Privacy by Design in the Cloud


Privacy by Design in the Cloud - some raffish reflections. Ernst O. Wilhelm, Chief Privacy Officer, GFT. Belgian Cyber Security Convention, EuroCloud Forum, Mechelen, 25.10.2017

Agenda (slides dated 26/10/2017)
1. The Data Protection Challenge
2. The Software Development Challenge
3. The Cloud Challenge
4. A new Focus on Privacy in the Cloud
5. Bringing the Unicorn down the Trenches

1. The Data Protection Challenge (Source: Wilhelm)

1. Data Protection by Design and by Default (GDPR Art 25)

(1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

(2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

(3) An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

1. Privacy by Design Principles

Ann Cavoukian: "Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization's default mode of operation. [...] Principles of Privacy by Design may be applied to all types of personal information, but should be applied with special vigour to sensitive data such as medical information and financial data."

Cavoukian's 7 Foundational Principles of Privacy by Design:
1. Proactive not Reactive, Preventative not Remedial
2. Privacy Embedded into Design
3. Privacy as the Default Setting
4. Full Functionality: Positive Sum, not Zero-Sum
5. End-to-End Security, Full Lifecycle Protection
6. Visibility and Transparency, Keep it Open
7. Respect for User Privacy, Keep it User-Centric

1. Privacy Design Strategies

Jaap-Henk Hoepman: "A design strategy describes a fundamental approach to achieve a certain design goal, that has certain properties that allow it to be distinguished from other (basic) approaches that achieve the same goal. [...] A natural starting point to derive some privacy preserving strategies is to look at when and how privacy is violated, and then consider how these violations can be prevented."

Hoepman's 8 Privacy Design Strategies:
MINIMIZE: The amount of personal information that is processed should be minimal.
HIDE: Any personal information that is processed should be hidden from plain view.
SEPARATE: The processing of personal information should be done in a distributed fashion whenever possible.
AGGREGATE: Personal information should be processed at the highest level of aggregation and with the least possible detail in which it is (still) useful.
INFORM: Data subjects should be adequately informed whenever personal information is processed.
CONTROL: Data subjects should have agency over the processing of their personal information.
ENFORCE: A privacy policy compatible with legal requirements should be in place and should be enforced.
DEMONSTRATE: Demonstrate compliance with the privacy policy and any applicable legal requirements.
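The Art 25 text above names pseudonymisation and data minimisation as the technical measures a controller should build in, and Hoepman's MINIMIZE, HIDE, SEPARATE and AGGREGATE strategies describe the same measures from the designer's side. The following Python script is an added illustration of how those four strategies look in code; it is not part of the slides and not GFT's or Hoepman's code. Everything in it is constructed: the sample HR records, the purpose-to-field allow-lists, the HMAC key and the minimum group size of 2 are placeholder choices for the demonstration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not from the slides): a tiny HR data set.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "name": "Alice Example", "country": "BE",
     "salary": 52000, "email": "alice@example.invalid"},
    {"employee_id": "E1002", "name": "Bob Example", "country": "BE",
     "salary": 48000, "email": "bob@example.invalid"},
    {"employee_id": "E1003", "name": "Carol Example", "country": "PL",
     "salary": 39000, "email": "carol@example.invalid"},
]

# MINIMIZE (Art 25(2)): every processing purpose declares the fields it needs.
# Fields outside the allow-list are dropped before any processing happens.
# Assumed purposes and field sets for the demonstration.
PURPOSE_FIELDS = {
    "payroll": {"employee_id", "country", "salary"},
    "headcount_report": {"employee_id", "country"},
}


def minimize(record, purpose):
    """Return only the fields declared necessary for `purpose`.
    An undeclared purpose raises KeyError on purpose: no allow-list, no processing."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


# HIDE: replace the direct identifier with a keyed pseudonym (HMAC-SHA256).
# SEPARATE: the key stays with the controller and never travels with the data,
# so the processor can link records but cannot recover or recompute identifiers.
def pseudonymize(identifier, key):
    """Keyed, deterministic pseudonym for one identifier (truncated to 16 hex chars)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_records(records, key, id_field="employee_id"):
    """Pseudonymize the identifier field of every record without mutating the input."""
    out = []
    for record in records:
        copy = dict(record)
        copy[id_field] = pseudonymize(copy[id_field], key)
        out.append(copy)
    return out


# AGGREGATE: report at the highest useful level and suppress small groups so a
# single person cannot be singled out from the count (None = suppressed).
def aggregate(records, by, min_group=2):
    counts = Counter(record[by] for record in records)
    return {k: (n if n >= min_group else None) for k, n in counts.items()}


def run_headcount_report(records, key):
    """Full pipeline for one purpose: minimize -> pseudonymize -> aggregate."""
    minimized = [minimize(r, "headcount_report") for r in records]
    hidden = pseudonymize_records(minimized, key)
    return aggregate(hidden, by="country")


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # in practice: a secret kept by the controller
    print(run_headcount_report(SAMPLE_RECORDS, demo_key))
```

The order of the steps is the point: the allow-list runs first, so the pseudonymisation and aggregation stages never even see the name or e-mail, and the aggregation output is what leaves the controller's boundary. Note that a keyed pseudonym is still personal data for whoever holds the key; Art 25 calls it a safeguard, not anonymisation.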

1. Completeness vs. Concreteness of Vision (diagram, Source: Wilhelm): the 7 Foundational Principles of Privacy by Design stand for completeness of vision; the 8 Privacy Design Strategies stand for concreteness of vision.


2. The Software Development Challenge (cartoon panels):
What the client has dreamt of
What has been defined as client requirements
What has been designed as solution by the architect
What has been delivered in the first place
What is finally delivered after painful discussions with the client!

2. The Basic Software Development Model (Code and Fix)

Characteristics:
Developer knows what the user needs
Emphasis on individuals (heroes)
Knowledge is represented by people
No project management
No documentation
No testing, or testing done by the user
Very high variance in time, cost and quality
Low scalability (complex projects tend to fail)
Validation by user experience

2. The Waterfall Software Development Model

Characteristics:
Reduction of complexity by subsequent phases with separation of concerns
Emphasis on process and project management
Increased scalability
Knowledge is represented by documents
Requirements document knows what the user needs
Approved artefacts are pre-requisites for transition to the subsequent phase (waterfall)
Late validation in verification phase by comparing requirements definition and delivery
Low capability for integrating change requests
Still high variance in time, cost and quality
Maintenance phase has to bridge the gap between the delivery and the expectation of the user

2. The Iterative Software Development Model

Characteristics:
Integrates aspects of waterfall software development
Additional reduction of complexity by iterative development cycles
Increased capability for integrating change requests between development cycles
Requirements document is approximating what the user needs
Emphasis on release planning and risk management
Incremental validation by prototyping
Maintenance phase eliminated
Still significant variance in time, cost and quality

2. Agile Software Development Model

Characteristics:
Emphasis on visibility and values
Value of individuals and interactions over processes and tools
Value of working software over comprehensive documentation
Value of customer collaboration over contract negotiation
Value of responding to change over following a plan
High capability for integrating change requests
Focus on vital requirements first and fast ROI
Fast validation by incremental delivery
Minimum variance in time, cost and quality

2. The Devil's Triangle in Software Development (Cost, Schedule, Scope; Data Protection Requirements)

Software development is not a repetition of standard steps like in hardware manufacturing
Software development involves constant invention; accurate effort estimation is impossible
Attempts to constrain all factors at the same time yield high uncertainty and high risk to customer satisfaction
Risk is minimized if only one variable is constrained

2. Privacy by Design in Agile Software Development (diagram, Source: Terbu, Hötzendorfer, Leitner, Bonitz, Vogl, Zehetbauer)


3. The Cloud Challenge

3. The Cloud Privacy Standard (ISO 27018)

ISO/IEC 27018: Code of Practice for protection of PII in public clouds acting as PII processor, 2014

With special emphasis on commissioned processing of personal data in a public cloud environment, this guidance helps the DPO of a cloud service customer:
to comply with applicable obligations, with special emphasis on processing of personal data
to select a well-governed cloud service provider on the basis of transparent criteria
to enter into a contractual agreement with the cloud service provider on the basis of standardized requirements
to establish a common understanding regarding a mechanism for exercising audit and compliance rights and responsibilities

Note: Certification for this standard is not available directly but can be considered within an ISO 27001 certification.

3. Essential Structure of ISO 27018

ISO 27018 (Protection of PII in public clouds):
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Annex A: Public cloud PII processor extended control set for PII protection

ISO 27002 (Information Security Controls):
0 Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Structure of this Standard
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance

3. Special Privacy Requirements in ISO 27018

Annex A: Public cloud PII processor extended control set for PII protection
A.1 Consent and choice
A.1.1 Obligation to co-operate regarding PII principals' rights
A.2 Purpose legitimacy and specification
A.2.1 Public cloud PII processor's purpose
A.2.2 Public cloud PII processor's commercial use
A.3 Collection limitation
A.4 Data minimization
A.4.1 Secure erasure of temporary files
A.5 Use, retention and disclosure limitation
A.5.1 PII disclosure notification
A.5.2 Recording of PII disclosures
A.6 Accuracy and quality
A.7 Openness, transparency and notice
A.7.1 Disclosure of sub-contracted PII processing
A.8 Individual participation and access
A.9 Accountability
A.9.1 Notification of a data breach involving PII
A.9.2 Retention period for administrative security policies and guidelines
A.9.3 PII return, transfer and disposal
A.10 Information security
A.10.1 Confidentiality or non-disclosure agreements
A.10.2 Restriction of the creation of hardcopy material
A.10.3 Control and logging of data restoration
A.10.4 Protecting data on storage media leaving the premises
A.10.5 Use of unencrypted portable storage media and devices
A.10.6 Encryption of PII transmitted over public data-transmission networks
A.10.7 Secure disposal of hardcopy materials
A.10.8 Unique use of user IDs
A.10.9 Records of authorized users
A.10.10 User ID management
A.10.11 Contract measures
A.10.12 Sub-contracted PII processing
A.10.13 Access to data on pre-used data storage space
A.11 Privacy compliance
A.11.1 Geographical location of PII
A.11.2 Intended destination of PII

3. The Cloud Privacy Agreement (CSA)

Cloud Security Alliance: Privacy Level Agreement [V2]: A Compliance Tool for Providing Cloud Services in the EU, 2015

The PLA may be used by the DPO as a template for a description of the level of privacy protection to be provided by the Cloud Service Provider: while Service Level Agreements (SLA) are generally used to provide metrics and other information on the performance of the services, PLAs address information privacy and personal data protection practices. The PLA, like an SLA, should be an appendix to a Cloud Services Agreement.

The PLA provides the DPO of the Cloud Service Customer with a tool to identify a baseline of mandatory personal data protection legal requirements across the EU and to evaluate the level of personal data protection offered by different Cloud Service Providers.

The PLA offers Cloud Service Providers guidance for achieving a baseline of compliance with mandatory personal data protection legislation across the EU and for disclosing, in a structured way, the level of personal data protection that they offer to customers.

3. Essential Structure of the Cloud Privacy Agreement (diagram, Source: CSA)

3. Special Privacy Requirements in the Cloud Privacy Agreement (Source: CSA)

1. IDENTITY OF THE CSP (AND OF REPRESENTATIVE IN THE EU AS APPLICABLE), ITS ROLE, AND THE CONTACT INFORMATION FOR THE DATA PROTECTION INQUIRIES
2. WAYS IN WHICH THE DATA WILL BE PROCESSED
2.1. Personal data location
2.2. Subcontractors
2.3. Installation of software on cloud customer's system
3. DATA TRANSFER
4. DATA SECURITY MEASURES
5. MONITORING
6. PERSONAL DATA BREACH NOTIFICATION
7. DATA PORTABILITY, MIGRATION, AND TRANSFER BACK ASSISTANCE
8. DATA RETENTION, RESTITUTION AND DELETION
8.1. Data retention policy
8.2. Data retention for compliance with legal requirements
8.3. Data restitution and/or deletion
9. ACCOUNTABILITY
10. COOPERATION
11. LEGALLY REQUIRED DISCLOSURE


4. Sanction Thresholds in the GDPR

Lower Threshold (2% of worldwide annual turnover or 10 million euros). Fines in the lower threshold are assessed for most provisions, including most notably violations of:
Obtaining a child's consent according to the applicable conditions
Notifying the supervisory authority of a personal data breach
Notifying the data subject of a personal data breach
Designating a data protection officer

Higher Threshold (4% of worldwide annual turnover or 20 million euros). Fines in the higher threshold are assessed for more serious violations of:
Basic principles for processing data, including consent
Data subjects' rights
Data transfer provisions
Obligations to country-specific laws
Non-compliance with an order by a supervisory authority

4. Setting the Focus on the Rights of the Data Subject

Article 7: Right to withdraw consent
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject
Article 16: Right to rectification
Article 17: Right to erasure ("right to be forgotten")
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling

4. High risk indicators for data subjects' rights in the Cloud (Source: WP 248)

Evaluation or scoring, including profiling and predicting, especially from aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements
Automated decision-making with legal or similar significant effect: processing that aims at taking decisions on data subjects producing legal effects concerning the natural person or which similarly significantly affects the natural person
Systematic monitoring: processing used to observe, monitor or control data subjects, including data collected through a systematic monitoring of a publicly accessible area
Sensitive data: this includes special categories of data as defined in Article 9 as well as personal data relating to criminal convictions or offences
Data processed on a large scale: considering the number of data subjects concerned, the volume of data and/or the range of different data items being processed, the duration or permanence of the data processing activity, the geographical extent of the processing activity

4. High risk indicators for data subjects' rights in the Cloud, continued (Source: WP 248)

Datasets that have been matched or combined, for example originating from two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subject
Data concerning vulnerable data subjects: increased power imbalance between the data subject and the data controller
Innovative use or applying technological or organisational solutions, like combining use of fingerprint and face recognition for improved physical access control
Data transfer across borders outside the European Union, taking into consideration the envisaged country or countries of destination, the possibility of further transfers or the likelihood of transfers based on derogations for specific situations
When the processing in itself prevents data subjects from exercising a right or using a service or a contract, e.g. processing performed in a public area that people passing by cannot avoid, or processing that aims at allowing, modifying or refusing data subjects' access to a service or entry into a contract

4. Data Protection Risk and Impact Assessment (diagram: violation of data subject rights; Sources: ISO 29134, WP 248)

4. Games of Data Subject Rights (diagram, Source: Wilhelm)

Data Subject is entitled to rights (GDPR Art 7, 12ff)
Cloud Service Client respects the rights of the Data Subject (GDPR Art 35, Rec 78)
Cloud Service Provider acts on behalf of the Cloud Service Client (SCC Third Party Beneficiary Clause)

4. Legal Provisions with Impact on the Cloud Service Provider

GDPR Article 35: "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. [...]"

GDPR Recital 78: "[...] When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders."

SCC Third Party Beneficiary Clause: "The data subject can enforce against the data importer this Clause [...] in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity."


5. Bringing the Unicorn down the Trenches (diagram): 7 Foundational Principles of Privacy by Design (completeness of vision) -> 8 Privacy Design Strategies -> 5 Core Privacy Design Gears (concreteness of vision)

5. Core Privacy Design Gears (diagram, Source: Wilhelm)

SSG: Self Service Gateway (Art 7, 15, 16, 17, 22)
SRH: Subject Request Handler (Art 7, 12, 15, 16, 17, 18, 20, 21, 22)
SNP: Subject Notification Processor (Art 12, 13, 14, 19, 22)
REM: Retention and Erasure Manager (Art 17, 18, 19)
SPI: Standardized Portability Interface (Art 15, 20)

5. Sample: Retention and Erasure Manager in a HR Cloud Service (Source: Wilhelm)

Name | Country | Contract | Start | End | Erase?
Thibaut Courtois | Belgium | Part Time | 01.01.2005 | 31.09.2010 |
Dries Mertens | Belgium | Temporary | 01.06.2012 | 31.12.2012 |
Robert Lewandowski | Poland | Full Time | 01.04.1977 | 31.06.1978 |
Andreas Granqvist | Sweden | Full Time | 01.01.2005 | 31.09.2010 |
Adrian Mutu | Romania | Full Time | 01.04.1977 | 31.06.1978 |

5. First Order Retention Schedule (table for country BEL, not transcribed; Source: Iron Mountain)

5. Second Order Retention Schedule (table not transcribed; Source: Iron Mountain)

5. Retention and Erasure Workflow (diagram, Source: Wilhelm)
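The Retention and Erasure Manager sample above leaves the "Erase?" column to be filled from the first- and second-order retention schedules, whose actual figures are on the untranscribed Iron Mountain slides. The Python script below is an added illustration of that decision step and is not the speaker's or GFT's code. Its retention periods are placeholder assumptions (a per-country first-order period and a per-contract-type second-order override), the evaluation date is the slide date, and the rows are constructed to mirror the sample table's columns. It also covers an edge case the slide's own data raises: end dates such as 31.09.2010 do not exist, and a retention engine should send such records to manual review rather than silently keep or erase them.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Assumed first-order schedule (placeholder values, NOT the Iron Mountain figures):
# years an employee record is kept after the contract end, by country code.
FIRST_ORDER_YEARS = {"BEL": 5, "POL": 10, "SWE": 7, "ROU": 5}

# Assumed second-order schedule (placeholder): contract-type override that takes
# precedence over the country rule when present.
SECOND_ORDER_YEARS = {"Temporary": 3}

# Evaluation date: the date printed on the slides.
AS_OF = date(2017, 10, 26)


@dataclass
class Record:
    name: str
    country: str
    contract: str
    start: str  # dd.mm.yyyy, as written in the slide's table
    end: str


@dataclass
class Decision:
    name: str
    erase: Optional[bool]  # True = erase, False = keep, None = manual review
    reason: str


def parse_date(text):
    """Strict dd.mm.yyyy parser; returns None for impossible dates like 31.09.2010."""
    try:
        return datetime.strptime(text, "%d.%m.%Y").date()
    except ValueError:
        return None


def retention_years(rec):
    """Second-order (contract type) override first, then first-order (country)."""
    if rec.contract in SECOND_ORDER_YEARS:
        return SECOND_ORDER_YEARS[rec.contract], "second-order"
    if rec.country in FIRST_ORDER_YEARS:
        return FIRST_ORDER_YEARS[rec.country], "first-order"
    return None, "no schedule"


def erase_after(end, years):
    """Retention expires on the anniversary of the contract end; 29 Feb clamps to 28 Feb."""
    try:
        return end.replace(year=end.year + years)
    except ValueError:
        return end.replace(year=end.year + years, day=28)


def decide(rec, today):
    end = parse_date(rec.end)
    if end is None:
        return Decision(rec.name, None, f"unparseable end date {rec.end!r}: manual review")
    years, source = retention_years(rec)
    if years is None:
        return Decision(rec.name, None, f"no retention schedule for {rec.country}: manual review")
    due = erase_after(end, years)
    if today >= due:
        return Decision(rec.name, True, f"{source} retention of {years}y expired on {due.isoformat()}")
    return Decision(rec.name, False, f"{source} retention until {due.isoformat()}")


def run(records, today):
    """Fill the 'Erase?' column for every record; never raises on bad input rows."""
    return [decide(r, today) for r in records]


# Constructed rows mirroring the slide's table layout (not the slide's own data).
SAMPLE = [
    Record("Person A", "BEL", "Part Time", "01.01.2005", "30.09.2010"),
    Record("Person B", "BEL", "Temporary", "01.06.2012", "31.12.2012"),
    Record("Person C", "POL", "Full Time", "01.04.2010", "30.06.2016"),
    Record("Person D", "SWE", "Full Time", "01.01.2005", "31.09.2010"),  # impossible date
    Record("Person E", "XXX", "Full Time", "01.04.2001", "30.06.2002"),  # no schedule
]

if __name__ == "__main__":
    for d in run(SAMPLE, AS_OF):
        print(f"{d.name}: erase={d.erase} ({d.reason})")
```

Every decision carries the schedule it was derived from and the computed due date, which is the evidence the DEMONSTRATE strategy and Art 17/18/19 obligations call for when a deletion (or a refusal to delete) is later questioned.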

Shaping the future of digital business. Ernst O. Wilhelm, Chief Privacy Officer, GFT Technologies SE, Schelmenwasenstraße 34, 70567 Stuttgart, Germany