EU General Data Protection Regulation (GDPR): An Inspirational Overview. Sven-Erik Vestergaard, Security Architect, IBM Security, svest@dk.ibm.com. September 29, 2015
Legal notices and disclaimers. Copyright 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at "Copyright and trademark information", www.ibm.com/legal/copytrade.shtml
Data Protection: Council agrees on a general approach
A Regulation is a binding legal act that is applicable in its entirety across the EU. On 15 June 2015, the Council reached a general approach on the General Data Protection Regulation, which establishes rules adapted to the digital era. The twin aims of this Regulation are to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market.
Source: http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection
How does the data protection reform strengthen citizens' rights?
In the 17 years since the current data protection rules were adopted, new ways of communicating such as online social networks have profoundly changed the way people share personal information, while cloud computing means that more data is stored on remote servers instead of personal computers. 250 million people now use the internet daily in Europe. In this fast-changing environment, individuals must retain effective control over their personal data. This is a fundamental right for everyone in the EU and must be safeguarded.
Source: http://ec.europa.eu/justice/data-protection
Key facts
- For 63% of Europeans, disclosing personal information is a big issue
- 70% are concerned that companies may use the information for a purpose other than the one they collected it for
- Only 26% of social media users and 18% of online shoppers feel in complete control of the information they disclose
- 90% of Europeans think it is important to have the same rights and protection in all EU countries
Source: http://www.consilium.europa.eu
What is the Commission proposing?
The new rules will ensure that you receive clear and understandable information when your personal data is processed. Whenever your consent is required, it will have to be given explicitly before a company can process your personal data. The European Commission will also strengthen individuals' right to be forgotten, which means that if you no longer want your data to be processed, and there is no legitimate reason for a company to keep it, the data shall be deleted.
Source: http://ec.europa.eu/justice/data-protection
Terms you need to know
Binding corporate rules (BCR): Codes of practice based on European data protection standards, approved by at least one Data Protection Authority, which multinational organisations draw up and follow voluntarily to ensure adequate safeguards for transfers, or categories of transfers, of personal data between companies that are part of the same corporate group and that are bound by these corporate rules.
Controller or Data controller: Natural or legal person, public authority, organisation, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Data Protection Authority (DPA): National supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at national level (e.g. handling complaints from individuals, carrying out investigations and inspections of data controllers' activities, engaging in legal proceedings against violations of data protection rules).
Data Protection Impact Assessment (DPIA): A process whereby a conscious and systematic effort is made to assess privacy risks to individuals in the collection, use and disclosure of their personal data. DPIAs help identify privacy risks, foresee problems and bring forward solutions.
Data Protection Officer (DPO): A person responsible within a data controller or a data processor for supervising and monitoring, in an independent manner, the internal application of and respect for data protection rules. The DPO can be either an internal employee or an external consultant.
Data subject: An identified or identifiable person to whom the "personal data" relate.
Source: http://ec.europa.eu/justice/data-protection/document/review2012/sec_2012_72_en.pdf
Extracts of GDPR in Bullet Form (1)
- Under the Directive, any data by which an individual can be identified was the sole responsibility of the data controller, i.e. the organisation that determines why and how the data is processed. Under the new Regulation, however, any company or individual that processes this data will also be held responsible for its protection, including third parties such as cloud providers.
- The right to be forgotten will help people better manage data-protection risks online. When they no longer want their data to be processed and there are no legitimate grounds for retaining it, the data will be deleted.
- Whenever consent is required for data processing, it will have to be given explicitly, rather than be assumed.
- When it comes to profiling, data subjects have the right to object to any data profiling.
- Easier access to one's own data and the right of data portability, i.e. easier transfer of personal data from one service provider to another.
- Companies and organisations will have to notify serious data breaches without undue delay, where feasible within 24/72 hours (the 2012 proposal said 24 hours; the Council's 2015 general approach says 72 hours).
- A single set of rules on data protection, valid across the EU.
Source: http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf
Extracts of GDPR in Bullet Form (2)
- Companies will only have to deal with a single national data protection authority, in the EU country where they have their main establishment.
- Individuals will have the right to refer all cases to their home national data protection authority, even when their personal data is processed outside their home country.
- EU rules will apply to companies not established in the EU if they offer goods or services in the EU or monitor the online behaviour of citizens.
- Unnecessary administrative burdens, such as notification requirements for companies processing personal data, will be removed.
- National data protection authorities will be strengthened so they can better enforce the EU rules at home.
- Non-compliance could lead to regular and periodic audits and/or a fine of 2%-5% of annual worldwide turnover, whichever is greater (the percentage differs between the Council's and the Parliament's positions at the time of writing).
Source: http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/1_en.pdf
How to start: Do not panic! But get executive sponsorship.
A good way to start is with a self-assessment or maturity project:
- How do you collect personal data?
- In what context do you use the data, and how do you store it?
- Who owns the personal data in your organization? There may be several departments.
- Do you ever clean up personal data?
- Is there any gap between the written processes and the actual daily operation when it comes to personal data?
- Use the Danish Data Protection Act as a starting point and/or ISO 2700x.
Prepare for the worst:
- Appoint a Data Protection Officer (DPO) if needed or, for a smaller business, a person with equivalent responsibilities.
- Have a plan for when breaches happen. Who should be informed, internally and externally? Who should be in the response team? Have a clear definition of responsibilities for each individual in the response team.
- Have a plan for when a Data Protection Impact Assessment (DPIA) is required.
How can IBM Help?
IBM Data Privacy Services helps provide sustainable solutions using these four key components of data privacy:
- IBM's Research
- IBM's Privacy Patents
- IBM's Privacy and Security experience
- IBM's Total Privacy Management (TPM) Framework
IBM has been working on data privacy issues since 2001 and has applied for numerous data privacy patents since, proving its position as a thought leader. Examples of selected IBM privacy patents which reflect our position as a privacy thought leader:
- U.S. Patent 7069427 (2006-06-27): Using a rules model to improve handling of personally identifiable information. This helps companies track client personally identifiable information in their systems by using a defined rules set.
- U.S. Patent 7603317 (2009-10-13): Using a privacy agreement framework to improve handling of personally identifiable information. The invention illustrates how to identify opportunities to reduce privacy-related risks.
- U.S. Patent 7890530 (2011-02-15): Method and system controlling access to data via a data-centric security model. A method for controlling access to data through a data-focused security model.
- U.S. Patent 7962962 (2011-06-14): Using an object model to improve handling of personally identifiable information. By using privacy objects (such as data subject and data user) companies can track their privacy actions in their systems.
- U.S. Patent 8140531 (2012-03-20): Process and method for classifying structured data. A system and method for classifying structured data by automatically suggesting classification labels.
- U.S. Patent 8,695,101 (2014-04-08): Data privacy engine. How to translate different jurisdictional privacy regulations into rules that IT and compliance professionals can understand when dealing with cross-border data flows.
IBM's Privacy and Security experience allows us to implement more holistic solutions for our clients.
- IBM is "Most Trusted for Privacy": for several years IBM has been recognized as the Most Trusted for Privacy in the technology industry in North America.
- Privacy vision: IBM's record in data protection and privacy is exemplary, stretching back over five decades to when IBM was one of the first companies in the world to adopt a global privacy code. IBM works closely with regulators and standards bodies to develop privacy controls, and holds multiple patents in the area of privacy innovation.
- IBM's patented Privacy Architecture: IBM has developed a robust privacy architecture which helps organizations understand the data uses in their environment. This was developed in 2002 and has been consistently enhanced and refined since that time.
- Extensive expertise: in 2000, IBM hired one of the first Chief Privacy Officers in the US. We have been addressing global privacy issues for over 15 years and have more than 1200 dedicated risk professionals; over 30 dedicated professionals who address privacy issues, including a past Chief Privacy Officer from a Fortune 500 company; over 400 consultants who have worked on privacy projects; and 75+ CIPP-certified consultants.
- "One Security": IBM's expertise across Security Services and Security Products, IBM's wide range of security products, and the consulting teams' ability to help provide an integrated, holistic solution. Recognized as a leader by multiple secondary sources such as Gartner and Forrester.
Sophisticated attacks require sophisticated defense, but ultimately, sensitive data should be protected with a layered approach.
[Diagram: layered architecture from the Internet to the sensitive data. Actors: hacker (rogue sources); users (customer, business partner, employee, contractor); privileged users (DBAs, developers). Tiers: web servers in the DMZ, application servers, data servers and sensitive data on the intranet, with an auth server. Threats per tier: web servers: DoS, spoofing, port scanning, known web server vulnerabilities, pattern-based attacks; app servers: cross-site scripting, parameter tampering, cookie poisoning; data servers: unauthorized access, suspicious activity, SQL injection. Controls: IDS/IPS at the network servers, QRadar monitoring across tiers, Guardium at the data servers.]
Organizations are moving towards virtualization and cloud computing: build data protection in from the start. IBM InfoSphere Guardium can help with:
- Automatic discovery and classification of cloud data
- Virtualized security
- Database activity monitoring, database vulnerability assessments, data redaction and data encryption
- Static and dynamic data masking to enforce a least-privilege access model for cloud resources
- Automated compliance reports customized for different regulations to demonstrate compliance in the cloud
InfoSphere Data Security and Privacy Solutions: comprehensive data protection for cloud, virtual and physical infrastructures
- Discover the location of sensitive data (InfoSphere Discovery and InfoSphere Guardium): automating the detection of sensitive data and enterprise data relationships. Strengths: discover hidden data relationships to define business groupings of data; automate detection of sensitive data; reverse-engineer transformation logic and prototype data consolidation rules.
- Mask data in non-production environments (InfoSphere Optim Data Masking): protect sensitive structured data in non-production environments (dev, testing, offshore dev). Strengths: best practice for protecting sensitive data and supporting the testing process; mask information in one or many places using realistic values; reduce the impact of internal and external data breaches.
- Monitor databases, assess vulnerabilities, dynamic masking (InfoSphere Guardium DAM and VA Solution): provide essential safeguards to protect high-value databases across heterogeneous environments. Strengths: continuous, real-time database access and activity monitoring; policy-based controls to detect unauthorized or suspicious activity; vulnerability assessment, change auditing and blocking; satisfy compliance and regulatory mandates.
- Encrypt files in database environments (InfoSphere Guardium Encryption Expert): high-performance data encryption. Strengths: encrypt files with no application, database or network impact; separation of duties (DBA vs. IT Security); unified policy and key management for central administration.
- Redact unstructured data in documents (InfoSphere Guardium Data Redaction): protect standalone or embedded unstructured sensitive data in forms and documents. Strengths: support redaction of textual, graphical and form-based data; increase efficiency via automation and reduce the cost of manual redaction; control the data viewed by each user with policy rules.
Guardium database security: comprehensive data protection for virtual and cloud infrastructures
[Diagram: end users access applications on application servers and virtual servers; DBAs administer the databases; a security administrator manages security policies. Guardium capabilities shown in front of the databases and file repository: Database Activity Monitor, Database Vulnerability Assessment, Data Encryption, Data Redaction, Dynamic Data Masking.]
Test Data Management and Masking Solutions: automate creation of right-size test data in a private cloud
[Diagram: a production database (PeopleSoft / any DB) on a virtual server is subset, compared and masked into Test and Dev copies; testers use the Test copy for functional and performance testing and developers use the Dev copy for unit testing, each refreshing test data from production.]
IBM QRadar Security Intelligence Platform: providing actionable intelligence
- INTELLIGENT: correlation, analysis and massive data reduction
- AUTOMATED: driving simplicity and accelerating time-to-value
- INTEGRATED: unified architecture delivered in a single console
Embedded intelligence offers automated offense identification (INTELLIGENT)
Inputs: security devices; servers and mainframes; network and virtual activity; data activity; application activity; configuration information; vulnerabilities and threats; users and identities; global threat intelligence.
Embedded intelligence: unlimited data collection, storage and analysis; built-in data classification; automatic asset, service and user discovery and profiling; real-time correlation and threat intelligence; activity baselining and anomaly detection; detects incidents out of the box.
Output: suspected incidents reduced to prioritized incidents.
Expanding audit information collection for QRadar SIEM
Challenge: integrate database and data source audit information with SIEM forensics. Formatting information from heterogeneous data sources is tedious and requires expertise.
Solution: leverage Guardium's non-intrusive audit log collection for several data sources (databases, data warehouses, file shares, big data and other sources) to feed QRadar with normalized audit logs.
- Guardium side: send custom reports via syslog to QRadar SIEM, carrying extra data to match the SIEM format. Custom audit reports have richer context than native audit logs.
- QRadar SIEM side: ensure the correct format is mapped through a template, so that the normalized, enriched audit reports arriving over syslog are parsed into the expected fields.
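The Guardium-to-QRadar flow above has two halves: the collector renders an audit event as a syslog line with extra context, and the SIEM maps the vendor field names onto its own normalized fields through a template before rules run over them. The block below is an added example, not Guardium or QRadar code, and the line format, field names and detection rules are all constructed assumptions: it shows why the template mapping matters (unmapped fields are kept rather than silently lost, tabs and newlines inside SQL text are escaped so they cannot corrupt the record) and what a SIEM-side rule over the normalized event looks like.

```python
import re

# SIEM-side template: vendor field name -> normalized event field.
# ASSUMPTION: these vendor names are invented for the example; a real
# product ships its own mapping template.
FIELD_TEMPLATE = {
    "dbUser": "user",
    "srcIP": "src_ip",
    "dbName": "database",
    "objName": "object",
    "verb": "action",
    "sqlText": "query",
    "sensitive": "sensitive",
}

# <PRI>timestamp host app: body   (body = tab-separated key=value pairs)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:\s]+): (?P<body>.*)$"
)

_ESC = {"n": "\n", "t": "\t", "\\": "\\"}


def _escape(value) -> str:
    # Tabs separate fields and a newline ends a syslog record, so both (and the
    # escape character itself) must be escaped before the value goes on the wire.
    return str(value).replace("\\", "\\\\").replace("\t", "\\t").replace("\n", "\\n")


def _unescape(value: str) -> str:
    # Single pass, so a literal backslash followed by 't' is not turned into a tab.
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)


def format_audit_report(event: dict, ts: str, host="guardium01", app="dbaudit", pri=134) -> str:
    """Collector side: render one audit event as a syslog line with key=value context."""
    body = "\t".join(f"{k}={_escape(v)}" for k, v in event.items())
    return f"<{pri}>{ts} {host} {app}: {body}"


def parse_audit_report(line: str) -> dict:
    """SIEM side: parse the syslog envelope, then map vendor field names through
    FIELD_TEMPLATE. Fields the template does not know are kept under 'extra'
    instead of being dropped, so a template gap is visible rather than silent."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line")
    norm = {"timestamp": m["ts"], "source_host": m["host"], "extra": {}}
    for pair in m["body"].split("\t"):
        key, sep, val = pair.partition("=")
        if not sep:
            continue
        val = _unescape(val)
        if key in FIELD_TEMPLATE:
            norm[FIELD_TEMPLATE[key]] = val
        else:
            norm["extra"][key] = val
    return norm


# Detection rules over the normalized event (illustrative, deliberately simple).
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR '1'='1
    re.compile(r"\bunion\b.*\bselect\b", re.I),         # UNION SELECT
    re.compile(r"--|/\*"),                               # comment markers
]
APPROVED_SENSITIVE_USERS = {"appsvc"}  # ASSUMPTION: accounts allowed to read sensitive objects


def flag_event(norm: dict) -> list:
    reasons = []
    if any(p.search(norm.get("query", "")) for p in INJECTION_PATTERNS):
        reasons.append("sql_injection_pattern")
    if norm.get("sensitive") == "true" and norm.get("user") not in APPROVED_SENSITIVE_USERS:
        reasons.append("sensitive_access_by_unapproved_user")
    if norm.get("action", "").upper() in {"DROP", "TRUNCATE"}:
        reasons.append("destructive_statement")
    return reasons


def review(lines) -> list:
    """Parse each forwarded report and return (user, src_ip, reasons) for the flagged ones."""
    hits = []
    for line in lines:
        norm = parse_audit_report(line)
        reasons = flag_event(norm)
        if reasons:
            hits.append((norm.get("user"), norm.get("src_ip"), reasons))
    return hits


# Constructed sample events (not real audit data). The third carries a field the
# template does not know and a value containing a tab.
SAMPLE_EVENTS = [
    {"dbUser": "appsvc", "srcIP": "10.0.1.20", "dbName": "crm", "objName": "customers",
     "verb": "SELECT", "sqlText": "SELECT name, email FROM customers WHERE id = ?", "sensitive": "true"},
    {"dbUser": "jdoe", "srcIP": "10.0.9.77", "dbName": "crm", "objName": "customers",
     "verb": "SELECT", "sqlText": "SELECT * FROM customers WHERE name = '' OR '1'='1'", "sensitive": "true"},
    {"dbUser": "dba1", "srcIP": "10.0.0.5", "dbName": "crm", "objName": "audit_tmp",
     "verb": "DROP", "sqlText": "DROP TABLE audit_tmp", "sensitive": "false", "session": "42\tx"},
]
SAMPLE_LINES = [format_audit_report(e, "2015-09-29T10:00:00Z") for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in review(SAMPLE_LINES):
        print(hit)
```

Running it flags the second event twice (injection pattern, and a sensitive object read by a user outside the approved set) and the third once (destructive statement); the first, a parameterized read by the approved service account, passes. The `extra` bucket is the practical check to keep: if it starts filling up after a collector upgrade, the template on the SIEM side is out of date.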
An integrated, unified architecture in a single web-based console (INTEGRATED): Log Management, Security Intelligence, Network Activity Monitoring, Risk Management, Vulnerability Management, Network Forensics.
Guardium and QRadar Security Intelligence: QRadar target use cases and the complementary InfoSphere Guardium capabilities
- Complex threat detection: alert on sensitive data access without affecting performance; identify the vulnerability level of the DB infrastructure for asset classification; block and alert on suspicious data access.
- Malicious activity identification: monitor all traffic to and from data repositories, including content and metadata; identify anomalous behavior from end users, privileged users and system IDs; prevent malicious access to sensitive data.
- User activity monitoring: monitor privileged and regular end-user data access activity in real time; create policies that granularly restrict access; alert on suspicious behavior.
- Compliance monitoring: centralized and normalized granular audit of all data activities without impact on resources; automation of the audit report review process; report templates for major regulations.
- Fraud detection and data loss prevention: direct visibility into data traffic (metadata and content); policies for detection of fraudulent data access activity; blocking and quarantining of users with suspicious data access patterns.
- Network and asset discovery: automatically discover all databases, sensitive data and their entitlements; classify data for policy enforcement and alert on findings; identify the vulnerability posture of the database infrastructure.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. www.ibm.com/security Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Key Aspects of the Regulation
- The proposed legislation is a General Data Protection Regulation (GDPR). Unlike the existing 1995 Data Protection Directive (95/46/EC), the Regulation will create a unified data protection law for all 28 EU Member States. It will also have international reach, applying to organizations that handle personal data of any EU resident (data subject).
- Formal approval and publication is expected by spring 2016, with a two-year transitional period for compliance.
- The objectives of the GDPR are twofold: to enhance the level of personal data protection for EU residents, and to modernize the law in line with existing and emerging technologies (e.g. social networks and cloud computing) and to clarify responsibility for the handling and storage of data, making it easier for organizations to comply and avoid fines.
- Non-compliance could lead to regular and periodic audits and/or a fine of up to €100 million or 2% of annual worldwide turnover, whichever is greater.
The Regulation provides additional benefits and rights for data subjects
- Key definitions have been augmented to include online identifiers (e.g. IP addresses, cookies etc.), and new terms such as location data, biometric data and genetic data have been introduced.
- Higher standard for obtaining consent: from implied to express consent.
- Easier access to data: expands the set of information to be provided to individuals and removes the right for controllers to charge a fee for subject access requests (SARs).
- Erasure of data: data subjects have the right to request that all data held by controllers and processors be erased.
- Portability: controllers must enable the transfer of structured and/or raw data to another organisation through a commonly used electronic format if requested by the data subject.
- Profiling: data subjects have the right to object to any data profiling.
New and enhanced obligations on data controllers and processors have been imposed
- Controllers will be responsible for carrying out a Data Protection Impact Assessment (DPIA) and a risk analysis of the potential impact any intended processing could have on the rights or freedoms of data subjects.
- Implementation by controllers and processors of technical and organizational security measures appropriate to the risks presented by the processing and identified in the DPIA.
- Building a Data Protection by Design and by Default process, enabling review of the entire lifecycle management of personal data with particular focus on procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of data.
- Breach notification requirements in the event of a data incident.
- Increased rules on the transfer of data outside the EEA or to international organizations, including possible prior approval from the supervisory authority.