<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR) in Privacy</title>
    <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/525#M8</link>
    <description>&lt;P&gt;Great summary. Thank you. GDPR is specifically calling out the monitoring/tracking and profiling aspect. I am sure this will impact most organizations using Google Analytics and other tools to gather more stats on page views, time spent in each page, etc. The cookies used in this case may not "identify" data subjects by their IDs but do identify the data subjects by their organization, geo location, etc. Any idea on whether a specific consent has to be obtained for this monitoring? For example, as a Data Processor, the data subject may consent to the use of cookies at the processor's site. But then how about the use of the third party cookies? Any idea whether a special consent has to be obtained for each such third party or the Data Processor can combine them into their own cookie policy by identifying the third parties explicitly or implicitly? Thanks in advance.&lt;/P&gt;</description>
    <pubDate>Sun, 08 Oct 2017 17:20:26 GMT</pubDate>
    <dc:creator>2012</dc:creator>
    <dc:date>2017-10-08T17:20:26Z</dc:date>
    <item>
      <title>Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/169#M6</link>
      <description>&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV class="container"&gt;&lt;DIV class="pkg"&gt;&lt;DIV class="row"&gt;&lt;DIV&gt;&lt;DIV class="pkg"&gt;&lt;DIV&gt;&lt;DIV class="pkg"&gt;&lt;DIV class="entry-category-confidentiality entry-category-current_affairs entry-category-government_ entry-category-legal entry-category-privacy entry-category-risk entry-author-isc_management entry-type-post entry"&gt;&lt;DIV class="entry-inner"&gt;&lt;DIV class="entry-content"&gt;&lt;DIV class="entry-body"&gt;&lt;P&gt;The (ISC)²&amp;nbsp;EMEA Advisory Council GDPR Task Force has published an &lt;SPAN class="asset  asset-generic at-xid-6a00e54f109b67883401b8d258d5c6970c img-responsive"&gt;&lt;A href="http://blog.isc2.org/files/getting-started-on-the-basics-the-eu-general-data-protection-regulation-gdpr.pdf" target="_blank"&gt;overview of the basics&lt;/A&gt;&lt;/SPAN&gt; that can be used as a tool to help everyone understand and communicate the scope of what is required.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;P&gt;This document was prepared by members of the (ISC)2 EMEA Advisory Council GDPR Task Force. Lead Contributors: Yves Le Roux, CISSP, CISM; Paul Lanois, CCSK, CIPM, CIPT, CIPP (A, E, US and C), FIP, CISMP and LLM.&lt;BR /&gt;Reviewed by Dr. Adrian Davis, MBA, FBCS CITP, CISSP; Sam Berger, CISSP; Michael Christensen, CISSP, CSSLP, CISM, CRISC, CIS LI, EU-GDPR-P; CCM, CCSK, CPSA, ISTQB, PRINCE2, ITIL, COBIT5; Ramon Codina, CISSP; Santosh Krishna Putchala, CISSP&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 08:17:47 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/169#M6</guid>
      <dc:creator>leroux</dc:creator>
      <dc:date>2023-10-09T08:17:47Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/218#M7</link>
      <description>&lt;P&gt;This is great.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;May I ask if you know how I could get involved and be on the, "&lt;SPAN&gt;(ISC)&lt;/SPAN&gt;&lt;SPAN&gt;2 &lt;/SPAN&gt;&lt;SPAN&gt;EMEA Advisory Council GDPR Task Force"?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I am based in Hong Kong and GDPR is one of the key focus areas of my current work (as well as China Cyber Security Law) and it is impacting many international organizations around the world. &amp;nbsp;I have also presented this topic and cyber security at ISACA's Chapter, and hosted several GDPR events with the company I work for.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Would love to hear from you, to see how I could contribute / assist from an "Asia Pacific" perspective.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Jason Lau&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;CISSP, CGEIT, CRISC, CISM, CISA, CEH, CNDA, CSM, ITIL&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.linkedin.com/in/jasonwklau/" target="_blank"&gt;https://www.linkedin.com/in/jasonwklau/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 13:26:22 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/218#M7</guid>
      <dc:creator>jasonlau88</dc:creator>
      <dc:date>2017-10-08T13:26:22Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/525#M8</link>
      <description>&lt;P&gt;Great summary. Thank you. GDPR is specifically calling out the monitoring/tracking and profiling aspect. I am sure this will impact most organizations using Google Analytics and other tools to gather more stats on page views, time spent in each page, etc. The cookies used in this case may not "identify" data subjects by their IDs but do identify the data subjects by their organization, geo location, etc. Any idea on whether a specific consent has to be obtained for this monitoring? For example, as a Data Processor, the data subject may consent to the use of cookies at the processor's site. But then how about the use of the third party cookies? Any idea whether a special consent has to be obtained for each such third party or the Data Processor can combine them into their own cookie policy by identifying the third parties explicitly or implicitly? Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 17:20:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/525#M8</guid>
      <dc:creator>2012</dc:creator>
      <dc:date>2017-10-08T17:20:26Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/588#M9</link>
