GDPR Art. 25 - Privacy by design and default

•

0 j'aime•124 vues

Start safeguarding personal information of your users at the earliest beginning in a project and make it default. In this talk I will go over the concepts of privacy by design and default where I will go deeper into the why and how of safeguarding your user's personal information.

Ingénierie

GDPR
PRIVACY BY DESIGN & DEFAULT
GDPR article 25

MICHELANGELO VAN DAM
Doing stuff on the internet…

GDPR
WHAT WAS GDPR AGAIN?
Regulate the privacy of EU data subjects
Sanction organisations in violation of GDPR
Offer a privacy framework for businesses

GDPR
GDPR FRAMEWORK
Article 25: Privacy by design and default

GDPR
PRIVACY BY DESIGN
Request the minimum of personal information
Secure personal information
Get rid of personal information quickly

GDPR
PRIVACY BY DEFAULT
Don’t ask what you do not need
Anonymity is the default
Gain trust by protecting privacy

#PrivacyTip:

Non-identi
fi
able personal
information is like toxic waste: it
burns your skin,

Identi
fi
able personal information
is nuclear waste: stay away
from it!

WHAT IS AT STAKE?
No one can predict the future

PROTECTION CORE
Individual
Finance
Health
Religion
Politics
Education
Sex
Identity
Relationship

DEMOCRATIC
SOCIETY
Human liberties, rights and freedom
can change overnight

DIGITAL THEFT
Hackers, Ransomware gangs, State
Sponsored Cyber groups, …

INSIDER THREAT
The people within an organisation are the
weakest link

67%

of data breaches are caused by insiders

EVERYONE IS A TARGET
Not a matter of “if”, but “when”

DEFAULT OFF, GRANULAR ON
When using a feature that has a potential of collecting
personal information, start with it in the “off” state and let
users turn it on if they want to make use of this feature.

STRIP INVISIBLE METADATA
Provide a functionality that removes invisible metadata from
an item that has been provided on your platform (e.g. EXIF
data in photos, document history, IP addresses).

PERSONAL DATA CONFINEMENT
When collecting personal information, ensure that business
and personal data are kept separate (e.g. on device), without
the ability to link both data sources.

PERSONAL DATA STORE
When using personal devices (e.g. mobile device, personal
computer), you can use on-device storage for setting
personalised con
fi
gurations and preferences.

PRIVACY DASHBOARD
Provide a self-serviced, privacy dashboard where users can
request access to their personal information for review,
modify, remove, and transfer their data.

PRIVACY KILLSWITCH
Provide a mechanism that would remove, disconnect or
anonymise all personal information at the press of a single
button.

MORE PRIVACY PATTERNS
More at https://privacypatterns.org

INTERNATIONAL ADOPTION
Australia
India
US (California)
Canada
Argentina
Uruguay
New Zealand
South Africa

INTERNATIONAL ADOPTION
More countries are taking actions

IT’S UP TO THE DEVELOPERS!
Learn about (web application) security
Learn about encryption types & techniques
Add more telemetry in your applications

GREENFIELD PROJECT
User information
Location data
Advertisements

BROWNFIELD PROJECT
Customer data
Financial records
Employee info

THINGS DEVS CAN DO
Ask bare minimum
Reduce retention time
Remove from UI
Apply ACL/RBAC
Add DLP* solutions
Anonymise data
Encrypt data
Point out violations
(*) DLP: Data Leak Prevention

LEAD BY EXAMPLE
Things you can do for better privacy

CHALLENGE THE INFORMATION
Ask: what, why, how, and how long

ENCRYPT THE INFORMATION
If you keep information, make sure it is securely stored

EXPIRE THE INFORMATION
Don’t keep personal information any longer than needed

MONITOR THE INFORMATION
Know who has access to personal information and for what purpose

#InterestingFeat:

Did you know that
keeping a social security
number costs € 250.000
each day to protect?

