GDPR practical info session for development

Page 1: GDPR practical info session for development

EU GENERAL DATA PROTECTION REGULATION IN 30 MINUTES

MORE PRACTICAL INFO SESSION FOR SOFTWARE DEVELOPMENT

DIRECTIVE SAYS ”WHAT”, WE NEED TO DEFINE ”HOW”

TOMI JÄRVINEN – SECURITY SPECIALIST

03/05/2023 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED.

Page 2: GDPR practical info session for development

Personal data

The definition is meant to be broad. "Personal data" is any information that someone is able to link to an individual person, directly or indirectly.

Examples: credit card number, bank statements, a medical record (even a mention of a rare disease), full name, photo, phone number, birth date, e-mail address, car number plate, physical characteristics… and the IP address.

The definition is also technology neutral. It does not matter how the personal data is stored: on paper, on any IT system, on a CCTV system, in photographs, etc.

https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf

The EU Court of Justice ruled that IP addresses are protected personal data: https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular

Page 3: GDPR practical info session for development

Roles from the legislation's point of view: Data Controller, Processor and Data Subject

Data Controller: the natural person, company, association or other entity that is factually in control of the processing of personal data and is empowered to take the essential decisions on the purposes and mechanisms of such processing, including the applicable security measures. “Who is responsible for and owns the Data Subject's information.” A processor becomes a controller if he or she uses the data for his or her own purposes, not following the instructions of a controller (think about Google and targeted advertising).

Data Processor: Directive: “The natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. Article 2(e) of the Data Protection Directive” If an organization holds or processes personal data, but does not exercise responsibility for or control over the personal data, then this organization is a "processor." Examples of processors include payroll companies, accountants and market research companies, call centres of telecom or financial companies, all of which could hold or process personal information on behalf of someone else.

Data Subject: the natural person the personal data relates to, one individual person. (Directive goal: to give the data subject full control and knowledge of how his/her personal data is stored and handled.)

Page 4: GDPR practical info session for development

GDPR says “WHAT”, it doesn’t say “HOW”

Nothing about:
» specific tools to use
» specific processes to use
» specific standards to use
» examples or templates for solutions
» best practices for development or guidelines
» actual ”privacy engineering (privacy by default)”

Specs from GDPR??

Page 5: GDPR practical info session for development

GDPR Demands (what) to system design (how)

At the moment guidelines are mostly at this level*:
» “Proactive not Reactive; Preventative not Remedial”
» “Privacy as the Default Setting”
» “Privacy Embedded into Design”
» “End-to-End Security — Full Lifecycle Protection”
» “Respect for User Privacy — Keep it User-Centric”

Not so practical or useful for system owners or application developers

* Ann Cavoukian, Ph.D., Information & Privacy Commissioner, Ontario, Canada. Privacy by Design guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf

Page 6: GDPR practical info session for development

Design principles – typical view and proposals

» Article 23 – “Data protection by design and by default”
» Minimise
  » collect only a limited set of attributes
  » select before collect
  » anonymization and pseudonyms
» Hide
  » hidden from the application view if not necessary, e.g. a technical admin's login cannot open the data content view
  » use of encryption of data (when stored or when in transit; key management -> encrypted back-ups)
» Control
  » user-centric identity management and end-to-end encryption support control
  » providing users direct control over their own personal data
» Enforce
  » a privacy policy compatible with legal requirements, and technical protection mechanisms that prevent violations of the privacy policy
» Demonstrate
  » in case of complaints or problems, controllers must immediately be able to determine the extent of any possible privacy breaches

https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design

Page 7: GDPR practical info session for development

Personal Data Flow – subcontractor management (example)

[Diagram: personal data flow between Data Subject, Aditro’s Customer and Aditro. Data Subject -> Aditro’s Customer -> Aditro (HTTPS / SSL encryption, EULA, input forms). Application server in Finland (EU); cloud based storage in USA; administration and support in India (remote connections to systems); application development partner; data analytics via API; contractor, vendor and vendor's subsidiary. Regions marked: Finland, USA, EU, India, "Outside EU/ETA". In all boxes, note: data retention (right to erasure), minimisation, agreements.]

Page 8: GDPR practical info session for development

Image: based on PrivaOn presentation

* https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)

• ”Privacy by Design” is today undefined
• Official privacy by design will be defined after precedent legal cases

[Diagram of privacy inside the application development process. Inputs: privacy requirements, security requirements, PET*, P-I-A, backlog. Stages: privacy architecture, threat analyses, security testing, implementation, auditing, certification. Operations: data access process, data retention, backups. Throughout: evidence collection for accountability, by technology (log, authentication) and by process (test reports, memos).]

Page 9: GDPR practical info session for development

Privacy inside application development process

http://privacypatterns.org/patterns/
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Guide to Privacy by Design Documentation for Software Engineers: http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF

Page 10: GDPR practical info session for development

Excerpts from GDPR (85 Articles in total)

Article 30: “appropriate organisational and technical measures”

What is appropriate organizational and technical measures?

» Article 32 “Security of processing”: “ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data”. The ability to restore the availability and access to “data in a timely manner”.
  To do: e.g. documented security implementation, credible documented fault tolerance

» Breach notification process (Article 33). For the processor: ”alert and inform controllers immediately”, no exact time in the last regulation proposal, “without undue delay”. From the controller to the data subject the time is 72 hr.
  To do: e.g. every customer agreement must have an exact time.
  No panic; communication: ”unless the personal data breach is unlikely to result in a risk” vs. “breach is likely to result in a high risk” = encryption?

Page 11: GDPR practical info session for development

Practical implementations

» Article 35 Data protection impact assessment (P-I-A)
  To do: formal risk analysis, a “privacy impact assessment” that takes data confidentiality into account.
  Applies e.g. “where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk”.

» Article 28 “Processor”: “processor shall not enlist another processor without the prior specific or general written consent of the controller”; do not transfer data without the approval of the organization originally supplying the data.
  To do: e.g. subcontractor management and contract requirements

http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data

Page 12: GDPR practical info session for development

Practical implementations

» Article 17 “right to erasure” (known as the right to be forgotten)
  To do:
  » Systems must have an option to search and delete individual user data; remove the data from the “operative level”, not from backups, logs, etc.
  » Personal data segregation (sensitive/general), retention time per data type, automated processes to delete data (e.g. 10 years in bookkeeping)
  » But no panic button needed! Note 1: ”taking account of available technology”; note 2: “data retention for compliance with a legal obligation”

» Generally, sanctioning. GDPR gives data subjects a private right of action in EU courts. Data subjects will have a right to money damages from either controllers or processors for harm caused by processing personal data. Every article has sanctions of 10/20 M€ or 2/4% of turnover. No panic here (the scale is for Google, Microsoft…).

Accountability by Design for Privacy: http://prescient-project.eu/prescient/inhalte/download/3-Butin.pdf
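The erasure and retention "to do" items above, as an added example that is not from the slides or from Aditro: a constructed retention policy per data category, an automated deletion job, and an Article 17 request handler that keeps records under a legal obligation (the slide's 10-year bookkeeping case) while deleting the rest from the operative store and writing an evidence entry. The category names, retention periods and sample records are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed sample policy (not Aditro's): retention per data category and whether a
# legal obligation blocks erasure on request (the slide's "10 years in bookkeeping").
RETENTION = {
    "profile":        {"days": None,     "legal_hold": False},  # kept until erasure request
    "support_ticket": {"days": 365,      "legal_hold": False},
    "bookkeeping":    {"days": 10 * 365, "legal_hold": True},
}
@dataclass
class Record:
    subject_id: str
    category: str
    created: date
    payload: dict
@dataclass
class OperativeStore:
    """The 'operative level' store; backups and logs are out of scope, as on the slide."""
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # evidence trail for accountability
    def erase_subject(self, subject_id: str, today: date) -> dict:
        """Art. 17 request: delete categories without legal hold, keep the rest."""
        kept, deleted, held = [], 0, 0
        for r in self.records:
            if r.subject_id != subject_id:
                kept.append(r)
            elif RETENTION[r.category]["legal_hold"]:
                kept.append(r)  # legal obligation overrides the request
                held += 1
            else:
                deleted += 1
        self.records = kept
        self.audit.append((today, "erasure_request", subject_id, deleted, held))
        return {"deleted": deleted, "held": held}
    def expire(self, today: date) -> int:
        """Automated retention job: drop records older than their category's limit."""
        def expired(r):
            days = RETENTION[r.category]["days"]
            return days is not None and today - r.created > timedelta(days=days)
        before = len(self.records)
        self.records = [r for r in self.records if not expired(r)]
        self.audit.append((today, "retention_job", None, before - len(self.records), 0))
        return before - len(self.records)
def demo(today_iso="2023-05-03"):
    """Constructed sample data: subject u1 with three categories, u2 with a profile."""
    today = date.fromisoformat(today_iso)
    store = OperativeStore([Record("u1", "profile", date(2015, 1, 1), {"name": "A"}),
                            Record("u1", "bookkeeping", date(2016, 1, 1), {"invoice": 1}),
                            Record("u1", "support_ticket", date(2016, 1, 1), {"text": "x"}),
                            Record("u2", "profile", date(2015, 1, 1), {"name": "B"})])
    expired = store.expire(today)              # u1's old support ticket goes first
    result = store.erase_subject("u1", today)  # profile deleted, bookkeeping held
    return {"expired": expired, **result, "remaining": len(store.records)}
```

Once the bookkeeping record passes its 10-year limit, the retention job removes it too, so a later request finds nothing held.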

Page 13: GDPR practical info session for development

Practical implementations

» Article 14 “Right of access for the data subject (‘s personal data)”: the data subject shall have the right to obtain “… are being processed, where processed, purpose of processing…”, “the recipients or categories of recipients to whom the personal data have been or will be disclosed”.
  To do: log management. At the moment no one knows the exact requirements; after 2018, after the first legal cases, there will be final answers. But good educated guesses can be made. Customers will be asking for “all” to be sure. Big questions: what is a recipient, a single person or an organization? Only data content?

» Article 22: ”be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”
  To do: evidence* of information security: updated systems, modern firewall, malware protection, documentation, formal documented risk management, ISMS, ISO 27001; demonstrate somehow to be compliant

http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data


Page 15: GDPR practical info session for development

The Fines

» The GDPR has increased fines for both data controllers and data processors who are prosecuted for data protection breaches: between 2% and 4% of global annual turnover.

» Fines can be levied for an infringement of the data controller’s or data processor’s obligations under the GDPR and not just for data security breaches.

» NOTE: fines will be based upon the seriousness of the infringement and the circumstances of the case, including (next slide):

Page 16: GDPR practical info session for development

“Circumstances”

» The nature, gravity and duration of the infringement
» The purpose of the processing concerned
» The number of data subjects affected
» The level of damage suffered by data subjects (including infringement of their rights)
» Whether the infringement was intentional or negligent
» Any action taken by the controller or processor to mitigate the damage suffered by data subjects
» The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented
» Any relevant previous infringements
» The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
» The categories of personal data affected by the infringement
» The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and if so, to what extent
» Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
» Whether approved codes of conduct or approved certification mechanisms were in place
» Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement
» Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place.

These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital. Organisational measures include the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and maintained.

* The controller will need to define 'high risk' and, in the event of doubt, seek prior approval for the processing from the supervisory authority.