Archive for the ‘Uncategorized’ Category

GDPR – Privacy by design (PbD)

September 7, 2017

Privacy by design (PbD) is meant to tackle privacy throughout the whole lifecycle of the activities by which an organization handles personal data for its purposes.

The intention is to invest in privacy earlier, reducing the need for late, costly fixes once personal data has already been misused.


A quick search on the topic turns up the goal of taking privacy by design so far that you won’t need to protect personal data at all (because there won’t be any left). There is also some criticism of PbD’s vagueness. That stems from its origin as a set of principles, as we will see next, which to me is a good sign in favour of its usefulness.

The principles

It started in Canada, with Ann Cavoukian, the former Information & Privacy Commissioner of Ontario, and her PbD principles, known as the Ontario model:

  1. Proactive not Reactive; Preventative not Remedial
    Anticipate privacy risks and prevent them before they materialize.
  2. Privacy as the Default
    Individuals get the maximum possible privacy by default, without having to act.
  3. Privacy Embedded into Design
    Privacy is an explicit part of the design and architecture of IT systems and business practices, not a bolt-on.
  4. Full Functionality – Positive-Sum, not Zero-Sum
    The goal is full functionality: privacy is not traded off against functionality or security, and neither is used as an excuse for less of the other.
  5. End-to-End Security – Lifecycle Protection
    Secure lifecycle management of information, from the instant it enters until it is no longer needed and is securely destroyed.
  6. Visibility and Transparency
    Users and providers alike can verify how PbD is achieved.
  7. Respect for User Privacy
    Users first: strong privacy defaults, appropriate notice, and empowering, user-friendly options.

Whenever we go for principles, putting them into practice is not immediate, and that is the point: they are generic and meant to be kept in mind. They are not operational themselves; they support operational decisions.

To focus the initiative we can piggyback on data mapping and privacy impact assessments. Both are opportunities to identify the places where privacy by design needs to be introduced intentionally.

Privacy by Design moments of truth

The ICO gives concrete examples of where privacy by design should be considered and applied: specifically, contexts where things change, whether driven from inside or outside the organization:

  • Building new IT systems for storing or accessing personal data
    • A change management process can trigger the review, though a better hook is often the funding request for a new IT system (or for cloud services that will hold your customers’ data).
  • Developing legislation, policy or strategies that have privacy implications
    • Make PbD part of the checklist of topics to check.
  • Embarking on a data sharing initiative
    • Remember that sharing data has never been easier.
  • Using data for new purposes
    • Look out for requests coming from marketing and sales; they know the business, you had better know the privacy impact (and explain it so clearly your family would understand).

Simplify

As with security in general, embedding checks at the right moments takes us a long way without much extra work. Take these simplifications as a starting point in your PbD journey:

  • Data minimization – Collect only what you need.
  • Purpose limitation – Only use personal data in the way you have permission to, and only if necessary.
  • Retention limitation – Don’t store it longer than necessary.
  • Early consideration – Incorporate privacy at the thinking stage of the development life cycle, before anything is built.
  • Start where you are – Use what you have right now.

As with other efforts, it is sensible to embed these in existing processes and procedures, including project management, development and support practices (it is easier to change existing organizational habits than to introduce new ones, wouldn’t you agree?).

In the next post I will cover breach notification (and yes, GDPR has fines for this too).

 


GDPR – By reading this you are consenting…

August 24, 2017

 

Ensuring valid, explicit consent by the individual is one of the key areas to take into account in the GDPR (your organization may face fines of up to €20,000,000 or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher).

From the customer’s perspective, proper application of consent gives individuals autonomy and control over their data, which builds trust in, and the reputation of, the service provider.

Alas, under the GDPR obtaining and maintaining consent is significantly harder, so we’ll look at the challenges it poses, the alternatives, when to use it and how to go about it.

Cats don’t like change without their consent. Roger Caras

Consent challenges

On one hand, consent must be “freely given, specific, informed and unambiguous”. In some cases the organization’s position of power makes consent unworkable (as in the employer/employee relationship, where the imbalance undermines free will).

On the other hand, the individual can invoke the right to be forgotten (the right to erasure), which will have to be fulfilled unless another legal basis justifies continued processing, or may simply request deletion of their data because it is no longer needed for the purpose it was collected for.

Note that the very act of asking for consent can itself be unlawful, as Honda found out in the United Kingdom (it emailed people asking for their consent to marketing without holding records of their previous… consent).

Mechanisms for legal processing

For the above reasons, organizations should first determine whether their use of personal data is lawful under the GDPR, and then assess which basis best supports that processing. Of the six possible bases, consent may be neither the easiest to apply nor the most appropriate.

There are five other alternatives to consent, which may be more appropriate for your organization:

  • Processing is necessary:
    i) for the performance of a contract the individual has accepted; or
    ii) because the individual has asked for steps to be taken before entering into a contract.
  • Processing is necessary to comply with a legal obligation (other than one imposed by a contract).
  • Processing is necessary to protect the “vital interests” of the individual. This applies only to life-and-death cases, such as making an individual’s medical history available to a hospital emergency department for treatment after a major road accident.
  • Processing is necessary to administer justice or to perform statutory, governmental or other public functions.
  • Processing is done under the “legitimate interests” condition.

Of these alternatives, processing under a legal obligation is a practical one: identifying the existing legal basis that supports the organization’s processing needs is a good starting point. A concrete example, in human resources, derives from the obligation to keep information about employees for social security purposes. Just keep in mind that the personal data must be limited to the minimum necessary for the processing it is intended for.

Another alternative is to use “legitimate interests” to justify the processing of personal data, such as keeping the employee’s bank account details to pay wages.

When to use the consent mechanism?

Consent is appropriate when:

  • Special categories of data are processed (such as sensitive health data)
  • Processing is restricted (there is reason not to process and only store personal data, for example while the individual disputes the accuracy of their data)
  • Automated decision-making takes place (the criteria should be transparent)
  • Personal data is transferred internationally (be careful where existing safeguards are insufficient)

Consent best practices

The GDPR requirements for consent are that it be specific, granular, clear, prominent, opt-in, documented and easily withdrawn.

From the ICO (Information Commissioner’s Office) we have the following guidance on applying the consent mechanism:

  • Unbundled: Consent requests must be separate from other terms and conditions. Consent cannot be a precondition for a service unless it is necessary for that same service.
  • Active opt-in: A clear, positive action is required; pre-ticked boxes are not allowed.
  • Granular: Each distinct type of processing must have its own, separate consent.
  • Named: Name your own organization and any third parties, including other processors, that will rely on the consent.
  • Easy to withdraw: Provide clear means of withdrawing consent at any time, and tell people how.
  • Balance of power: Obvious imbalances, such as employer/employee, make consent effectively forced, which is not acceptable.
  • Documented: Keep auditable records of what each individual consented to, what they were told, and when and how they consented.

For a simple checklist on the use of consent, consult the ICO document “Consultation: GDPR consent guidance”.
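The granular, easy-to-withdraw and documented points above translate directly into an engineering requirement: consent is stored per purpose and per named organization, a withdrawal is recorded rather than wiping history, and the record keeps what the person was shown. The Python sketch below is an added example, not code from the original post or from the ICO; the data model, purpose names, notice version and organization names are assumptions made for illustration.

```python
"""Consent ledger sketch: per-purpose, affirmative, named, withdrawable, auditable.

Added example; the purposes, notice versions and organisation names are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry for one individual and one purpose."""
    subject_id: str
    purpose: str                    # granular: one purpose per record
    given: bool                     # True = consent given, False = withdrawn
    at: datetime
    notice_version: str             # version of the wording the person was shown
    named_parties: Tuple[str, ...]  # organisations named when consent was sought
    source: str                     # where the action happened, e.g. "web:signup-form"


class ConsentLedger:
    """Events are only ever appended; a withdrawal is a new event, never a deletion."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, notice_version: str,
                      named_parties: Tuple[str, ...], source: str, *,
                      ticked_by_user: bool, at: Optional[datetime] = None) -> None:
        # A pre-ticked box, silence or inactivity is not consent: refuse to record
        # anything, so is_permitted() keeps answering False for this purpose.
        if not ticked_by_user:
            raise ValueError("consent requires a clear affirmative action by the individual")
        if not named_parties:
            raise ValueError("consent must name the organisations that will rely on it")
        self._events.append(ConsentEvent(subject_id, purpose, True,
                                         at or datetime.now(timezone.utc),
                                         notice_version, tuple(named_parties), source))

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> None:
        # Recorded even if nothing was ever given: the trail must show the request.
        self._events.append(ConsentEvent(subject_id, purpose, False,
                                         at or datetime.now(timezone.utc), "", (), source))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        # Events are appended in time order, so the last match is the current state.
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose:
                return ev
        return None

    def is_permitted(self, subject_id: str, purpose: str, party: str) -> bool:
        """Purpose limitation check: may `party` process this person's data for `purpose`?"""
        ev = self._latest(subject_id, purpose)
        return ev is not None and ev.given and party in ev.named_parties

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded about one individual, for audits and access requests."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


def demo() -> dict:
    """Walk one constructed signup: two separate unticked boxes, one later withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2017, 8, 24, 9, 0, tzinfo=timezone.utc)
    ledger.record_opt_in("u-1001", "newsletter", "notice-v3", ("Example Ltd",),
                         "web:signup-form", ticked_by_user=True, at=t0)
    try:  # the profiling box was left unticked: no record, hence no consent
        ledger.record_opt_in("u-1001", "profiling", "notice-v3", ("Example Ltd",),
                             "web:signup-form", ticked_by_user=False, at=t0)
    except ValueError:
        pass
    result = {
        "newsletter_before": ledger.is_permitted("u-1001", "newsletter", "Example Ltd"),
        "newsletter_partner": ledger.is_permitted("u-1001", "newsletter", "Partner Co"),
        "profiling": ledger.is_permitted("u-1001", "profiling", "Example Ltd"),
    }
    ledger.withdraw("u-1001", "newsletter", "email:unsubscribe-link", at=t0.replace(day=25))
    result["newsletter_after"] = ledger.is_permitted("u-1001", "newsletter", "Example Ltd")
    result["events"] = len(ledger.history("u-1001"))  # opt-in and withdrawal both kept
    return result


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Withdrawal appends an event instead of deleting the opt-in, because the opt-in record is the evidence you will need if someone later asks why you emailed them in August. And `is_permitted` requires the asking party to have been named when consent was sought, so a partner that was not on the form gets a “no” even though the individual did tick the box.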

In the next post, we will go through data protection by design, a way of addressing data protection risk at the right time.

Resources

  • An Article on when to use consent
  • The Recitals from EU give insight on consent

Resume – Books, doing and breathing

June 7, 2016

Summer Sky near Alqueva

I want you to benefit from some starting points below. I’ll get better at it, promise.

Books

Two half-meter book piles are now beside my bed. I may need shelves before they dangerously rival Pisa’s tower. Better have fewer books around, I guess. Three quite different suggestions:

  • (To read) The new Kevin Kelly: The Inevitable. His “What Technology Wants” book had so much to think upon that I had to stop reading it because I was reading too fast.
  • (Reread) 18 Minutes (short video on this wonderful run-walk “tip”) from Peter Bregman.
  • (Reading) I keep coming back to Terry Pratchett. I started with Wyrd Sisters and reading his books keeps jolting my “new bark”. This is delicious (from Moving Pictures, I think it’s on page 35 of the paperback edition; it’s my current non-technical read and I’ve been learning a lot):

“Of course, it is very important to be sober when you take an exam. Many worthwhile careers in the street-cleansing, fruit-picking and subway-guitar-playing industries have been founded on a lack of understanding of this simple fact.”

Doing

Things I am doing and… improving:

  • (Drawing) A drawing a day. Started back on 29th February (it is a leap… year). Almost 100 drawings now, ranging from 10-second fast and furious drafts to one-page comics that took me rewarding hours.
  • (Habits) Getting good at acquiring and letting go habits (drawing is one I’ve acquired). They say it’s easier to change existing habits. I found it true at least for eating and reading (Duhigg’s book is an excellent read and may prompt you to tackle habits in a purposeful and conscious way).
  • (Second life) I think it has to do with aging; I am now less tolerant with entropy and actively looking for ways to make significant change happen (yes I am talking about myself – seems a sensible place to start). I understand way better now what Peter Drucker wrote on this (the “second life” and beyond daily work-as-usual, whatever that is for each of us).

Breathing

I’ve used the word fast too many times in this post. I suggest you try this if you ever feel you are going too fast and under more stress than you can handle.

I will be doing this in a [non-frequent] newsletter format (so one can either keep them coming or opt out!). I am working on topics and focus so it’s beyond an ego-list of things I love (like what has really worked for me).

Be Well. Até já.

100th

July 8, 2013

Seth has written more than 5000 posts ranging from great to… remarkable 🙂

To get a more specific perspective, Rob England said not long ago that he had written more than 1100 posts.

I have now reached my hundredth post.

Humbling.

Life is short. I do what I want: Draw, share, explain for you.


Obrigado.

Thank you.

Gracias.

Merci.

Kiitos Paljon.

Terima Kasih.


You guys and gals rock.

2013 – on the road again

January 3, 2013

Back again.

Olhão – at Algarve, Portugal

Topics I find interesting – thus candidates to deeper understanding and writing this year:

  • BPMN 2.0 – Visual standard from OMG for capturing existing or revamped/new processes. It conveniently represents collaborating roles, timer and notification events, decisions and tasks. More on this here and a blog and a poster!
  • Infosec and Service Management fusion – Pushed by ISOs (ISO 20000, ISO 27001 and guidance on integrated implementation of both: ISO 27013).
  • Seamless process and content – On one side venerable content centric ECM. On the other corner not-so-new process centric BPM (ACM lurking nearby). Ways to blend both wanted.
  • Social knowledge – Tagging and searching go a long way towards knowledge sharing. How can we tap into this torrent and extract meaningful wisdom?
  • Mobile/BYOD/BYOE – Bring Your Own Everything… this ties back to information security and is a big issue now. Mobile Device Management (MDM – hooray! Another 3 letter buzzword!) coming of age.

I may draw on these topics as I did before, mostly with ITIL. Let’s see how it goes this time.

My wishes for you gentle readers: Go for your dreams this year. Remember life is short – the sooner the better. And laugh a lot – oxygen and endorphin for free!

2010 in review {thanks to WordPress guys!}

January 10, 2011

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads Wow.

Crunchy numbers


The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 73,000 times in 2010. If it were an exhibit at The Louvre Museum, it would take 3 days for that many people to see it.

 

In 2010, there were 35 new posts, growing the total archive of this blog to 73 posts. There were 45 pictures uploaded, taking up a total of 9 MB. That’s about 4 pictures per month.

The busiest day of the year was August 23rd with 386 views. The most popular post that day was The RACI Matrix – Who’s Responsible, Accountable, Consulted… and kept Informed.

Where did they come from?

The top referring sites in 2010 were linkedin.com, informit.com, google.com, google.co.in, and ow.ly.

Some visitors came searching, mostly for raci matrix, itil v3, itil v3 processes, itil raci, and itil processes.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

1. The RACI Matrix – Who’s Responsible, Accountable, Consulted… and kept Informed (April 2007, 4 comments)
2. ITIL v3 Processes along the Service Lifecycle Diagram (Français, English, Português) (October 2007, 5 comments)
3. Service Portfolio and Service Catalogue and… – ITIL v3 (July 2007, 10 comments)
4. ITIL v3 Overview – Excellent summary. And free… (November 2007, 5 comments)
5. What’s new on ITIL v3 (from Sharon Taylor Axios whitepaper) – part II (May 2007, 1 comment)

Back and Delay

October 1, 2010


Back and Delay (curlies conveying not-shipping-blues)

I’m back — boy, do I miss this.

Sorry about the Mush and Room book. I promised it for September but didn’t ship.

Mush and Room going back to paper

June 8, 2010

Night reading

Kids’ drawings (a skeleton and a water drop), a comic book from my younger brother, novels, management and self-help books, Wired magazine and the Moleskine where I draw those pesky Mush and Room fungi

Babauta, Covey, Godin, Guillebeau, Heinemeier Hansson (and so many more) got it right and shared it: Keep it simple, focus, live now. Just do it (Nike got it too).

For more than 20 years I wanted to write and publish a book.

It always depended on me and now it is as easy as it gets – no more excuses.

Uniball VISION ELITE gel pen, made in Japan (Mush and Room inking)

This September Mush and Room will come out in their original form: Organic, touchable, convenient paper.

Até já,

Rui

Ah! Read their magic books:

Leo Babauta: The power of less

Stephen R. Covey: The 7 Habits of highly effective people

Seth Godin: Linchpin

Chris Guillebeau: A brief guide to world domination

David Heinemeier Hansson (with Jason Fried): Rework

ITGI (CobiT, ValIT, Risk IT,…) supports IT Governance (ISO 38500)

November 29, 2009

Gary Hardy from ITGI wrote the article “ITGI Enables ISO/IEC 38500:2008 Adoption” (available only to ISACA members), putting the case for using mostly CobiT and ValIT from the ITGI portfolio to enable IT Governance according to ISO 38500 (it goes through all six principles and the three main tasks described in the standard).

[Found it reading the crystal clear and highly recommended “The journey towards enterprise governance of IT” by Geoff Harmer]

Seven “ITIL is not” statements

November 23, 2009

Seven from platinum at Flickr - some rights reserved

1. It’s not technology – it’s [IT] service management

2. It’s not the last word – it’s a reference, a good place to start

3. It does not teach how to do it – rather guides on what to do

4. It is not a tool – it is responsibilities, activities, results… it does need tools

5. It’s not instantaneous – it is gradual (for humans!)

6. It is not magic – just reusable common sense

7. It is not peaceful – it always goes with organizational change

[update: There’s now an excellent Portuguese version of these seven “not” statements by Rubens Ranginha in his blog. Bem haja Rubens!]