Privacy by Design in the Cloud

Transcription

1 Privacy by Design in the Cloud - some raffish reflections Ernst O. Wilhelm, Chief Privacy Officer, GFT Belgian Cyber Security Convention, EuroCloud Forum, Mechelen,

2 Agenda 1. The Data Protection Challenge 2. The Software Development Challenge 3. The Cloud Challenge 4. A new Focus on Privacy in the Cloud 5. Bringing the Unicorn down the Trenches 26/10/2017 2

3 1. The Data Protection Challenge Source: Wilhelm 3

4 1. Data Protection by Design and by Default (GDPR Art 25) (1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement dataprotection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual s intervention to an indefinite number of natural persons. (3) An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article. 26/10/2017 4

5 1. Privacy by Design Principles Ann Cavoukian: Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization s default mode of operation.[ ] Principles of Privacy by Design may be applied to all types of personal information, but should be applied with special vigour to sensitive data such as medical information and financial data. Cavoukian s 7 Foundational Principles of Privacy by Design Proactive not Reactive, Preventative not Remedial Privacy Embedded into Design Privacy as the Default Setting Full Functionality Positive Sum, not Zero-Sum End-to-End Security, Full Lifecycle Protection Visibility and Transparency, Keep it Open Respect for User Privacy, Keep it User-Centric 26/10/2017 5

6 1. Privacy Design Strategies Jaap-Henk Hoepman: A design strategy describes a fundamental approach to achieve a certain design goal, that has certain properties that allow it to be distinguished from other (basic) approaches that achieve the same goal. [ ] A natural starting point to derive some privacy preserving strategies is to look at when and how privacy is violated,and then consider how these violations can be prevented. Hoepman s 8 Privacy Design Strategies MINIMIZE The amount of personal information that is processed should be minimal. HIDE Any personal information that is processed should be hidden from plain view. SEPARATE The processing of personal information should be done in a distributed fashion whenever possible. AGGREGATE Personal information should be processed at the highest level of aggregation and with the least possible detail in which it is (still) useful. Inform Data subjects should be adequately informed whenever personal information is processed. CONTROL Data subjects should have agency over the processing of their personal information. ENFORCE A privacy policy compatible with legal requirements should be in place and should be enforced. DEMONSTRATE Demonstrate compliance with the privacy policy and any applicable legal requirements. 6

7 1. Completeness vs. Concreteness of Vision 7 Foundational Principles of Privacy by Design Completeness of Vision 8 Privacy Design Strategies Concreteness of Vision Source: Wilhelm 7

8 Agenda 1. The Data Protection Challenge 2. The Software Development Challenge 3. The Cloud Challenge 4. A new Focus on Privacy in the Cloud 5. Bringing the Unicorn down the Trenches 26/10/2017 8

9 2. The Software Development Challenge What the client has dreamt of What has been defined as client requirements What has been designed as solution by the architect What has been delivered in the first place What is finally delivered after painful discussions with the client! 9

10 2. The Basic Software Development Model Code Fix Characteristics: Developer knows what the user needs Emphasis on individuals (heroes) Knowledge is represented by people No project management No documentation No testing or done by the user Very high variance in time,cost and quality Low scalability (complex projects tend to fail) Validation by user experience 10

11 2. The Waterfall Software Development Model Characteristics: reduction of complexity by subsequent phases with separations of concerns emphasis on process and project management increased scalability knowledge is represented by documents requirements document knows what the user needs approved artefacts are pre-requisites for transition to the subsequent phase (waterfall) late validation in verification phase by comparing requirements definition and delivery low capability for integrating change requests still high variance in time, cost and quality maintenance phase has to bridge the gap between the delivery and the expectation of the user 11

12 2. The Iterative Software Development Model Characteristics: Integrates aspects of waterfall software development Additional reduction of complexity by iterative development cycles Increased capability for integrating change requests between development cycles Requirements Document is approximating to what the user needs Emphasis on release planning and risk management Incremental validation by prototyping Maintenance phase eliminated Still significant variance in time, cost and quality 12

13 2. Agile Software Development Model Characteristics: Emphasis on visibility and values Value of individuals and interactions over processes and tools Value of working software over comprehensive documentation Value of customer collaboration over contract negotiation Value of responding to change over following a plan High capability for integrating change requests Focus on vital requirements first and fast ROI Fast validation by incremental delivery Minimum variance in time, cost and quality 13

14 2. The Devil s Triangle in Software Development Cost Schedule Scope Data Protection Requirements software development is not a repetition of standard steps like in hardware manufacturing software development involves constant invention, accurate effort estimation is impossible attempts to constrain all factors at the same time yield high uncertainty and high risk to customer satisfaction risk is minimized if only one variable is constrained 14

15 2. Privacy by Design in Agile Software Development Source: Terbu, Hötzendorfer, Leitner, Bonitz, Vogl, Zehetbauer 15

16 Agenda 1. The Data Protection Challenge 2. The Software Development Challenge 3. The Cloud Challenge 4. A new Focus on Privacy in the Cloud 5. Bringing the Unicorn down the Trenches 26/10/

