Cyberdemocracy

This week I went to an event aptly dedicated to “Cyberdefense and cybersecurity”. These topics are fashionable and for good reasons.

The cyber suffix is more and more a reality and needs to enter our lexicon fast. Otherwise, we will soon be swept over by a world under a not so bright new order.

Beyond the obvious fears and calls to action, I captured these, starting from the one I think we all can do something about it:

• Education – Surprise! Everyone, and especially the youth, as to step up on their awareness for the cultural and democracy shift brought by the post-Internet world. I place my bet here for informed people are wiser. Here’s one free online introductory course. Cybersecurity education resources can be found too.
• Regulation – A need for a net of cooperation institutions from all sectors to bring order to the new wild west. Or face being ruled by big corporations as nations sovereignty keep declining. There’s hope from the UK. Also,  an informative report from ENISA.
• Artificial Intelligence – Like other disrupting technologies, it did not bother knocking first before entering our lives. Really fast. It is already being used for cyberattacks.

 

GDPR – Individual’s rights [part two]

As seen in the previous post, individual’s rights under GDPR are:

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.

For this post, we will look at the last four listed above (you can check the first ones in the aforementioned post).

The right to restrict processing

Erasure is not always the right (no pun intended) thing to do. As when the original reason for process ends, there may be a legal obligation to hold that personal data (see picture below).

It’s also useful for controllers whenever data is inaccurate or when the legitimate basis for processing cannot be immediately proven.

GDPR for SAP: How to restrict personal data processing? by Michael Rakutko

You will be required to restrict the processing of personal data if:

• An individual contests the accuracy of his personal data, you should restrict the processing until you have verified the accuracy of the personal data.
• When processing is unlawful and the individual opposes erasure and requests restriction instead.
• If you no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual.

Examples of methods to restrict processing are given in Recital 67.  For instance, you can mark the personal data that has restrict processing over it.

Two communication obligations for controllers are:

• impacted individuals must be informed by the controller before restricted processing is lifted.
• If you have disclosed the personal data in question to third parties, you must inform them about the restriction on the processing of the personal data (except if it is impossible or involves disproportionate effort to do so).

Exceptions

Processing may be restricted but still possible when:

• The individual explicitly consents
• For establishment, exercise or defence of legal claims
• For the protection of the rights of another natural or legal person
• For reasons of important public interest of the Union or of a Member State.

The right to data portability

The data subject has the right to receive personal data he/she has provided to a controller.

The personal data must be in a structured, commonly used and machine-readable format (ICO gives as an example the ubiquitous CVS format) and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

This right applies when these two conditions are met:

1. The processing is carried out by automated means
2. The processing is based on consent given by an individual or it is necessary for the performance of a contract

The individual may request that the controller sends the personal data directly to another organization (if technically feasible). Note that the controller does not have to adopt or maintain processing systems that are technically compatible with other organizations.

Data portability is a new right under GDPR.

Exceptions

Data portability does not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.

The right to object

The data subject has the right to object when processing relates to:

• Legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
• Direct marketing (including profiling)
  • In this case, the right to object should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
• Scientific/historical research and statistics
  • unless the processing is necessary for the performance of the task carried out for reasons of public interest.

If this processing is carried out online, then the controller must offer a way for individuals to object online.

Rights in relation to automated decision making and profiling

GDPR includes safeguarding individuals against the risk that a potentially damaging decision is taken without human intervention.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” – GDPR, Art.22 (1)

Here we have new rights for the individuals regarding profiling.

Individual safeguards for the individual

In any case, such processing should be subject to suitable safeguards, which should:

• include specific information to the data subject and the right to obtain human intervention
• to express his or her point of view to obtain an explanation of the decision reached after such assessment
• and to challenge the decision.

Fair and transparent processing

In order to ensure fair and transparent processing in respect of the data subject (including preventing discriminatory effects on a natural person), the controller should:

• use appropriate mathematical or statistical procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised

Exceptions

The automated processing is allowed if one of these is true:

• is necessary for entering into, or performance of, a contract between the data subject and a data controller
• is authorized by Union or local Member State law to which the controller is subject (which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests). The referred authorization may include fraud and tax-evasion monitoring and prevention purposes
• the data subject gave his/her explicit consent.

