
MAY 2017

A SPECIAL EDITION BY

CYBER WORLD GDPR

THE STORM IS COMING 1 YEAR TO GO - THE EXPERTS SPEAK

Contributors:
Giovanni Buttarelli, European Data Protection Supervisor, EU
Dr Simon Rice, Information Commissioner’s Office (ICO)
Jonathan Armstrong, Cordery
Chris Gould, Secgate
John Culkin, Crown Records Management
Ivan Blesa, Secgate
Emma Butler, Yoti
Yasmin Durrani, Zurich Insurance UK
Domini Clark, Blackmere Consulting
Roger Poole, Secgate
Tomas Pluharik, Deloitte Central Europe


CyberWorld.News


Hello. We are proud to announce the first Special Edition of Cyber World, focused exclusively on the upcoming EU General Data Protection Regulation (GDPR). With the GDPR coming into force in May 2018, just over a year from now, we have invited leading experts from diverse backgrounds, including from law firms, regulatory authorities, consultancies, recruitment firms and from industry, to provide their insights into the GDPR. Their analyses and expert opinions have been sought to shed light on what the GDPR consists of, what it means for organisations, consumers as well as for information security and data protection professionals, and what challenges and opportunities the GDPR will bring.

We present exclusive articles and analyses from Giovanni Buttarelli, the European Data Protection Supervisor; Dr Simon Rice, Technology Group Manager at the Information Commissioner’s Office (ICO); Jonathan Armstrong, Partner at the compliance law firm Cordery; Chris Gould, Head of Consulting at Secgate; John Culkin, Director of Information Management Services at Crown Records Management; Emma Butler, Data Protection Officer at Yoti; Yasmin Durrani, Data Protection Officer at Zurich Insurance in the UK; Tomas Pluharik, Security Consultant at Deloitte Central Europe; Roger Poole, Head of Information Governance at Secgate; and Domini Clark, Managing Principal at Blackmere Consulting. We also have articles on ‘If Captain Sully was a CEO’ and ‘GDPR Becomes Law, But Bigger Changes Lie Ahead’ as well as a product review entitled ‘The Fight Against Cyber Risk And The Birth Of A New Weapon’.

We would like to thank all our contributors for their insightful contributions, and our Readers for making our magazine a great success. We hope you enjoy this Special Edition, and that it is of use to you and your organisation, and please feel free to share our magazine with colleagues and friends. As always, your comments and feedback are very welcome.

Laith Gharib, Managing Director

MAY 2017 • 2


The Six Principles Behind GDPR – Giovanni Buttarelli

3 • CYBER WORLD


About the Author: Mr. Giovanni Buttarelli has been European Data Protection Supervisor since December 2014. He was appointed by a joint decision of the European Parliament and the Council on 4 December 2014 for a term of five years. He previously served as Assistant EDPS, from January 2009 until December 2014. Before joining the EDPS, he worked as Secretary General to the Italian Data Protection Authority, a position he occupied between 1997 and 2009. A member of the Italian judiciary with the rank of Cassation judge, he has attended to many initiatives and committees on data protection and related issues at international level.

The European Union opened a new chapter for data protection in 2015. After almost four years of intense negotiation and public debate, the General Data Protection Regulation (GDPR) was adopted in April 2016. We are now on track to change data protection for the next generation.

The GDPR reinforces a wide range of existing rights, and establishes new ones for individuals. It is fundamental to find new ways of applying data protection principles to the latest technologies, and the cooperation of businesses is crucial in order to achieve this goal.

The GDPR comes into force on 25 May 2018, and preparations for ensuring compliance require close attention. The new regulation sets out the need for a solid data protection policy for firms working within the EU. Such measures include, among others: adequate documentation on what personal data is processed, how, for what purpose, and for how long; documented processes and procedures; tackling data protection issues at an early stage when building information systems; responding to a data breach; and the presence of a Data Protection Officer integrated into the organisation.

The GDPR aims to entrench privacy on the ground, and allows different sectors to contribute to new norms and best practices appropriate to specific circumstances. The GDPR also aims to make it easier for companies operating within EU borders to comply with data protection policies.

SIX GENERAL PRINCIPLES

There are six general principles in the regulation that have to be respected when processing personal data: fairness; purpose limitation; data minimisation; accuracy; storage limitation and security.

Security is an important principle of data protection. In fact it is an enabler of data protection. (Information) security provides organisations with control: control to actually behave as they want even in the presence of external factors or threats. It is not a new principle and has always been based, as in any security framework, on the implementation of a mature risk management process. (More information on information security and data protection can be found in EDPS’ publication ‘Security Measures for Personal Data Processing - Guidance on Security Measures for Personal Data Processing - Article 22 of Regulation 45/2001’.)

ACCOUNTABILITY

At the same time, the GDPR introduces an important new concept into the data protection framework: accountability. The concept first appeared in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and was more recently promoted at the 2009 International Conference of Data Protection and Privacy Commissioners in the ‘Madrid International Standards’, in the ISO draft standard 29100, and in the APEC privacy framework and its cross-border privacy rules. Article 22 of the latest version of the GDPR requires controllers to implement appropriate technical and organisational measures to ensure and demonstrate compliance with data protection rules (the term ‘accountability’ is defined in Article 5(2)).

Accountability is a common principle for organisations across many disciplines. The principle embodies the idea that organisations live up to expectations, for instance in the delivery of their products and their behaviour towards those they interact with. Accountability is already present in any IT governance framework, and is also the basis for control and auditing. The GDPR integrates accountability as a principle, which requires that organisations put in place appropriate technical and organisational measures, and that they are able to demonstrate those measures – and their effectiveness – when requested. Accountability is the best way to move data protection from theory to practice.

In concrete terms, accountability requires organisations to be able not just to comply with data protection principles, but also to demonstrate how they ensure compliance with the GDPR. Therefore, businesses should start reviewing their data processing activities and implementing proper data protection policies as a new routine, to be able to demonstrate compliance with the regulation upon request from individuals (customers) or supervisory authorities. In other words, if accountability is incorporated into business activities, it will ensure effectiveness in applying other data protection principles. However, in order to ensure that this happens, businesses have to change their culture when complying.

Linked to accountability are the principles of data protection by default and by design, which will also become a legal obligation under the GDPR. Data protection by design can be assimilated to the principle, well known by IT practitioners, that implementing security or data protection is more effective and efficient the sooner it is done. Data protection by default asks organisations to consider the most data protection-friendly option possible when any decision is taken. (To facilitate the implementation of data protection by design and by default, the EDPS participates in the Internet Privacy Engineering Network (IPEN), whose purpose is to bring together developers and data protection experts with a technical background from different areas in order to launch and support projects that build privacy into everyday tools and develop new tools which can effectively protect and enhance our privacy.) These two principles together with accountability are already a very strong guide when tackling data protection issues.

STRONGER RIGHTS FOR INDIVIDUALS

The GDPR provides individuals with stronger rights, giving them more control over the processing of their personal data, such as a stronger right to rectification, a broader right to erasure (also known as the ‘right to be forgotten’), a new right to the restriction of processing in certain circumstances, and so on. Therefore, in order to make this new set of rights effective, it is necessary to both establish transparent internal data protection and privacy policies – approved and actively endorsed at the highest level of the organisation’s management – and to inform and train everyone in the organisation on how to implement these policies.

If they are not already doing so, all businesses, large and small, should be considering the way in which they interact with personal data, and how the GDPR will impact on them and the sector in which they operate. We would not recommend a ‘sit on your hands’ and ‘wait-and-see’ approach.

Ultimately, we believe that GDPR is an opportunity for businesses, inside and outside the EU. The regulation will help firms consolidate personal data into an integrated business platform. This constitutes a unique opportunity for businesses to get closer to customer requirements and expectations, in both the digital economy and wider society.

Giovanni Buttarelli, European Data Protection Supervisor, European Union


Your Guide To The GDPR By The Information Commissioner’s Office Dr Simon Rice

About the Author: Dr Simon Rice is Technology Group Manager at the Information Commissioner’s Office (ICO), the UK’s independent body set up to uphold information rights. The ICO regulates the Data Protection Act, Freedom of Information Act, and Privacy and Electronic Communications Regulations. The technology team delivers specialist expertise to the ICO by advising on the technical aspects of complaints received and data breach investigations. We also monitor the technology environment to identify developments that may impact on information rights.

Official figures show that there were an estimated two million computer misuse offences in 2016 – that means once every 15 seconds there was a potential cyber security incident and a potential data breach.

When it comes to properly protecting the data they hold, the stakes are high for businesses, and they are getting higher. You have probably heard that next May, a new data protection law – the General Data Protection Regulation (GDPR) – will arrive with stricter controls and higher penalties for those who get it wrong.

The GDPR builds on the previous Data Protection Act, but provides more protection for consumers and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data, and puts a responsibility on businesses to change their entire ethos to data protection.

CONSUMERS CONTROL THEIR DATA

The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. Consumers will have the right to request personal data be deleted or removed if there is no compelling reason for an organisation to carry on processing it. They will also have the brand new right to data portability: the right to obtain and port their personal data for their own purposes across different services.

The GDPR will include new obligations for organisations as well. Businesses will have to report data breaches that pose a risk to individuals to the ICO, and in some cases to the individuals affected. They will have to ensure that specific protections are in place for transferring data to countries that have not been listed by the European Commission as providing adequate protection, such as Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have obtained it if they rely on it for processing data. There are also obligations around appointing data protection officers.

The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It is about moving away from seeing the law as a box-ticking exercise and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and privacy by design – are now legally required in certain circumstances. It means a change to the culture of an organisation, and it is a crucial part of cyber security.

THE STAKES ARE HIGH

The days when cyber security was purely an IT function are behind us. Just glancing over the National Cyber Security Centre guidance on preventing a cyber attack makes it clear that data security is as much about staff as it is about software. Sure, there are tips in there around malware protection and the importance of patching software. But advice around password policies, removing default user accounts, and restricting access to information to only staff who need it to do their jobs is about people, and about having a culture of privacy in place in your organisation.

The stakes are high. Getting it wrong not only risks enormous reputational damage, but for the most serious violations of the law the ICO will have the power to fine companies up to €20 million, or four per cent of a company’s total annual worldwide turnover for the preceding year. The GDPR gives regulators the power to penalise organisations for failing to put in place: data protection by design, a data protection impact assessment, data protection officers and documentation. If businesses cannot demonstrate that good data protection is a cornerstone of their practices, they are leaving themselves open to a fine or other enforcement action that could damage their bank balance and/or their reputation.

The ICO remains committed to helping organisations improve their practices and prepare for the GDPR. We have recently published an update setting out what guidance organisations can expect. It is essential reading and it will help you plan what areas to address over the next 12 months.

The central pillar to our guidance is the ‘Overview of the GDPR’. We are developing the Overview as a living document, adding content on different points as more guidance is produced by us and Article 29. If you want to stay updated on new guidance our e-newsletter is a good place to start. More information, help and advice is available on our website, or you can contact the ICO helpline on 0303 123 1113.

Dr Simon Rice, Technology Group Manager, Information Commissioner’s Office (ICO)


Identity verification that benefits business and consumers

Yoti is the easiest, most secure way to prove identities online and in person. It’s free for consumers and uses NIST approved facial recognition, government issued passport and driving licence, plus biometrics for multifactor authentication.

Simple: Brings easy ID verification and removes the need for username and passwords.

Secure: Military grade encryption securely stores data in private Tier 3 UK data centres.

Fast: Develop 3rd party apps with Yoti’s SDK in under a day and verify customers in seconds.

www.yoti.com hello@yoti.com


Getting Ready for the GDPR Jonathan Armstrong

About the Author: Jonathan Armstrong is a Partner with London-based compliance law firm Cordery. An acknowledged expert on compliance and technology, his practice advises multinational companies on matters involving risk, compliance and technology across Europe. He has handled legal matters in more than 60 countries. Jonathan is a Fellow of The Chartered Institute of Marketing and co-author of the LexisNexis definitive work on technology risk, ‘Managing Risk: Technology & Communications’. He leads on Cordery’s GDPR Navigator subscription service, and is a frequent broadcaster for the BBC and other channels. Jonathan was ranked as the 14th most influential figure in global data security by Onalytica in their 2016 Data Security Top 100 Influencers and Brands survey.

The data protection and data security landscape is all set to change next year with the advent of the new EU General Data Protection Regulation (GDPR). The GDPR is not all good news. But it is not all bad news either. Many of the organisations we work with are using the GDPR to bring some focus to what they do and improve their security stance.

The new rules are part revolution and part evolution. In many ways, the new system builds on the current one, so if you already comply with current EU data protection laws you can build on those foundations. It is important to take a risk-based approach and plan properly, but you also need to be realistic. There is just a year left before the GDPR takes effect, and if you have been slow to act, you cannot afford to delay getting up to speed. The team at Cordery has been working on GDPR projects since the first draft came out in 2012. GDPR is a long document but here are some of our highlights:

SECURITY BREACH REPORTING

There is not much change to the obligations organisations have to keep personal data secure. However, one of the most important changes is the mandatory reporting of security breaches. Breaches must generally be reported to a regulator within 72 hours, and those affected by the breach must usually also be informed. To do this you must have clear, practical, effective and speedy procedures in place. You will also need to get your vendors and suppliers on board – because this is business critical, you cannot afford to get it wrong.

THERE ARE NEW RIGHTS FOR INDIVIDUALS

New rights are being introduced and existing ones tweaked, including:

• A new Right to Data Portability;

• An extended Right to Be Forgotten (called the Right to Erasure);

• A beefed-up Subject Access Right – to be free and with a shorter time to reply.

REACH

The GDPR has wider extraterritorial reach. The new rules will apply to all those in the EU who control data and/or undertake data processing. They will also apply to businesses outside the EU who target EU data subjects, even if they don’t take payment from people within the EU. Unlike some US legislation the rules don’t just apply to health and financial data – all sectors and all types of personal data are covered.

DATA PROTECTION IMPACT ASSESSMENTS (DPIAS)

DPIAs will have to be undertaken for many data processing operations. DPIAs put the compliance assessment burden on those handling personal data – but are used as a wider tool to help get a better handle on your data processes and reduce risk. This should help you build privacy and security into the heart of what you do. This might be the chance for information security teams to get involved in projects at an earlier stage, and for them to be more recognised by management as a valuable part of the process. Information security teams should build their knowledge of the DPIA process and work out how they can add value. There is no set format to a DPIA, but the key aspect is to pick a process that is simple to understand and helps you quickly identify and address the real risks.

GREATER PENALTIES

Increased enforcement will come about with the new regime, backed up by greater sanctions. There are fines of up to €20 million or four per cent of the global annual revenue of a business (whichever is greater), with a likely result of higher reputational damage and the possibility of civil actions too. This is the big stick for data protection compliance, but getting it right will pre-empt major headaches. To add to the potential consequences, civil actions are becoming more likely following a breach.

WHAT DO YOU NEED TO DO NOW?

Start preparing now and read our FAQs or watch our film on YouTube for further information and advice. If you don’t have a plan in place already, get started immediately, but make sure your plan is achievable in the short time you have left.

Jonathan Armstrong, Partner, Cordery


Moving Towards Compliance With The GDPR: Some Practical First Steps Chris Gould

About the Author: Chris Gould is Head of Consulting at Secgate. He is an Information Risk expert with over 25 years’ experience in assisting organisations throughout the world in assessing and managing technology-related risks, particularly relating to Information Security, Business Continuity and Crisis Management. Prior to joining Secgate, Chris was a Partner at EY in London, leading its Cybercrime Investigation and Cyber Forensics practice, and a Partner at PwC in Moscow, where he was CEE Leader for Cyber Security and Forensics.

With a year to go it is safe to say that organisations

the Googles and Amazons of this world that will be

vary widely in their readiness for the GDPR, with the

hit first with any fines.

clear majority being far from confident that they are going to be able to comply with the new Regulation. The clients that I speak to are often still struggling with the basics, let alone thinking about a complete overhaul of their records and data management, access control and other privacy-related processes, as the GDPR actually requires. In a lot of cases there is still a sense of complacency, a belief that it will be 17 • C Y B ER WORLD

When thinking about this article I was tempted to focus on some of the more common and apparent issues that I hear being discussed around independence of data protection officers (DPOs), particularly following the November decision of the Bavarian Data Protection Authority; or on how to contemplate the minefield created by ‘the right to be forgotten’, or even on how to find competent


people in a resource-constrained environment.

KNOW WHERE YOUR PII IS AND WHERE IT

These are all important issues, but there are some

GOES

simple steps that will have a significant impact on

Companies are generally good at cataloguing data

your GDPR programme, and which, if you have not already done so, you must take now: 1. Know what the personally identifiable information (PII) you hold is, where it is located, and where it goes; 2. Plan for what you will do in the event of a breach; 3. Take the opportunity to rationalise and streamline data; and 4. Understand 3rd parties and your mutual dependence on privacy of data.

when it is stored in core systems, and mature organisations have even gone a long way to securing that data. The challenge is, and this is borne out of experience in helping too many companies during and after data breaches, data is almost always existent outside of those core systems as well. Almost every breach I have dealt with has targeted the data that has been outside of those systems – so called ‘Shadow IT’. In a large breach I investigated I found an almost complete copy of the client’s ‘Crown Jewels’, which included PII being stored on an unsecured development web-facing server! The rise of Shadow IT raises a significant problem for security, and in the case of PII is a compliance

M AY 2 017 • 18


nightmare. This means that, as a first step,

organisations need to already be thinking about

organisations need to move quickly to identify all

how they are going to respond. The Regulation not

the locations where the data is being stored and

only requires organisations to report very quickly

understand the flows of PII inside and outside

following a data breach, they also need to clearly

of the organisation. This is almost impossible to

understand the nature and size of the breach,

do without the use of an automated tool that

who was affected, whether individuals need to be

captures data in motion or at rest. This will allow

notified and whether adequate controls to prevent

organisations to prioritise an approach comprising

the breach had been in place.

of both technical and training measures to reduce exposure.

There are hardly any organisations that I have ever worked with that were able to do this to a

I have focused this article on four things an

satisfactory degree. Recent data breaches have

organisation should be doing right now, as there

demonstrated that organisations are unable to

is not much time left before the GDPR comes into

quickly identify what they have lost. In a GDPR

effect. However, such monitoring tools as described

world that means there is a risk of over- or under-

in this article can also be used on an ongoing basis to

reporting the scale of a breach, not being able to

ensure the continuous monitoring of data transfers,

notify all relevant parties, and thereby opening the

allow for a regular assessment of the effectiveness

door for regulatory sanctions.

of governance systems and structures, and maintain the compliance programme put in place. PLAN FOR WHAT YOU WILL DO IN THE EVENT OF A BREACH – AND PRACTICE IT It is a fact – breaches happen! Regardless of whether those breaches are due to malicious activity or result from a human error, organisations need to be prepared in order to be able to respond to a breach, and respond very quickly. The adage of the 7Ps is very relevant (Proper Planning and Preparation Prevent Poor Performance), and thus

19 • C Y B ER WORLD

Dealing with a breach is a combination of having the right stakeholders involved (Board, Internal and

External

Counsel,

Auditors,

Employees,

Shareholders, Customers, Vendors etc.), not just IT and Security departments/experts. A good response programme provides a consistent, scalable way to deal with breaches and needs to be rehearsed regularly in order to become ‘muscle memory’. Having the right tools in place also helps. Organisations should seek to have a ‘black box’ that provides enough forensic quality data recording capability that, as in airline crash investigations,


will allow you to reconstruct the breach and quickly

and employ some creative thinking to, whether this

understand what data has gone missing, and how.

data is really needed and what alternatives may

Equally importantly is to have a well-rehearsed communications strategy in place - a single voice for the organisation that maintains the confidence of stakeholders and minimises the reputational damage that result from a breach. TAKE THIS OPPORTUNITY TO RATIONALISE YOUR USE OF PII

exist. Could anonymising data suffice? Are all the data elements needed, or could we reduce risk by only keeping limited data elements? Do we need this data at all? This approach needs to be robust and decisions made must be communicated effectively, not just to deal with the status quo, but also to reduce the ongoing risks that people will start to revert back to

I remember listening to a presentation about 10

bad habits such as keeping unnecessary data after

years ago on SAP implementation, the key tenet

the initial GDPR compliance surge is completed.

of which was that if you don’t clean your master

That means creating sustainable solutions that

data before implementing SAP then you are going

will safeguard that organisations will continue to

to have problems. Moreover, this was an important

receive the benefit of the data while reducing the

opportunity for organisations to rationalise and

risks to this data at the same time.

clean up their master data files. I draw parallels between this wisdom and how we address the challenge of PII and the GDPR.

In the same way as the PCI-DSS set of standards has led to many retailers eliminating any card data being held on their networks (at least in Europe, less so in

It is very clear that most organisations are holding

the US), I believe we will see a rise in outsourcing

more PII than they need to, in places they don’t

the capture and use of personal data. PII brokers

need to, and for reasons they don’t understand. The

may seem far-fetched to some, but if you look at

GDPR affords organisations with the opportunity to

the credit scoring industry as an example, we can

take a fresh look at how they use data, to identify

see that organisations have already outsourced

new ways for rationalising data, as well as to reduce

storing and managing sensitive financial data. We

the relevant associated risks.

are likely to see the same happen for PII as part of a

The first steps described above provide insights

risk transferral strategy.

into what data is being held and where it is located. The logical next step would be to critically question, M AY 2 017 • 2 0


UNDERSTAND

3 RD

PARTIES

AND

YOUR

MUTUAL DEPENDENCE ON PRIVACY OF DATA. The topic of PII brokering leads nicely into a discussion about how we need to better understand our third-party relationships and the potential GDPR exposures arising from them. A lesson from more ‘exotic’ jurisdictions is that once penalties increase and start to be enforced, lawsuits will follow. Organisations will start to look to third parties that may have had a duty of care of their data and have handled PII inappropriately. Step 1 outlined above is a good starting point for understanding PII data flows and mapping the third-parties that PII is sent to, received from or processed/stored by. Steps 2 and 3 are also critical in that both are creating and rehearsing incident responses, clearly defining breach notification thresholds, devising communication strategies as well as critically assessing whether each of the thirdparties need PII or whether there are alternatives. I have included this as a separate point as, from my experiences in dealing with breaches, the relationships and dependencies with third parties is very poorly understood. An organisation I worked with recently actually believed that they had no personal data and had outsourced it all to a third party. The reality, however, was that due to a specific and one-off business requirement, there was a full copy of certain PII stored within the company. Following the four steps above will not make you compliant, but they are fundamental steps that each organisation needs to get right on their journey to compliance. If you don’t have taken these early on in your compliance journey, the chances are that you will have a harder time with the GDPR than would need to be the case. They are also steps that ought to be build into an ongoing compliance programme to address the GDPR and information and data security for the longer term. Chris Gould Head of Consulting Secgate 21 • C Y B ER WORLD


Having the right tools in place also helps. Organisations should seek to have a ‘black box’ that provides enough forensic quality data recording capability that, as in airline crash investigations



What is the Difference Between Security and Privacy in the GDPR?
John Culkin

About the Author: John Culkin is the Director of Information Management at Crown Records Management, where John is responsible for the full suite of Information Management services, including advisory and digital services. He is a regular commentator in the media and has authored white papers setting out how companies can prepare for the EU GDPR. John’s background is in developing digital solutions for businesses around the world, and he has spent much time in senior roles including as technical consultant in European technology companies, with particular expertise in the field of content management and information governance.

A good place to start any discussion about the General Data Protection Regulation (GDPR) is an appreciation of the difference between security and privacy. Both are integral to the legislation. A simple interpretation is that privacy relates to what and why data should be collected and kept in the first place. Security concerns keeping what is stored safe.

A change in mindset will be needed for many people, as customer data is often viewed as belonging to the business once it has been collected or bought. In a GDPR world, considering themselves as guardians of such data may be more useful. You must keep it safe and secure, but effectively ‘the controller’ is the person whose data you hold. They will have the right to access it, ensure it’s accurate, even erase or move it in an agreed format.

Why make this distinction? If you believe the GDPR is just a security issue, then you probably believe there is a technical solution and it falls into the remit of the IT, compliance or security departments. There is no technical solution to the GDPR. One of the biggest challenges it poses to organisations is the breadth of areas it covers, and therefore the number of departments and people potentially affected.

As such, it would seem the way we traditionally view data may have to adjust. For some this is a profound change, for others it is simply good customer service that requires good quality customer data, which must be accurate and fair. It also means you’re not analysing bad, inaccurate data or annoying potential customers with marketing material they don’t want. All of which is actually wasting companies’ money in the short or long term.

There are seven principles incorporated into GDPR.

1. Processed fairly, lawfully and in a transparent manner -> Privacy
2. Collected for specific, explicit and legitimate purpose -> Privacy
3. Adequate, relevant and limited to what is necessary to meet the purpose -> Privacy
4. Accurate and up-to-date -> Privacy
5. Must not be kept for longer than necessary -> Privacy
6. Kept secure to maintain integrity and confidentiality -> Security
7. Processed by controllers and able to demonstrate compliance -> Privacy

Security is a vital part of the new rules, and concepts such as privacy by design also mean security by design. No one can really argue against the above principles – they are all what you would expect to happen to your data when you entrust it to someone else. These principles are effectively the basics of good information governance. They are the minimum of what you should be doing now. It is, however, reasonable to assume some organisations are not doing it, otherwise no one would be concerned about the impact of the GDPR. Either the attention has gone elsewhere, or the alternative is that organisations don’t really care about their customers’ information.

This is where the opportunities of the GDPR need to be considered. Thinking from a customer experience point of view, you are more likely to retain customers if you have accurate data, which they can access and check, or even erase if they want to. Another opportunity is for businesses to review processes that have often grown organically over many years, and see how information flows through the organisation. It could be a catalyst for efficiency improvements or departments working more closely together. Certainly, marketing and IT may find having to come up with solutions to manage consent and track customer preferences inevitably brings them closer together.

A long-standing gripe from IT departments is the proliferation of shadow IT, especially in areas such as marketing. An ongoing training programme to help educate the whole company about data privacy and security could help manage potential personal data being accessed or stored in ways it should not be.

EPRIVACY REGULATION

The European Commission is also aiming to adopt the new ePrivacy Regulation at the same time as the GDPR comes into force in May next year. This would potentially bring ‘over the top’ (OTT) services, cookies and direct marketing through electronic communications into the scope of specific regulations. This reinforces the notion that IT and marketing are going to have to learn more about the work and skills of the other whilst considering the privacy of personal data.

One of the key challenges of the new rules will be providing evidence of common practices and processes. This means: how are you going to track who has given what consent, when, and how, and what information they gave at the time? It may be common practice now for marketing to buy in a list of targeted customers. The provenance of this information is often not checked and the assumption is made that it is from a reliable source. This is already proving inadequate under current legislation, for example when not cross-checked against the telephone preference service.

A vital area not to forget is the data beyond your organisation’s walls, i.e. knowing where data has come from and where it is going, especially if it involves third parties or subcontractors, or even the cloud-based systems they are using in turn. A pragmatic but well-documented and thought-through policy in this area is essential. The GDPR means digging deep into organisations’ systems and processes, as well as going across departments or divisions. It will raise many questions and challenges, leading to a better understanding of information flowing through the organisation. On the whole, this is no bad thing. Trying to amass everything that comes in and keeping it forever is not the best data management strategy. It involves too many costs and risks. Regarding the GDPR as a customer data programme that can potentially add value, instead of a technical security problem, is sensible.

The extra-jurisdictional nature of the GDPR means it would apply to EU citizens no matter where they are located. However, enforcing the rules in some jurisdictions could be a challenge for any data protection authority. Simply ignoring any sanction or failing to cooperate in any investigation would be a difficult challenge to overcome for authorities with little if any local physical presence. Certainly, it is unlikely any 72-hour breach notification would be given in this situation. As a result, any EEA+UK organisation could be seen as having an advantage if customers want the extra reassurance it would bring.

Some of the most complex challenges are those such as complying with the right to erasure. Firstly, you have to know what data you have and where it is, and have the processes in place to do this – not to mention having someone to physically do it if it is not automated; all whilst complying with other regulations, e.g. keeping financial records. It may come to be that very few customers actually invoke rights such as the one to data portability in the short term. But the costs of meeting even a few requests could be relatively high. Which means the earlier you can build this into your systems and processes, the better.

John Culkin
Director of Information Management
Crown Records Management


Product Review

The Fight Against Cyber Risk And The Birth Of A New Weapon

Cyber attacks may be a relatively new risk to organisations, but the statistics are staggering: according to UK government figures, in 2016 two thirds of all UK-based large businesses reported a cyber attack or cyber breach, and the cost of cyber attacks to the global economy is predicted to reach US$6 trillion by 2021. Today, we would like to take you through the same journey that our company went through to create VisDa, our unique data transfer risk management solution. In doing so we will examine cyber risk, make the argument for prioritising the risk of data theft over other aspects of cyber risk, and finally propose a new tool that allows companies to monitor and mitigate these risks to ultimately reduce the number of successful attacks launched.

THE HIGHEST PRIORITY CYBER RISK IS THAT OF A DATA BREACH

The Institute of Risk Management defines cyber risk as: “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems”. This is an extremely broad definition, and highlights how the concept of cyber risk is an umbrella term to describe a series of individual risks.

Tackling risk is not a one-size-fits-all approach. Different types of cyber risk require different groups of controls to mitigate them, and so to help lower the risk profiles of businesses we need to make this definition more granular. For the sake of this article I’d like to break this definition down into two sub-risks: risks to a company’s network infrastructure (this maps to availability within the Confidentiality, Integrity and Availability (CIA) triangle; it’s the idea that financial loss and reputational damage occur if the business can’t operate due to the network not being able to perform as required), and risks to a company’s data (this maps to the concepts of integrity and confidentiality within the CIA triangle; data is valuable).

A paper published in 2015 by Tavish Vaidya of Georgetown University looked to analyse major cyber attacks that had occurred between 2001 and 2013, and the conclusions are interesting. The paper observes that a large majority of attacks analysed were motivated by the desire to steal corporate data – in fact more than twice as many attacks were aimed at exfiltrating data from the target networks than disrupting networks. The only other attack motivation that occurred almost as frequently as data theft was cyber espionage.

Thus, if we were to prioritise the risks to a business it would be prudent to place data theft through cyber attack as the highest. This correlates with the trends we see in the media; most attacks reported by journalists involve the theft of corporate data, and in January this year the Identity Theft Resource Centre reported data breaches in the US were up by 40% in 2016 when compared with 2015.

DATA EXFILTRATION REQUIRES A DATA TRANSFER TO TAKE PLACE

Now that we have identified what the priority risk is to corporations across the globe, we can begin to dissect just how this risk materialises. A second paper, published by Ryan C. Van Antwerp and the University of Delaware, examined the methods of exfiltrating data out of a network. The paper identifies 14 different methods of data exfiltration from a corporate network, and describes the biggest difficulty in detecting malicious data exfiltration as distinguishing malicious exfiltration from legitimate data transfers. If we switch our attention to accidental data breaches, this challenge is even more apparent (think of the typical example of an employee sending an email full of confidential data to the wrong recipient) – how can we distinguish an accidental data leak from a legitimate business data transfer? The short answer is that we can’t easily distinguish between the two.

DATA LOSS PREVENTION (DLP) SOFTWARE DOES NOT GIVE YOU THE HOLISTIC PICTURE

In their simplest form, DLP solutions work by either scanning documents for key words or by looking for flags attached to the data when it was created. Using these pieces of information, they aim to either stop or allow data to leave the corporate network. DLP has encountered many challenges. Requiring large amounts of infrastructure to implement (servers to enforce policies, scan data transmissions etc.), DLP implementations are costly. DLP solutions also cause network performance issues due to their lack of network transparency, and require large teams of analysts to monitor the alerts being raised to ensure that the correct policies are being enforced. To compound these challenges, several DLP solutions require a human element to tag files (the tagging of files is rarely consistent), and any malicious user would know that by encrypting the file they are trying to exfiltrate they can beat the DLP solution relatively easily. These challenges have led to a relatively poor adoption of DLP solutions, and arguably the only benefit a DLP solution poses to a business is to reduce the number of accidental transmissions of data outside of the corporate network – malicious data exfiltration will just use encryption to beat the solution. The same results, a decline in accidental data leaks, could arguably be achieved through a strong training and awareness programme, which would cost a fraction of the price of a DLP solution.

Most importantly, DLP solutions are too granular. They do not give you the bigger picture with respect to how data is being transferred both internally within your company and externally. They don’t follow a risk-based approach.

VISDA

VisDa is a tool that gives companies three main capabilities. The first is the ability to map out all their data transfers both internally and externally on their network, allowing them to spot malicious connections. The second is the ability to visualise and quantify their complete risk exposure when it comes to data transfers. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on the network. Using VisDa, we monitor a network for data transfers and then apply a risk score to each data transfer based on several features – these include the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent and the destination IP address of the transfer. The risk score calculations are highly adaptable and can be configured to map to an organisation’s individual risk framework and operational environment. VisDa allows companies to then approve (and pre-approve) expected data transfers, and investigate data transfers that seem malicious. The next generation dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their risk exposure when it comes to data transfers. Designed for high throughput networks (VisDa has been installed on networks running at 1 terabit per second), the tool is completely transparent and will have no impact on network performance.

GDPR AND THE FUTURE

Data transfers and the risk of data breaches from data transfers take centre stage in the GDPR. With the largest fines (four per cent of global turnover or €20 million, whichever is larger) being aimed at companies not in control of their data transfers to external parties, there is now a pressing regulatory need for a solution such as VisDa. To help companies better manage their data transfers with regards to GDPR, VisDa also contains tailored workflows and reports aimed at monitoring GDPR compliance. As a solution VisDa not only helps to satisfy the regulatory requirement of managing data transfers, but also helps speed up the reporting element after a data breach. Under GDPR, companies must report data breaches to regulatory bodies within 72 hours of being made aware of the breach – VisDa provides a ‘black box’ of information that analysts and forensic experts can use to rapidly find out exactly what happened with regards to the incident, adding information and context to the report to the regulatory body. VisDa is a solution that gives companies a fresh new way of monitoring data transfers and quantifying their global risk of a data breach – it is a complete data transfer risk management solution. Giving companies the ability to spot malicious data transfers and providing actionable business intelligence for companies to lower their risk profile is a valuable tool in the fight against cyber crime. Alongside this, VisDa helps to satisfy regulatory pressures from the incoming GDPR in a way that no other tool currently can. To find out more, please contact info@secgate.co.uk.

Secgate Research & Innovation
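The review above describes two ideas in prose: the simplest DLP checks (a keyword scan and a look at tags attached to the data, which encrypting the file defeats) and per-transfer risk scoring on the amount of data, the file type, the time and day, and the destination IP address, with expected transfers pre-approved and the rest queued for investigation. The Python below is an added example written for this edition; it is not VisDa's code and does not describe how VisDa scores transfers. It combines both ideas over four constructed transfer records, and every weight, threshold, network range, file-type list and sample payload in it is an assumption. It shows the point the text makes about DLP: the keyword scan reports nothing for an encrypted archive, yet the transfer-level features plus an entropy check still put that transfer at the top of the queue.

```python
"""Toy data-transfer risk scorer: a DLP-style content check (keyword scan, tag
check) combined with transfer-level features (size, file type, time of day,
destination). Added illustration, not VisDa code; every weight, threshold,
network and sample transfer below is constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress
import math
import os
import re

KEYWORD_RE = re.compile(r"\b(?:confidential|salary|passport)\b", re.IGNORECASE)
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed value, tune to your traffic
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
RISKY_TYPES = {".zip", ".7z", ".rar", ".pst", ".sql", ".db"}
LARGE_BYTES = 50 * 1024 * 1024
WEIGHTS = {"external": 30, "large": 15, "risky_type": 10, "off_hours": 15,
           "tag": 20, "pattern": 20, "high_entropy": 20}
PRE_APPROVED = {("203.0.113.10", ".csv")}  # (destination, type), e.g. a partner export


@dataclass(frozen=True)
class Transfer:
    when: datetime
    dst: str
    filename: str
    size_bytes: int
    payload: bytes                 # leading bytes of the content, as captured
    tags: frozenset = frozenset()  # classification labels attached at creation


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed content."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def content_findings(payload: bytes, tags: frozenset) -> list:
    """What a keyword/tag DLP check reports, plus an entropy hint."""
    findings = [f"tag:{t}" for t in sorted(tags)]
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        text = ""  # binary or encrypted: the keyword scan has nothing to read
    if KEYWORD_RE.search(text):
        findings.append("pattern:keyword")
    # Encryption blinds the keyword scan, but a high-entropy blob leaving the
    # network is itself observable, so record it as a finding of its own.
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        findings.append("high_entropy")
    return findings


def score_transfer(t: Transfer) -> dict:
    """Score one transfer; return its score, reasons and a triage verdict."""
    reasons = []
    if not any(ipaddress.ip_address(t.dst) in net for net in INTERNAL_NETS):
        reasons.append("external")
    if t.size_bytes >= LARGE_BYTES:
        reasons.append("large")
    ext = os.path.splitext(t.filename)[1].lower()
    if ext in RISKY_TYPES:
        reasons.append("risky_type")
    if t.when.weekday() >= 5 or not 8 <= t.when.hour < 18:
        reasons.append("off_hours")
    reasons += content_findings(t.payload, t.tags)
    score = sum(WEIGHTS[r.split(":", 1)[0]] for r in reasons)
    verdict = ("approved" if (t.dst, ext) in PRE_APPROVED  # expected: scored, not queued
               else "investigate" if score >= 50
               else "review" if score >= 25 else "expected")
    return {"file": t.filename, "dst": t.dst, "score": score,
            "reasons": reasons, "verdict": verdict}


def triage(transfers) -> list:
    """Highest-risk transfers first, as an analyst queue would show them."""
    return sorted((score_transfer(t) for t in transfers),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample transfers; external destinations use RFC 5737 ranges.
SAMPLE_TRANSFERS = [
    Transfer(datetime(2017, 5, 9, 10, 30), "10.0.2.7", "report.docx",
             2 * 1024 * 1024, b"Quarterly figures, draft 3"),
    Transfer(datetime(2017, 5, 8, 2, 0), "203.0.113.10", "export.csv",
             120 * 1024 * 1024, b"id,name\n1,Alice\n"),
    # Uniformly distributed bytes stand in for an encrypted archive.
    Transfer(datetime(2017, 5, 13, 23, 15), "198.51.100.77", "archive.zip",
             300 * 1024 * 1024, bytes(range(256)) * 16),
    Transfer(datetime(2017, 5, 9, 14, 0), "198.51.100.5", "staff_notes.txt",
             40 * 1024, b"salary review, confidential"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_TRANSFERS):
        print(f"{r['verdict']:<11} {r['score']:>3}  {r['file']:<16} {r['reasons']}")
```

Running the file prints the queue: the encrypted archive scores highest on destination, size, file type, time and entropy alone, the pre-approved nightly export scores high but is marked approved rather than queued, and the plaintext note is caught by the keyword scan. The weight table and thresholds are the knobs the review says must be mapped to the organisation's own risk framework; a real deployment would derive them from observed baselines rather than the fixed values used here.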


VisDa. Take control of your data.


VisDa. Unlocking your data transfers; mitigating your risk.

Information and data are the lifeblood of companies today. Whole industries rely on the rapid sharing of information to generate revenue. As a result, huge volumes of data move from network to network, company to company, every day, non-stop. This presents organisations with a challenge – with so much data being transferred in and out of a company’s network, and with 2 out of every 3 large businesses in the UK experiencing a cyber-attack or breach in 2016, how can you keep track of which transfers are legitimate and which are malicious? Compound this challenge with regulatory drivers such as the General Data Protection Regulation (GDPR) and the need for a coherent solution to monitor and mitigate data transfer risks to your business is clear. VisDa is a revolutionary solution that gives you the capability to track, trace, monitor, visualise, and analyse your organisation’s data transfers without impacting the performance of your business. Sitting transparently on your network, VisDa allows you to understand what, where, when and how data is moving, both internally within your network and externally to third parties. Developed by world-renowned records management consultants, risk consultants, cyber security experts and technologists, VisDa has been designed from the ground up to quantify the data transfer risk that your organisation is exposed to. Risks are displayed on our next generation dashboards; each dashboard is tailored to your individual operational risk framework and risk appetite. From senior executives to operational level users, keep your entire team informed.



VisDa. Visualising your data.

VisDa is a tool that equips your network teams with three new capabilities. The first is the ability to map out all the data transfers occurring both internally and externally on your network, allowing malicious connections to be identified and blocked. The second is the ability to visualise and quantify your complete risk exposure caused by data transfers, giving your board mission critical business intelligence with regards to their risk exposure. The third is the ability to add context and information to security events quickly and efficiently by acting as a ‘black box’ on your network. VisDa passively monitors your network for data transfers and then applies a risk score to each data transfer based upon several features – these features include the amount of data sent in the transfer, the types of files the data is contained in, the time and day the transfer was sent and the destination IP address of the data transfer. The risk score calculations are highly configurable and can be configured to map to an organisation’s individual risk framework and operational environment. VisDa allows you to then approve (and pre-approve) data transfers that are expected and investigate data transfers that seem malicious. The next generation dashboards convey your company’s global risk in a quantifiable way, giving your board of directors an easy to understand and easy to digest report of their data transfer risk exposure. VisDa is a solution that gives you a fresh new way of monitoring data transfers and quantifying your global risk of a data breach – it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as the General Data Protection Regulation (GDPR), VisDa is the solution for you.



VisDa. A fresh new way of monitoring data transfers and quantifying your global risk of a data breach – it is a complete data transfer risk management solution. Whether you need a solution to help you mitigate data transfer risk, or help you to achieve regulatory compliance with regulations such as GDPR, VisDa is the solution for you. Contact us for a demo at: Info@secgate.co.uk


If Captain Sully Was a CEO
Ivan Blesa

About the Author: Ivan Blesa is Director and Head of Technology at Secgate. Prior to joining Secgate, Ivan was Global Product Manager at Clearswift. He is a passionate professional with broad cyber security experience over a wide variety of sectors. Having worked with top international companies in strategic transformational projects, he has a deep understanding of the challenges organisations face when dealing with their cyber security strategy. The definition, development and launch of several security products has been aligned with these needs, which has driven their success.

Captain Sully was an experienced pilot for US Airways. What should have been a normal flight on a bright day turned out to be a series of unfortunate events, as after taking off the plane went through a flock of birds, which made two of the engines fail. After quickly evaluating the situation, Captain Sully realised he wouldn’t be able to make it to an airport, and decided to land on the Hudson River. Surprisingly – and mostly due to his extensive flying experience – he managed to land the plane on the river, saving all lives on board. Though the public saw him as a hero, his nightmare started when he was accused of negligence by the authorities, and had to go through a trial to prove his innocence. The standard procedure in flight incidents is to detect the black box (which is actually orange) and analyse cockpit activity data held within it. Luckily for Captain Sully, the black box was recovered, the facts were revealed and the sequence of events evaluated; the results supported his statement of being incapable of reaching any airport during the incident, and thus proved his innocence. Imagine for a second that Captain Sully was the CEO or CISO of an organisation. And that he was about to fly his company through very severe and unexpected turbulence that forced his organisation to crash or make an emergency landing, and that this turbulence was called GDPR!

VISDA IS YOUR BLACK BOX

Would Captain Sully have enough facts and react correctly should this happen to his organisation? And if he did the right things, but was accused of negligence, would he have the correct evidence to support his claims? Probably not! The recent events at TalkTalk and what happened to their CEO are a classic example.

This is a common case: in almost every security investigation, there is no place to quickly look for facts. Instead, if you are lucky enough, there might be a trail of clues that need to be deeply investigated to try and understand what happened. This is like trying to understand prehistoric facts based on a set of bones being identified in a specific area. You can try to recreate what happened, but it would only be an educated guess. If only you had a camera that could show what happened… or a black box to support your case… The good news is that this black box exists, and is called VisDa. VisDa is the black box of your organisation, the safeguard, the repository of facts that brings certainty to the uncertain GDPR world. Secgate has built a revolutionary complete track-and-trace tool that visualises and analyses data transfers to understand what, how, when and where information is moving, helping to achieve regulatory compliance. Because the unexpected happens and certainty is your best defence, VisDa protects you and your reputation. At the end of the day, as with Captain Sully, we want you to be the hero, without any trace of doubt.

Ivan Blesa
Technical Director
Secgate


GDPR: Hard Sell or Information Governance Opportunity?
Emma Butler

About the Author: Emma Butler is data protection officer at Yoti, before which she spent four years as DPO at RELX for both UK LexisNexis businesses. Previously, Emma led the international team at the Information Commissioner’s Office (ICO), where she worked with other regulators and the Article 29 Working Party, and advised on UK, EU and international data protection legislation. She has a languages degree, an LLM in Information Rights Law and Practice, an ISEB data protection certificate, CIPP/E and CIPP/M and is also an IAPP FIP.

A lot has already been written about the GDPR. For the information security community, the focus has largely been on the data mapping or data inventory elements. In many companies these have been handed to technology/IT departments – but for large companies and those with many legacy systems, it’s a challenging issue.

The GDPR demands a change in approach to privacy, but it also provides an opportunity for better information governance. GDPR requires companies to look holistically at how they ‘do’ privacy, and to embed it in their systems, processes and cultures. In some ways it is catching up with information security, which has been an integral part of business for some time. GDPR presents an opportunity for privacy and information security professionals to pool expertise and resources, and achieve better information governance for their companies.

Good information governance is more than a compliance tick-box exercise. It reduces risk, focuses and prioritises company efforts, and demonstrates to shareholders, customers and consumers that your company takes privacy and security seriously. Good information governance increases trust and enhances a company’s brand, especially at a time where security breaches are reported on an almost daily basis in the news.

TAKE A HOLISTIC VIEW; HAVE A VISION

So yes, the data mapping part is important, and in my view it is a foundation for so many other aspects of GDPR. But seeking to understand what information an organisation holds needs to be a collaborative effort between privacy and information security professionals. While the information security experts are concerned with securing all information, and privacy professionals are specifically focused on the handling of personal information, we are all aiming for the same outcomes: finding out what information we have, what to do with it, where it resides, how it moves around, how long we keep it, who has access to it, and how we protect it against unauthorised access, use or disclosure.

Taking a holistic view of the information you have as a business allows both information security and privacy professionals to get on with their respective roles of protecting that information, ensuring and tracking compliance, introducing efficiencies, and responding to requests for information or statistics from company boards, business operations teams, customers or consumers. Working together – based on a mutual understanding of shared outcomes and a willingness to support one another – can achieve this.

It starts with a vision: what do privacy and security mean for your company? Are you looking to achieve only minimum required compliance, or to become a leader in your sector? Are you trying to make it your USP? If you need to build the case for the board you can do that together. Use and build on what has already been done for GDPR planning (such as systems or asset inventories, or DLP stats), and use GDPR requirements to improve how you do things to achieve this vision.

USE GDPR FOR COMPETITIVE ADVANTAGE

GDPR requires data minimisation and encourages ‘pseudonymisation’ and encryption. It also requires a privacy risk assessment when personal data is involved, and for documented evidence of assessments, decisions and implementation solutions. A typical example of a business request is for a particular function to gain access to certain information held by the business. Usually the assumption is that all staff need all data and it’s as simple as getting the IT department to flick a switch. By working together, privacy and information security experts can assess all the risks of the request, discuss its technical implementation, and consider how best to achieve the desired outcome in a way that keeps everyone happy. This leads to documented evidence of a risk assessment with both privacy and security requirements built into the process. Done right, you will not only meet a multitude of GDPR requirements, but probably many of your own KPIs as well.

These can often be reactive scenarios, but a more holistic approach would look at the bigger picture to find answers to such pressing questions as: how is access determined, managed and kept up-to-date; how does it relate to the new starter and leaver process; how do staff go about asking for and being granted access to data, and how is that process managed, documented and approved? Getting these things right from both a privacy and information security perspective is crucial in order to avoid constantly being in reactive, fire-fighting mode.

This may all sound obvious, but sometimes it doesn’t work like this, and in my view GDPR is a real opportunity to take a step back and look at how you approach privacy and information governance, to review if you have adopted the right approach, and then to do it better.

GDPR can be a hard sell. At first glance it seems to be yet another list of onerous things you have to do to avoid a fine. However, an enlightened company will see this as a chance to embed privacy and information security at its operational core, and use it as competitive advantage to increase trust in their brand. It’s time to move away from seeing privacy and information security as just compliance cost centres, to seeing it as a way to ensure everyone wins.

Emma Butler
Data Protection Officer
Yoti


GDPR: Forget The Fines, Explore The Opportunities! Yasmin Durrani

About the Author: Yasmin Durrani is the Data Protection Officer for Zurich Insurance plc (UK). Yasmin is a member of the Data Protection Forum, the International Association of Privacy Professionals (IAPP), the Data Protection and Finance Group, the Data Protection Working Party of the Association of British Insurers, and is a Data Protection Committee Member of the British Standards Institute. Yasmin’s other areas of expertise include financial crime and cross-border business.

WHAT ARE THE POSITIVES OF GDPR?

So far, we have been hearing mainly about how the high fines under the GDPR can make life difficult for businesses. However, the GDPR is here to stay – so let’s concentrate on the positives and how to make the regulation work for us.

CUSTOMERS FIRST

Financial organisations are likely to be overseen by multiple regulators. There are a range of common themes that financial regulators such as the Financial Conduct Authority have been focusing on for many years, including topics such as ‘treating customers fairly’, ‘good customer outcomes’, ‘fair contractual terms’ etc. The GDPR adds to this list, and is all about personal data. It includes information provisions for individuals, contract requirements for third parties, and achieving clarity in communications. In order to meet these GDPR requirements, organisations will have to enhance interactions between their departments and experts, and create the evidence trail to achieve the best outcomes for their customers.

SECURITY MEASURES

While the GDPR is exclusively applicable to ‘personal data’, there is no reason why such good governance cannot be extended to all data. It makes sense for organisations to protect personal as well as commercially valuable data. So why not apply the same standards and best practice instead of enacting parallel processes labelled ‘the GDPR’? It would make commercial sense.

RISK-BASED APPROACH

Many examples of a risk-based approach can be found in the GDPR. In fact, it uses language such as ‘where appropriate’, ‘nature, scope and context’, ‘likelihood’ and ‘severity’. This is a positive for businesses, as they are taking calculated risks all the time and are familiar with the application of risk management principles. The same principles stated in the GDPR take into account the impact on individuals. Don’t forget these individuals are your customers, potential third parties and your employees, so decide the level of risk you want to take – but not at the expense of these individuals’ rights and freedoms. If you are unsure, GDPR clears the path for you to consult your data protection authority.

There are three examples of high-risk activities under Article 33 of the GDPR: 1) systematic and extensive automated profiling that significantly affects individuals; 2) large-scale processing of special category data; and 3) large-scale systematic monitoring of a publicly accessible area. If these high-risk activities are taking place in your organisation, then you should carry out a privacy impact assessment and consider whether the processing is leading to discrimination, or economic or social disadvantage. Remember, the disadvantage does not have to be only in financial terms – it also relates, for example, to revealing individuals’ intimate and personal details.

RECORD KEEPING

GDPR requires certain records to be kept by organisations. However, it does not burden organisations such as micro, small and medium sized enterprises and organisations employing fewer than 250 employees.

“In order to meet these GDPR requirements, organisations will have to enhance interactions between their departments and experts, and create the evidence trail to achieve the best outcomes for their customers.”

CONTROLLERS BASED OUTSIDE THE EU

Where data controllers based outside of the EU offer goods and services to, and monitor the behaviour of, individuals in the EU within the scope of the GDPR, organisations may be required to designate representatives within the EU. However, there is some flexibility around this requirement and data controllers based outside the EU should be assessing whether data processing only happens ‘occasionally’. This does not include the processing of large-scale special categories (we know this as sensitive data) and is unlikely to result in a risk to the rights and freedoms of the individual.

NOTIFICATION OF BREACHES TO INDIVIDUALS

Under the GDPR certain affected individuals should be notified of a breach. This obligation is risk-based. If the breach is ‘unlikely to result in a risk for the rights and freedoms of the individuals’, there is no requirement to notify them. The same is the case if encryption is applied to the lost data, which is likely to reduce the risk of identity theft to the individual. In such a scenario, the firm can make a decision as to whether or not it wants to notify individuals. However, there is currently no flexibility with regards to notifying the data protection authorities. Don’t forget there are 50 or so flexibilities in the GDPR text that member states have discretion to build into secondary legislation, so watch out for consultations from the Department for Culture, Media and Sport (DCMS).

CALCULATION OF FINES UNDER THE GDPR

Fines under the GDPR will ultimately be calculated by the data protection authority depending on the type of data breach, and taking into account several factors such as how much control the parent company has over a subsidiary. Under Article 83 of the GDPR, the basis of calculation for fines will be an organisation’s ‘worldwide annual turnover of the preceding financial year’. Let us look more closely at what an undertaking is and how subsidiaries may or may not be captured. Recital 150 of the GDPR states that, ‘where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Article 101 and 102 TFEU for those purposes’. This outlines how an undertaking is defined in competition terms with reference to case law. As opposed to a legal entity structure, an undertaking is a single economic unit that can be comprised of parent companies and their wholly owned subsidiaries.

It is not clear how GDPR fines will actually work in practice, as competition fines are calculated in terms of when the ‘relevant turnover’ is the turnover of the undertaking in the relevant product market and relevant geographic market affected by the infringement. The ‘relevant market’ is always going to be open to debate and requires some economic analysis in each case. In the Akzo Nobel NV case, the European Court of Justice ruled that it is sufficient for the EU Commission to prove that the subsidiary is wholly owned by the parent company in order to presume that the parent exercises a decisive influence over the commercial policy of the subsidiary. The EU Commission will be able to regard the parent company as jointly and severally liable for the payment of the fine imposed on its subsidiary, unless the parent company, which bears the burden of proof in rebutting the presumption, adduces sufficient evidence to show that its subsidiary acts independently in the market. It may be difficult to prove the level of control that the parent company has where the parent company is represented on the subsidiary’s boards. Two points can be deduced:

1. Competition calculations are concerned with the relevant turnover of a relevant product market and relevant geographic market, whereas significant data protection breaches in the GDPR may be a challenge to compare.

2. If it is too complex in theory, it will also be difficult for data protection authorities to impose fines without challenge from the fined organisation.

Note that the reputational risk attached to data breaches remains the same. The higher threshold of four per cent or €20m applies to breaches relating to data subject rights, basic principles of processing data, and transfer of data to third country recipients. This means these are the high-risk areas where organisations should be able to demonstrate compliance. Advice for organisations would be to make the GDPR part of your business processes, rather than approaching it as a pure compliance requirement. GDPR projects driven by fear of fines as opposed to achieving good governance will look very different in practice, and achieve different outcomes.

Yasmin Durrani, Data Protection Officer, Zurich Insurance



Information Governance Services

With the GDPR storm arriving in less than a year, our information governance practice at Secgate can help you manage, process and govern your information and data to allow you to unlock your company's true value. Whether in a physical or electronic format, our team helps review and implement policies, processes, and controls to enable compliance with regulation and to increase the efficiency and security with which data is processed and managed. Within our information governance service line, we have particular expertise in the areas of data management and analysis (we help manage and analyse both structured and unstructured data at any volume), records management, data protection and data privacy. Our information governance expertise has propelled clients to achieve:

● significant cost savings and operational efficiencies through the streamlining of data storage and data consolidation processes;
● regulatory compliance and the successful implementation of required processes for the collection of evidence;
● a higher level of data privacy, data security and incident detection/monitoring maturity.

Our information governance team is in a unique position in the market – we provide both consulting expertise and, if needed, best in class software solutions to deliver our clients maximum results in minimum time. Our information governance team consists of professionals who have spent months researching and helping clients become compliant with GDPR. Our team includes experts who are part of the BSI (British Standards Institution) Committee which has recently re-written the updated British Data Protection Standard (BS10012) to reflect the GDPR requirements.

Roger Poole, Head of Information Governance at Secgate. Email: Roger@secgate.co.uk

Our in-house built technology products complement our consulting services, providing you with unique solutions to tackle GDPR


How GDPR Impacts On The Cyber Security Talent Gap Domini Clark



About the Author: Domini Clark is the founder of InfoSec Connect, the industry’s first hassle-free recruitment communication platform exclusively serving the information security community. She is also Managing Principal at Blackmere Talent Acquisition & Consulting, a specialty Talent Acquisition Firm with a focus on the information security sector. Domini has been involved in professional recruiting for over fifteen years working in both technical and operational recruiting for Fortune 10 organizations, small and medium sized businesses and federal government contractors. She sits on the Board of Directors for ISSA (Information Systems Security Association) Utah and recently received the Luminary award from the International ISSA Women In Security Group.

The General Data Protection Regulation (GDPR) will go into effect on 25 May 2018, and will have an important impact on business operations around the world. Data protection is at the heart of any business, encompassing everything from employment and emails to commercial contracts and corporate restructuring. Since this legislation will apply to most companies doing business with the EU, as we consider the impact these changes will have on business, the increased need for talent must be at the top of the list. A recent study indicates that businesses will need to add at least 28,000 Data Protection Officers in the EU alone to support the GDPR. While this is an enormous amount of new talent to bring into the market, the real issue is brought into sharp focus through the current state of Cyber Security Workforce Trends and Challenges for 2017. ISACA, the International Information Systems Audit and Control Association, indicates that 55% of organisations take more than three months to fill their current open cyber positions. In addition, 30% of companies in the EU are completely unable to fill their open cyber security positions. Although we are navigating through already troubled cyber talent waters, it is important to understand that many companies affected by the GDPR will be required to hire, appoint or contract a Data Protection Officer (DPO).

Let’s get started with what a Data Protection Officer looks like. While there are differing opinions on the specifics of the position description, here are some general guidelines to follow when searching for yours:

• Experts in data protection regulations
• Industry specific knowledge in accordance with both the size of the data processor or controller, as well as the sensitivity of data being processed
• The ability to inspect, consult, document and log file analysis
• Ensure that technical and operational groups comply with procedures

The Data Protection Officer will be responsible for raising awareness of data privacy as well as implementing, monitoring, documenting and applying policies and procedures, and verifying compliance. This will also be the person responsible for notifying data protection authorities in the event of a data breach. Essentially, this will be an expert in privacy and data protection with the ability to truly understand and balance the risks for data processing. A very important factor to consider as you plan your GDPR programme is the protected status of an internal (employee) Data Protection Officer. In other words, the GDPR prevents dismissal for performance of related tasks, with the aim of ensuring there are no penalties for ‘whistle blowing’. While this protection will insulate against retaliation terminations, it can also tie the hands of employers when navigating through a ‘bad hire’ situation. This caveat may ultimately create more opportunities for law firms or specialty consulting firms offering Data Protection Officer services.

Of course, the best approach to cyber security is to prevent hacks, attacks and breaches before they happen. Prevention requires a strong cyber security team, which will expand with the new regulations. The GDPR’s intent is to ensure compliance and raise awareness of data privacy and protection. We will very quickly need to determine HOW we are going to attract the right talent to our organisations. Here are a few tips to consider as you recruit for your Data Protection Officer (or any other cyber talent, for that matter):

A BREED APART

The best cyber security professionals think like the criminals they oppose. That enables them to anticipate what hackers might try, and to identify weak points in system defences. You likely won’t find their CV on CareerBuilder or LinkedIn, so you’ll need to leverage your best networking skills and hardcore power-searching techniques. Consider utilising industry specific job boards such as ISSA, SANS or InfoSec Connect. If your quarries think like a criminal, you have to think like Sherlock Holmes to track them down. Don’t email them a link to apply, as they will not click on a link from an unknown source (and neither should you). Send them a PDF with instructions for connecting with you.

IT’S NOT A POSTING, IT’S A PITCH

The demand for such professionals means they’re constantly hearing from recruiters. InformationWeek’s DarkReading.com cites new research by Enterprise Strategy Group and the Information Systems Security Association, indicating that about half of cyber security professionals are contacted by a recruiter at least once a week. If you post a standard HR job description of duties and requirements, it will wash out amongst all the other background noise. In today’s market you have to court talent, and that is especially true of cyber security professionals. Don’t think of it as a job posting, think of it as a sales pitch. Resist the ingrained habit of listing what your company needs, and focus instead on what will engage the interest of your target audience.

APPEAL TO THE HOT BUTTONS

In general, cyber security professionals want to:

• Take on intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.
• Stay current with the ever-evolving threat landscape. If you’ve got the coolest technology, executive buy-in and a penchant for innovation, your pitch should highlight those perks.
• Do more than just scratch the surface – offer them opportunities not only to look under the hood, but also to take some deep dives into your systems. Give them the authority to make a true impact on your organisation.
• Have the option to work remotely. Your organisation may cling to traditional models, but if virtual options give you an edge in the talent war, then it’s time to loosen up.

KEEP YOUR SOCIAL MEDIA BUZZ FRESH

This is good general recruiting advice, but definitely important for this group. The content doesn’t have to be about job openings (although you should push those out, too). Instead, think of social media as digital pheromones that make your company attractive. Blogs and tweets help establish your company as a thought leader, enhancing your brand. They also increase the likelihood that hard-to-find candidates will stumble across your company.



Share great insights and ideas your team has, and be sure some of your efforts target the cyber security community — it’s not ALL underground. Join cyber security forums and GDPR discussion groups, for example. Encourage your existing cyber security talent and ranking IT leaders to write blog posts and white papers on the topic.

HANG LOOSE

There are specific qualities to look for in cyber security candidates, but you can’t run an effective search if you focus only on screening people out. The pool’s just too small. Given that security threats are constantly evolving, a degree probably isn’t as important as current experience. Or consider recruiting recent graduates to work with your Data Protection Officer by offering the opportunity to gain valuable hands-on experience (an ounce of future planning never hurt!). Another tactic: instead of asking for five to seven years of experience, ask for three to five and highlight the opportunity for career growth.

You can try retraining existing IT staff, but keep in mind that success in cyber security takes a certain mindset. Ideally, you have a system administrator who can channel her inner cyber risk analyst and ask, “What would I do if I wanted to get past our own security measures?”

REACH OUT

Another strategy is to promote outreach programmes that engage new hires, women and minorities. According to the Wall Street Journal, big banks such as J.P. Morgan Chase and Citigroup are getting results through programmes targeting different groups. Some have even started ‘re-entry’ programmes to attract women who took a career break to care for dependants or others. Getting involved with organisations such as the Women in Security special interest group within ISSA International, or the International Consortium of Minority Cyber Security Professionals (ICMCP), will help you.

WELCOME EVERYONE

Take a long, hard look at your organisation. Even if there is no active discrimination, lack of diversity can make cyber security departments look like good ol’ boys’ clubs, further discouraging members of under-represented groups from pursuing careers in this space. Keep in mind that of the employed population, the National Cyber Security Institute reports that women make up only about 20 per cent of that profession, while African-Americans, Hispanics and Asian-Americans combined make up only 12 per cent. While this data is pulled from the US, the preliminary numbers out of the EU do not appear to be any more promising.

Since the best approach is to prevent the hacks, attacks and breaches from occurring in the first place, talent leadership needs to be a big part of your GDPR programme. However, as you are aware, talented cyber security professionals are in serious short supply. They’re a bit of a unique beast, so you’ll need a recruitment approach for engaging cyber security talent that’s different from the ones you’re using with other positions — even other IT positions.

Domini Clark, Founder, InfoSec Connect; Managing Principal, Blackmere Consulting


GDPR Becomes Law, But Bigger Changes Lie Ahead

When Edward Snowden revealed US and UK spy agency secrets, French and German leaders were alarmed by what they learned about US government spying operations in Europe, including on their own governments. There was talk of a ‘wall’ that would be built around the EU, requiring EU and international cloud companies to keep EU citizens’ data within the Union.

Rackspace, Microsoft, Google and Amazon rushed to build data centres in the EU, while stating their efforts were meeting the requirements of customer compliance with locality laws. Amazon, for example, said customers would have ‘complete control over the geographic locations where their content can be stored and accessed.’ But it all seems to have been a waste of time. The new EU General Data Protection Regulation (GDPR) does not require this.

Chiara Rustici is an author and researcher on EU privacy and GDPR. ‘In purely legal terms, the GDPR does not ask processors (cloud and co-location providers fall mostly into this category) to keep EU-based individuals’ personal data on EU soil,’ she says. ‘What it does ask is the flipside of that: in whichever country or jurisdiction EU-based individuals’ personal data is stored, that data will need to be offered all the safeguards of the GDPR… If you want a starker image, for the sake of simplicity, don’t think of the EU as wishing to attract the global cloud business onto EU soil. Think of it, instead, as the EU trying to export its idea – that data protection is a universal human right – to the rest of the globe.’

In particular the GDPR allows companies outside of the EU to process data of EU citizens outside the Union as long as the processors adhere to EU privacy and data protection requirements. These are called Model Clause agreements. However, this will not always work, as the German attorney at Planit Legal in Hamburg, Bernhard Freund, explains: ‘In some scenarios it is not possible’, because under German law certain sensitive data (such as health data) cannot be taken outside the country. Freund says that the GDPR includes ‘opening clauses’ that allow member nations to make changes to certain sections of the law. This is in spite of the law theoretically being designed to bring all of the EU under one set of rules. The US relationship with the EU is the exception, and the US is forging its own agreement with the EU called the EU-US Privacy Shield. According to White & Case: ‘Cross-border data transfers to a recipient in a third country may take place, without a need to obtain any further authorisation, if the Commission has decided that such third country ensures an adequate level of data protection (an “adequate jurisdiction”). The basis for this principle is that such jurisdictions provide sufficient protection for the rights and freedoms of data subjects without the need for further safeguards.’

If you read the legalese on Microsoft’s, Google’s and Amazon’s websites, they state cloud businesses all comply with that. But will any of this stick? When President Trump signed an executive order that, “excludes persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” he stepped into an already fragile legal framework, causing further concern.


EVEN GOOD IDEAS CAN POSE TECHNICAL DIFFICULTIES

The GDPR does not address all issues related to privacy. There is also the ePrivacy directive. This directive will cause computer companies to have to change some computer code. Eva Škorničková is a lawyer based in the Czech Republic, specialising in privacy and data protection. Talking via telephone, she explained that the very definition of the age of consent can vary by member state. According to Škorničková, ‘the ePrivacy Regulation was adopted by the EU commission in January 2017. It is slated for approval by EU Parliament in April or May 2018. The goal is to have that law’s passage coincide with the implementation day for the GDPR.’

The ePrivacy Regulation includes: ‘the right to be forgotten’ (otherwise known as the right to erasure), the right to transport personal data from one company to another, the requirement for children to obtain parental permission to join social media sites, and, depending on the final form the law will take, the right for children to delete items that will embarrass them or complicate their search for employment in the future. The International Association of Privacy Professionals (IAPP) states that with ‘Article 89, controllers will not have to erase or rectify data after the data subject has withdrawn consent.’


All this causes complications for computer companies. Instead of simply lying about their age to join Instagram, 13-year-olds might have to get permission from their parents in order to join via an email opt-in sent to their parents. In terms of referential integrity, any programmer knows you cannot remove a record from a database that is connected to other records. So if a child writes a comment in the middle of a Facebook thread that they wish to later delete, Facebook will have to either delete the whole thread, or write code to remove that one line and then stitch the rest of the thread back together.

As an added complication, Škorničková notes, ‘the implementation allows member countries to write their own rules for some of the 50 articles. The age by which parental consent is required is one of those.’ Currently, the Czech Republic has no social media consent age, while in the UK it is 13.

Another issue is data portability. This is particularly difficult, because it is unclear how a company is going to be able to transfer a person’s data from one firm to another. The rules call for establishing common interfaces for data transfers – but data cannot be easily deleted. For example, how could Google Docs physically remove documents from their system and hand them over to another company? Google Docs does not share data, except in the case of a user losing access to their domain. You can export all your Google docs to a Microsoft equivalent such as .doc, .ppt, and .xls files. Will this manual process by the user suffice for data transfer?
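The referential-integrity problem raised above (erasing one comment from the middle of a thread without deleting the whole thread) as an added example; this is illustrative code written for this page, not code from the article or from any social network, and every name and comment in it is constructed.

```python
"""Right to erasure versus referential integrity in a threaded comment store.

Added example, not code from the article or from any social network: comments
are rows that reference their parent by id. Erasing one comment re-parents its
replies to the erased comment's own parent ("stitching the thread back
together"), so no other user's content is lost and no row is left pointing at
a record that no longer exists. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Comment:
    comment_id: int
    author: str
    body: str
    parent_id: Optional[int]  # None marks the top of a thread


class Thread:
    def __init__(self) -> None:
        self.comments: Dict[int, Comment] = {}
        self._next_id = 1

    def post(self, author: str, body: str, parent_id: Optional[int] = None) -> int:
        # Enforce the foreign-key rule: a reply must point at an existing comment.
        if parent_id is not None and parent_id not in self.comments:
            raise KeyError(f"parent {parent_id} does not exist")
        cid = self._next_id
        self._next_id += 1
        self.comments[cid] = Comment(cid, author, body, parent_id)
        return cid

    def erase(self, comment_id: int) -> List[int]:
        """Delete one comment outright and re-link its replies to its parent.

        Returns the ids of the replies that were re-parented. A naive DELETE
        would either fail the foreign-key check or cascade through every reply.
        """
        target = self.comments[comment_id]
        reparented = []
        for c in self.comments.values():
            if c.parent_id == comment_id:
                c.parent_id = target.parent_id
                reparented.append(c.comment_id)
        del self.comments[comment_id]  # the personal data is actually gone
        return sorted(reparented)

    def dangling_references(self) -> List[int]:
        """Ids of comments whose parent no longer exists (should always be empty)."""
        return sorted(c.comment_id for c in self.comments.values()
                      if c.parent_id is not None and c.parent_id not in self.comments)

    def render(self) -> List[Tuple[int, str, str]]:
        """Depth-first view of the thread as (depth, author, body) tuples."""
        children: Dict[Optional[int], List[Comment]] = {}
        for c in self.comments.values():
            children.setdefault(c.parent_id, []).append(c)
        out: List[Tuple[int, str, str]] = []

        def walk(parent: Optional[int], depth: int) -> None:
            for c in sorted(children.get(parent, []), key=lambda c: c.comment_id):
                out.append((depth, c.author, c.body))
                walk(c.comment_id, depth + 1)

        walk(None, 0)
        return out


def demo() -> Tuple[Thread, List[int]]:
    """Constructed thread: a minor's comment sits in the middle and is erased."""
    t = Thread()
    root = t.post("alice", "Anyone else affected by the new consent rules?")
    minor = t.post("minor_user", "I joined at 13 without asking anyone", root)
    reply = t.post("bob", "Same here, and now I have to re-consent", minor)
    t.post("carol", "Mine asked my parents by email", reply)
    moved = t.erase(minor)  # bob's reply is re-linked under alice's post
    return t, moved


if __name__ == "__main__":
    thread, moved = demo()
    print("re-parented:", moved)
    for depth, author, body in thread.render():
        print("  " * depth + f"{author}: {body}")
```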


ADVERTISERS WORRY

Advertising companies are worried about how EU regulations are going to affect the gathering of data with cookies. They are concerned that even good ideas such as privacy can often end up being distorted and not meeting their original objectives when implemented. We have already seen this with the advent of pop-ups on websites asking for permission to collect data using cookies. The new law proposes that browsers give users control over cookies (something already done with plugins such as Ghostery), yet none of that control operates on iPhone or Android apps that do not use a browser. Digital agency DigiDay believes this requirement will lead to even more silliness; instead of having one annoying pop-up to click through, there will be many more. It is now becoming common to ask the user permission to gather certain data, similar to how ad blocking pop-ups are used.

Norway’s Vivaldi told Quartz Media they see an opening for their browser because of this change: ‘If we can bring more transparency and control to the user in a way that they can understand, there’s definitely an opportunity.’

TEARING UP CLOUD CONTRACTS

Freund believes that tech companies in the EU are thinking about the GDPR more than they are about ePrivacy. Clients are coming to his law firm to run gap analyses to identify current practices that need to change in order to comply with the new regulations. He notes that because of existing EU law, many clients are on the way to being compliant already. He says, ‘usually there is no organisation that is 100% compliant, [but] you do not start from scratch.’

Freund cites the case of an EU-based company using Amazon for their cloud services. Amazon runs support for their data centres 24 hours a day. But while the US or Europe might be running support for their centres during the day, this activity switches to India at night – where model contracts might not be in place.

So it remains to be seen what the fallout will be of all this. What technical changes to applications will have to be made? And how will relations between cloud providers and their customers change? So far there are no visible signs of changes on Facebook (particularly regarding privacy by default) or in cookie collection by ad companies. There is not a lot of time left for companies to meet these new requirements if the ePrivacy directive comes into force by March 2018. Meanwhile, meeting the GDPR would be better handled by implementing simple changes such as encrypting data in transit and seeking approval of procedures and policies from EU regulators.

Secgate Research & Innovation


Cordery helps manage the ever-increasing compliance burden.

Cordery www.corderycompliance.com Tel: +44 (0)207 118 2700

Cordery provides innovative ways of helping General Counsel, compliance professionals and heads of legal across industries manage compliance. Using the expertise of seasoned compliance professionals and the content and technology capabilities of LexisNexis UK we provide expert advice and develop compliance products.

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority. SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520. Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom. SA-0417-058.


Cyber Security – What Is Its Relationship With Records And Data Management? Roger Poole

About the Author: Roger Poole is the Head of Information Governance at Secgate. Roger is a highly experienced records and data management, data privacy and information governance professional and programme manager. Roger has held senior positions both within industry and Big 4 consulting firms, and primarily works on strategic and complex change initiatives within the financial services and large corporates sectors.

Cyber security is one of the most important areas of focus for organisations today – and the criticality of guarding against cyber attacks has never been greater. It is estimated that companies are now spending 6% of their budgets on cyber security. Unfortunately, there are regular headlines in the press advising us of “yet another” cyber attack. Many organisations view cyber security as solely a technical challenge. Cyber security is not just a technical challenge, however, but a challenge which can, and should, be addressed as part of an organisation-wide Programme. The Programme should encompass work streams from IT and Information Governance (to include Data Management, Records Management and Data Protection).

To protect against a cyber attack, you have to know what kind of information and data you have, and where it is located. In a world of big data, maintaining and managing ever-increasing volumes of data is already a big challenge for organisations, and data is more often than not managed by a multitude of people and teams rather than handled centrally. But effectively securing this dispersed data is another league altogether.

THE APPROACH

An organisation then has to be able to answer 5 main categories of questions in order to be able to implement a secure information protection programme – the what, where, how, why and who of their company’s data.


1. What data do you have that needs protecting?
2. Where does this data sit? Where does it go? Where does it come from?
3. How should this data be protected? Is the priority confidentiality, integrity or availability?
4. Why do you have to protect it? Is it valuable? How valuable?
5. Who is responsible for the data? Who will own the controls that protect the data?

The above questions need input from records management professionals and business owners in order to be accurately answered. This is where cyber security and records management start to merge.

THE WHAT: WHAT DATA DO YOU HAVE THAT NEEDS PROTECTING?

As already mentioned, in order to properly secure anything in this world you need to know what you are securing. This sounds obvious but you would be surprised how often consultants come across businesses that cannot answer this question. If your business does not have an information asset register that clearly defines the exact data, including data volumes, that it stores and processes, then this question has not been fully answered. This question also has a flipside – in the event that your security controls are circumvented and your data is lost, you need to be able to say exactly what data you have lost and what impact this will have on your business. The answer to this question is imperative to providing this information.

THE WHERE: WHERE DOES THIS DATA SIT?

So now you know what data you need to protect, where does this data sit? Where has this data come from? Where does this data flow to? This is a data discovery exercise and requires input primarily from records management professionals. Knowing where your data sits and flows to and from is important for two main reasons. The first reason is the obvious one – in order to protect something, you need to know where you need to put the controls. The second reason is so that you can ensure controls are provided throughout the whole of the data’s lifecycle. There is no point in encrypting a database at rest if you are going to send the data via an unsecured connection to a third party (yes, we have seen this happen).

THE HOW: HOW SHOULD YOU PROTECT YOUR DATA?

One of the key concepts within cyber security and information protection is the CIA triangle. Cyber security controls have one objective – to protect the confidentiality, integrity and availability of your company’s data and information systems. This sounds easy, but often a compromise is required. Protecting the confidentiality of data usually involves putting in place controls such as encryption or strong access management controls;

controls which by definition impact the availability of the data.

Therefore, before you decide to encrypt every single database on your company’s network and cause both severe network latency (data will become tediously slow to access) and access issues (if you give everyone the key to decrypt the data then is the data actually encrypted) you need to decide which of the three principles you want to prioritise. Records management professionals play a significant role here. With a world dictated by regulation and with each business demanding different CIA requirements, it takes a records management professional to properly define the levels of protection that the data requires and an information security professional to then provision the controls.


With a world dictated by regulation and with each business demanding different CIA requirements it takes a records management professional to properly define the levels of protection that the data requires…

THE WHY: WHY SHOULD YOU INVEST IN

will be responsible for ensuring that the controls

PROTECTING THIS DATA?

are implemented? Who will be responsible for

Protecting data costs money. In order to secure

ensuring that the controls are maintained? Who

funding, you have to be able to provide the business with a reason to invest. Both records management and information protection professionals can help here – records management professionals are able to dissect and translate the complex regulatory requirements of data storage and processing into real business requirements and information security professionals are able to advise the business on the risks and impacts of not securing their data. The combination of both of these should give your business a real incentive to protect its data. THE WHO: WHO WILL BE RESPONSIBLE FOR PROTECTING THE DATA? Finally, we have the who. Once you have defined

will be responsible for monitoring the controls and reporting any issues that occur? CONCLUSION The above questions should be answered by every business in order to ensure that their records management and information security programmes are as comprehensive and secure as can be, and the questions require both input from records management professionals and cyber security professionals. Roger Poole Head of Information Governance Secgate

the data and levels of protection required, who M AY 2 017 • 6 6


GDPR: Why Smart Solutions Are The Way Forward
Tomas Pluharik


About the Author: Tomas Pluharik is a long-term innovation and security enthusiast and professional, currently working as security consultant for Deloitte Central Europe. He has worked in both start-ups and global corporations all around the world, and he has been a guest lecturer at several universities (VSE, CEVRO institute). Tomas is also the founder of the start-up Humainn, which specialises in open data and data integration principles applied in practice.

For some businesses, the GDPR might look a bit like a new EU-driven digital Armageddon. The Regulation looks so tough that many companies are very concerned whether they will be able to meet the stringent new requirements, and many technology companies are making changes to their products in an attempt to appease Brussels and comply with the GDPR. While the new Regulation is clearly revolutionary, don’t panic! Let’s look at the technological options (and especially the smart ones) available to companies to help them meet the GDPR.

The Regulation itself is relatively vague with regard to technologies. Even the authors had trouble describing how technological solutions should be implemented. This is good news and bad news. Bad news in that, at least in the beginning, we have to count on both structured and unstructured data as a target for our solution. One common problem, for example, is that client contracts or other data are frequently left on shared drives. The good news is that this lack of technological standards creates greater space for smart and practical solutions. It also provides an impetus for managers to justify investing significant time and resources in resolving issues with data and role classification – a common problem for organisations. The challenge is that sensitive data located all over the infrastructure requires tools to find, convert, operate and audit/control it. This article looks at how this can be handled.

IDENTIFY

To identify the data you need smart solutions that will scan your infrastructure – but be aware, since such solutions usually create indexes that will be full of sensitive personal data. So the hope is that process-based protection will be acceptable to the regulatory authorities. Solutions will also have to be smart enough to look for integrations/linkages between data sources, which will need to be reflected in any reports they produce. This is the tricky part for organisations using numerous reports, custom spreadsheet machines crunching data on local machines, etc. Solutions that monitor operations and utilise deep packet inspection might then be a good way forward to approach this problem.

CONVERT/MIGRATE

Once you have identified all the data that you have to convert, you have to choose your strategy. How will you convert frequently used dynamic/operational data, and how will you handle the generic data you store for ‘just in case’ scenarios (called archives)? Legacy data can be a big issue, especially in the case of backups. Again, the GDPR is not able to clearly answer the ‘backup question’, and in some cases it will not even be technically possible to convert backups. It is also useful to know that you cannot keep older versions of databases purely for ‘just in case’ scenarios.

OPERATE

You have to look for smart solutions that can combine data integration and encryption/decryption of database fields fast enough not to interfere with your operations. Unfortunately, this will lead to process and role changes. You will probably not be able to keep your good old root account, and any solution will create massive indexes of sensitive data. This is a problem because there is something known as the ‘right to be forgotten’. You will not only have to control access to personal data and provide ‘proper data protection’, you also have to provide a service that deletes sensitive personal data from your records on request; and you have to be able to provide appropriate audit information that demonstrates that you have done so! Hence, yes, there is a little chicken-and-egg problem with those requirements, but safely stored indexes and audit logs should spare you any trouble.

Vendors of solutions will provide some tools for their own systems, but not many will help you with integration. The hope is that software vendors will soon come up with solutions, and the open source community is also beginning to rise to the challenge (such as, for example, OpenGDPR.eu).

CONTROL/AUDIT

Integration is also tricky on the level of control and audit, as companies have to be able to control employees’ handling of data and provide proper audit trails for future checks. The problem is that audit trails tend to contain a lot of sensitive personal data, and so again solutions have to either encrypt them or split and store them with limited access. Deep packet inspection tools, integration platforms and process monitoring can help with monitoring daily activities. Smart solutions are also a must for unstructured data handling. When analysing data to identify sensitive information, it is better to apply big data analytics principles and work with probability rather than attempt 100% precision.

In a nutshell, the GDPR will not just be about process changes and consulting. Technical implementations will require creativity. It will also include tons of smart solutions to sort out unstructured data and common operational practices that are not compliant with the Regulation. It presents a huge opportunity for organisations to make the right architectural changes to their data and infrastructures. Implementation of integration platforms may help business development and transformation to achieve more secure and flexible IT.

Tomas Pluharik
Security Consultant
Deloitte Central Europe
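The article asks for audit trails that can be kept as evidence even though they are full of personal data, and for an erasure service whose execution can itself be demonstrated. The following is an added illustration of the “split and store with limited access” option it mentions, not code from the article or from any vendor: the trail holds only keyed-hash tokens, a separate restricted vault holds token-to-identity mappings, and erasure removes the mapping while the events (and the erasure event) remain. The class name, the HMAC-based tokenisation and the per-deployment key are assumptions for the example.

```python
"""Pseudonymised audit trail with a separate, access-restricted identity vault.
Added illustration (not code from the article or any vendor): the trail keeps only
a keyed-hash token per person, the vault keeps token -> identity, so erasure on
request removes the mapping while the events, and the erasure itself, remain."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

class AuditTrail:
    def __init__(self, key: Optional[bytes] = None):
        # Hypothetical per-deployment secret. Whoever holds it can re-derive a token
        # from a known e-mail address, so it needs the same protection as the vault.
        self._key = key or secrets.token_bytes(32)
        self.log: List[dict] = []        # broadly readable: tokens only
        self.vault: Dict[str, str] = {}  # restricted: token -> personal data

    def token_for(self, email: str) -> str:
        # Keyed hash: a leaked log cannot be matched against known addresses without the key.
        mac = hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def _pseudonymise(self, email: str) -> str:
        tok = self.token_for(email)
        self.vault.setdefault(tok, email)  # only the vault learns the identity
        return tok

    def record(self, actor_email: str, action: str, subject_email: str) -> dict:
        """Log that an employee (actor) performed `action` on a person's record."""
        event = {"ts": time.time(), "actor": self._pseudonymise(actor_email),
                 "action": action, "subject": self._pseudonymise(subject_email)}
        self.log.append(event)
        return event

    def events_for(self, email: str) -> List[dict]:
        tok = self.token_for(email)  # subject-access view: all events about one person
        return [e for e in self.log if e["subject"] == tok]

    def erase(self, email: str) -> bool:
        """Right to erasure: drop the mapping, keep the anonymous events, log the erasure."""
        tok = self.token_for(email)
        erased = self.vault.pop(tok, None) is not None
        self.log.append({"ts": time.time(), "actor": None,
                         "action": "erasure", "subject": tok})
        return erased

    def resolve(self, token: str) -> Optional[str]:
        return self.vault.get(token)  # restricted: token back to a person, if still known
```

Because the key alone re-links tokens to known addresses, it must sit behind the same access controls as the vault; the log can then be retained for as long as the audit requirement demands.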


Cyber World Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on cyber@secgate.co.uk



About Secgate

Secgate is a specialist security advisory and technology innovation group made up of experienced and award-winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in-house technology department builds, implements and manages next-generation IT security tools to help our clients analyse, correlate, identify and eliminate cyber security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with real, tangible value.

www.secgate.co.uk info@secgate.co.uk

Berkeley Square House Berkeley Square Mayfair London W1 United Kingdom
