topic Re: Your Top 5? - GDPR in Privacy

Your Top 5? - GDPR

SeaCISSP — Wed, 15 Nov 2017 02:32:51 GMT

What are your personal 'Top 5' practical tips for implementing GDPR?

For example:

1. Remember that the fundamental purpose of GDPR is to PROTECT the personal data and rights of individual Data Subjects: It's the "General Data *Protection* Regulation. (This sounds obvious but is sometimes forgotten!)

2. Prioritise security awareness - don't leave it as an afterthought for your annual compliance "refresher" training! As soon as possible in the GDPR implementation, start training staff (eg Senior Managers, Project Managers and Security staff) to recognise typical examples of 'personal data' such as different types of personal unique identifiers, data that uniquely identfies an individual because they are the only person who has that Job Title, etc. Also, to always *consider* the extent to which personal data could be involved, from the outset of any project. (Broad statements such as:"There's no personal data involved in this project" usually require further investigation.) Aim to have all your staff trained to understand the Principles and the key Definitions that apply to their own roles by May 25 2018.

4. Unless you are authorised to do so, don't try to 'interpret' the meaning of any aspect of GDPR - check the meaning and its implications with your Data Protection Officer or other authorised data protection/privacy/legal lead.

5. The 'special categories' of personal data (broadly similar to 'sensitive personal data' under current EU legislation) require ADDITIONAL protection on top of any controls that will apply to 'personal data'. Security staff are well-placed to advise on "additional protection" - eg data classification, data handling and other data 'processing' requirements.

Re: Your Top 5? - GDPR

SeaCISSP — Wed, 15 Nov 2017 01:32:38 GMT

.... I deleted Number 3!

3. Ensure your organisation understands the full implications of the Data Controller and Data Processor responsibilities. For instance, Data Controllers have to provide clear instructions to enable their Data Processors to process the personal data entrusted to them securely and with confidence. Data Processors must do likewise if they are allowed to sub-contract any elements of the personal data processing to their own suppliers. This presupposes that everyone will have complete and up-to-date contractual records that easily identify who the Data Processors are and that the communication channels between DCs and their DPs are straightforward and kept up-to-date ....

Re: Your Top 5? - GDPR

flyingboy — Wed, 15 Nov 2017 01:52:05 GMT

Rather than focusing 'Top 5 practical tips for implementing GDPR', I suggest:

Recognise one size does not fit all – consider the level of risk/harm
Assign clearly defined roles for all stages (both internally and externally to the organisation)
Identify an Executive “Champion” or Sponsor if there is none at Broad or the highest management level
Build a robust process with scalability in mind
Communicate and reinforce training at every opportunity

Re: Your Top 5? - GDPR

SeaCISSP — Wed, 15 Nov 2017 02:09:37 GMT

Hi Flyingboy. Thank you for your response.

Sure, organisations have to have robust high-level GRC measures and so on and strongly agree there needs to be an executive sponsor. These are all things that a good security professional should already be aware of.

I suggested 'practical' tips to highlight some of the simple basic details which can easily get overlooked or which people may not have come across yet, if they haven't implemented data protection and privacy measures before.

Anyway, just hoping to learn more about 'what personally works' for everyone - there are no 'right or wrong ' answers!

Re: Your Top 5? - GDPR

flyingboy — Wed, 15 Nov 2017 02:34:04 GMT

Hello AnnaC,

Awareness is one thing, however implementation is another. Sometimes, keeping simple is needed to get the message across. If you are looking for more detailed implementations, you are unlikely to find them within our few short posts - remember my first recommendation - (Recognise one size does not fit all – consider the level of risk/harm). Every organisations or individuals (even for security or privacy professionals) are different or have different circumstances when handling data.

If you are looking for something specific, you can reach out to me directly.

Re: Your Top 5? - GDPR

robertc — Wed, 15 Nov 2017 14:20:15 GMT

1. GDPR is a Good Thing so be positive about it within your organisation. Don't treat it as a tick box exercise or, as I heard someone describe it last week, 'a Great Depressing Pile of Regulation'. It is something we should all be doing anyway.

2. Sort out the basics first. Be sure of your processing activities, legal bases for processing and purposes. I've found that making sure those are rock solid is very helpful as what follows can be looked upon as a bit of an uphill climb. That's a lot more palatable if you have established a solid base camp.

3. Get legal advice. I am not a lawyer. There is no magic compliance checklist. I am a CISSP so have signed a code of ethics that includes not pretending I know everything.

4. Don't assume your only communication path is upwards. While it's important to make sure you get buy-in from the Board, your weak spots will probably lie elsewhere so a comms and awareness raising plan should be inclusive. Trying to strike a balance between shock and awe (we're going to get fined 20m euros) and boring people half to death with yet another reference to GDPR is difficult but not impossible

5. Don't panic

Re: Your Top 5? - GDPR

Early_Adopter — Fri, 17 Nov 2017 18:50:39 GMT

Here's my top five practical, biased and limited thoughts - not comprehensive, caveat emptor, etc.