Decisions taken from personal data profiling shall not be based on special categories of personal data (e.g. racial, ethnic, or religious information) unless:

• there’s explicit consent from the data subject (except where prohibited by Union law or National Law)
• or processing is necessary for substantial public interest.

Next topic will address minors rights.

GDPR – Data breach reporting

For this third post on GDPR, we will cover the who and what of data breach reporting obligations. It is a good candidate for building up on existing event and incident activities.

The definition of a data breach within GDPR is:

“Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. – Art.4(12)

In case of a personal data breach, the controller shall without undue delay, and where feasible, no later than 72 hours after becoming aware of it,  notify the personal data breach to the competent supervisory authority.

The GDPR details mandatory information to be included in the personal data breach notification (check what items comprise that mandatory information at the end of this post).

Regarding timing and completeness of the notification, Recital 85 states: “Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.”

This obligation applies only when the data breach may result in a risk to the rights and freedoms of natural persons I suggest you double check those rights and freedoms with legal. Even better, ask the supervisory authority.

Retaining wall breach – by Hefin Richards

Furthermore, the processor shall notify the controller without undue delay after becoming aware of a personal data (the Regulation does not enforce a hard deadline for the processor to controller notification).

Beware that, for the first time, the processors will also now be subject to penalties and civil claims by data subjects.

Operationally, for all this to work, a prior assessment of the impact of processing operations on personal data will provide reliable criteria for which and when to notify data breaches (also, that assessment – known as a Data Protection Impact Assessment  in GDPR  – pinpoints what needs to be monitored for breaches).

What about the affected data subjects?

The controller should, as soon as reasonably possible and in close cooperation with the supervisory authority (for instance, prompt communication for if there’s an immediate risk of damage), communicate to the impacted data subjects:

• the nature of the personal breach
• recommendations for the natural person concerned to mitigate potential adverse effects.

Data breaches must be documented

The controller must document any personal data breaches (what happened, effects and remedial action taken). This documentation shall enable the supervisory authority to verify compliance with the data breach notification GDPR article 33. Clearly, there’s a need for people and a management system to support it (both may currently exist in the organization, due to other information security requirements).

Piggybacking on existing practices

If the organization already has procedures for handling information security incidents, then they should be reviewed for specific treatment of the personal data ones, including how to properly documenting them should supervisory authority (or legal authorities) demand it, how to notify the supervisory authority, and getting processor data breach notifications.

From CNIL, the French supervisory authority, Notifications d’incidents de sécurité aux autorités de régulation : comment s’organiser et à qui s’adresser ? provides guidance on notification of security incidents.

Where to start?

Being compliant with what GDPR regulates for data breach notification has a significant impact on organizations, including raising awareness on handling data breaches; procedures for detecting, documenting and notifying data breaches; reviewing and checking on third party entities processing personal data for your organization; communication with both supervisory authority and the data subjects.

Introducing these changes costs money, you will need to build a business case towards a data breach reporting initiative in order to secure funds. Consider this:

Personal data breaches seem to be more damaging to companies than other security breaches.

Campbell et al. (2003) found that security breaches in which personal data was accessed had a significant impact on a company’s stock market valuation (please check References below for source). People relate more with personal data security breaches (“Hey, that could have happened to me!”).

Next post will tackle the reason why GDPR exists: individuals’ rights.

References

Art. 33 GDPR Notification of a personal data breach to the supervisory authority (Recitals 85, 86 and 87 are relevant for further clarification)

Karyda, Maria & Mitrou, Lilian. (2016). DATA BREACH NOTIFICATION: ISSUES AND CHALLENGES FOR SECURITY MANAGEMENT.

Annex – What’s goes into the data breach notification?

The notification shall at least include:

• the nature of the personal data breach including where possible: the categories of data subjects and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer or other contact point where more information can be obtained;
• the likely consequences of the personal data breach;
• the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

GDPR – Privacy by design (PbD)

Privacy by design (PbD) is meant to tackle privacy throughout the whole cycle of activities that together allow an organization to handle personal data for their purposes.

