A SPECIAL EDITION BY
CYBER WORLD GDPR
THE STORM IS COMING 1 YEAR TO GO - THE EXPERTS SPEAK
Giovanni Buttarelli, European Data Protection Supervisor, EU
Dr Simon Rice, Information Commissioner’s Office (ICO)
Jonathan Armstrong, Cordery
Chris Gould, Secgate
John Culkin, Crown Records Management
Ivan Blesa, Secgate
Emma Butler, Yoti
Yasmin Durrani, Zurich Insurance UK
Domini Clark, Blackmere Consulting
Roger Poole, Secgate
Tomas Pluharik, Deloitte Central Europe
Hello. We are proud to announce the first Special Edition of Cyber World, focused exclusively on the upcoming EU General Data Protection Regulation (GDPR). With the GDPR coming into force in May 2018, just over a year from now, we have invited leading experts from diverse backgrounds, including from law firms, regulatory authorities, consultancies, recruitment firms and from industry to provide their insights into the GDPR. Their analyses and expert opinions have been sought to shed light on what the GDPR consists of, what it means for organisations, consumers as well as for information security and data protection professionals, and what challenges and opportunities the GDPR will bring. We present exclusive articles and analyses from Giovanni Buttarelli, the European Data Protection Supervisor; Dr Simon Rice, Technology Group Manager at the Information Commissioner’s Office (ICO), Jonathan Armstrong, Partner at the compliance law firm Cordery; Chris Gould, Head of Consulting at Secgate; John Culkin, Director of Information Management Services at Crown Records Management; Emma Butler, Data Protection Officer at Yoti; Yasmin Durrani, Data Protection Officer at Zurich Insurance in the UK; Tomas Pluharik, Security Consultant at Deloitte Central Europe; Roger Poole, Head of Information Governance at Secgate; and Domini Clark, Managing Principal at Blackmere Consulting. We also have articles on ‘If Captain Sully was a CEO’ and ‘GDPR Becomes Law, But Bigger Changes Lie Ahead’ as well as a product review entitled ‘The Fight Against Cyber Risk And The Birth Of A New Weapon’. We would like to thank all our contributors for their insightful contributions, and our Readers for making our magazine a great success. We hope you enjoy this Special Edition, and that it is of use to you and your organisation, and please feel free to share our magazine with colleagues and friends. As always, your comments and feedback are very welcome.
Laith Gharib, Managing Director
MAY 2017 • 2
The Six Principles Behind GDPR Giovanni Buttarelli
About the Author: Mr. Giovanni Buttarelli has been European Data Protection Supervisor since December 2014. He was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 for a term of five years. He previously served as Assistant EDPS, from January 2009 until December 2014. Before joining the EDPS, he worked as Secretary General to the Italian Data Protection Authority, a position he occupied between 1997 and 2009. A member of the Italian judiciary with the rank of Cassation judge, he has attended to many initiatives and committees on data protection and related issues at international level.
The European Union opened a new chapter for data protection in 2015. After almost four years of intense negotiation and public debate, the General Data Protection Regulation (GDPR) was adopted in April 2016. We are now on track to change data protection for the next generation.

The GDPR reinforces a wide range of existing rights, and establishes new ones for individuals. It is fundamental to find new ways of applying data protection principles to the latest technologies, and the cooperation of businesses is crucial in order to achieve this goal.

The GDPR comes into force on 25 May 2018, and preparations for ensuring compliance require close attention. The new regulation sets out the need for a solid data protection policy for firms working within the EU. Such measures include, among others: adequate documentation on what personal data is processed, how, for what purpose, and for how long; documented processes and procedures; tackling data protection issues at an early stage when building information systems; responding to a data breach; and the presence of a Data Protection Officer integrated into the organisation.

The GDPR aims to entrench privacy on the ground, and allows different sectors to contribute to new norms and best practices appropriate to specific circumstances. The GDPR also aims to make it easier for companies operating within EU borders to comply with data protection policies.

SIX GENERAL PRINCIPLES

There are six general principles in the regulation that have to be respected when processing personal data: fairness; purpose limitation; data minimisation; accuracy; storage limitation and security.

protection. In fact it is an enabler of data protection.

(Information) security provides organisations with control: control to actually behave as they want even in the presence of external factors or threats. It is not a new principle and has always been based, as in any security framework, on the implementation of a mature risk management process. (More information on information security and data protection can be found in EDPS’ publication ‘Security Measures for Personal Data Processing - Guidance on Security Measures for Personal Data Processing - Article 22 of Regulation 45/2001’.)

At the same time, the GDPR introduces an important new concept into the data protection framework: accountability. The concept first appeared in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and was more recently promoted at the 2009 International Conference of Data Protection and Privacy Commissioners in the ‘Madrid International Standards’, in the ISO draft standard 29100, and in the APEC privacy framework and its cross-border privacy rules. Article 22 of the latest version of the GDPR requires controllers to implement appropriate technical and organisational measures to ensure and demonstrate compliance (the term ‘accountability’ is defined in Article 5(2)). Accountability is a common principle for organisations across many disciplines. The principle embodies the idea that organisations live up to expectations, for instance in the delivery of their products and their behaviour towards those they interact with. Accountability is already present in any IT governance framework, and is also the basis for control and auditing.

principle, which requires that organisations put in place appropriate technical and organisational measures, and that they are able to demonstrate those measures – and their effectiveness – when requested. Accountability is the best way to move data protection from theory to practice.

In other words, if accountability is incorporated into business activities, it will ensure effectiveness in applying other data protection principles. However, in order to ensure that this happens, businesses have to change their culture when complying with data protection rules. In concrete terms, accountability requires organisations to be able not just to comply with data protection principles, but also to demonstrate how they ensure compliance with the GDPR. Therefore, businesses should start reviewing their data processing activities and implementing proper data protection policies as a new routine, to be able to demonstrate compliance with the regulation upon request from individuals (customers) or supervisory authorities.

Linked to accountability are the principles of data protection by default and by design, which will also become a legal obligation under the GDPR. Data protection by design can be assimilated to the principle, well known by IT practitioners, that implementing security or data protection is more effective and efficient the sooner it is done. Data protection by default asks organisations to consider the most data protection-friendly option possible when any decision is taken. (To facilitate the implementation of data protection by design and by default, the EDPS participates in the Internet Privacy Engineering Network (IPEN) whose purpose is to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools which can effectively protect and enhance our privacy.) These two principles together with accountability are already a very strong guide when tackling data protection issues.

STRONGER RIGHTS FOR INDIVIDUALS

The GDPR provides individuals with stronger rights, giving them more control over the processing of their personal data, such as a stronger right to rectification, a broader right to erasure (also known as the ‘right to be forgotten’), a new right to the restriction of processing in certain circumstances, and so on. Therefore, in order to make this new set of rights effective, it is necessary to both establish transparent internal data protection and privacy policies – approved and actively endorsed at the highest level of the organisation’s management – and to inform and train everyone in the organisation on how to implement these policies.

If they are not already doing so, all businesses, large and small, should be considering the way in which they interact with personal data, and how the GDPR will impact on them and the sector in which they operate. We would not recommend a ‘sit on your hands’ and ‘wait-and-see’ approach.

Ultimately, we believe that GDPR is an opportunity for businesses, inside and outside the EU. The regulation will help firms consolidate personal data into an integrated business platform. This constitutes a unique opportunity for businesses to get closer to customer requirements and expectations, in both the digital economy and wider society.

Giovanni Buttarelli
European Data Protection Supervisor
Your Guide To The GDPR By The Information Commissioner’s Office Dr Simon Rice
About the Author: Dr Simon Rice is Technology Group Manager at the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights. The ICO regulates the Data Protection Act, Freedom of Information Act, and Privacy and Electronic Communications Regulations. The technology team delivers specialist expertise to the ICO by advising on the technical aspects of complaints received and data breach investigations. We also monitor the technology environment to identify developments that may impact on information rights.

Official figures show that there were an estimated two million computer misuse offences in 2016 – that means once every 15 seconds there was a potential cyber security incident and a potential

When it comes to properly protecting the data they hold, the stakes are high for businesses, and they are getting higher. You have probably heard that next May, a new data protection law – the General Data Protection Regulation (GDPR) – will arrive with stricter controls and higher penalties for those who get it wrong.

The GDPR builds on the previous Data Protection Act, but provides more protection for consumers and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data, and puts a responsibility on businesses to change their entire ethos to data protection.

CONSUMERS CONTROL THEIR DATA

The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. Consumers will have the right to request personal data be deleted or removed if there is no compelling reason for an organisation to carry on processing it. They will also have the brand new right to data portability: the right to obtain and port their personal data for their own purposes across different services.

The GDPR will include new obligations for organisations as well. Businesses will have to report data breaches that pose a risk to individuals to the ICO, and in some cases to the individuals affected. They will have to ensure that specific protections are in place for transferring data to countries that have not been listed by the European Commission as providing adequate protection, such as Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have obtained it if they rely on it for processing data. There are also obligations around appointing data protection officers.

The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It is about moving away from seeing the law as a box-ticking exercise and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances. It means a change to the culture of an organisation, and it is a crucial part of cyber security.

THE STAKES ARE HIGH

The days when cyber security was purely an IT function are behind us. Just glancing over the National Cyber Security Centre guidance on preventing a cyber attack makes it clear that data security is as much about staff as it is about software. Sure, there are tips in there around malware protection and the importance of patching software. But advice around password policies, removing default user accounts, and restricting access to information to only staff who need it to do their jobs is about people, and about having a culture of privacy in place in your organisation.

The stakes are high. Getting it wrong not only risks enormous reputational damage, but for the most serious violations of the law the ICO will have the power to fine companies up to €20 million, or four per cent of a company’s total annual worldwide turnover for the preceding year. The GDPR gives regulators the power to penalise organisations for failing to put in place: data protection by design, a data protection impact assessment, data protection officers and documentation.

If businesses cannot demonstrate that good data protection is a cornerstone of their practices, they are leaving themselves open to a fine or other enforcement action that could damage their bank balance and/or their reputation.

The ICO remains committed to helping organisations improve their practices and prepare for the GDPR. We have recently published an update setting out what guidance organisations can expect. It is essential reading and it will help you plan what areas to address over the next 12 months.

The central pillar to our guidance is the ‘Overview of the GDPR’. We are developing the Overview as a living document, adding content on different points as more guidance is produced by us and Article 29. If you want to stay updated on new guidance our e-newsletter is a good place to start. More information, help and advice is available on our website, or you can contact the ICO helpline on 0303 123 1113.

Dr Simon Rice
Technology Group Manager
Information Commissioner’s Office (ICO)
Identity verification that benefits business and consumers

Yoti is the easiest, most secure way to prove identities online and in person. It’s free for consumers and uses NIST approved facial recognition, government issued passport and driving licence, plus biometrics for multifactor authentication.

Brings easy ID verification and removes the need for username and passwords.
Military grade encryption securely stores data in private Tier 3 UK data centres.
Develop 3rd party apps with Yoti’s SDK in under a day and verify customers in seconds.
Getting Ready for the GDPR Jonathan Armstrong
About the Author: Jonathan Armstrong is a Partner with London-based compliance law firm Cordery. An acknowledged expert on compliance and technology, his practice advises multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries. Jonathan is a Fellow of The Chartered Institute of Marketing and co-author of the LexisNexis definitive work on technology risk, ‘Managing Risk: Technology & Communications’. He leads on Cordery’s GDPR Navigator subscription service, and is a frequent broadcaster for the BBC and other channels. Jonathan was ranked as the 14th most influential figure in global data security by Onalytica in their 2016 Data Security Top 100 Influencers and Brands survey.
The data protection and data security landscape is all set to change next year with the advent of the new EU General Data Protection Regulation (GDPR). The GDPR is not all good news. But it is not all bad news either. Many of the organisations we work with are using the GDPR to bring some focus to what they do and improve their security stance.

The new rules are part revolution and part evolution. In many ways, the new system builds on the current one, so if you already comply with current EU data protection laws you can build on those foundations. It is important to take a risk-based approach and plan properly, but you also need to be realistic. There is just a year left before the GDPR takes effect, and if you have been slow to act, you cannot afford to delay getting up to speed. The team at Cordery has been working on GDPR projects since the first draft came out in 2012. GDPR is a long document but here are some of our highlights:

SECURITY BREACH REPORTING

There is not much change to the obligations organisations have to keep personal data secure. However, one of the most important changes is the mandatory reporting of security breaches. Breaches must generally be reported to a regulator within 72 hours, and those affected by the breach must usually also be informed. To do this you must have clear, practical, effective and speedy procedures in place. You will also need to get your vendors and suppliers on board – because this is business critical, you cannot afford to get it wrong.

REACH

The GDPR has wider extraterritorial reach. The new rules will apply to all those in the EU who control data and/or undertake data processing. They will also apply to businesses outside the EU who target EU data subjects, even if they don’t take payment from people within the EU. Unlike some US legislation the rules don’t just apply to health and financial data – all sectors and all types of personal data are covered.

THERE ARE NEW RIGHTS FOR INDIVIDUALS

New rights are being introduced and existing ones tweaked, including:
• A new Right to Data Portability;
• An extended Right to Be Forgotten (called the Right to Erasure);
• A beefed-up Subject Access Right – to be free and with a shorter time to reply.

DATA PROTECTION IMPACT ASSESSMENTS (DPIAS)

DPIAs will have to be undertaken for many data processing operations. DPIAs put the compliance assessment burden on those handling personal data – but are used as a wider tool to help get a better handle on your data processes and reduce risk. This should help you build privacy and security into the heart of what you do. This might be the chance for information security teams to get involved in projects at an earlier stage, and for them to be more recognised by management as a valuable part of the process. Information security teams should build their knowledge of the DPIA process and work out how they can add value. There is no set format to a DPIA, but the key aspect is to pick a process that is simple to understand and helps you quickly identify and address the real risks.

GREATER PENALTIES

Increased enforcement will come about with the new regime, backed up by greater sanctions. There are fines of up to €20 million or four per cent of the global annual revenue of a business (whichever is greater), with a likely result of higher reputational damage and the possibility of civil actions too. This is the big stick for data protection compliance, but getting it right will pre-empt major headaches. To add to the potential consequences, civil actions are becoming more likely following a breach.

WHAT DO YOU NEED TO DO NOW?

Start preparing now and read our FAQs or watch our film on YouTube for further information and advice. If you don’t have a plan in place already, get started immediately, but make sure your plan is achievable in the short time you have left.

Jonathan Armstrong
Partner
Cordery
Moving Towards Compliance With The GDPR: Some Practical First Steps Chris Gould
About the Author: Chris Gould is Head of Consulting at Secgate. He is an Information Risk expert with over 25 years’ experience in assisting organisations throughout the world in assessing and managing technology related risks, particularly relating to Information Security, Business Continuity and Crisis Management. Prior to joining Secgate, Chris was a Partner at EY in London, leading its Cybercrime Investigation and Cyber Forensics practice, and Partner at PwC in Moscow, where he was CEE Leader for Cyber Security and Forensics.
With a year to go it is safe to say that organisations vary widely in their readiness for the GDPR, with the clear majority being far from confident that they are going to be able to comply with the new Regulation. The clients that I speak to are often still struggling with the basics, let alone thinking about a complete overhaul of their records and data management, access control and other privacy-related processes, as the GDPR actually requires. In a lot of cases there is still a sense of complacency, a belief that it will be the Googles and Amazons of this world that will be hit first with any fines.

When thinking about this article I was tempted to focus on some of the more common and apparent issues that I hear being discussed around independence of data protection officers (DPOs), particularly following the November decision of the Bavarian Data Protection Authority; or on how to contemplate the minefield created by ‘the right to be forgotten’, or even on how to find competent people in a resource-constrained environment.

These are all important issues, but there are some simple steps that will have a significant impact on your GDPR programme, and which, if you have not already done so, you must take now:
1. Know what the personally identifiable information (PII) you hold is, where it is located, and where it goes;
2. Plan for what you will do in the event of a breach;
3. Take the opportunity to rationalise and streamline data; and
4. Understand 3rd parties and your mutual dependence on privacy of data.

KNOW WHERE YOUR PII IS AND WHERE IT

Companies are generally good at cataloguing data when it is stored in core systems, and mature organisations have even gone a long way to securing that data. The challenge is, and this is borne out of experience in helping too many companies during and after data breaches, data is almost always existent outside of those core systems as well. Almost every breach I have dealt with has targeted the data that has been outside of those systems – so called ‘Shadow IT’. In a large breach I investigated I found an almost complete copy of the client’s ‘Crown Jewels’, which included PII being stored on an unsecured development web-facing server! The rise of Shadow IT raises a significant problem for security, and in the case of PII is a compliance nightmare. This means that, as a first step, organisations need to move quickly to identify all the locations where the data is being stored and understand the flows of PII inside and outside of the organisation. This is almost impossible to do without the use of an automated tool that captures data in motion or at rest. This will allow organisations to prioritise an approach comprising both technical and training measures to reduce exposure.

There are hardly any organisations that I have ever worked with that were able to do this to a satisfactory degree. Recent data breaches have demonstrated that organisations are unable to quickly identify what they have lost. In a GDPR world that means there is a risk of over- or under-reporting the scale of a breach, not being able to notify all relevant parties, and thereby opening the door for regulatory sanctions.

I have focused this article on four things an organisation should be doing right now, as there is not much time left before the GDPR comes into effect. However, such monitoring tools as described in this article can also be used on an ongoing basis to ensure the continuous monitoring of data transfers, allow for a regular assessment of the effectiveness of governance systems and structures, and maintain the compliance programme put in place.

PLAN FOR WHAT YOU WILL DO IN THE EVENT OF A BREACH – AND PRACTICE IT

It is a fact – breaches happen! Regardless of whether those breaches are due to malicious activity or result from a human error, organisations need to be prepared in order to be able to respond to a breach, and respond very quickly. The adage of the 7Ps is very relevant (Proper Planning and Preparation Prevent Poor Performance), and thus organisations need to already be thinking about how they are going to respond. The Regulation not only requires organisations to report very quickly following a data breach, they also need to clearly understand the nature and size of the breach, who was affected, whether individuals need to be notified and whether adequate controls to prevent the breach had been in place.

Dealing with a breach is a combination of having the right stakeholders involved (Board, Internal and Shareholders, Customers, Vendors etc.), not just IT and Security departments/experts. A good response programme provides a consistent, scalable way to deal with breaches and needs to be rehearsed regularly in order to become ‘muscle memory’. Having the right tools in place also helps. Organisations should seek to have a ‘black box’ that provides enough forensic quality data recording capability that, as in airline crash investigations, will allow you to reconstruct the breach and quickly understand what data has gone missing, and how.

Equally important is to have a well-rehearsed communications strategy in place - a single voice for the organisation that maintains the confidence of stakeholders and minimises the reputational damage that results from a breach.

TAKE THIS OPPORTUNITY TO RATIONALISE YOUR USE OF PII

I remember listening to a presentation about 10 years ago on SAP implementation, the key tenet of which was that if you don’t clean your master data before implementing SAP then you are going to have problems. Moreover, this was an important opportunity for organisations to rationalise and clean up their master data files. I draw parallels between this wisdom and how we address the challenge of PII and the GDPR.

It is very clear that most organisations are holding more PII than they need to, in places they don’t need to, and for reasons they don’t understand. The GDPR affords organisations with the opportunity to take a fresh look at how they use data, to identify new ways for rationalising data, as well as to reduce the relevant associated risks.

The first steps described above provide insights into what data is being held and where it is located. The logical next step would be to critically question, and employ some creative thinking to, whether this data is really needed and what alternatives may exist. Could anonymising data suffice? Are all the data elements needed, or could we reduce risk by only keeping limited data elements? Do we need this data at all? This approach needs to be robust and decisions made must be communicated effectively, not just to deal with the status quo, but also to reduce the ongoing risks that people will start to revert back to bad habits such as keeping unnecessary data after the initial GDPR compliance surge is completed. That means creating sustainable solutions that will safeguard that organisations will continue to receive the benefit of the data while reducing the risks to this data at the same time.

In the same way as the PCI-DSS set of standards has led to many retailers eliminating any card data being held on their networks (at least in Europe, less so in the US), I believe we will see a rise in outsourcing the capture and use of personal data. PII brokers may seem far-fetched to some, but if you look at the credit scoring industry as an example, we can see that organisations have already outsourced storing and managing sensitive financial data. We are likely to see the same happen for PII as part of a risk transferral strategy.

MUTUAL DEPENDENCE ON PRIVACY OF DATA

The topic of PII brokering leads nicely into a discussion about how we need to better understand our third-party relationships and the potential GDPR exposures arising from them. A lesson from more ‘exotic’ jurisdictions is that once penalties increase and start to be enforced, lawsuits will follow. Organisations will start to look to third parties that may have had a duty of care of their data and have handled PII inappropriately. Step 1 outlined above is a good starting point for understanding PII data flows and mapping the third parties that PII is sent to, received from or processed/stored by. Steps 2 and 3 are also critical in that both are creating and rehearsing incident responses, clearly defining breach notification thresholds, devising communication strategies as well as critically assessing whether each of the third parties need PII or whether there are alternatives. I have included this as a separate point as, from my experiences in dealing with breaches, the relationships and dependencies with third parties are very poorly understood. An organisation I worked with recently actually believed that they had no personal data and had outsourced it all to a third party. The reality, however, was that due to a specific and one-off business requirement, there was a full copy of certain PII stored within the company.

Following the four steps above will not make you compliant, but they are fundamental steps that each organisation needs to get right on their journey to compliance. If you have not taken these early on in your compliance journey, the chances are that you will have a harder time with the GDPR than would need to be the case. They are also steps that ought to be built into an ongoing compliance programme to address the GDPR and information and data security for the longer term.

Chris Gould
Head of Consulting
Secgate
What is the Difference Between Security and Privacy in the GDPR? John Culkin
About the Author: John Culkin is the Director of Information Management at Crown Records Management, where John is responsible for the full suite of Information Management services, including advisory and digital services. He is a regular commentator in the media and has authored white papers setting out how companies can prepare for the EU GDPR. John’s background is in developing digital solutions for businesses around the world, and he has spent much time in senior roles including as technical consultant in European technology companies, with particular expertise in the field of content management and information governance.

A good place to start any discussion about the General Data Protection Regulation (GDPR) is an appreciation of the difference between security and privacy. Both are integral to the legislation. A simple interpretation is that privacy relates to what and why data should be collected and kept in the first place. Security concerns keeping what is stored safe.

Why make this distinction? If you believe the GDPR is just a security issue, then you probably believe there is a technical solution and it falls into the remit of the IT, compliance or security departments.

There is no technical solution to the GDPR. One of the biggest challenges it poses to organisations is the breadth of areas it covers, and therefore the number of departments and people potentially

A change in mindset will be needed for many people, as customer data is often viewed as belonging to the business once it has been collected or bought. In a GDPR world, considering themselves as guardians of such data may be more useful. You must keep it safe and secure, but effectively ‘the controller’ is the person whose data you hold. They will have the right to access it, ensure it’s accurate, even erase or move it in an agreed format.
As such, it would seem the way we traditionally view data may have to adjust. For some this is a profound change, for others it is simply good customer service that requires good quality customer data, which must be accurate and fair. It also means you’re not analysing bad, inaccurate data or annoying potential customers with marketing material they don’t want. All of which is actually wasting companies’ money in the short or long term.

There are seven principles incorporated into GDPR.
1. Processed fairly, lawfully and in a transparent manner -> Privacy
2. Collected for specific, explicit and legitimate purpose -> Privacy
3. Adequate, relevant and limited to what is necessary to meet the purpose -> Privacy
4. Accurate and up-to-date -> Privacy
5. Must not be kept for longer than necessary -> Privacy
6. Kept secure to maintain integrity and confidentiality -> Security
7. Processed by controllers and able to demonstrate compliance -> Privacy

Security is a vital part of the new rules, and concepts such as privacy by design also mean security by design. No one can really argue against the above principles – they are all what you would expect to happen to your data when you entrust it to someone else. These principles are effectively the basics of good information governance. They are the minimum of what you should be doing now. It is, however, reasonable to assume some organisations are not doing it, otherwise no one would be concerned about the impact of the GDPR. Either the attention has gone elsewhere, or the alternative is that organisations don’t really care about their customers’ information.

This is where the opportunities of the GDPR need to be considered. Thinking from a customer experience point of view, you are more likely to retain customers if you have accurate data, which they can access and check, or even erase if they want to. Another opportunity is for businesses to review processes that have often grown organically over many years, and see how information flows through the organisation. It could be a catalyst for efficiency improvements or departments working more closely together. Certainly, marketing and IT may find having to come up with solutions to manage consent and track customer preferences inevitably brings them closer together.

A long-standing gripe from IT departments is the proliferation of shadow IT, especially in areas such as marketing. An ongoing training programme to help educate the whole company about data privacy and security could help manage potential personal data being accessed or stored in ways it should not be.

The European Commission is also aiming to adopt the new ePrivacy Regulation at the same time as the GDPR comes into force in May next year. This would potentially bring ‘over the top’ (OTT) services, cookies and direct marketing through electronic communications regulations. This reinforces the notion that IT and marketing are going to have to learn more about the work and skills of the other whilst considering the privacy of personal data. One of the key challenges of the new rules will be providing evidence of common practices and processes. This means, how are you going to track who has given what consent, when, and how, and what information they gave at the time. It may be common practice now for marketing to buy in a list of targeted customers. The provenance of this information is often not checked and the assumption is made that it is from a reliable source. This is already proving inadequate under current legislation, for example when not cross-checked against the telephone preference service.

The extra-jurisdictional nature of the GDPR means it would apply to EU citizens no matter where they are located. However, enforcing the rules in some jurisdictions could be a challenge for any data protection authority. Simply ignoring any sanction or failing to cooperate in any investigation would be a difficult challenge to overcome for authorities with little if any local physical presence. Certainly, it is unlikely any 72-hour breach notification would be given in this situation. As a result, any EEA+UK could be seen as having an advantage if customers want the extra reassurance it would bring.

Some of the most complex challenges are those such as complying with the right to erasure. Firstly, you have to know what data you have and where it is, and have the processes in place to do this – not to mention having someone to physically do it if it is not automated; all whilst complying with other regulations, e.g. keeping financial records. It may come to be that very few customers actually invoke rights such as the one to data portability in the short term. But the costs of meeting even a few requests could be relatively high. Which means the earlier you can build this into your systems and processes, the better.

A vital area not to forget is the data beyond your organisation’s walls, i.e. knowing where data has come from and where it is going, especially if it involves third parties or subcontractors, or even the cloud-based systems they are using in turn. A pragmatic but well-documented and thought-through policy in this area is essential. The GDPR means digging deep into organisations’ systems and processes, as well as going across departments or divisions. It will raise many questions and challenges, leading to a better understanding of information flowing through the organisation. On the whole, this is no bad thing. Trying to amass everything that comes in and keeping it forever is not the best data management strategy. It involves too many costs and risks. Regarding the GDPR as a customer data programme that can potentially add value, instead of a technical security problem, is sensible.

John Culkin
Director of Information Management
Crown Records Management
The Fight Against Cyber Risk And The Birth Of A New Weapon

Cyber attacks may be a relatively new risk to organisations, but the statistics are staggering: according to UK government figures, in 2016 two thirds of all UK-based large businesses reported a cyber attack or cyber breach, and the cost of cyber attacks to the global economy is predicted to reach US$6 trillion by 2021. Today, we would like to take you through the same journey that our company went through to create VisDa, our unique data transfer risk management solution. In doing so we will examine cyber risk, make the argument for prioritising the risk of data theft over other aspects of cyber risk, and finally propose a new tool that allows companies to monitor and mitigate these risks to ultimately reduce the number of successful attacks launched.

THE HIGHEST PRIORITY CYBER RISK IS THAT OF A DATA BREACH

The Institute of Risk Management defines cyber risk as: “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems”. This is an extremely broad definition, and highlights how the concept of cyber risk is an umbrella term to describe a series of individual risks.

Tackling risk is not a one-size-fits-all approach. Different types of cyber risk require different groups of controls to mitigate them, and so to help lower the risk profiles of businesses we need to make this definition more granular. For the sake of this article I’d like to break this definition down into two sub-risks – risks to a company’s network infrastructure (this maps to availability within the Confidentiality, Integrity and Availability (CIA) triangle; it’s the idea that financial loss and reputational damage occur if the business can’t operate due to the network not being able to perform as required), and risks to a company’s data (this maps to the concepts of integrity and confidentiality within the CIA triangle; data is valuable).

A paper published in 2015 by Tavish Vaidya of Georgetown University looked to analyse major cyber attacks that had occurred between 2001 and 2013, and the conclusions are interesting. The paper observes that a large majority of attacks analysed were motivated by the desire to steal corporate data – in fact more than twice as many attacks were aimed at exfiltrating data from the target networks than disrupting networks. The only other attack motivation that occurred almost as frequently as data theft was cyber espionage.

Thus, if we were to prioritise the risks to a business it would be prudent to place data theft through cyber attack as the highest. This correlates with the trends we see in the media; most attacks reported by journalists involve the theft of corporate data, and in January this year the Identity Theft Resource Centre reported data breaches in the US were up by 40% in 2016 when compared with 2015.

DATA EXFILTRATION REQUIRES A DATA TRANSFER TO TAKE PLACE

Now that we have identified what the priority risk is to corporations across the globe, we can begin to dissect just how this risk materialises. A second paper, published by Ryan C. Van Antwerp and the University of Delaware, examined the methods of exfiltrating data out of a network. The paper identifies 14 different methods of data exfiltration from a corporate network, and describes the biggest difficulty in detecting malicious data exfiltration as distinguishing malicious exfiltration from legitimate data transfers. If we switch our attention to accidental data breaches, this challenge is even more apparent (think of the typical example of an employee sending an email full of confidential data to the wrong recipient) – how can we distinguish an accidental data leak from a legitimate business data transfer? The short answer is that we can’t easily distinguish between the two.

DATA LOSS PREVENTION (DLP) SOFTWARE DOES NOT GIVE YOU THE HOLISTIC PICTURE

In their simplest form, DLP solutions work by either scanning documents for key words or by looking for flags attached to the data when it was created. Using these pieces of information, they aim to either stop or allow data to leave the corporate network. DLP has encountered many challenges. Requiring large amounts of infrastructure to implement (servers to enforce policies, scan data transmissions etc), DLP implementations are costly. DLP solutions also cause network performance issues due to their lack of network transparency, and require large teams of analysts to monitor the alerts being raised to ensure that the correct policies are being enforced. To compound these challenges, several DLP solutions require a human element to tag files (the tagging of files is rarely consistent), and any malicious user would know that by encrypting the file they are trying to exfiltrate they can beat the DLP solution relatively easily. These challenges have led to relatively poor adoption of DLP solutions, and arguably the only benefit a DLP solution offers a business is to reduce the number of accidental transmissions of data outside of the corporate network – malicious data exfiltration will just use encryption to beat the solution. The same result, a decline in accidental data leaks, could arguably be achieved through a strong training and awareness programme, which would cost a fraction of the price of a DLP solution. Most importantly, DLP solutions are too granular. They do not give you the bigger picture with respect to how data is being transferred both internally within your company and externally. They don’t follow a risk-based approach.

VISDA

VisDa is a tool that gives companies three main capabilities. The first is the ability to map out all their data transfers both internally and externally on their network, allowing them to spot malicious connections. The second is the ability to visualise and quantify their complete risk exposure when it comes to data transfers. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on the network. Using VisDa, we monitor a network for data transfers and then apply a risk score to each data transfer based on several features – these include the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent and the destination IP address of the transfer. The risk score calculations are highly adaptable and can be configured to map to an organisation’s individual risk framework and operational environment. VisDa allows companies to then approve (and pre-approve) expected data transfers, and investigate data transfers that seem malicious. The next generation dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their risk exposure when it comes to data transfers. Designed for high throughput networks (VisDa has been installed on networks running at 1 terabit per second), the tool is completely transparent and will have no impact on network performance.

GDPR AND THE FUTURE

Data transfers and the risk of data breaches from data transfers take centre stage in the GDPR. With the largest fines (four per cent of global turnover or €20 million, whichever is larger) being aimed at companies not in control of their data transfers to external parties, there is now a pressing regulatory need for a solution such as VisDa. To help companies better manage their data transfers with regards to GDPR, VisDa also contains tailored workflows and reports aimed at monitoring GDPR compliance. As a solution VisDa not only helps to satisfy the regulatory requirement of managing data transfers, but also helps speed up the reporting element after a data breach. Under GDPR, companies must report data breaches to regulatory bodies within 72 hours of being made aware of the breach – VisDa provides a ‘black box’ of information that analysts and forensic experts can use to rapidly find out exactly what happened with regards to the incident, adding information and context to the report to the regulatory body. VisDa is a solution that gives companies a fresh new way of monitoring data transfers and quantifying their global risk of a data breach – it is a complete data transfer risk management solution. Giving companies the ability to spot malicious data transfers and providing actionable business intelligence for companies to lower their risk profile is a valuable tool in the fight against cyber crime. Alongside this, VisDa helps to satisfy regulatory pressures from the incoming GDPR in a way that no other tool currently can. To

Secgate Research & Innovation
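To make the risk-scoring idea in the VisDa section above concrete, here is an added Python example written for this edition; it is not VisDa's code or Secgate's algorithm. It scores a constructed sample of observed transfers on the four feature families the article lists (volume, file type, time and day, destination address), lets pre-approved transfers pass, and queues those above a threshold for an analyst's review. The internal address ranges, the extension list, the business hours, the weights and the threshold are all assumptions chosen for illustration; a real deployment would map them to the organisation's own risk framework, as the article says.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Address ranges treated as "inside" the organisation (assumption for this sample).
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))
# Pre-approved (destination, purpose) pairs: expected bulk transfers the business
# has already signed off (constructed sample entries, not a real allowlist).
PRE_APPROVED = {("203.0.113.10", "nightly-backup")}
# File types that commonly carry personal or bulk business data (assumption).
SENSITIVE_EXT = {"csv", "xlsx", "sql", "zip", "7z", "pst", "bak"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59 local time (assumption)
ALERT_THRESHOLD = 60            # scores at or above this are queued for review

MiB = 1024 * 1024


@dataclass(frozen=True)
class Transfer:
    ts: datetime       # when the transfer was observed
    src: str           # source IP address
    dst: str           # destination IP address
    bytes_sent: int    # volume of data moved
    ext: str           # file extension of the payload, "" if unknown
    purpose: str = ""  # label attached by an approver, "" if none


def is_internal(ip: str) -> bool:
    """True when the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_transfer(t: Transfer) -> int:
    """Additive risk score from the four feature families the article names:
    volume, file type, time of day/week and destination. Weights are assumptions."""
    if (t.dst, t.purpose) in PRE_APPROVED:
        return 0  # expected transfer, nothing to review
    score = 0
    # Volume: larger movements of data weigh more.
    if t.bytes_sent >= 1024 * MiB:
        score += 30
    elif t.bytes_sent >= 100 * MiB:
        score += 20
    elif t.bytes_sent >= 10 * MiB:
        score += 10
    # File type: structured exports and archives carry more exposure.
    if t.ext.lower() in SENSITIVE_EXT:
        score += 20
    # Timing: outside business hours or at the weekend.
    if t.ts.hour not in BUSINESS_HOURS or t.ts.weekday() >= 5:
        score += 15
    # Destination: data leaving the internal address space.
    if not is_internal(t.dst):
        score += 25
    return score


def triage(transfers):
    """Return (transfer, score, verdict) tuples, highest score first."""
    rows = []
    for t in transfers:
        s = score_transfer(t)
        if (t.dst, t.purpose) in PRE_APPROVED:
            verdict = "approved"
        elif s >= ALERT_THRESHOLD:
            verdict = "review"
        else:
            verdict = "ok"
        rows.append((t, s, verdict))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample of observed transfers (not real traffic).
SAMPLE = [
    Transfer(datetime(2017, 5, 9, 10, 30), "10.1.2.3", "10.1.5.9", 50 * MiB, "xlsx"),
    Transfer(datetime(2017, 5, 13, 2, 15), "10.1.2.3", "198.51.100.7", 2048 * MiB, "zip"),
    Transfer(datetime(2017, 5, 9, 23, 0), "10.1.2.3", "203.0.113.10", 5120 * MiB, "bak",
             "nightly-backup"),
    Transfer(datetime(2017, 5, 10, 14, 0), "10.1.2.3", "93.184.216.34", 200 * 1024, "pdf"),
]

if __name__ == "__main__":
    for t, s, verdict in triage(SAMPLE):
        print(f"{t.ts:%a %H:%M} {t.src} -> {t.dst:<15} "
              f"{t.bytes_sent // MiB:>6} MiB .{t.ext:<4} score={s:<3} {verdict}")
```

Run as a script, it lists the four sample transfers with the Saturday 2 GiB archive sent off-network at the top of the review queue, the pre-approved backup scored as zero, and the two routine transfers below the threshold. The point of keeping the weights in one place is that an analyst can tune them against the organisation's own approvals and risk appetite rather than against a fixed keyword policy.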
VisDa: Unlocking your data transfers; mitigating your risk.

Information and data is the lifeblood of companies today. Whole industries rely on the rapid sharing of information to generate revenue. As a result, huge volumes of data move from network to network, company to company, every day, non-stop. This presents organisations with a challenge - with so much data being transferred in and out of a company’s network, and with 2 out of every 3 large businesses in the UK experiencing a cyber-attack or breach in 2016, how can you keep track of which transfers are legitimate and which are malicious? Compound this challenge with regulatory drivers such as the general data protection regulation (GDPR) and the need for a coherent solution to monitor and mitigate data transfer risks to your business is clear. VisDa is a revolutionary solution that gives you the capability to track, trace, monitor, visualise, and analyse your organization’s data transfers without impacting the performance of your business. Sitting transparently on your network, VisDa allows you to understand what, where, when and how data is moving, both internally within your network and externally to third parties. Developed by world-renowned records management consultants, risk consultants, cyber security experts and technologists, VisDa has been designed from the ground up to quantify the data transfer risk that your organisation is exposed to. Risks are displayed on our next generation dashboards; each dashboard is tailored to your individual operational risk framework and risk appetite. From senior executives to operational level users, keep your entire team informed.
VisDa: Visualising your data.

VisDa is a tool that equips your network teams with three new capabilities. The first is the ability to map out all the data transfers occurring both internally and externally on your network, allowing malicious connections to be identified and blocked. The second is the ability to visualise and quantify your complete risk exposure caused by data transfers, giving your board mission critical business intelligence with regards to their risk exposure. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on your network. VisDa passively monitors your network for data transfers and then applies a risk score to each data transfer based upon several features – these features include the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent and the destination IP address of the data transfer. The risk score calculations are highly configurable and can be configured to map to an organisation’s individual risk framework and operational environment. VisDa allows you to then approve (and pre-approve) data transfers that are expected and investigate data transfers that seem malicious. The next generation dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their data transfer risk exposure. VisDa is a solution that gives you a fresh new way of monitoring data transfers and quantifying your global risk of a data breach – it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as the general data protection regulation (GDPR), VisDa is the solution for you.
A fresh new way of monitoring data transfers and quantifying your global risk of a data breach – it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as GDPR, VisDa is the solution for you. Contact us for a demo at: Info@secgate.co.uk
If Captain Sully Was a CEO Ivan Blesa
About the Author: Ivan Blesa is Director and Head of Technology at Secgate. Prior to joining Secgate, Ivan was Global Product Manager at Clearswift. He is a passionate professional with broad cyber security experience over a wide variety of sectors. Having worked with top international companies in strategic transformational projects, he has a deep understanding of the challenges organisations face when dealing with their cyber security strategy. The definition, development and launch of several security products has been aligned with these needs, which has driven their success.

Captain Sully was an experienced pilot for US Airways. What should have been a normal flight on a bright day turned out to be a series of unfortunate events, as after taking off the plane went through a flock of birds, which made two of the engines fail. After quickly evaluating the situation, Captain Sully realised he wouldn’t be able to make it to an airport, and decided to land on the Hudson River. Surprisingly – and mostly due to his extensive flying experience – he managed to land the plane on the river, saving all lives on board. Though the public saw him as a hero, his nightmare started when he was accused of negligence by the authorities, and had to go through a trial to prove his innocence. The standard procedure in flight incidents is to locate the black box (which is actually orange) and analyse the cockpit activity data held within it. Luckily for Captain Sully, the black box was recovered, the facts were revealed and the sequence of events evaluated; the results supported his statement of being incapable of reaching any airport during the incident, and thus proved his innocence. Imagine for a second that Captain Sully was the CEO or CISO of an organisation. And that he was about to fly his company through very severe and unexpected turbulence that forced his organisation to crash or make an emergency landing, and that this turbulence was called GDPR!

VISDA IS YOUR BLACK BOX

Would Captain Sully have enough facts and react correctly should this happen to his organisation? And if he did the right things, but was accused of negligence, would he have the correct evidence to support his claims? Probably not! The recent events at Talk Talk and what happened to their CEO is a

This is a common case: in almost every security investigation, there is no place to quickly look for facts. Instead, if you are lucky enough, there might be a trail of clues that need to be deeply investigated to try and understand what happened. This is like trying to understand prehistoric facts based on a set of bones being identified in a specific area. You can try to recreate what happened, but it would only be an educated guess. If only you had a camera that could show what happened… or a black box to support your case… The good news is that this black box exists, and is called VisDa. VisDa is the black box of your organisation, the safeguard, the repository of facts that brings certainty to the uncertain GDPR world. Secgate has built a revolutionary complete track-and-trace tool that visualises and analyses data transfers to understand what, how, when and where information is moving, helping to achieve regulatory compliance. Because the unexpected happens and certainty is your best defence, VisDa protects you and your reputation. At the end of the day, as with Captain Sully, we want you to be the hero, without any trace of doubt.

Ivan Blesa
Technical Director
Secgate
GDPR: Hard Sell or Information Governance Opportunity? Emma Butler
About the Author: Emma Butler is data protection officer at Yoti, before which she spent four years as DPO at RELX for both UK LexisNexis businesses. Previously, Emma led the international team at the Information Commissioner’s Office (ICO), where she worked with other regulators and the Article 29 Working Party, and advised on UK, EU and international data protection legislation. She has a languages degree, an LLM in Information Rights Law and Practice, an ISEB data protection certificate, CIPP/E and CIPP/M and is also an IAPP FIP.

A lot has already been written about the GDPR. For the information security community, the focus has largely been on the data mapping or data inventory elements. In many companies these have been handed to technology/IT departments – but for large companies and those with many legacy systems, it’s a challenging issue.

The GDPR demands a change in approach to privacy, but it also provides an opportunity for better information governance. GDPR requires companies to look holistically at how they ‘do’ privacy, and to embed it in their systems, processes and cultures. In some ways it is catching up with information security, which has been an integral part of business for some time. GDPR presents an opportunity for privacy and information security professionals to pool expertise and resources, and achieve better information governance for their companies.

Good information governance is more than a compliance tick-box exercise. It reduces risk, focuses and prioritises company efforts, and demonstrates to shareholders, customers and consumers that your company takes privacy and security seriously. Good information governance increases trust and enhances a company’s brand, especially at a time when security breaches are reported on an almost daily basis in the news.

TAKE A HOLISTIC VIEW; HAVE A VISION

So yes, the data mapping part is important, and in my view it is a foundation for so many other aspects of GDPR. But seeking to understand what information an organisation holds needs to be a collaborative effort between privacy and information security professionals. While the information security experts are concerned with securing all information, and privacy professionals are specifically focused on the handling of personal information, we are all aiming for the same outcomes: finding out what information we have, what to do with it, where it resides, how it moves around, how long we keep it, who has access to it, and how we protect it against unauthorised access, use or disclosure.

Taking a holistic view of the information you have as a business allows both information security and privacy professionals to get on with their respective roles of protecting that information, ensuring and tracking compliance, introducing efficiencies, and responding to requests for information or statistics from company boards, business operations teams, customers or consumers. Working together – based on a mutual understanding of shared outcomes and a willingness to support one another – can achieve this.

It starts with a vision: what do privacy and security mean for your company? Are you looking to achieve only minimum required compliance, or to become a leader in your sector? Are you trying to make it your USP? If you need to build the case for the board you can do that together. Use and build on what has already been done for GDPR planning (such as systems or asset inventories, or DLP stats), and use GDPR requirements to improve how you do things to achieve this vision.
USE GDPR FOR COMPETITIVE ADVANTAGE

GDPR requires data minimisation and encourages
requires a privacy risk assessment when personal data is involved, and for documented evidence of assessments, decisions and implementation solutions. A typical example of a business request is for a particular function to gain access to certain information held by the business. Usually the assumption is that all staff need all data and it’s as simple as getting the IT department to flick a switch. By working together, privacy and information security experts can assess all the risks of the request, discuss its technical implementation, and consider how best to achieve the desired outcome in a way that keeps everyone happy. This leads to documented evidence of a risk assessment with both privacy and security requirements built into the process. Done right, you will not only meet a multitude of GDPR requirements, but probably many of your own KPIs as well.

These can often be reactive scenarios, but a more holistic approach would look at the bigger picture to find answers to such pressing questions as: how is access determined, managed and kept up-to-date; how does it relate to the new starter and leaver process; how do staff go about asking for and being granted access to data, and how is that process managed, documented and approved? Getting these things right from both a privacy and information security perspective is crucial in order to avoid constantly being in reactive, fire-fighting

This may all sound obvious, but sometimes it doesn’t work like this, and in my view GDPR is a real opportunity to take a step back and look at how you approach privacy and information governance, to review if you have adopted the right approach, and then to do it better.

GDPR can be a hard sell. At first glance it seems to be yet another list of onerous things you have to do to avoid a fine. However, an enlightened company will see this as a chance to embed privacy and information security at its operational core, and use it as a competitive advantage to increase trust in their brand. It’s time to move away from seeing privacy and information security as just compliance cost centres, to seeing them as a way to ensure everyone wins.

Emma Butler
Data Protection Officer
Yoti
GDPR: Forget The Fines, Explore The Opportunities! Yasmin Durrani
About the Author: Yasmin Durrani is the Data Protection Officer for Zurich Insurance plc (UK). Yasmin is a member of the Data Protection Forum, the International Association of Privacy Professionals (IAPP), the Data Protection and Finance Group, the Data Protection Working Party of the Association of British Insurers, and a Data Protection Committee Member of the British Standards Institute. Yasmin’s other areas of expertise include financial crime and cross-border business.

WHAT ARE THE POSITIVES OF GDPR?

So far, we have been hearing mainly about how the high fines under the GDPR can make life difficult for businesses. However, the GDPR is here to stay – so let’s concentrate on the positives and how to make the regulation work for us.

Financial organisations are likely to be overseen by multiple regulators. There are a range of common themes that financial regulators such as the Financial Conduct Authority have been focusing on for many years, including topics such as ‘treating customers fairly’, ‘good customer outcomes’, ‘fair contractual terms’ etc. The GDPR adds to this list, and is all about personal data. It includes information provisions for individuals, contract requirements for third parties, and achieving clarity in communications. In order to meet these GDPR requirements, organisations will have to enhance interactions between their departments and experts, and create the evidence trail to achieve the best outcomes for their customers.

SECURITY MEASURES

While the GDPR is exclusively applicable to ‘personal data’, there is no reason why such good governance cannot be extended to all data. It makes sense for organisations to protect personal as well as commercially valuable data. So why not apply the same standards and best practice instead of enacting parallel processes labelled the GDPR? It would make commercial sense.

RISK-BASED APPROACH

Many examples of a risk-based approach can be found in the GDPR. In fact, it uses language such as ‘where appropriate’, ‘nature, scope and context’, ‘likelihood’ and ‘severity’. This is a positive for businesses, as they are taking calculated risks all the time and are familiar with the application of risk management principles. The same principles stated in the GDPR take into account the impact on individuals. Don’t forget these individuals are your customers, potential third parties and your employees, so decide the level of risk you want to take – but not at the expense of these individuals’ rights and freedoms. If you are unsure, GDPR clears the path for you to consult your data

There are three examples of high-risk activities under Article 33 of the GDPR: 1) systematic and extensive automated profiling that significantly affects individuals; 2) large-scale processing of special category data; and 3) large-scale systematic monitoring of a publicly accessible area. If these high-risk activities are taking place in your organisation, then you should carry out a privacy impact assessment and consider whether the processing is leading to discrimination, economic or social disadvantage. Remember, the disadvantage does not have to be only in financial terms – it also relates, for example, to revealing individuals’ intimate and personal details.

RECORD KEEPING

GDPR requires certain records to be kept by organisations. However, it does not burden organisations such as micro, small and medium sized enterprises and organisations employing fewer than 250 employees.

CONTROLLERS BASED OUTSIDE THE EU

Where data controllers are based outside of the EU offering goods and services to, and monitoring the behaviour of, individuals in the EU within the scope of the GDPR, organisations may be required to designate representatives within the EU. However, there is some flexibility around this requirement and data controllers based outside the EU should be assessing whether data processing only happens ‘occasionally’. This does not include the processing of large-scale special categories (we know this as sensitive data) and is unlikely to result in a risk to the rights and freedoms of the individual.

NOTIFICATION

to whether or not it wants to notify individuals. However, there is currently no flexibility
authorities. Don’t forget there are 50 or so flexibilities in the GDPR text that member states have discretion to build into secondary legislation, so watch out for consultations from the Department of Culture, Media and Sport (DCMS).

CALCULATION OF FINES UNDER THE GDPR

Fines under the GDPR will ultimately be calculated by the data protection authority depending on the type of data breach, and taking into account several factors such as how much control the parent company has over a subsidiary. Under Article 83 of the GDPR, the basis of calculation for fines will be
INDIVIDUALS Under the GDPR certain affected individuals should be notified of a breach. This obligation is risk-based. If the breach is ‘unlikely to result in a risk for the rights and freedoms of the individuals’, there is no requirement to notify them. The same is the case if encryption is applied to the lost data, which is likely to reduce the risk of identity theft to the individual. In such a scenario, the firm can make a decision as 47 • C Y B ER WORLD
with regards to notifying the data protection
an organisation’s ‘worldwide annual turnover of the preceding financial year’. Let us look more closely at what an undertaking is and how subsidiaries may or may not be captured. In Recital 150 of the GDPR it states that, ‘where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Article 101 and 102 TFEU for those purposes’. This outlines how an undertaking is defined in competition terms with reference to case law. As opposed to a legal entity
structure, undertaking is a single economic unit that
1. Competition calculations are concerned with
can be comprised of parent companies and their
the relevant turnover of a relevant product
wholly owned subsidiaries.
market and relevant geographic market,
It is not clear how GDPR fines will actually work in practice, as competition fines are calculated
whereas significant data protection breaches in the GDPR may be a challenge to compare.
in terms of when the ‘relevant turnover’ is the
2. If it is too complex in theory, it will also be
turnover of the undertaking in the relevant product
difficult for data protection authorities to
market and relevant geographic market affected by
impose fines without challenge from the
the infringement. The ‘relevant market’ is always
going to be open to debate and requires some economic analysis in each case. In the Akzo Nobel NV case, the European Court of Justice ruled that it is sufficient for the EU Commission to prove that the subsidiary is wholly owned by the parent company in order to presume that the parent exercises a decisive influence over the commercial policy of the subsidiary. The EU Commission will be able to regard the parent company as jointly and severally liable for the payment of the fine imposed on its subsidiary, unless the parent company, with the burden of proof of rebutting the presumption, adduces sufficient evidence to show that its subsidiary acts independently in the market. It may be difficult to prove the level of control that the parent company has in terms of the position where the parent company is represented on the subsidiary’s boards. Two points can be deduced:
Note that the reputational risk attached to data breaches remains the same. The higher threshold of four per cent or €20m for breaches relating to data subject rights, basic principles of processing data, and transfer of data to third country recipients. This means these are the high-risk areas where organisations should be able to demonstrate compliance. Advice for organisations would be to make the GDPR part of your business processes, rather than approaching it as a pure compliance requirement. GDPR projects driven by fear of fines as opposed to achieving good governance will look very different in practice, and achieve different outcomes. Yasmin Durrani Data Protection Officer Zurich Insurance
M AY 2 017 • 4 8
Information Governance Services

With the GDPR storm arriving in less than a year, our information governance practice at Secgate can help you manage, process and govern your information and data to allow you to unlock your company's true value. Whether in a physical or electronic format, our team helps review and implement policies, processes, and controls to enable compliance with regulation and to increase the efficiency and security with which data is processed and managed. Within our information governance service line, we have particular expertise in the areas of data management and analyses (we help manage and analyse both structured and unstructured data at any volume), records management, data protection and data privacy. Our information governance expertise has propelled clients to achieve:

● significant cost savings and operational efficiencies through the streamlining of data storage and data consolidation processes;
● regulatory compliance and the successful implementation of required processes for the collection of evidence;
● a higher level of data privacy, data security and incident detection/monitoring maturity.

Our information governance team is in a unique position in the market – we provide both consulting expertise, and, if needed, best in class software solutions to deliver our clients maximum results in minimum time. Our information governance team consists of professionals who have spent months researching and helping clients become compliant with GDPR. Our team includes experts who are part of the BSI (British Standards Institution) Committee which has recently re-written the updated British Data Protection Standard (BS10012) to reflect the GDPR requirements. Roger Poole, Head of Information Governance at Secgate. Email: Roger@secgate.co.uk

Our in-house built technology products complement our consulting services, providing you with unique solutions to tackle GDPR
How GDPR Impacts On The Cyber Security Talent Gap Domini Clark
About the Author: Domini Clark is the founder of InfoSec Connect, the industry’s first hassle-free recruitment communication platform exclusively serving the information security community. She is also Managing Principal at Blackmere Talent Acquisition & Consulting, a specialty Talent Acquisition Firm with a focus on the information security sector. Domini has been involved in professional recruiting for over fifteen years working in both technical and operational recruiting for Fortune 10 organizations, small and medium sized businesses and federal government contractors. She sits on the Board of Directors for ISSA (Information Systems Security Association) Utah and recently received the Luminary award from the International ISSA Women In Security Group.
The General Data Protection Regulation (GDPR) will go into effect on 25 May 2018, and will have an important impact on business operations around the world. Data protection is at the heart of any business, encompassing everything from employment and emails to commercial contracts and corporate restructuring. Since this legislation will apply to most companies doing business with the EU, as we consider the impact these changes will have on business, the increased need for talent must be at the top of the list. A recent study indicates that businesses will need to add at least 28,000 Data Protection Officers in the EU alone to support the GDPR. While this is an enormous amount of new talent to bring into the market, the real issue is brought into sharp focus by the current state of Cyber Security Workforce Trends and Challenges for 2017. ISACA, the Information Systems Audit and Control Association, indicates that 55% of organisations take more than three months to fill their current open cyber positions. In addition, 30% of companies in the EU are completely unable to fill their open cyber security positions.

Although we are navigating through already troubled cyber talent waters, it is important to understand that many companies affected by the GDPR will be required to hire, appoint or contract a Data Protection Officer (DPO). Let’s get started with what a Data Protection Officer looks like. While there are differing opinions on the specifics of the position description, here are some general guidelines to follow when searching for yours:

• Experts in data protection regulations
• Industry specific knowledge in accordance with both the size of the data processor or controller, as well as the sensitivity of data
• The ability to inspect, consult, document and log file analysis
• Ensure that technical and operational groups comply with procedures

The Data Protection Officer will be responsible for raising awareness of data privacy as well as implementing and applying policies and procedures, and verifying compliance. This will also be the person responsible for notifying data protection authorities in the event of a data breach. Essentially, this will be an expert in privacy and data protection with the ability to truly understand and balance the risks for data processing. A very important factor to consider as you plan your GDPR programme is the protected status of an internal (employee) Data Protection Officer. In other words, the GDPR prevents dismissal for performance of related tasks, with the aim of ensuring there are no penalties for ‘whistle blowing’. While this protection will insulate against retaliation terminations, it can also tie the hands of employers when navigating through a ‘bad hire’ situation. This caveat may ultimately create more opportunities for law firms or specialty consulting firms offering Data Protection Officer services.

Of course, the best approach to cyber security is to prevent hacks, attacks and breaches before they happen. Prevention requires a strong cyber security team, which will expand with the new regulations. The GDPR’s intent is to ensure compliance and raise awareness of data privacy and protection. We will very quickly need to determine HOW we are going to attract the right talent to our organisations. Here are a few tips to consider as you recruit for your Data Protection Officer (or any other cyber talent, for that matter):

A BREED APART
The best cyber security professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defences. You likely won’t find their CV on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques. Consider utilising industry specific job boards such as ISSA, SANS or InfoSec Connect. If your quarries think like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply, as they will not click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.

IT’S NOT A POSTING, IT’S A PITCH
InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association, indicating that about half of cyber security professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out amongst all the other

In today’s market you have to court talent, and that is especially true of cyber security professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.

APPEAL TO THE HOT BUTTONS
In general, cyber security professionals want to:
• Take on intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.
• Do more than just scratch the surface – offer them opportunities not only to look under the hood, but also to take some deep dives into your systems. Give them the authority to make a true impact on your organisation.
• Have the option to work remotely. Your organisation may cling to traditional models, but if virtual options give you an edge in the talent war, then it’s time to loosen up.
• threat landscape. If you’ve got the coolest technology, executive buy-in and a penchant for innovation, your pitch should highlight those perks.

KEEP YOUR SOCIAL MEDIA BUZZ FRESH
This is good general recruiting advice, but definitely important for this group. The content doesn’t have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company. Share great insights and ideas your team has, and be sure some of your efforts target the cyber security community — it’s not ALL underground. Join cyber security forums and GDPR discussion groups, for example. Encourage your existing cyber security talent and ranking IT leaders to write blog posts and white papers on the topic.

HANG LOOSE
There are specific qualities to look for in cyber security candidates, but you can’t run an effective search if you focus only on screening people out. The pool’s just too small. Given that security threats are constantly evolving, a degree probably isn’t as important as current experience. Or consider recruiting recent graduates to work with your Data Protection Officer by offering the opportunity to gain valuable hands-on experience (an ounce of future planning never hurt!). Another tactic: instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for

You can try retraining existing IT staff, but keep in mind that success in cyber security takes a certain mindset. Ideally, you have a system administrator who can channel her inner cyber risk analyst and ask, “What would I do if I wanted to get past our own security measures?”

REACH OUT
Another programmes that engage new hires, women and minorities. According to the Wall Street Journal, big banks such as J.P. Morgan Chase and Citigroup are getting results through programmes targeting different groups. Some have even started ‘re-entry’ programmes to attract women who took a career break to care for dependants or others. Getting involved with organisations such as the Women in Security special interest group within ISSA International, or the International Consortium of Minority Cyber Security Professionals (ICMCP), will help you.

WELCOME EVERYONE
Take a long, hard look at your organisation. Even if there is no active discrimination, lack of diversity can make cyber security departments look like good ol’ boys’ clubs, further discouraging members of under-represented groups from pursuing careers in this space. Keep in mind that of the employed population, the National Cyber Security Institute reports that women make up only about 20 per cent of that profession, while African-Americans, Hispanics and Asian-Americans combined make up only 12 per cent. While this data is pulled from the US, the preliminary numbers out of the EU do not appear to be any more promising.

Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, talent leadership needs to be a big part of your GDPR programme. However, as you are aware, talented cyber security professionals are in serious short supply. They’re a bit of a unique beast, so you’ll need a recruitment approach for engaging cyber security talent that’s different from the ones you’re using with other positions — even other IT positions.

Domini Clark, Founder, InfoSec Connect; Managing Principal, Blackmere Consulting
GDPR Becomes Law, But Bigger Changes Lie Ahead

When Edward Snowden revealed US and UK spy agency secrets, French and German leaders were alarmed by what they learned about US government spying operations in Europe, including on their own governments. There was talk of a ‘wall’ that would be built around the EU, requiring EU and international cloud companies to keep EU citizens’ data within the Union.

Rackspace, Microsoft, Google and Amazon rushed to build data centres in the EU, while stating their efforts were meeting the requirements of customer compliance with locality laws. Amazon, for example, said customers would have ‘complete control over the geographic locations where their content can be stored and accessed.’ But it all seems to have been a waste of time. The new EU General Data Protection Regulation (GDPR) does not require this.

Chiara Rustici is an author and researcher on EU privacy and GDPR. ‘In purely legal terms, the GDPR does not ask processors (cloud and co-location providers fall mostly into this category) to keep EU-based individuals’ personal data on EU soil,’ she says. ‘What it does ask is the flipside of that: in whichever country personal data is stored, that data will need to be offered all the safeguards of the GDPR… If you want a starker image, for the sake of simplicity, don’t think of the EU as wishing to attract the global cloud business onto EU soil. Think of it, instead, as the EU trying to export its idea – that data protection is a universal human right – to the rest of the globe.’

In particular the GDPR allows companies outside of the EU to process data of EU citizens outside the Union as long as the processors adhere to EU privacy and data protection requirements. These are called Model Clause agreements. However, this will not always work, as the German attorney at Planit Legal in Hamburg, Bernhard Freund, explains: ‘In some scenarios it is not possible’, because under German law certain sensitive data (such as health data) cannot be taken outside the country. Freund says that the GDPR includes ‘opening clauses’ that allow member nations to make changes to certain sections of the law. This is in spite of the law theoretically being designed to bring all of the EU under one set of rules. The US relationship with the EU is the exception, and the US is forging its own agreement with the EU called the EU-US Privacy Shield. According to White & Case: ‘Cross-border data transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the Commission has decided that such third country ensures an adequate level of data protection (an “adequate jurisdiction”). The basis for this principle is that such jurisdictions provide sufficient protection for the rights and freedoms of data subjects without the need for further safeguards.’

If you read the legalese on Microsoft’s, Google’s and Amazon’s websites, they state cloud businesses all comply with that. But will any of this stick? When President Trump signed an executive order that “excludes persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” he stepped into an already fragile legal framework, causing further concern.
EVEN GOOD IDEAS CAN POSE TECHNICAL

The GDPR does not address all issues related to privacy. There is also the ePrivacy directive. This directive will cause computer companies to have to change some computer code. Eva Škorničková is a lawyer based in the Czech Republic, specialising in privacy and data protection. Talking via telephone, she explained that the very definition of the age of consent can vary by member state. According to Škorničková, ‘the ePrivacy Regulation was adopted by the EU commission in January 2017. It is slated for approval by EU Parliament in April or May 2018. The goal is to have that law’s passage coincide with the implementation day for the GDPR.’

The ePrivacy Regulation includes: ‘the right to be forgotten’ (otherwise known as the right to erasure), the right to transport personal data from one company to another, the requirement for children to obtain parental permission to join social media sites, and, depending on the final form the law will take, the right for children to delete items that will embarrass them or complicate their search for employment in the future. The International Association of Privacy Professionals (IAPP) states that with ‘Article 89, controllers will not have to erase or rectify data after the data subject has withdrawn consent.’

As an added complication, Škorničková notes, ‘the implementation allows member countries to write their own rules for some of the 50 articles. The age by which parental consent is required is one of those.’ Currently, the Czech Republic has no social media consent age, while in the UK it is 13.

companies. Instead of simply lying about their age to join Instagram, 13-year-olds might have to get permission from their parents in order to join via an email opt-in sent to their parents. In terms of referential integrity, any programmer knows you cannot remove a record from a database that is connected to other records. So if a child writes a comment in the middle of a Facebook thread that they wish to later delete, Facebook will have to either delete the whole thread, or write code to remove that one line and then stitch the rest of the thread back together.

Another issue is data portability. This is particularly difficult, because it is unclear how a company is going to be able to transfer a person’s data from one firm to another. The rules call for establishing common interfaces for data transfers – but data cannot be easily deleted. For example, how could Google Docs physically remove documents from their system and hand them over to another company? Google Docs does not share data, except in the case of a user losing access to their domain. You can export all your Google docs to a Microsoft equivalent such as .doc, .ppt, and .xls files. Will this manual process by the user suffice for data transfer?
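The referential-integrity problem described above (a comment in the middle of a thread that its author wants erased), as an added example that is not part of the article: a threaded comments table in SQLite with foreign keys enforced, where a plain DELETE of a mid-thread comment is rejected, alongside the two ways out the text mentions, re-parenting the replies before deleting the one row, or cascading away the whole thread. The schema, the sample thread and the function names are all constructed for illustration.

```python
"""Right to erasure inside a threaded discussion (constructed example)."""
import sqlite3

# Constructed schema: each reply references the comment it answers, so a
# comment in the middle of a thread is pointed at by its replies.
SCHEMA = """
CREATE TABLE users (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE threads (
    id    INTEGER PRIMARY KEY,
    title TEXT NOT NULL
);
CREATE TABLE comments (
    id        INTEGER PRIMARY KEY,
    thread_id INTEGER NOT NULL REFERENCES threads(id) ON DELETE CASCADE,
    parent_id INTEGER REFERENCES comments(id),
    author_id INTEGER NOT NULL REFERENCES users(id),
    body      TEXT NOT NULL
);
"""

# Constructed sample thread: Cara (user 2) wrote the middle comment (101)
# and later asks for it to be erased; Bob's reply (102) hangs off it.
SAMPLE = """
INSERT INTO users VALUES (1, 'Alice'), (2, 'Cara'), (3, 'Bob');
INSERT INTO threads VALUES (10, 'Weekend plans');
INSERT INTO comments VALUES (100, 10, NULL, 1, 'Anyone up for a hike?');
INSERT INTO comments VALUES (101, 10, 100,  2, 'I am, my parents are away');
INSERT INTO comments VALUES (102, 10, 101,  3, 'Count me in');
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def naive_delete(conn: sqlite3.Connection, comment_id: int) -> bool:
    """A plain DELETE: rejected while replies still reference the row."""
    try:
        with conn:
            conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
        return True
    except sqlite3.IntegrityError:
        return False


def erase_comment_and_stitch(conn: sqlite3.Connection, comment_id: int) -> int:
    """Remove one comment and re-attach its replies to its own parent so the
    rest of the thread stays connected. Returns the number of rows deleted."""
    with conn:
        row = conn.execute(
            "SELECT parent_id FROM comments WHERE id = ?", (comment_id,)
        ).fetchone()
        if row is None:
            return 0
        # Re-parent the replies first, then the row is free to go.
        conn.execute(
            "UPDATE comments SET parent_id = ? WHERE parent_id = ?",
            (row[0], comment_id),
        )
        return conn.execute(
            "DELETE FROM comments WHERE id = ?", (comment_id,)
        ).rowcount


def erase_whole_thread(conn: sqlite3.Connection, thread_id: int) -> int:
    """The blunt option: ON DELETE CASCADE on thread_id removes every comment."""
    with conn:
        return conn.execute(
            "DELETE FROM threads WHERE id = ?", (thread_id,)
        ).rowcount


def thread_view(conn: sqlite3.Connection, thread_id: int) -> list:
    """(id, parent_id, author) tuples in id order, for checking the result."""
    return conn.execute(
        "SELECT c.id, c.parent_id, u.name FROM comments c "
        "JOIN users u ON u.id = c.author_id "
        "WHERE c.thread_id = ? ORDER BY c.id",
        (thread_id,),
    ).fetchall()


def author_still_present(conn: sqlite3.Connection, user_id: int) -> bool:
    """True while any comment still carries the erased user's identity."""
    count = conn.execute(
        "SELECT COUNT(*) FROM comments WHERE author_id = ?", (user_id,)
    ).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = open_db()
    print("plain delete accepted:", naive_delete(db, 101))
    print("stitched rows deleted:", erase_comment_and_stitch(db, 101))
    print("thread after stitch:", thread_view(db, 10))
    print("author 2 still present:", author_still_present(db, 2))
```

The stitch option keeps Bob's reply attached to Alice's opening comment, which is what the text means by removing one line and reconnecting the rest of the thread.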
ADVERTISERS WORRY
Advertising companies are worried about how EU regulations are going to affect the gathering of data with cookies. They are concerned that even good ideas such as privacy can often end up being distorted and not meeting their original objectives when implemented. We have already seen this with the advent of pop-ups on websites asking for permission to collect data using cookies. The new law proposes that browsers give users control over cookies (something already done with plugins such as Ghostery), yet none of that control operates on iPhone or Android apps that do not use a browser. Digital agency DigiDay believes this requirement will lead to even more silliness; instead of having one annoying pop-up to click through, there will be many more. It is now becoming common to ask the user permission to gather certain data, similar to how ad blocking pop-ups are used.

Norway’s Vivaldi told Quartz Media they see an opening for their browser because of this change: ‘If we can bring more transparency and control to the user in a way that they can understand, there’s definitely an opportunity.’

TEARING UP CLOUD CONTRACTS
Freund believes that tech companies in the EU are thinking about the GDPR more than they are about ePrivacy. Clients are coming to his law firm to run gap analyses to identify current practices that need to change in order to comply with the new regulations. He notes that because of existing EU law, many clients are on the way to being compliant already. He says, ‘usually there is no organisation that is 100% compliant, [but] you do not start from scratch.’

Freund cites the case of an EU-based company using Amazon for their cloud services. Amazon runs support for their data centres 24 hours a day. But while the US or Europe might be running support for their centres during the day, this activity switches to India at night – where model contracts might not be in place.

So it remains to be seen what the fallout will be of all this. What technical changes to applications will have to be made? And how will relations between cloud providers and their customers change? So far there are no visible signs of changes on Facebook (particularly regarding privacy by default) or in cookie collection by ad companies. There is not a lot of time left for companies to meet these new requirements if the ePrivacy directive comes into force by March 2018. Meanwhile, meeting the GDPR would be better handled by implementing simple changes such as encrypting data in transit and seeking approval of procedures and policies from EU regulators.
Secgate Research & Innovation
Cordery helps manage the ever-increasing compliance burden.
Cordery www.corderycompliance.com Tel: +44 (0)207 118 2700
Cordery provides innovative ways of helping General Counsel, compliance professionals and heads of legal across industries manage compliance. Using the expertise of seasoned compliance professionals and the content and technology capabilities of LexisNexis UK we provide expert advice and develop compliance products.
Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority. SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520. Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom. SA-0417-058.
Cyber Security – What Is Its Relationship With Records And Data Management? Roger Poole
About the Author: Roger Poole is the Head of Information Governance at Secgate. Roger is a highly experienced records and data management, data privacy and information governance professional and programme manager. Roger has held senior positions both within industry and Big 4 consulting firms, and primarily works on strategic and complex change initiatives within the financial services and large corporates sectors.
Cyber security is one of the most important areas
To protect against a cyber attack, you have to know
of focus for organisations today – and the criticality
what kind of information and data you have, and
of guarding against cyber attacks has never been
where it is located. In a world of big data, maintaining
greater. It is estimated that companies are now
and managing ever-increasing volumes of data is
spending 6% of their budgets on Cyber security.
already a big challenge for organisations, and data
Unfortunately, there are regular headlines in the
is more often than not managed by a multitude of
press advising us of “yet another” cyber attack.
people and teams rather than handled centrally. But
solely a technical challenge. Cyber security is not just a technical challenge, however, but a challenge which can, and should, be addressed as part of an organisation-wide Programme. The Programme should encompass work streams from IT and Information Governance (to include, Data Management, Records Management and Data Protection). 6 3 • C Y B ER WORLD
effectively securing this dispersed data is another league altogether. THE APPROACH An organisation then has to be able to answer 5 main categories of questions in order to be able to implement a secure information protection programme – the what, where, how, why and who of their company’s data.
1. What data do you have that needs protecting? 2. Where does this data sit? Where does it go? Where does it come from? 3. How should this data be protected? Is the priority confidentiality, integrity or availability? 4. Why do you have to protect it? Is it valuable? How valuable? 5. Who is responsible for the data? Who will own the controls that protect the data? The above questions need input from records management professionals and business owners in order to be accurately answered. This is where cyber security and records management start to
be surprised how often consultants come across businesses that cannot answer this question. If your business does not have an information asset register that clearly defines the exact data, including data volumes, that it stores and processes then this question has not been fully answered. This question also has a flipside – in the event that your security controls are circumvented and your data is lost, you need to be able to say exactly what data you have lost and what impact this will have on your business. The answer to this question is imperative to providing this information. THE WHERE: WHERE DOES THIS DATA SIT? So now you know what data you need to protect,
where does this data sit? Where has this data come
THE WHAT: WHAT DATA DO YOU HAVE THAT
discovery exercise and requires input primarily from
records management professionals.
As already mentioned, in order to properly secure
Knowing where your data sits and flows to and
anything in this world you need to know what you are securing. This sounds obvious but you would
from? Where does this data flow to? This is a data
from is important for two main reasons. The first reason is the obvious one – in order to protect M AY 2 017 • 6 4
something, you need to know where you need to
controls which by definition impact the availability
put the controls. The second reason is so that you
of the data.
can ensure controls are provided throughout the whole of the data’s lifecycle. There is no point in encrypting a database at rest if you are going to send the data via an unsecured connection to a third party (yes, we have seen this happen). THE HOW: HOW SHOULD YOU PROTECT YOUR DATA? One of the key concepts within cyber security and information protection is the CIA triangle. Cyber security controls have one objective - to protect the confidentiality, integrity and availability of your company’s data and information systems. This sounds easy, but often a compromise is required. Protecting the confidentiality of data usually involves putting in place controls such as encryption or strong access management controls; 65 • C Y B ER WORLD
Therefore, before you decide to encrypt every single database on your company’s network and cause both severe network latency (data will become tediously slow to access) and access issues (if you give everyone the key to decrypt the data, is the data actually encrypted?), you need to decide which of the three principles you want to prioritise. Records management professionals play a significant role here. With a world dictated by regulation and with each business demanding different CIA requirements, it takes a records management professional to properly define the levels of protection that the data requires and an information security professional to then provision the controls.
THE WHY: WHY SHOULD YOU INVEST IN PROTECTING THIS DATA?

Protecting data costs money. In order to secure funding, you have to be able to provide the business with a reason to invest. Both records management and information protection professionals can help here – records management professionals are able to dissect and translate the complex regulatory requirements of data storage and processing into real business requirements, and information security professionals are able to advise the business on the risks and impacts of not securing their data. The combination of both of these should give your business a real incentive to protect its data.

THE WHO: WHO WILL BE RESPONSIBLE FOR PROTECTING THE DATA?

Finally, we have the who. Once you have defined the data and levels of protection required, who will be responsible for ensuring that the controls are implemented? Who will be responsible for ensuring that the controls are maintained? Who will be responsible for monitoring the controls and reporting any issues that occur?

CONCLUSION

The above questions should be answered by every business in order to ensure that their records management and information security programmes are as comprehensive and secure as can be, and the questions require input from both records management professionals and cyber security professionals.

Roger Poole
Head of Information Governance
Secgate
GDPR: Why Smart Solutions Are The Way Forward
Tomas Pluharik
About the Author: Tomas Pluharik is a long-term innovation and security enthusiast and professional, currently working as security consultant for Deloitte Central Europe. He has worked in both start-ups and global corporations all around the world, and he has been a guest lecturer at several universities (VSE, CEVRO institute). Tomas is also the founder of the start-up Humainn, which specialises in open data and data integration principles applied in practice.
For some businesses, the GDPR might look a bit like a new EU-driven digital Armageddon. The Regulation looks so tough that many companies are very concerned whether they will be able to meet the stringent new requirements, and many technology companies are making changes to their products in an attempt to appease Brussels and comply with the GDPR. While the new Regulation is clearly revolutionary, don’t panic! Let’s look at the technological options (and especially the smart ones) available to companies to help them meet the GDPR.

The Regulation itself is relatively vague with regard to technologies. Even the authors had trouble describing how technological solutions should be implemented. This is both good news and bad news. Bad news in that, at least in the beginning, we have to count on both structured and unstructured data as a target for our solution. One common problem, for example, is that client contracts or other data are frequently left on shared drives. The good news is that this lack of technological standards creates greater space for smart and practical solutions. It also provides an impetus for managers to justify investing significant time and resources in resolving issues with data and role classification - a common problem for organisations. The challenge is that sensitive data located all over the infrastructure requires tools to find, convert, operate and audit/control it. This article looks at how this can be handled.

To identify the data you need smart solutions that will scan your infrastructure – but be aware that such solutions usually create indexes that will be full of sensitive personal data. So the hope is that process-based protection will be acceptable to the regulatory authorities. Solutions will also have to be smart enough to look for integrations/linkages between data sources, which will need to be reflected in any reports they produce. This is the tricky part for organisations using numerous reports, custom spreadsheet machines crunching data on local machines, etc. Solutions that monitor operations and utilise deep packet inspection might then be a good way forward to approach this problem.

CONVERT/MIGRATE

Once you have identified all the data that you have to convert, you have to choose your strategy. How will you convert frequently used dynamic/operational data, and how will you handle the generic data you store for ‘just in case’ scenarios (called archives)? Legacy data can be a big issue, especially in the case of backups. Again, the GDPR is not able to clearly answer the ‘backup question’, and in some cases it will not even be technically possible to convert backups. It is also useful to know that you cannot keep older versions of databases purely for ‘just in case’ scenarios.
You have to look for smart solutions that can combine data integration and encryption/decryption of database fields fast enough not to interfere with your operations. Unfortunately, this will lead to process and role changes. You will probably not be able to keep your good old root account, and any solution will create massive indexes of sensitive data. This is a problem because there is something known as the ‘right to be forgotten’. You will not only have to control access to personal data and provide ‘proper data protection’, you also have to provide a service that deletes sensitive personal data from your records on request; and you have to be able to provide appropriate audit information that demonstrates that you have done so! Hence, yes, there is a little chicken and egg problem with those requirements, but safely stored indexes and audit logs should spare you any trouble.

Vendors of solutions will provide some tools for their own systems, but not many will help you with integration. The hope is that software vendors will soon come up with solutions, and the open source community is also beginning to rise to the challenge (such as, for example, OpenGDPR.eu).

Integration is also tricky on the level of control and audit, as companies have to be able to control employees’ handling of data and provide proper audit trails for future checks. The problem is that audit trails tend to contain a lot of sensitive personal data, and so again solutions have to either encrypt them or split and store them with limited access. Deep packet inspection tools, integration platforms and process monitoring can help with monitoring daily activities. Smart solutions are also a must for unstructured data handling. When analysing data to identify sensitive information, it is better to apply big data analytics’ principles and work with probability rather than attempt 100% precision.

In a nutshell, the GDPR will not just be about process changes and consulting. Technical implementations will require creativity. It will also include tons of smart solutions to sort out unstructured data and common operation practices that are not compliant with the Regulation. It presents a huge opportunity for organisations to make the right architectural
Implementation of integration platforms may help business development and transformation to achieve more secure and flexible IT.

Tomas Pluharik
Security Consultant
Deloitte Central Europe
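The audit-trail tension in the article (trails that themselves hold personal data, yet must survive an erasure request as evidence that the erasure happened) is commonly resolved by writing a pseudonym into the widely readable log and keeping the linking keys in a separate, tightly restricted store; shredding a subject's key honours the erasure while the log entries stay intact. The Python below is an added example, not code from the article or from any vendor product: the PseudonymVault and AuditLog names, the per-subject HMAC key scheme and the sample e-mail address are all constructed for illustration.

```python
import hashlib
import hmac
import json
import os

class PseudonymVault:
    """Restricted store holding one random HMAC key per data subject."""

    def __init__(self):
        self._keys = {}  # subject_id -> 32-byte key; vault access is tightly limited

    def token(self, subject_id):
        key = self._keys.setdefault(subject_id, os.urandom(32))
        return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def lookup(self, subject_id):
        return self.token(subject_id) if subject_id in self._keys else None

    def forget(self, subject_id):  # crypto-shredding: old entries become unlinkable
        return self._keys.pop(subject_id, None) is not None

class AuditLog:
    """Widely readable audit trail that records pseudonyms, never identities."""

    def __init__(self, vault):
        self.vault, self.entries = vault, []

    def record(self, actor, action, subject_id):
        self.entries.append({"actor": actor, "action": action, "subject": self.vault.token(subject_id)})

    def erase_subject(self, actor, subject_id):
        # Log the erasure while the token is still derivable, then shred the key.
        self.record(actor, "erase", subject_id)
        return self.vault.forget(subject_id)

    def entries_for(self, subject_id):
        tok = self.vault.lookup(subject_id)
        return [e for e in self.entries if e["subject"] == tok] if tok else []

    def leaks(self, subject_id):  # the raw identifier must never appear in the log
        return subject_id in json.dumps(self.entries)

def demo():
    email = "alice@example.com"  # constructed sample data subject
    log = AuditLog(PseudonymVault())
    log.record("crm-app", "read", email)
    log.record("analyst-7", "export", email)
    before = len(log.entries_for(email))
    erased = log.erase_subject("dpo", email)
    return before, erased, len(log.entries_for(email)), len(log.entries), log.leaks(email)
```

After the key is shredded the three entries (two accesses and the erasure itself) remain as evidence, but nobody, vault holders included, can link them back to the person.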
Published on May 10, 2017
Special Edition of Cyber World magazine, focused exclusively on the upcoming EU General Data Protection Regulation (GDPR).