      <description>&lt;P&gt;This is a really good, punchy paper that lays out the implications of the GDPR very nicely. It's also helpful that it comes with the (ISC)2 imprimatur rather than that of an organisation that has a related product or service to sell. Thank you - I shall be putting it to use.&lt;/P&gt;</description>
      <pubDate>Sun, 08 Oct 2017 19:07:44 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/588#M9</guid>
      <dc:creator>TimG</dc:creator>
      <dc:date>2017-10-08T19:07:44Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/605#M10</link>
      <description>Has anyone experience of applying privacy threat models, I have seen LINDDUN referenced but haven't seen an application of it.&lt;BR /&gt;&lt;A href="https://linddun.org/" target="_blank"&gt;https://linddun.org/&lt;/A&gt;</description>
      <pubDate>Sun, 08 Oct 2017 19:50:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/605#M10</guid>
      <dc:creator>Robert</dc:creator>
      <dc:date>2017-10-08T19:50:13Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/757#M11</link>
      <description>&lt;P&gt;Consent is required for the likes of Google Analytics but this is under the e-Privacy directive. With cookies I think this directive takes precedence over the Electronic Communications Directive. The e-Privacy directive will be a regulation roughly at the same time as the GDPR if the EU has its way...&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 08:28:06 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/757#M11</guid>
      <dc:creator>SteveE</dc:creator>
      <dc:date>2017-10-09T08:28:06Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/912#M12</link>
      <description>&lt;P&gt;I also echo&amp;nbsp;&lt;SPAN class=""&gt;jasonlau88's request to see if I could be added to the "&lt;SPAN&gt;(ISC)2 EMEA Advisory Council GDPR Task Force" or participate in discussions.&amp;nbsp; I work for a global cloud-based company that is working to comply with the GDPR as well and would love to work with the group to determine how to approach this regulation.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 16:29:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/912#M12</guid>
      <dc:creator>briandrutledge</dc:creator>
      <dc:date>2017-10-09T16:29:26Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/957#M13</link>
      <description>&lt;P&gt;As a service to the Dutch and Flemish communities I prepared a Dutch translation, which I gladly will post wherever the authors feel it is appropriate. Authors, please contact me for further details so we can make arrangements.&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2017 19:10:18 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/957#M13</guid>
      <dc:creator>fortean</dc:creator>
      <dc:date>2017-10-09T19:10:18Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1004#M14</link>
      <description>&lt;P&gt;If you quoted the origin, the GDPR Task Force has decided to authorize any use of this paper for (ISC)² chapters. Consequently, any translation will be appreciated...&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 06:53:14 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1004#M14</guid>
      <dc:creator>leroux</dc:creator>
      <dc:date>2017-10-10T06:53:14Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1005#M15</link>
      <description>&lt;P&gt;It may be interesting to have an open discussion upon GDPR Implementations in this community....&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 06:54:53 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1005#M15</guid>
      <dc:creator>leroux</dc:creator>
      <dc:date>2017-10-10T06:54:53Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1056#M16</link>
      <description>&lt;P&gt;Ah, yes, of course I mentioned the origin.&amp;nbsp; Oddly enough we don't seem to have an upload facility here, or I would have uploaded the document here for further review. I will see if we can get the document posted on our chapter's website, and we may mail it to our chapter members. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 10 Oct 2017 15:09:20 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1056#M16</guid>
      <dc:creator>fortean</dc:creator>
      <dc:date>2017-10-10T15:09:20Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1227#M17</link>
      <description>&lt;P&gt;Agreed, an open discussion here on GDPR implementation would be great.&lt;/P&gt;</description>
      <pubDate>Thu, 12 Oct 2017 15:25:57 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1227#M17</guid>
      <dc:creator>planois</dc:creator>
      <dc:date>2017-10-12T15:25:57Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1228#M18</link>
      <description>&lt;P&gt;Any "open" discussion tends to get unfocused and hence of limited value. So, perhaps we should intentionally limit the discussion somewhat to certain aspects of the GDPR, or implementation for certain types of organisations?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 12 Oct 2017 15:31:10 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1228#M18</guid>
      <dc:creator>fortean</dc:creator>
      <dc:date>2017-10-12T15:31:10Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1268#M19</link>
      <description>&lt;P&gt;Dear Heinrich,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That would be welcome and we are very glad for your support!&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Lea&lt;/P&gt;</description>
      <pubDate>Fri, 13 Oct 2017 09:39:59 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1268#M19</guid>
