with Law departments and with Lawyers, but you want Privacy to be Operational and integrated, so your DPO must be somewhere and someone who people will want to talk to, and you must instill a sense of information “ownership” in your managers whose business function gets the most value from each database. ** An outside lawyer is not part of your company. He does not understand you. So he cannot be practical in helping you do Data Protection. SP Contest example. Operationalizing anything – general IT, privacy, data protection/ security, makes it more efficient and reliable. If you don’t have an IT Operations role, it will be difficult to operationalize information governance. Your HR head probably doesn’t understand IT, who thinks HR just gets in the way; they must work together to facilitate what HR needs to do with data, while allowing for compliance. † Yeah, I know, no time/money. In reality, it’s cheaper to fund this than to waste time searching for and reinventing that which is already readily available, if only your IT/privacy/developer guy knew about it from professional associations and conferences.
  • #20 * Few, simple, and really teach your people about them, and evaluate their performance. Dusty policy books on the shelf which nobody ever reads are worse-than-useless. PbD, PIA – One before, the other after, every project. Footprint - The fewer different things you have, the less time you have to waste training, patching/updating. Only custom develop that which is core to your business model. Re-use (open source, buy) everything else. Yes, even OpenSSL. † Reinventing - Almost everyone who thinks they can implement their own Widget to save money ends up with a poor quality, expensive widget. - Staray S125, S325 encrypted hard drives http://www.h-online.com/security/features/Cracking-budget-encryption-746225.html - Lexar JumpDrives (ca. CY2004) stored PIN retrievably on the drive - OWASP Enterprise Security API (ESAPI) - Session State Management – use the functions built-in to your chosen framework (ASP .NET, PHP, J2EE, …) - HTML Purifier to help avoid XSS in user-provided HTML code - Zend Framework ZendInputFilter, ZendFilter, ZendValidate - PHP PEAR - Django for Python Commercial Emailers give you functionality (who opened it) as well as unsubscription management (avoids/defends spam complaints). Unsupported software – Staying on XP or Java 1.5 or PHP 5.1 or … sounds like “If it ain’t broke, don’t fix it”. Until it breaks (or suffers a new, never-to-be-patched vulnerability).
  • #21 2-Factor – The biggest single technical weakness is passwords. IAM, etc – reduce privilege. Also, EC2 firewall rules, instance monitoring and alerting (is that CPU or bandwidth spike just business or is it an attack?) OAuth – GREAT tool. Frequently implemented wrong, provoking risks *to others*. * When you first look at buying insurance which would help you in case of a “Cyber” incident, you probably won’t qualify! .. But the process of learning why you don’t quality will be instructive to you.
  • #22 People come first. Process helps People do right. Technology helps Process and limits People’s ability to screw up. * SANS Ouch, April 2014 “You (yes, you) Are a Target”! Not because you’re so interesting, but just because you have stuff that the attackers can use to attack others. Phishing tests are available cheaply from several security awareness vendors. Phishing plays on trust. We’re wired to trust. So we must verify, always. † KnowBe4 publishes the CyberHeist newsletter, and offers phishing tests (one free, then subscription). * In fact, almost any file attachment could be launched by a handler with a data format vulnerability, so you must mistrust all file types of learning why you don’t quality will be instructive to you.
  • #23 Stuxnet, anybody?
  • #24 VPNs help you test “From” anywhere (CDNs, latency) and also protect you against evil Wi-Fi access points and Man-in-the-Middle attacks. * Security is traditionally described as Confidentiality, Integrity and Availability. Of these business is usually most concerned with Availability. Backups keep you available (Disaster Recovery); Ransomware, Technology failure, Finger “oops”! … ** Those Finger “oops!” being actually the most common, use a (cloud) Backup solution which keeps multiple versions of files!
  • #25 * Separate management domains between core operations and supporting systems like the Logging server, so that a compromise of the core system cannot also easily destroy the log data which you would need in order to investigate the incident.
  • #26 * - commercial products/ services Auto-updating: The fear was always that an update would break something operational. In truth this happens rarely, whereas hacks of unpatched software happens daily. Anything that patches itself, you don’t have to waste your time patching. - Adobe Flash Player, Adobe Reader, Firefox, Chrome, Java, iTunes, QuickTime, KMPlayer † Mobile Apps especially. Auto-updating there gets you a constant stream of new features. Somewhat
  • #27 * - commercial products/ services
  • #28 † LastPass’ free version is excellent, including for businesses. It’s premium (personal) and enterprise (business) versions are even better. There’s no excuse to not use it! * Note that not all Android variants encrypt all data, especially removable SD cards, and iOS has different “levels” of encryption. Be sure to read the manual, so to speak!
  • #29 * BitLocker is only available on “Pro” and above Windows Vista/7 versions. † Windows 8.1 Device Encryption is completely automatic, but only on very new hardware which meets requirements. ** HTTPS Everywhere is great in theory; in practice I have found it can cause websites to malfunction, so approach with caution/ only for very technical users. But hopefully it will get better!
  • #31 † Yes, we know, the Cloud may provoke regulatory concerns. But if it’s going to do security better than you otherwise would (despite Luke Skywalker’s success – twice – against the Death Star, unless your enemy is using the Force, Señor Vader igualmente como Señor Google, Señor Amazon y Señor Microsoft will have better security on their cloud-hosted Death Star than you will in anything you run yourself!), and it’s speed and cost efficiency will let you do more business, and more secure business, that’s Practical, and more defensible than having not done it. * Some backup services, such as Mozy, allow you to control the Encryption Key.
  • #45 Tech startups and SMEs have a long list of to-dos. Data security is one of them. Tinder, the popular dating app, recently aknowledged flaws in its software that would let hackers pinpoint the exact locations of people using the service. Kickstarter, the crowdfunding site, also said that hackers had gained access to customers’ data, including passwords and phone numbers. Half joking we can add: for many companies, a security breach would almost be a nice problem to have in some cases; it means you have enough customers for someone to care. (Except that we know that many breaches are opportunistic, so you don’t have to have enough customers for someone to care, in order for someone to care…!)
  • #47 It’s a legal requirement. But more importantly, you want to maintain control over what they can do with your valuable data asset, so they don’t use it for their own gain, where you should have been getting that advantage yourself!