1.Download the Law - read it, if nothing else it's a formidable work of legal minds, also read a few of the legal company references, the new e-Privacy Regulation and look at the WP29 opinions. Lastly with GDPR make sure your DPO/General Counsel doesn't forget the APEC Privacy Framework and all the other national privacy regulations that apply to you, your privacy program will have better longevity and be less brittle if it's addressing the broad issues.

2. Look at sending your guys on courses with IAPP(DPO Ready) and ITGovenance(GDPR F/P) - I've attended both and would say that IAPP offers more for the top end of town, whilst ITGovernance is interesting from a practitioner's standpoint. Both sets of training have value, there may also be others. Once they are trained, please share. If not build your own training program.

3.Get your privacy terms of reference defined and promulgated in your company/organization in a jargon busting way. Should I Gap Analyze my PIMS when set against my PIA or ensure that i practice PDB on my BCRs so they harmonize my Model Contracts? It will only be clear what the team knows what it all means, when this is done - if you are exposed, and you probably are then a CEO email linking the resource and emphasizing his/her commitment really helps.

4.Do your data mapping, focus on what is processed in priority order and take the elements of personal data you have (and because the is the ISC2) work with your friendly DLP, tagging, complince and monitoring guys to help. Security tools can't do all, or even most of the work but I feel they can really help look for spills. Focus them on the live processing first, before you try to boil the ocean crawling your databases and file stores;

5. Avoid, or dial down the weight of opinions of those offering certainty, there is as yet no GDPR case law as yet so we're really not sure what will happen - maybe it will be like just like Benny Hill, with all the supervisory authorities chasing Google, Facebook and Microsoft... and, hilarity ensues.

Re: Your Top 5? - GDPR

SeaCISSP — Mon, 20 Nov 2017 11:51:29 GMT

Hi Early_Adopter. Great post.

As you say, there is no case law for GDPR as yet and some organisations appear to be adopting a 'wait and see'/'let's stay under the radar' approach as a result of this. This may be a short-sighted approach, in particular for organisations that have resided in the EU for some time and are already subject to the decades-long privacy legislation that pre-dates GDPR.

Although there is no 'certainty' as yet, there are privacy legislative precedents and "history" to refer to and learn from. The EU's privacy community (eg Courts, Regulators, DPOs and other long-standing Data Protection Practitioners) will not regard GDPR as "new" or a completely fresh start with a level playing field. To them, GDPR is at least the "second wave" of privacy legislation, with the latest changes constituting about 30% of the Regulation and including carefully-worded clauses that address some of the problematic grey areas and potential legal loopholes that arose in the past. The responses to other GDPR changes, such as those associated with new technology, will be less predictable, leaving more opportunities for interpretation and challenge.

From a risk perspective, perhaps the most volatile and unpredictable aspects of GDPR in the long run will be associated with the world's political climate and fluctuating attitudes to privacy as a fundamental right. We shall see!

Re: Your Top 5? - GDPR

Early_Adopter — Mon, 20 Nov 2017 14:06:49 GMT

Absolutely agree with you - just because there is no case law for GDPR only adds to uncertainty in rulings - 'how much will it hurt...maybe I can get away..?' Is in my view a going out of business model.

Wait and see is really going to hurt if you have a breach or a supervisory authority comes calling can't prove you had considered the principles, privacy by design/default, legitimate grounds for transfer, hired a DPO, inventoried/mapped personal data and implemented 'appropriate technical and organizational controls', etc...

Just under thirty supervisory authorities all with slightly different goals and agendas an all wanting success won't make for a slow roll out IMHO.

Re: Your Top 5? - GDPR

flyingboy — Tue, 21 Nov 2017 03:17:03 GMT

Hello Both,

Even though there is no case law mentioned GDPR directly, there are court decisions started referencing some GDPR approaches:

Right to be forgotten (RTBF) - Google
CJEU concluded recently that dynamic IP addresses are personal data while the current EU Data Protection Directive or national laws have not considered specifically - Breyer

Let's work towards compliance and do not allow opportunities for regulators to make an example of us.