17 3. The Cloud Challenge 26/10/

18 3. The Cloud Privacy Standard (ISO 27018) ISO/IEC 27018: Code of Practice for protection of PII in public clouds acting as PII processor, 2014 With special emphasis of commissioned processing of personal data in a public cloud environment, this guidance helps the DPO of a cloud service customer: to comply with applicable obligations with special emphasis on processing of personal data to select a well-governed cloud service provider on basis of transparent criteria to enter into a contractual agreement with the cloud service provider on basis of standardized requirements to establish a common understanding regarding a mechanism for exercising audit and compliance rights and responsibilities Note: Certification for this standard is not available directly but can be considered within an ISO certification. 26/10/

19 3. Essential Structure of ISO ISO (Protection of PII in public in public clouds) 0 Introduction 1 Scope 2 Normative references 3 Terms and definitions 4 Overview 5 Information security policies 6 Organization of information security organization 7 Human resource security 8 Asset management 9 Access control 10 Cryptography 11 Physical and environmental security 12 Operations security 13 Communications security 14 System acquisition, development and maintenance 15 Supplier relationships 16 Information Security Incident Management 17 Information security aspects of business continuity management 18 Compliance Annex A: Public cloud PII processor extended control set for PII protection ISO (Information Security Controls) 0 Introduction 1 Scope 2 Normative references 3 Terms and definitions 4 Structure of this Standard 5 Information security policies 6 Organization of information security organization 7 Human resource security 8 Asset management 9 Access control 10 Cryptography 11 Physical and environmental security 12 Operations security 13 Communications security 14 System acquisition, development and maintenance 15 Supplier relationships 16 Information Security Incident Management 17 Information security aspects of business continuity management 18 Compliance 26/10/

20 3. Special Privacy Requirements in ISO Anne x A: Public cloud PII processor extended control set for PII protection A.1 Consent and choice A.1.1 Obligation to co-operate regarding PII principals rights A.2 Purpose legitimacy and specification A.2.1 Public cloud PII processor s purpose A.2.2 Public cloud PII processor s commercial use A.3 Collection limitation A.4 Data minimization A.4.1 Secure erasure of temporary files A.5 Use, retention and disclosure limitation A.5.1 PII disclosure notification A.5.2 Recording of PII disclosures A.6 Accuracy and quality A.7 Openness, transparency and notice A.7.1 Disclosure of sub-contracted PII processing A.8 Individual participation and access A.9 Accountability A.9.1 Notification of a data breach involving PII A.9.2 Retention period for administrative security policies and guidelines A.9.3 PII return, transfer and disposal A.10 Information security A.10.1 Confidentiality or non-disclosure agreements A.10.2 Restriction of the creation of hardcopy material A.10.3 Control and logging of data restoration A.10.4 Protecting data on storage media leaving the premises A.10.5 Use of unencrypted portable storage media and devices A.10.6 Encryption of PII transmitted over public data-transmission networks A.10.7 Secure disposal of hardcopy materials A.10.8 Unique use of user IDs A.10.9 Records of authorized users A User ID management A Contract measures A Sub-contracted PII processing A Access to data on pre-used data storage space A.11 Privacy compliance A.11.1 Geographical location of PII A.11.2 Intended destination of PII 26/10/

21 3. The Cloud Privacy Agreement (CSA) Cloud Security Alliance: Privacy Level Agreement [V2]: A Compliance Tool for Providing Cloud Services in the EU, 2015 The PLA may be used by the DPO as a template for a description of the level of privacy protection to be provided by the Cloud Service Provider: While Service Level Agreements ( SLA ) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal data protection practices. The PLA similar to SLA should represent an appendix to a Cloud Services Agreement. The PLA provides the DPO of the Cloud Service Customers with a tool to identify a baseline of mandatory personal data protection legal requirements across the EU and to evaluate the level of personal data protection offered by different Cloud Service Providers The PLA offers Cloud Service Providers with guidance for achieving a baseline of compliance with mandatory personal data protection legislation across the EU and disclose, in a structured way, the level of personal data protection that they offer to customers. 26/10/

22 3. Essential Structure of the Cloud Privacy Agreement 26/10/2017 Source: CSA 22

23 3. Special Privacy Requirements in the Cloud Privacy Agreement 1. IDENTITY OF THE CSP (AND OF REPRESENTATIV E IN THE EU AS APPLICABLE), ITS ROLE, AND THE CONTACT INFORMATION FOR THE DATA PROTECTION INQUIRIES 2. WAYS IN WHICH THE DATA WILL BE PROCESSED 2.1. Personal data location 2.2. Subcontractors 2.3. Installation of softw are on cloud customer s system 3. DATA TRANSFER 4. DATA SECURITY MEASURES 5. MONITORING 6. PERSONAL DATA BREACH NOTIFICATION 7. DATA PORTABILITY, MIGRATION, AND TRANSFER BACK ASSISTANCE 8. DATA RETENTION, RESTITUTION AND DELETION 8.1. Data retention policy 8.2. Data retention for compliance w ith legal requirements 8.3. Data restitution and/or deletion 9. ACCOUNTABILITY 10. COOPERA TION 11. LEGALLY REQUIRED DISCLOSURE 26/10/2017 Source: CSA 23