      <dc:creator>Lea_Friend</dc:creator>
      <dc:date>2017-10-13T09:39:59Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1269#M20</link>
      <description>&lt;P&gt;Okay, so to kick things off: the GDPR is probably a "hot" topic for most bigger companies / organisations. They will mostly have resources to implement the GDPR. But how about the smaller organisations? How can we, the (ISC)2 community, help them to adhere to the new rules?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Some challenges I can imagine that those small(er) companies have w/regard to the GDPR:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;limited knowledge and not much funds to hire specialists&lt;/LI&gt;&lt;LI&gt;they are probably hampered in finding specialists anyway. Firstly, we have a huge shortage on the market. So, if smaller companies actually consider hiring a specialist - well, most of them will be employed by the larger companies. Let's be brutally honest here: if I had to choose between being the (ad interim?) DPO / (C)SO for a top-500 company that pays, let's say, 200 credits per hour, or the DPO for a smaller company that just can afford to pay me 100 credits per hour, I would probably pick the top-500 company, as it pays better, comes with more responsibilities and offers a better perspective for interesting work.&lt;/LI&gt;&lt;LI&gt;limited knowledge also may imply they can not really judge the quality of the specialists they hire - and properly certified specialists may be too costly for them, so chances are they'll end up with a lesser god;&lt;/LI&gt;&lt;LI&gt;the illusion that it does not matter to them.&amp;nbsp; "We're a small company. So, okay, we deal with a lot of privacy related information, but we don't make much money, they'll go for the big fish first."&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;some may not even be aware of the GDPR! We, information security specialists may find that hard to believe, but I've seen some examples..&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;If you think there are more risks to consider, list them here. 
Also, I'd like to hear your opinions and perhaps we might discuss some solutions.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Oct 2017 10:09:57 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1269#M20</guid>
      <dc:creator>fortean</dc:creator>
      <dc:date>2017-10-13T10:09:57Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1389#M29</link>
      <description>&lt;P&gt;I agree with Heinrich and would also add that there is a lot of fearmongering started by "privacy experts" with little or no experience in privacy or information security. I lost count of the number of such "experts" selling their "expertise", yet when you check their background profile, they do not have any experience in privacy or information security: too many of such "experts" were actually, not even 3 months ago, business development managers or salespersons...&lt;/P&gt;</description>
      <pubDate>Wed, 18 Oct 2017 00:41:26 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1389#M29</guid>
      <dc:creator>planois</dc:creator>
      <dc:date>2017-10-18T00:41:26Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1592#M30</link>
      <description>&lt;P&gt;I have been working at a small NGO managing a website where personal information of individuals giving money online and third-party Google Analytics software is installed. With a team of less than five individuals in the IT/communications department, implementing the GDPR was a constant pain that we still had not figured out how to become and remain compliant. The discussions here might help.&lt;/P&gt;</description>
      <pubDate>Thu, 26 Oct 2017 09:53:41 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1592#M30</guid>
      <dc:creator>mganga2k</dc:creator>
      <dc:date>2017-10-26T09:53:41Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1601#M31</link>
      <description>&lt;P&gt;&lt;SPAN&gt;A good paper, which takes a complex regulation and presents it simply.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I would like to comment on a couple of points:&amp;nbsp; It is stated that:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM&gt;“It will become mandatory (Article 33 of the GDPR) for an organisation to report any data breach to its &lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM&gt;DPA within 72 hours of becoming aware of it”.&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;It should be noted that the Data Controllers should conduct an assessment of the impact on the data subjects, and if there is no&lt;STRONG&gt; IMPACT&lt;/STRONG&gt;, they do not need to report the data breach. For example, if, say, a laptop is lost that contains personal data, that is a data breach. If however the laptop has appropriate encryption, GDPR deems that there will be no impact to the data subjects, and as such the breach does not need to be reported.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The section on the data register quotes the regulation as saying the register must include:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM&gt;“The name and contact details of the controller and, where applicable, the joint controller, the &lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&lt;EM&gt;controller's representative and the data protection officer”.&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;The phrase &lt;STRONG&gt;&lt;EM&gt;“where applicable”&lt;/EM&gt;&lt;/STRONG&gt; should be emphasised, as not all organisations are required to have a Data Protection Officer (DPO). 