Re: Your Top 5? - GDPR

Early_Adopter — Tue, 21 Nov 2017 04:42:10 GMT

Agreed, we know the velocity of the decisions in the EU, and Germany in particular is pretty good example of how strong it could be with their Federal Data Protection Act:

https://iapp.org/media/pdf/resource_center/Eng-trans-Germany-DPL.pdf

For a great round-up of the pre-existing(non-GDPR) case law I recommend taking a look at this:

https://ec.europa.eu/anti-fraud/sites/antifraud/files/caselaw_2001_2015_en.pdf

Re: Your Top 5? - GDPR

flyingboy — Tue, 21 Nov 2017 05:36:04 GMT

While you have mentioned Germany, it helps to remind me of another regulator's decision on Data Protection Officer (DPO) aligning with Article 37, 38 and 39 under the GDPR during late 2016 while referencing the FDPA:

https://blogs.orrick.com/trustanchor/2016/12/01/data-protection-officer-and-it-manager-two-jobs-that-do-not-match/

Re: Your Top 5? - GDPR

Early_Adopter — Tue, 21 Nov 2017 12:03:57 GMT

Totally, that's a no brainer on a conflict of interest, plus a IT Manager does not reach anywhere high enough in the organisation. From the link you referenced:

V. Recommendation

Companies required to appoint a DPO are thus well advised to carefully consider candidates that are free from conflicts of interest. While it does not appear necessary to preclude a DPO from having other corporate functions, the designated individual should not be in charge of, or have a personal stake in, significant decision-making relating to IT. One potential solution may be to “firewall” DPOs from such decision-making processes. Suffice it to say that this aspect of GDPR/BDSG compliance will be scrutinized heavily by German (and likely other) data protection authorities in the coming months and years.

DPOs advise this separation, so this is good advice.

There is also a school of thought I've come across that says don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation. Not the best reason IMHO, but this was from some lawyers.

Re: Your Top 5? - GDPR

flyingboy — Tue, 21 Nov 2017 12:59:51 GMT

You have rightfully pointed out, Early_Adopter, "... don't call your DPO a DPO, unless you are mandated to have one under GDPR or other frameworks as there might be a heavier burden of expectation...". The role is a compliance role rather than a risk management function. An IT Manager is more of a risk management or operation role and does not have a legal mandate like the DPO has under GDPR. It creates conflict of interest due to its operative nature as demonstrated in the German authority's opinion.

While you will find others like Singapore embedded DPO in its data protection regulatory rules back in 2014 and not as loudly as GDPR demands, Hong Kong continues advocating the role as a best practice and South Korea as well as Philippines have revised their regulations to accommodate the data protection role legally without mentioning DPO directly.

With GDPR being so descriptive and likely to set a 'gold' standard for the role, we will find these is likely to create a norm or increase expectations for the regulatory environment across the globe in years to come.

Re: Your Top 5? - GDPR

SeaCISSP — Tue, 21 Nov 2017 14:50:07 GMT

Other than outlaw.com:

https://www.out-law.com/

.... Does anyone know of any legal/media sites that are centralising and tracking privacy-related items and court cases?

('The Register' tracks security news items but it can be quite partisan.)

Re: Your Top 5? - GDPR

SeaCISSP — Tue, 21 Nov 2017 14:53:00 GMT

Definitely - and there's always the possibility that the organisation 'waiting and seeing' could be the subject of a regulatory investigation or court case itself, privacy data breaches being the far-reaching and sometimes unpredictable things they are.

Re: Your Top 5? - GDPR

Early_Adopter — Tue, 21 Nov 2017 15:37:28 GMT

IAPP has some good jumping off points:

https://iapp.org

Re: Your Top 5? - GDPR

dnn — Tue, 21 Nov 2017 15:52:05 GMT

1. Make it cross-department effort, it is not just IT, just Legal, etc. Include Legal, IT, InfoSec, Compliance, perhaps Risk

2. Understand the data-flows and contracts in place - map the data-flows, review the contracts and consent for processing data.

3. Create a process for Privacy Risk Assessment and integrate it into the System Acquisition and Deployment, and Vendor Management processes

4. Implement Records Management practice that will enable the organisation to discover data based on an individual's names or unique identifier.

5. Deploy Threat Detection and Response capability to detect and respond to breaches if they occur

And below are the 5 stages I saw recently in a presentation:

Re: Your Top 5? - GDPR

flyingboy — Wed, 22 Nov 2017 11:46:52 GMT

While I am unsure of a website that offers a centralised view about privacy tracking or court cases, I find this article quite useful if you like to know the data protection or privacy enforcement actions taken across the globe, not just EU:

https://www.lexology.com/library/detail.aspx?g=4ba24232-056e-4a6a-8e4a-1d76a0300105&utm_source=lexology+daily+newsfeed&utm_medium=html+email+-+body+-+general+section&utm_campaign=lexology+subscriber+daily+feed&utm_content=lexology+daily+newsfeed+2017-11-22&utm_term=

Re: Your Top 5? - GDPR

robertc — Mon, 27 Nov 2017 00:26:31 GMT

My number 6 would be don't be taken in by the snakeoil salesmen punting GDPR certification 🙂