SUMMARY
GDPR is here to stay
Personal information protection goes global
We all have a responsibility to protect data

REFERENCES
Privacy Design Patterns Eight Privacy Design Patterns
ENISA Privacy By Design
Article 25 GDPR ICO Data protection
Data protection in the EU

QUESTIONS?
Slides online

slideshare.net/DragonBe
Contact me

twitter.com/DragonBe

Recommandé

Data Privacy: What you need to know about privacy, from compliance to ethicsAT Internet

What's Hot In IT - CybersecurityRow Murray

Data Security.pdfFujifilmFbsg

BigID DataSheet: Data Access IntelligenceBigID Inc

Data Security.pptxFujifilmFbsg

Protect your sensitive data against data leaks with Safetica DLPAdi Saputra

ZyLAB ACEDS Webinar- GDPR Annelore van der Lint

Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson

Recommandé

Data Privacy: What you need to know about privacy, from compliance to ethicsAT Internet

What's Hot In IT - CybersecurityRow Murray

Data Security.pdfFujifilmFbsg

BigID DataSheet: Data Access IntelligenceBigID Inc

Data Security.pptxFujifilmFbsg

Protect your sensitive data against data leaks with Safetica DLPAdi Saputra

ZyLAB ACEDS Webinar- GDPR Annelore van der Lint

Protecting the Crown Jewels – Enlist the BeefeatersJack Nichelson

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security

Getting Started with GDPR ComplianceDATAVERSITY

Le soluzioni tecnologiche a supporto della normativa GDPRJürgen Ambrosi

Privacy by Design and by Default + General Data Protection Regulation with Si...Peter Procházka

Big Data Dectives- Mark - Fullbright

GDPR Webinar - febSophos Benelux

Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec

The Meaning and Impact of the General Data Protection RegulationJake DiMare

2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)Andris Soroka

Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to...Symantec

GDPR Presentation slidesNaomi Holmes

2015 09-22 Is it time for a Security and Compliance Assessment?Raffa Learning Community

Webinar Express: Securing BYOD without MDMBitglass

N3275466 - Final Presentation Advance network (1)Christopher Lisasi

How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...Dana Gardner

What Happens to Your Data When a Company Gets BreachedDigital Devices LTD: Top B2B IT Reseller in UK | Digital Devices

Symantec Webinar Part 1 of 6 The Four Stages of GDPR ReadinessSymantec

Microsoft 365 ComplianceDavid J Rosenthal

Data-Centric Security | Seclore Seclore

Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB

Moving from app services to azure functionsMichelangelo van Dam

Privacy by designMichelangelo van Dam

Contenu connexe

Similaire à GDPR Art. 25 - Privacy by design and default

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...IBM Security

Getting Started with GDPR ComplianceDATAVERSITY

Le soluzioni tecnologiche a supporto della normativa GDPRJürgen Ambrosi

Privacy by Design and by Default + General Data Protection Regulation with Si...Peter Procházka

Big Data Dectives- Mark - Fullbright

GDPR Webinar - febSophos Benelux

Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...Symantec

The Meaning and Impact of the General Data Protection RegulationJake DiMare

2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)Andris Soroka

Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to...Symantec

GDPR Presentation slidesNaomi Holmes

2015 09-22 Is it time for a Security and Compliance Assessment?Raffa Learning Community

Webinar Express: Securing BYOD without MDMBitglass

N3275466 - Final Presentation Advance network (1)Christopher Lisasi

How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...Dana Gardner

What Happens to Your Data When a Company Gets BreachedDigital Devices LTD: Top B2B IT Reseller in UK | Digital Devices

Symantec Webinar Part 1 of 6 The Four Stages of GDPR ReadinessSymantec

Microsoft 365 ComplianceDavid J Rosenthal

Data-Centric Security | Seclore Seclore

Information Security vs. Data Governance vs. Data Protection: What Is the Rea...PECB

Similaire à GDPR Art. 25 - Privacy by design and default (20)

Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...

Getting Started with GDPR Compliance

Le soluzioni tecnologiche a supporto della normativa GDPR

Privacy by Design and by Default + General Data Protection Regulation with Si...

Big Data Dectives

GDPR Webinar - feb

Symantec Webinar Part 5 of 6 GDPR Compliance, the Operational Impact of Cross...

The Meaning and Impact of the General Data Protection Regulation

2015 Cyber security solutions vs cyber criminals @WOHIT2015 (EU eHealth week)

Symantec Webinar Part 4 of 6 GDPR Compliance, What NAM Organizations Need to...

GDPR Presentation slides

2015 09-22 Is it time for a Security and Compliance Assessment?

