There has been talk about certification, but does anyone know if there are serious plans to go down this route?
I am aware that BS 10012:2017 Personal Information Management System is possibly the best option in the short term - interested in your thoughts.
Nope, it was a simple typo
ETA: though I must admit that it nicely correlates with "something being a treat" - because a character trait can be, and often is, a treat!
In this age of Intelligence, digital transformation and the driving demand for "trust" and verification, it might be seen to be inevitable, especially if cyber insurance organisations are becoming more involved and expect "warranties" from vendors. The demand may arise for countries outside of the EU, i.e. Cloud Providers, as verification that they comply with the TOMs, via contracts etc.
Caute-Cautim
Excellent point! Indeed, it may be useful for non-EU based organisations willing to adhere to this new standard.
@fortean wrote: Excellent point! Indeed, it may be useful for non-EU based organisations willing to adhere to this new standard.
The reason it may be inevitable is, like the case of Lloyds Bank in the UK, that some time back they outsourced their back ends entirely to India. More and more organisations will go for the cheapest resources, including cloud providers etc. Plus the other driver is AI, predictive analytics, Big Data and the requirement to share statistics and other related information in this digital economy.
We simply have to trust each other in order to make this information age or phase 5 - Intelligence - actually work.
However, on the other side, we have the other economy, within the Dark Web, willing to exploit it and sell data records to the highest bidder etc.
Caute_Cautim
Barclays is (still) an EU based organisation and hence is bound to adhere to the Law (GDPR). But even if they were not, they will most probably have to handle PI from EU 'data subjects' which reside on EU territory and as Barclays offers services - the GDPR applies.
A big question is, of course, how the EU can enforce their Laws outside the EU. However, given the economic importance of the EU, most companies will gladly adhere to the EU rules, especially if - as is the case in the UK - the culture and habits are quite similar to those of many countries in the EU.
I'm currently doing a course on the GDPR (preparing for CIPP/E, actually) and one of the students (Richard Cooke) pointed me towards this IMHO very helpful figure:
A quote from the course I'm currently taking:
Data protection certification mechanisms, seals and marks (Article 42) can also be used as evidence to demonstrate compliance with the GDPR. Certification is voluntary and available via a transparent process. Criteria for certification are approved by competent supervisory authorities and certification is issued by accredited certification bodies or competent supervisory authorities.
The general idea seems to be that these mechanisms will be used to ascertain the compliance of data processors and data controllers with the GDPR. As I stated before, each and every EU based organisation SHOULD be GDPR-compliant - the GDPR is Law, after all. But many smaller and very small companies may have doubts about whether they really comply with the GDPR (bigger companies have law departments, controllers, internal auditors and such to guide them) and may find it reassuring to know they are compliant within the bounds of reasonable doubt. In such situations certification bodies may issue seals of approval (certifications) that may help them.
And, as said before: it also helps to certify bodies that formally do not have to comply with the GDPR but simply want to and want some independent proof they do.
Hello,
Thank you for all your replies. If you are interested in continuing the discussion (I'm always pro), then it would be better over regular email. I'm not sure if people are interested in the details of our conversation.
So, our presentations reflect our style - minimal pictures and maximum information. The reason is very practical - in case we do not publish an article, and/or it comes several months later, we provide people with as much information as possible to consider. In publishing our presentations we work closely with DeepSec, giving them the chance to publish what they first provided the ground to present. So far they have published two (actually three) of our presentations.
So, you found the draft - no, unfortunately we did not publish a "clean" article. And frankly, we still do not have time for it. Unless DeepSec agrees to return to our presentation in question, as the EU faces a big, yet-to-fail event - Compliance Day.
Concerning controls and implementation. Security controls - they should be like DSS or NIST, but NOT HIPAA style. People should not scratch their heads about what exactly to do. It should be at the level of "Two-Factor Authentication", so that if a person understands the meaning then there are no other questions.
That is not going to happen with the NIST Privacy Controls nor with the GDPR. The implementation is very complex, and in our Draft we provided an example as a "framework". We may make mistakes and be incorrect somewhere in the complex logic, but the most important thing is to show whether it is possible to do and what it generally means.
If you have more questions or comments, let's do it over mutin@rubos.com
Thank you again for your input!!!
Mikhail
PS: we are now deeeeep in Malicious Hypervisor APT
On 11-28-2017, I published in this GDPR Discussion the following news:
"ENISA report: Concepts and recommendations on European Data Protection Certification mechanisms"
you may perhaps read this report
Thank you, nice one!!
@leroux wrote: On 11-28-2017, I published in this GDPR Discussion the following news:
"ENISA report: Concepts and recommendations on European Data Protection Certification mechanisms"
you may perhaps read this report