topic Re: GDPR - Does anyone know of plans to create a certification in Privacy

GDPR - Does anyone know of plans to create a certification

Gchanner65 — Wed, 07 Mar 2018 11:16:25 GMT

There has been talk about certification but does anyone know if there are serious plans to go down this route
I am aware that BS 10012:2017 Personal Information Management System is possibly the best option in the short term - interested in your thoughts

Re: GDPR - Does anyone know of plans to create a certification

KRS — Wed, 07 Mar 2018 12:03:54 GMT

Hi,

EU GDPR Practitioner (EU GDPR P) qualification (ISO 17024-certificated).

Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course

Attendees take the EU GDPR P exam at the end of the course – a 90-minute, multiple-choice, ISO 17024-certificated exam set by IBITGQ. There is no extra charge for this exam.

KRS.

Re: GDPR - Does anyone know of plans to create a certification

Gchanner65 — Wed, 07 Mar 2018 12:24:08 GMT

Hi KRS

I am already a EU GDPR-P , I was thinking more on the lines of organizational certification

Re: GDPR - Does anyone know of plans to create a certification

fortean — Wed, 07 Mar 2018 13:41:22 GMT

The gold standard seems to be the IAPP CIPP/E, CIPT or CIPM accreditation. I'm currently working on obtaining IAPP's CIPP/E certification. There is a good free on-line course available to get you started on the GDPR, and I've bought the book "European Data Protection, Law and Practice" edited by Eduardo Ustaran, CIPP/E (available from the IAPP website).

Re: GDPR - Does anyone know of plans to create a certification

Early_Adopter — Wed, 07 Mar 2018 18:04:53 GMT

For the "can I get ISO27001 for GDPR compliance" certification.

There are concepts such as a European Data Protection Seal, but I doubt these will amount to much more than consumer badges of trust. You can have a google, Europrise is the most well-known one.

Re: GDPR - Does anyone know of plans to create a certification

fortean — Wed, 07 Mar 2018 22:49:23 GMT

Hi, @Gchanner65 ..

So, you meant certification: a system to validate the compliance of an organisation with the GDPR, where I understood you meant certification: a system to validate the knowledge of a person about the GDPR

Come to think of it, it strikes me as a bit odd that we should have a certification that assures an organisation's compliance with the Law. They hardly have a choice, do they? To put it bluntly: you can't have any "uncertified" company in the EU, they ALL will have to comply with the Law, or else!

You can, of course, educate people (whom may work in organisations) and test if they understand what it means to comply with the GDPR. And of course, there are certain roles and techniques that not everybody needs to understand, e.g. what a DPO does or how to do a DPIA. So, it makes sense to certify that people that fulfil these roles or use these techniques can be trusted to do so / use them. That's what the IAPP tries to achieve, methinks.

So - why do we need a certification system for compliance with the GDPR?

Re: GDPR - Does anyone know of plans to create a certification

mutin — Thu, 08 Mar 2018 00:58:31 GMT

Hello,

I barely can see such certification. GDPR is very high level. After you study the regulation you will be able to answer to legal questions only. However, it requires implementation and that does not exist in GDPR text. Moreover, there is a lot of confusion around its implementation. The leading misconception on the market is that vendors proposing to implement "security". However, the core of GDPR is "privacy". While security controls should exist in GDPR implementation (see NIST SP800-53 or ISO 27000 or DSS) real implementation requires PRIVACY controls. That is the problem. Security vendors are not ready to do that. They can recommend say a firewall or logs' analysis but what is "Accounting of Disclosure" they have no clue about. That is one of privacy controls you can find in NIST SP800-53, see Revision 4 or Revision 5 Draft. You can also go on our site www.rubos.com to see our DeepSec 2012 presentation (in Research) or the presentation text draft (more informative). That was our response to the challenge "How to implement GDPR". We developed the framework for that. You may be interested to see how high level GDPR is converted in software application development logic. Keep in mind - we did that for GDPR draft. Current regulation may have some differences.