Webinar Express: Securing BYOD without MDM

N3275466 - Final Presentation Advance network (1)

How a Minnesota Law Firm Brings Mission Critical Security To Myriad Mobile De...

What Happens to Your Data When a Company Gets Breached

Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness

Microsoft 365 Compliance

Data-Centric Security | Seclore

Information Security vs. Data Governance vs. Data Protection: What Is the Rea...

Plus de Michelangelo van Dam

Moving from app services to azure functionsMichelangelo van Dam

Privacy by designMichelangelo van Dam

DevOps or DevSecOpsMichelangelo van Dam

Privacy by designMichelangelo van Dam

Continuous deployment 2.0Michelangelo van Dam

Let your tests drive your codeMichelangelo van Dam

General Data Protection Regulation, a developer's storyMichelangelo van Dam

Leveraging a distributed architecture to your advantageMichelangelo van Dam

The road to php 7.1Michelangelo van Dam

Open source for a successful businessMichelangelo van Dam

Decouple your framework now, thank me laterMichelangelo van Dam

Deploy to azure in less then 15 minutesMichelangelo van Dam

Azure and OSS, a match made in heavenMichelangelo van Dam

Getting hands dirty with php7Michelangelo van Dam

Zf2 how arrays will save your projectMichelangelo van Dam

Create, test, secure, repeatMichelangelo van Dam

The Continuous PHP PipelineMichelangelo van Dam

PHPUnit Episode iv.iii: Return of the testsMichelangelo van Dam

Easily extend your existing php app with an apiMichelangelo van Dam

Your code are my testsMichelangelo van Dam

Plus de Michelangelo van Dam (20)

Moving from app services to azure functions

Privacy by design

DevOps or DevSecOps

Privacy by design

Continuous deployment 2.0

Let your tests drive your code

General Data Protection Regulation, a developer's story

Leveraging a distributed architecture to your advantage

The road to php 7.1

Open source for a successful business

Decouple your framework now, thank me later

Deploy to azure in less then 15 minutes

Azure and OSS, a match made in heaven

Getting hands dirty with php7

Zf2 how arrays will save your project

Create, test, secure, repeat

The Continuous PHP Pipeline

PHPUnit Episode iv.iii: Return of the tests

Easily extend your existing php app with an api

Your code are my tests

Dernier

Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar

multiple access in wireless communicationpanditadesh123

Gravity concentration_MI20612MI_________Romil Mishra

signals in triangulation .. ...Surveyingsapna80328

11. Properties of Liquid Fuels in Energy Engineering.pdfHafizMudaserAhmad

THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian

List of Accredited Concrete Batching Plant.pdfisabel213075

High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMSsandhya757531

Earthing details of Electrical Substationstephanwindworld

Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork

Turn leadership mistakes into a better future.pptxStephen Sitton

Comprehensive energy systems.pdf Comprehensive energy systems.pdfalene1

Ch10-Global Supply Chain - Cadena de Suministro.pdfChristianCDAM

CS 3251 Programming in c all unit notes pdfBalamuruganV28

CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESkarthi keyan

"Exploring the Essential Functions and Design Considerations of Spillways in ...Erbil Polytechnic University

2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.elesangwon

Artificial Intelligence in Power System overviewsandhya757531

ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptJohnWilliam111370

System Simulation and Modelling with types and Event SchedulingBootNeck1

Dernier (20)

Cost estimation approach: FP to COCOMO scenario based question

multiple access in wireless communication

Gravity concentration_MI20612MI_________

signals in triangulation .. ...Surveying

11. Properties of Liquid Fuels in Energy Engineering.pdf

THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION

List of Accredited Concrete Batching Plant.pdf

High Voltage Engineering- OVER VOLTAGES IN ELECTRICAL POWER SYSTEMS

Earthing details of Electrical Substation

Stork Webinar | APM Transformational planning, Tool Selection & Performance T...

Turn leadership mistakes into a better future.pptx

Comprehensive energy systems.pdf Comprehensive energy systems.pdf

Ch10-Global Supply Chain - Cadena de Suministro.pdf

CS 3251 Programming in c all unit notes pdf

CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES

"Exploring the Essential Functions and Design Considerations of Spillways in ...