The intention is to invest sooner in privacy thus reducing untimely measures to fix personal data misuse.

A brief lookup on the topic will bring up the goal of having privacy by design done to such extent that you actually won’t need to protect personal data at all (because there won’t be any left). Also, there’s some criticism about PbD vagueness. This stems from its origin as a set of principles as we will see next, which to me is a good sign in favor of its usefulness.

The principles

It started in Canada, with Anne Cavoukian, the former Information & Privacy Commissioner of Ontario, and her Pbd principles, known as the Ontario model:

1. Proactive not Reactive; Preventative not Remedial
   Focus on anticipating privacy risks.
2. Privacy as the Default
   Individuals should get maximum possible privacy by default.
3. Privacy Embedded into Design
   Privacy by Design is an explicit part of design and architecture of IT systems and business practices.
4. Full Functionality – Positive-Sum, not Zero-Sum
   The goal is to have full functionality, not using security as an excuse for less.
5. End-to-End Security – Lifecycle Protection
   Secure lifecycle management of information, right from the instant information enters all the way up until is no longer needed.
6. Visibility and Transparency
   Both users and providers can check on how PbD is achieved.
7. Respect for User Privacy
   Users first. Meaning strong privacy defaults, appropriate notice, and empowering user-friendly options.

Whenever we go for principles, actually doing it is not immediate – that’s the point (because, hey, they’re generic and meant to keep in mind – not operational, rather supporting operational decisions).

To focus our initiative we can piggyback on data mapping and privacy impact assessments. These are opportunities to identify the parts where there’s a need to intentionally introduce privacy by design.

Privacy by Design moments of truth

The ICO gives concrete examples where privacy by design should be considered and applied. Specifically,  contexts where things change. Both from inside and outside:

• Building new IT systems for storing or accessing personal data
  • This can be done through a change management process though you may find a better source whenever a funding request comes for new IT systems (or cloud services around your customers).
• Developing legislation, policy or strategies that have privacy implications
  • Make PbD part of the checklist of topics to check.
• Embarking on a data sharing initiative
  • Remember sharing data has never been so easy.
• Using data for new purposes
  • Look out for requests coming from marketing and sales; they know the business, you better know its impact (and express it in such a clear way your family would be proud).

Simplify

Like with security in general, by embedding checks in the right moments we can go a long way without too much extra work. Take these ways to simplify as a starting point in your PbD journey:

• Data minimization – Collect only what you need.
• Purpose limitation – Only use personal data in the way you have permission to, and only if necessary.
• Retention limitation – Don’t store it longer than necessary.
• Early consideration – Incorporate privacy at the thinking stage of a development life cycle, before doing anything.
• Start where you are – Use what you have right now.

As with other efforts, it’s sensible to embed these in existing processes and procedures, which include project management, development, and support codified practices (it’s easy to change existing organizational habits than introducing new ones, wouldn’t you agree?).

Next post I will go for breach notification (and yes, GDPR has fines for this too).

 

GDPR – By reading this you are consenting…

 

Ensuring explicit consent by the individual is one of the key areas to take into account in the GDPR (your organization may face fines up to 20000000€ or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).

From a customer perspective, proper application of consent gives individuals autonomy and control over their data, resulting in more trust and reputation of the service provider.

Alas, with GDPR obtaining and maintaining consent is now significantly more difficult to achieve so we’ll look at what challenges it poses, the alternatives, when to use it and how to go about it.

Cats don’t like change without their consent. Roger Caras

Consent challenges

On one hand, consent must be given like in “of free will, specific, informed and unambiguous.” In some cases, the entity’s power position makes it unfeasible to use consent (as in the employee/employer relationship that conditions the free will).

On the other hand, the individual can trigger the right to be forgotten (which will have to be fulfilled unless there is a legal basis justifying the need for processing) or may even request deletion of their data because they are no longer needed.

Note that the initiative to request consent may constitute a violation of the right to privacy, as in the case of Honda in the United Kingdom (consent to request consent by email without having records of previous… consent).