24 Agenda 1. The Data Protection Challenge 2. The Software Development Challenge 3. The Cloud Challenge 4. A new Focus on Privacy in the Cloud 5. Bringing the Unicorn down the Trenches 26/10/

25 4. Sanction Thresholds in the GDPR Lower Threshold (2% of worldwide annual turnover or 10 million euros) Fines in the lower threshold are assessed for most provisions including most notably violations of: Obtaining a child s consent according to the applicable conditions Notifying the supervisory authority of a personal data breach Notifying the data subject of a personal data breach Designating a data protection officer Higher Threshold (4 % of worldwide annual turnover or 20 million euros) Fines in the higher threshold are assessed for more serious violations of: Basic principles for processing data including consent Data subjects rights Data transfer provisions Obligations to country specific laws Non-compliance with an order by a supervisory authority 26/10/

26 4. Setting the Focus on the Rights of the Data Subject Article 7 Article 12 Article 13 Article 14 Article 15 Article 16 Article 17 Article 18 Article 19 Article 20 Article 21 Article 22 Right to withdraw consent Transparent information, communication and modalities for the exercise of the rights of the data subject Information to be provided where personal data are collected from the data subject Information to be provided where personal data have not been obtained from the data subject Right of access by the data subject Right to rectification Right to erasure ( right to be forgotten ) Right to restriction of processing Notification obligation regarding rectification or erasure of personal data or restriction of processing Right to data portability Right to object Automated individual decision-making, including profiling 26

27 4. High risk indicators for data subjects rights in the Cloud Evaluation or scoring, including profiling and predicting, especially from aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements Automated-decision making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing legal effects concerning the natural person or which similarly significantly affects the natural person Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through a systematic monitoring of a publicly accessible area Sensitive data: this includes special categories of data as defined in Article 9 as well as personal data relating to criminal convictions or offences. Data processed on a large scale: considering the number of data subjects concerned, the volume of data and/or the range of different data items being processed, the duration or permanence of the data processing activity, the geographical extent of the processing activity Source: WP

28 4. High risk indicators for data subjects rights in the Cloud Datasets that have been matched or combined, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject Data concerning vulnerable data subjects: increased power imbalance between the data subject and the data controller Innovative use or applying technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control Data transfer across borders outside the European Union taking into consideration the envisaged country or countries of destination, the possibility of further transfers or the likelihood of transfers based on derogations for specific situations When the processing in itself prevents data subjects from exercising a right or using service or a contract e.g. processings performed in a public area that people passing by cannot avoid, or processings that aims at allowing, modifying or refusing data subjects access to a service or entry into a contract. Source: WP /10/

29 4. Data Protection Risk and Impact Assessment Violation of data subject rights Source: ISO Source: WP

30 4. Games of Data Subject Rights GDPR Art 7, 12ff GDPR Art 35, Rec 78 Data Subject is entitled to rights Cloud Service Client respects the rights of DS Cloud Service Provider acts on behalf of CSC SCC Third Party Beneficiary Clause Source: Wilhelm 27/10/

31 4. Legal Provisions with Impact on the Cloud Service Provider GDPR Article 35: Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. [ ] GDPR Recital 78: [ ] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders. SCC Third Party Beneficiary Clause: The data subject can enforce against the data importer this Clause [ ] in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. 26/10/

32 Agenda 1. The Data Protection Challenge 2. The Software Development Challenge 3. The Cloud Challenge 4. A new Focus on Privacy in the Cloud 5. Bringing the Unicorn down the Trenches 26/10/

33 5. Bringing the Unicorn down the Trenches 7 Foundational Principles of Privacy by Design Completeness of Vision 8 Privacy Design Strategies 5 Core Privacy Design Gears Concreteness of Vision 33

34 5. Core Privacy Design Gears S S G Self Service Gateway Art 7, 15, 16, 17, 22 R S H Subject Request Handler N S P Subject Notification Processor Art 12, 13, 14, 19, 22 Art 7, 12, 15, 16, 17, 18, 20, 21, 22 E R M Art 17, 18, 19 Retention and Erasure Manager 27/10/2017 P S I Art 15, 20 Standardized Portability Interface Source: Wilhelm 34

35 5. Sample: Retention and Erasure Manager in a HR Cloud Service Name Country Contract Start End Erase? Thibaut Courtois Belgium Part Time Dries Mertens Belgium Temporary Robert Lewandowski Poland Full Time Andreas Granqvist Sweden Full Time Adrian Mutu Romania Full Time /10/2017 Source: Wilhelm 35

36 5. First Order Retention Schedule BEL BEL BEL Source: Iron Mountain 36

37 5. Second Order Retention Schedule Source: Iron Mountain 37

38 5. Retention and Erasure Workflow Source: Wilhelm 38

39 Shaping the future of digital business Ernst O. Wilhelm Chief Privacy Officer GFT Technologies SE Schelmenwasenstraße Stuttgart Germany