Re: GDPR - Does anyone know of plans to create a certification

fortean — Thu, 08 Mar 2018 07:50:16 GMT

@mutin- interesting. I somewhat disagree with the notion that there are no implementation details (at all) in the GDPR, at least the concepts of a DPO and DPIA are given, for example. And, for example, Article 30 clearly indicates - in great detail - which data is to be kept by who (the controller). So, at least the 'what' is specified, and sometimes the 'how' is also quite clear. The GDPR refers to well known concepts in the information security world, e.g. Article 35 (d) refers to doing risk analysis, which has been one of the cornerstones of the infosec field for decades and for which we have a kazillion methodologies ( selecting one involves taking a risk in itself, methinks )

But I will check out the framework, thanks for the pointer!

Re: GDPR - Does anyone know of plans to create a certification

fortean — Thu, 08 Mar 2018 08:22:23 GMT

BTW, sorry to have to say this @mutin, but I find your site a great example of unneccesary obfuscation of possibly usable information. You and I seem to share a character treat: we tend to use too many words to get our point across .

The slides in your presentation contain a lot of data - actually, they read as if you dumped a paper into powerpoint - and I find it hard to find the core, usable, applicable information. It seems you (or your group) did some good work, for example the comparison between various regulations / laws. The conclusion seems to underline my perception that much that is needed is already available (a core theme in all my work): [...] our analysis has shown that there is a very strong correlation between privacy controls. In fact, NIST standards supersede old HIPAA, and represent more concrete outcome of EU GDPR.

But maybe the presentation is not the best source for your work - is there a paper we can download and discuss?

ETA-1: just found it!

ETA-2: but it's still a draft, is there a finished version?

Re: GDPR - Does anyone know of plans to create a certification

Early_Adopter — Thu, 08 Mar 2018 11:20:54 GMT

@fortean 100%. Privacy has a very strong correlation with regards to the appropriate controls for nearly all laws globally.

Is a 'Character Treat' a cornucopia of pre-conjugated irregular verbs for the delectation of those who wish to obviate the need for obfuscation by steganographic praxis misapplication of a heliocentric orbital Kepler interpretation? I think we should be told.

Re: GDPR - Does anyone know of plans to create a certification

fortean — Thu, 08 Mar 2018 12:08:19 GMT

Nope, it was a simple typo

ETA: though I must admit that it nicely correlates with "something being a treat" - because a charactertread can be, and often is, a treat!

Re: GDPR - Does anyone know of plans to create a certification

Caute_cautim — Thu, 08 Mar 2018 19:39:20 GMT

In this age of Intelligence, digital transformation and the driving demand for "trust" and verification. It might be seen to be inevitable, especially if cyber insurance organisations are becoming more involved and expect "warranties" from vendors. The demand may arise for countries, outside of the EU i.e. Cloud Providers as verification they comply with the TOMs and via contracts etc.

Caute-Cautim

Re: GDPR - Does anyone know of plans to create a certification

fortean — Thu, 08 Mar 2018 19:49:54 GMT

Excellent point! Indeed, it may be useful for non-EU based organisations willing to adhere to this new standard.

Re: GDPR - Does anyone know of plans to create a certification

Caute_cautim — Thu, 08 Mar 2018 19:56:51 GMT

@fortean wrote:
Excellent point! Indeed, it may be useful for non-EU based organisations willing to adhere to this new standard.

The reason it may be inevitable is like the case of Lloyds Bank in UK, some time back they outsourced entirely to India their back ends. More and more organisations will go for the cheapest resources, including cloud providers etc. Plus the other driver is AI, predictive analytics, Big Data and the requirement to share statistics and other related information in this digital economy.
We simply have to trust each other, in order make this information age or phase 5 - Intelligence actually work.

However, on the other side, we have the other economy, within the Dark Web, willing to exploit it and sell data records to the highest bidder etc.