Mechanisms for legal processing

For the above reasons, organizations should first determine the legality, under the RGPD, of the use of personal data. And then assess what the best mechanism to sustain legal processing. Of the six possible mechanisms, consent may not be the easiest to apply or the most correct.

There are five other alternatives to consent, which may be more appropriate for your organization:

• Processing is required:
  i) In relation to a contract that the individual has accepted; or
  ii) because the individual has asked that something is done so that he can accept a contract.
• Processing is required due to applicable legal obligation (except an obligation imposed by a contract).
• Processing is necessary to protect the “vital interests” of the individual. This condition applies only to life and death cases, such as when an individual’s medical history is made available to an emergency department at a hospital for treatment after a major road accident.
• Processing is necessary to administer justice or to perform statutory, governmental or other public functions.
• Processing is done according to the “legitimate interests” condition.

Of these alternatives, processing due to legal obligation is a practical approach, identifying existing legal basis that supports the processing needs of the organization is a good starting point. A concrete example, in the area of human resources, derives from the obligation to maintain information about the employee for social security. Just keep in mind that personal data should be limited to the minimum necessary for the processing for which it is intended.

Another alternative is the use “legitimate interests” to justify the processing of personal data, such as keeping the employee’s bank account to use for payment of wages.

When to use the consent mechanism?

Consent is appropriate when:

• There is use of special categories of data (such as sensitive health data)
• Processing restriction (there is reason not to process and only store personal data – for example when the individual disputes the accuracy of their data)
• Automatic decision making (criterion should be transparent)
• Bank transfers (be careful when existing safeguards are insufficient)

Consent best practices

The GDPR requirements for consent are: being specific, granular, clear, prominent, optin, documented and easily withdrawn.

From ICO (Information Commissioner’s Office) we’ve got the following guidance in the application of the consent mechanism:

• Separation: Consent requests must be separate from other terms and conditions. Consent cannot be a precondition for subscribing to a service unless it is required for the same service.
• Explicit subscription: Clear and positive action is required; Pre-filled boxes are not allowed.
• Granular: Each different form of processing must have its own means of registration.
• Assignment: It should be specific to all organizations, including other processors that will process the data.
• Easy to cancel: Provide clear means of canceling consent at any time.
• Relationship Balance: Obvious imbalances as employers/employees will result in forced consent, which is not acceptable.
• Documentation: Auditable consent records must be maintained.

For a simple list of support for the use of consent consult the document Consultation: GDPR consent guidance from ICO.

In the next post, we will go through data protection by design, a way of addressing data protection risk at the right time.

Resources

• An Article on when to use consent
• The Recitals from EU give insight on consent

On security for IT services

Security by Loopzilla at flickr - some rights reserved

[from: http://www.flickr.com/photos/loopzilla/2073400408/]

How should one go about regarding security for IT services?

One can look at it taking in account the service lifecycle approach from ITIL and concentrate on the Design phase, when we can invest early in order to achieve that honorable goal of having the minimum (avoidable) surprises and rework when service finally goes live. In other words, reduce operational costs by designing services right.

Some ideas (in no particular order):

1. Ensure external partners and suppliers that contribute to the services know and formally agree to their responsibilities (Underpinning Contracts)
2. Also get internal groups/teams formally agree on their responsibilities (Operational Level Agreements)
3. Changes to the services must include security impact assessment
4. A procedure for receiving and acting on security vulnerabilities reported from vendors of components that support the service
5. Include an explicit security section regarding security requisites in the initial analysis phase for new or changed services
6. Link the security requisites to service level targets so the SLA covers them
7. Check those requisites with customer when feasible (or at least with yourself if you’re a good candidate for using the service)
8. Make sure security tests are covered in the test plan
9. Then, while transitioning the service, perform the security tests
10. Have experts trying to break your service from outside and inside
11. Use the tools. There are technical tools and best practices you can apply thus avoiding reinventing the wheel or forgetting important checks
12. If a security incident happens is it clear for everybody who must be involved and what to do?

Yes, some of these will happen in the Transition and Operation phases even though their planning occurs before.

Love to hear about more ideas!

Mush and Room #9: Security and C.I.A.

Security and C.I.A. (secrets between Mush and Room)