Without getting bogged down in details, there are many liabilities to having a Data Protection Officer, and if an organisation wanted to have one man in charge, then my suggestion would be now, with GDPR, to give him any title you wish, except calling him the Data Protection Officer.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This rather brings me to agreeing with &lt;U&gt;&lt;A href="https://community.isc2.org/t5/user/viewprofilepage/user-id/968044487" target="_blank"&gt;planois&lt;/A&gt; &lt;/U&gt;and &lt;/SPAN&gt;Heinrich, that quality of resource is an issue, but in some ways “Privacy Professionals” may not offer the complete skillset necessary to implement GDPR.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Consider the reality that in 1984 when the Data Protection Act (DPA) was written into UK law, there was not a lot of computer data about. Organisations by and large regarded the DPA as the digital equivalent to Health&amp;amp;Safety, and I remember, when I first conducted such a project, the absence of executive support. Consequently DPOs were appointed with no real authority to engage their businesses. Even when the EU directive in 95 caused the UK to roll the 84 Act and the 87 Access to Files Act into, what was to become the so-called 98 Act, little really changed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In my opinion, to implement GDPR compliance, requires a knowledge of GDPR, a knowledge of information security, a knowledge of business continuity, and a knowledge of data architecture, and Privacy Enhanced Technologies (PETS). 
As this is not likely to be found in one person, the real requirement is excellence in Project and/or Programme management in general, and transformation project management in particular, and only after Executive support is gained.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John McGill&lt;/P&gt;</description>
      <pubDate>Thu, 26 Oct 2017 10:12:47 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1601#M31</guid>
      <dc:creator>EUGDPR</dc:creator>
      <dc:date>2017-10-26T10:12:47Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1617#M32</link>
      <description>&lt;P&gt;I have read so much about the &lt;SPAN&gt;EU General Data Protection Regulation (GDPR) and its coming into effect in May 2018. It appears this is specifically for Europeans (I stand to be corrected). My question is: what role does this play for Africa, if it might affect it at all?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 26 Oct 2017 10:35:50 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1617#M32</guid>
      <dc:creator>Sholaremu</dc:creator>
      <dc:date>2017-10-26T10:35:50Z</dc:date>
    </item>
    <item>
      <title>Re: Getting Started on the Basics: The EU General Data Protection Regulation (GDPR)</title>
      <link>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1632#M33</link>
      <description>&lt;DIV class="lia-message-author-with-avatar"&gt;&lt;P&gt;Sholaremu,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The General Data Protection Regulation (GDPR) is focused on the rights to privacy of any living person in the European Union.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Simplistically, if any organisation, worldwide, wants to do business with the EU, it must comply with GDPR.&lt;/P&gt;&lt;P&gt;Additionally, any organisation which processes personal data pertaining to a living individual in the EU, must comply with GDPR. The term “processes” can just mean that it stores that data.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;John McGill&lt;/P&gt;&lt;SPAN class="UserName lia-user-name lia-user-rank-Viewer-II lia-component-message-view-widget-author-username"&gt;&lt;A href="https://community.isc2.org/t5/user/viewprofilepage/user-id/848949281" target="_self"&gt;&lt;SPAN class=""&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/SPAN&gt;&lt;/DIV&gt;</description>
      <pubDate>Thu, 26 Oct 2017 11:01:34 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Privacy/Getting-Started-on-the-Basics-The-EU-General-Data-Protection/m-p/1632#M33</guid>
      <dc:creator>EUGDPR</dc:creator>
      <dc:date>2017-10-26T11:01:34Z</dc:date>
    </item>
  </channel>
</rss>