Caute_Cautim

Re: GDPR - Does anyone know of plans to create a certification

fortean — Thu, 08 Mar 2018 20:17:56 GMT

Barclays is (still) an EU based organisation and hence is bound to adhere to the Law (GDPR). But even if they were not, they will most probably have to handle PI from EU 'data subjects' which reside on EU territory and as Barclays offers services - the GDPR applies.

A big question is, of course, how the EU can enforce their Laws outside the EU. However, given the economical importance of the EU, most companies will gladly adhere to the EU rules, especially if - as is the case in the UK - the culture and habits are quite similar to those of many countries in the EU.

I'm currently doing a course on the GDPR (preparing for CIPP/E, actually) and one of the students (Richard Cooke) pointed me towards this IMHO very helpful figure:

Re: GDPR - Does anyone know of plans to create a certification

fortean — Fri, 09 Mar 2018 14:00:56 GMT

A quote from the course I'm currently taking:

Certification mechanisms

Data protection certification mechanisms, seals and marks (Article 42) can also be used as evidence to demonstrate compliance with the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities and certification is issued by accredited certification bodies or competent supervisory authorities.

The general idea seems to be that these mechanisms will be used to ascertain compliancy of data processors and data controllers with the GDPR. As I stated before all and every EU based organisation SHOULD be GDPR-compliant - the GDPR is Law, after all. But many smaller and very small companies may have doubts if they really comply with the GDPR (bigger companies have law departments, controllers, internal auditors and such to guide them) and may find it re-assuring to know they are compliant within the bounds of reasonable doubt. In such situations certification bodies may issue seals of approval (certifications) that may help them.

And, as said before: it also helps to certify bodies that formally do not have to comply with the GDPR but simply want to and want some independent proof they do.

Re: GDPR - Does anyone know of plans to create a certification

mutin — Tue, 13 Mar 2018 01:43:53 GMT

Hello,

Thank you for all your replies. If you are interested in continuing the discussion (I'm always pro) then it would be better over regular email. I'm not sure if people are interested in details of our conversation.

So, our presentations reflect our style - minimal pictures and maximum information. The reason is very practical - in a case we do not publish article and/or it will be several months later we provide people as much as possible information to consider. In publications of our presentations we work closely with DeepSec and giving guys the chance to publish what they first provided the ground to present. So far they published two (actually three) or our presentations.

So, you found the draft - no, unfortunately we did not published "clean" article. And frankly, we still do not have time for. Unless DeepSec will agree to return to our presentation in question as EU faces big yet to fail event - Compliance Day.

Concerning controls and implementation. Security controls - they should be like DSS or NIST, but NOT HIPAA style. People should not scratch heads what exactly to do. It should be up to the level like "Two-Factor Authentication" and thus if a person understands the meaning then there are no other questions.

That is not going to happen to NIST Privacy Controls nor to GDPR. The implementation is very complex and in our Draft we provided an example as "framework". We may do mistakes and being somewhere incorrect in complex logic, but the most important is to show if it is possible to do and what it generally means.

If you have more questions or comments let's do over mutin@rubos.com

Thank you again for your input!!!

Mikhail

PS: we are now deeeeep in Malicious Hypervisor APT

Re: GDPR - Does anyone know of plans to create a certification

leroux — Sat, 17 Mar 2018 09:42:24 GMT

On ‎11-28-2017, I published in this GDPR Discussion the following news:

"ENISA report: Concepts and recommendations on European Data Protection Certification mechanisms"

you may perhaps read this report

Re: GDPR - Does anyone know of plans to create a certification

Caute_cautim — Sun, 18 Mar 2018 20:44:25 GMT

Thank you nice one!!

@lerouxwrote:
On ‎11-28-2017, I published in this GDPR Discussion the following news:
"ENISA report: Concepts and recommendations on European Data Protection Certification mechanisms"
you may perhaps read this report