If people entrust your company with their personal data, it is your responsibility to protect it. GDPR provides a good framework even if it doesn’t apply in your geography.
Below is a list of things you can do, in no particular order, which I use as a cheat sheet when starting a data protection programme in a company.
Make an inventory of all personal data you hold. Know (and document) what and how you collect, why you collect it, who you share it with and where and how long it is being stored.
Honour the rights of individuals
Develop comprehensive processes to support data subject access requests (right to be informed through consent and notice, right to access and data portability, right to erasure, etc.).
Privacy and security by design
Build privacy, compliance and data protection considerations into product development, with regular review and testing. Minimise the data you collect and don’t store it beyond what is necessary.
Technical security measures
Implement technical controls to protect customer data, for example access control, encryption, logging and monitoring.
Processes for breach response
Establish an end-to-end incident identification and response process to handle security and privacy incidents as part of the broader security strategy.
Awareness and training
Provide data protection and privacy training for staff. Extra points for regular bespoke education and awareness sessions addressing topical issues.
Data Protection Officer
Appoint a data protection officer and get legal support. Perform data identification and classification. Make conducting privacy impact assessments on new projects a habit. Involve relevant stakeholders.
Get on top of data protection addendums to agreements, vendor management, client consent management and cross-border transfer agreements.
I’m proud to be one of the contributors to the newly published Cyber Security: Law and Guidance book.
Although the primary focus of this book is on the cyber security laws and data protection, no discussion is complete without mentioning who all these measures aim to protect: the people.
I draw on my research and practical experience to present a case for the new approach to cyber security and data protection placing people in its core.
Check it out!
What is GDPR?
The General Data Protection Regulation (GDPR) is a new European legislation intended to strengthen personal data protection for European citizens and harmonise personal data protection rules within the European Union. GDPR replaces the 1998 EU Data Protection Directive and the national laws that implemented this Directive. GDPR becomes the law in all EU Member States without the need for further legislation, though in some areas, Member States are allowed to adopt further specific laws on certain topics, for example, in relation to biometric data and employment data.
What is personal data?
Personal data is defined as any information relating to an identified or identifiable living individual. For example, your name, date of birth, home address, personal email address, your tax identification number, fingerprints, phone number, performance data and medical information are all personal data, but it can also be any combination of data that can identify you.
What rights do individuals have?
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
You can find out more on the ICO website. Companies receive the majority of requests in relation to the right to access and right to be forgotten.
What is the Right of Access?
A data subject access request is when an individual requests to have access to their personal data stored by the company. The purpose of the right to access personal data is to enable individuals to be in control of their own personal data (e.g. understand what personal data is processed and verify the lawfulness of processing).
All personal data which is being processed will need to be provided to the data subject, with a few exceptions to protect the data rights of other individuals and commercial secrets. In some cases, where the relevant systems provide for this, the right of access can be complied with by self-service by the data subject.
What is the Right to be Forgotten?
A data subject may make a request for the right to erasure, also known as the right to be forgotten. The right to be forgotten applies when: the individual has withdrawn consent, the data was processed unlawfully, or the data must be erased to comply with a legal obligation. Only those data items are forgotten for which the company has no legal basis (e.g. tax, accounting, employment, legal, etc.) or business purpose to retain them.
The extent to which data can be erased depends on the nature of the personal data. For example, an employee cannot request that the fact that he or she worked at the company be deleted. When a data subject enacts their right to be forgotten, their personal data needs to be either deleted or anonymised such that it can no longer be linked back to the individual.
How to automate responding to data subject requests
Below is a high-level diagram of the solution that automates the processes that need to be carried out to comply with the regulation.
This includes collecting data from different systems in order to fulfil a Subject Access Request and instructing systems to delete/anonymise data as part of a Right to be Forgotten request.
Process automation requires that asset inventories and data flows are first documented and personal data processing systems are identified.
The solution then integrates with system APIs and orchestrates data subject requests. It allows the operator (data privacy team) to generate a consumable report and carry out necessary identity verification checks before responding to the request. It also enables the operator to customise the report if needed.
This approach ensures personal data is collected or removed from all the systems in scope and accelerates the process of responding to the requestor within the 30-day period.
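One way the orchestration described above can be expressed in code. This is an added example, not the solution from the post: the system connectors, the per-record retention flags and the sample CRM/HR data are all hypothetical and constructed here; the point is that a Subject Access Request collects from every system in the inventory, a Right to be Forgotten request deletes only what has no legal basis to be kept, and nothing is dispatched before the operator has verified the requester’s identity.

```python
from __future__ import annotations
from dataclasses import dataclass
import secrets

@dataclass
class Record:
    field: str
    value: str
    retention_basis: str | None = None  # e.g. "employment": legal basis, must be retained
    keep_anonymised: bool = False       # needed for statistics, but unlinked from the person

class SystemConnector:
    """Hypothetical stand-in for the API of one system listed in the asset inventory."""
    def __init__(self, name: str, store: dict[str, list[Record]]):
        self.name, self.store = name, store
    def export(self, subject_id: str) -> list[tuple[str, str]]:  # Subject Access Request
        return [(r.field, r.value) for r in self.store.get(subject_id, [])]
    def forget(self, subject_id: str) -> dict[str, list[str]]:  # Right to be Forgotten
        outcome: dict[str, list[str]] = {"retained": [], "anonymised": [], "deleted": []}
        for rec in self.store.pop(subject_id, []):
            if rec.retention_basis:        # legal basis: keep it, still linked to the person
                self.store.setdefault(subject_id, []).append(rec)
                outcome["retained"].append(rec.field)
            elif rec.keep_anonymised:      # re-key under a random token that cannot be linked back
                self.store.setdefault(secrets.token_hex(8), []).append(rec)
                outcome["anonymised"].append(rec.field)
            else:                          # no basis to keep it: delete
                outcome["deleted"].append(rec.field)
        return outcome

class DsarOrchestrator:
    def __init__(self, inventory: list[SystemConnector]):
        self.inventory = inventory         # every system identified as processing personal data
    def _check(self, identity_verified: bool) -> None:
        if not identity_verified:          # operator verifies the requester before anything is sent
            raise PermissionError("requester identity not verified")
    def access_report(self, subject_id: str, identity_verified: bool) -> dict[str, list]:
        self._check(identity_verified)
        return {s.name: s.export(subject_id) for s in self.inventory}
    def right_to_be_forgotten(self, subject_id: str, identity_verified: bool) -> dict[str, dict]:
        self._check(identity_verified)
        return {s.name: s.forget(subject_id) for s in self.inventory}

def build_sample_inventory() -> list[SystemConnector]:
    """Constructed sample data: a CRM and an HR system both holding data about subject 'u42'."""
    crm = SystemConnector("crm", {"u42": [Record("email", "a@example.com"),
                                          Record("newsletter_clicks", "17", keep_anonymised=True)]})
    hr = SystemConnector("hr", {"u42": [Record("employment_dates", "2015-2018", "employment"),
                                        Record("home_address", "1 Main St")]})
    return [crm, hr]
```

The `forget` outcome per system is what the operator would fold into the consumable report before replying to the requestor.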
Have you seen security controls being implemented just to comply with legal and regulatory requirements? Just like this fence. I’m sure it will pass all the audits: it is functioning as designed, it blocks the path (at least on paper) and it has a bright yellow colour just as specified in the documentation. But is it fit for purpose?
It turns out that many security problems arise from this eager drive to comply: if the regulator needs a fence – it will be added!
Sometimes controls are introduced later, when the project is well past the design stage. It may be that they simply no longer align with the real world.
Safety measures, unfortunately, are no exception. The solution may be poorly designed, but more often safety requirements are added later on, with an implementation that is not fit for purpose.
The same holds for privacy. Privacy professionals encourage adopting the Privacy by Design principle. Was it considered in the image below?
Oxford dictionary defines gamification as the application of typical elements of game playing (e.g. point scoring, competition with others, rules of play) to other areas of activity to encourage engagement with a product or service:
Bringing an element of fun helps to achieve lasting change in human behaviour, as demonstrated by The Fun Theory project. Here are some videos to get an idea how gamification can drive behavioural change to address social and business challenges:
Gamification can also be a powerful learning tool when applied to information security.
For example, CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.
In its interactive environment, CyberCIEGE covers significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade-offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.
CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms. It includes identity management components such as biometric scanners and authentication servers. Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems. Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.
Cybersecure: Your Medical Practice is another example of using gamification to educate people, this time in the context of HIPAA regulation compliance.
This web-based security training module uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice. Users choosing the right response earn points and see their virtual medical practices flourish. But users making the wrong security decisions can hurt their virtual practices. In this version, the wrong decisions lead to floods, server outages, fire damage and other poor outcomes related to a lack of contingency planning.
Gamification can also be applied in user awareness training to change the behaviour of users in the organisation. One instance of this might be helping users recognise phishing links.
Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
User studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Studies demonstrate that Anti-Phishing Phil is an effective approach to user education.
There is a free online course on gamification available. This course will teach you the mechanisms of gamification, why it has such tremendous potential, and how to use it effectively.
In the face of cyber attacks managing to breach industries as diverse as multimedia giants, global retailers and online social networks, the importance of securing our personal information has never been more in the spotlight. The growing demand to address these risks has been recognized across the information security field, and I was recently given the opportunity to participate in the launch of my firm’s own global privacy service line.
During this launch, I was lucky enough to meet many experienced privacy practitioners from all over the world, including New Zealand, South Africa, Japan and the USA. These security professionals generously shared their insights with me, based on their diverse experiences and individual challenges. Interestingly, I discovered that although privacy legislation varies country-by-country, the basic principles remain the same.
I was able to attend multiple interactive workshops, in which I learned how to perform privacy impact and maturity assessments. The week concluded with the IAPP Foundation and other certifications.
The experience I gained with data protection laws and the knowledge I obtained during these training sessions helped me to successfully obtain the Certified Information Privacy Manager and Certified Information Privacy Technologist credentials. These certifications will allow me to demonstrate my knowledge and skills and bring value to this truly exciting security arena.
Imagine a fridge that can tell when the food inside it is going off, or an oven that can cook food automatically. A world of everyday items, all smart, all connected – that’s the Internet of Things.
But is this a force for good – or for evil? Do the sacrifices we’ll have to make in terms of privacy and security outweigh the potential benefits?
I shared my view in the KPMG SLAT video.