2022 AWS DNA Hackathon 장애 대응 솔루션 jarvis.

Artificial Intelligence in Power System overview

ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt

System Simulation and Modelling with types and Event Scheduling

GDPR Art. 25 - Privacy by design and default

1. GDPR PRIVACY BY DESIGN & DEFAULT GDPR article 25

2. MICHELANGELO VAN DAM Doing stuff on the internet…

3. GDPR WHAT WAS GDPR AGAIN? Regulate the privacy of EU data subjects Sanction organisations in violation of GDPR Offer a privacy framework for businesses

4. GDPR GDPR FRAMEWORK Article 25: Privacy by design and default

5. GDPR PRIVACY BY DESIGN Request the minimum of personal information Secure personal information Get rid of personal information quickly

6. GDPR PRIVACY BY DEFAULT Don’t ask what you do not need Anonymity is the default Gain trust by protecting privacy

7. #PrivacyTip: Non-identi fi able personal information is like toxic waste: it burns your skin, Identi fi able personal information is nuclear waste: stay away from it!

8. WHAT IS AT STAKE? No one can predict the future

9. PROTECTION CORE Individual Finance Health Religion Politics Education Sex Identity Relationship

10. DEMOCRATIC SOCIETY Human liberties, rights and freedom can change overnight

11. DIGITAL THEFT Hackers, Ransomware gangs, State Sponsored Cyber groups, …

12. INSIDER THREAT The people within an organisation are the weakest link 67% of data breaches are caused by insiders

13. EVERYONE IS A TARGET Not a matter of “if”, but “when”

14. 2018

15. DID WE IMPROVE?

16. PRIVACY DESIGN PATTERS

17. DEFAULT OFF, GRANULAR ON When using a feature that has a potential of collecting personal information, start with it in the “off” state and let users turn it on if they want to make use of this feature.

18. STRIP INVISIBLE METADATA Provide a functionality that removes invisible metadata from an item that has been provided on your platform (e.g. EXIF data in photos, document history, IP addresses).

19. PERSONAL DATA CONFINEMENT When collecting personal information, ensure that business and personal data are kept separate (e.g. on device), without the ability to link both data sources.

20. PERSONAL DATA STORE When using personal devices (e.g. mobile device, personal computer), you can use on-device storage for setting personalised con fi gurations and preferences.

21. PRIVACY DASHBOARD Provide a self-serviced, privacy dashboard where users can request access to their personal information for review, modify, remove, and transfer their data.

22. PRIVACY KILLSWITCH Provide a mechanism that would remove, disconnect or anonymise all personal information at the press of a single button.

23. MORE PRIVACY PATTERNS More at https://privacypatterns.org

24. IT’S THE LAW

25. INTERNATIONAL ADOPTION Australia India US (California) Canada Argentina Uruguay New Zealand South Africa

26. INTERNATIONAL ADOPTION More countries are taking actions

27. IT’S UP TO THE DEVELOPERS! Learn about (web application) security Learn about encryption types & techniques Add more telemetry in your applications

28. GREENFIELD PROJECT User information Location data Advertisements

29. BROWNFIELD PROJECT Customer data Financial records Employee info

30. THINGS DEVS CAN DO Ask bare minimum Reduce retention time Remove from UI Apply ACL/RBAC Add DLP* solutions Anonymise data Encrypt data Point out violations (*) DLP: Data Leak Prevention

31. LEAD BY EXAMPLE Things you can do for better privacy

32. CHALLENGE THE INFORMATION Ask: what, why, how, and how long

33. ENCRYPT THE INFORMATION If you keep information, make sure it is securely stored

34. EXPIRE THE INFORMATION Don’t keep personal information any longer than needed

35. MONITOR THE INFORMATION Know who has access to personal information and for what purpose

36. #InterestingFeat: Did you know that keeping a social security number costs € 250.000 each day to protect?

37. SUMMARY GDPR is here to stay Personal information protection goes global We all have a responsibility to protect data

38. REFERENCES Privacy Design Patterns Eight Privacy Design Patterns ENISA Privacy By Design Article 25 GDPR ICO Data protection Data protection in the EU

39. QUESTIONS? Slides online slideshare.net/DragonBe Contact me twitter.com/DragonBe