Privacy is at the heart of data protection….
Robbie Walker, Security architecture, University of Portsmouth
14/11/2017
The problem with ‘privacy’
»Privacy by design is not data protection by design
»‘Privacy by design’ is short on application detail
Putting data protection by design into systems development (not perfect - but adequate!)
Why? Because this is a key GDPR requirement (Article 25) (and it’s a big win for data security)
14/11/2017 Title of presentation (Insert > Header & Footer > Slide > Footer > Apply to all) 2
“Successive Information Commissioners have always been clear that protecting people’s privacy is at the heart of data protection law.”
The Information Commissioner, Information Commissioner’s Response to the Law Commission’s Protection of Official Data Consultation (May 2017)
But you won’t find ‘privacy’ in the GDPR
What do we mean by Privacy?
eg Privacy is the right to be let alone, or freedom from interference or intrusion, the right to have some control over how your personal information is collected and used.
I prefer… “Informational self-determination”
The term informational self-determination was first used in the context of a German constitutional ruling relating to personal information collected during the 1983 census.
What do we mean by Privacy?
Informational self-determination
»Its focus is on information
»It allows privacy to be a matter of personal choice !!!
»Means data controllers/processors have to support that choice
How do you ‘engineer’ privacy into data processing systems ?
What about Privacy by Design?
“Privacy by design is an engineering and strategic management approach that commits to selectively and sustainably minimize information systems’ privacy risks through technical and governance controls.”
Ann Cavoukian 1995
What about Privacy by Design?
1. Proactive not reactive
2. Privacy by default
3. Privacy embedded into design
4. Full functionality is not impaired
5. Lifecycle protection
6. Visibility and transparency
7. Respect for user privacy
However…
As concluded from the 2014 NIST Privacy Engineering Workshop, there is currently a communication gap around privacy between the legal and policy, design and engineering, and product and project management teams, which makes it difficult to understand and manage privacy risks.
There are well-known Privacy by Design principles, but you can’t build information systems by relying on high-level principles alone.
Note: P-by-D is not simply a task for application developers. True P-by-D requires collaboration with and commitment of business leaders, senior management, application and program owners, line of business and process owners.
What does the GDPR say?
STOP
What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
Note the use of: ‘Design’ and ‘Default’
What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
By design…
To deal with real-world demands for personal data, while properly addressing the risks to the rights and freedoms of the data subject, the controller must apply control measures which implement data-protection principles. These measures must be integrated at the earliest stage in the project and at go live - with the aim of protecting the rights of data subjects.
What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
…and by default
Only process personal data necessary for each specific purpose.
»Limit the amount of personal data collected
»Limit the extent of the processing
»Limit the period of the storage
»Limit the accessibility
Data Protection by Design - boils down to 4 requirements:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
4. Limit the amount of personal data collected, the extent of the processing, the period of storage and the accessibility – by default
Data Protection by Design boils down to 4 requirements:
Where does this fit within our ICT GDPR compliance activities ?
We have the luxury of:
»Application Development Group
»Project Support Office
Data Protection by Design and Default
1, 2, and 3 are owned by our Application developers …but
4. Limit the amount of personal data collected, the extent of the processing, the period of storage and the accessibility – by default.
This element sits with our “Project Support Office” and is linked with Data Protection Impact Assessments
Data Protection by Design for developers:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
Who ✓ Why ✓ When ✓
Data Protection by Design for Developers:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
What × Where × How ×
Data Protection by Design for Developers:
»What are the ‘controls’ and ‘data protection principles’?
»Where in the SDLC should all this come together?
»How do we protect the rights of the data subject?
Data Protection by Design for Developers:
Three steps…
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
Control measures include:
»Firewall
»Network Segregation
»Password Policy
»Access Control
»Encryption
»Secure configuration
»Anti-malware
»Patch management
Data Protection Principles (Article 5):
»Lawfulness (consent), fairness and transparency
»Specified, explicit and legitimate purposes
»Accurate and, where necessary, kept up to date
»Adequate, relevant and limited to what is necessary
»Kept for no longer than is necessary
»Processed in a manner that ensures appropriate security of the personal data
 › pseudonymisation, data minimisation, account management
Rights of the Data Subject (Articles 12 - 23):
What ‘rights’ are the developers able to protect?
»Article 16 - Right to rectification (65)
»Article 17 - Right to erasure ('right to be forgotten') (65, 66)
»Article 18 - Right to restriction of processing (67)
»Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
»Article 20 - Right to data portability (68)
Threat modelling – (Microsoft SDL)
»Is about finding the security problems before you write the code
»Vulnerabilities are eliminated before they ever see the light of day
»The design can be modified to eliminate or reduce security risks - without compromising functionality ooooooh!
»Reworking (patching) efforts are reduced
»Security is greatly improved
Surely, this underpins DP by D
Threat modelling – resonates with Privacy by Design
1. Proactive not reactive
2. Privacy by Default
3. Privacy embedded into design
4. Full functionality not impaired
5. Lifecycle protection
6. Visibility and transparency
7. Respect for user privacy
Threat Modelling using STRIDER
Builds on the Threat Modelling (STRIDE) process from Microsoft.
It recognises the value of threat modelling for security - finding the security problems before you write the code - but security improvements don’t always bring privacy benefits, so it attempts to accommodate Rights of the Data Subject as a goal within the Threat Modelling process.
STRIDE(R) - is fundamentally good for DP by D
Threat | Property challenged | Rights of data subject likely to be challenged
Spoofing | Authentication | Rec. 57, 64; Art. 12(2), (6): the GDPR explicitly enables controllers to require data subjects to provide proof of identity before giving effect to their rights.
Tampering | Integrity | Art. 18(1)(a) (accuracy contested by the data subject)
Repudiation | Non-repudiation | Art. 14 (data have not been obtained from the data subject)
Information Disclosure | Confidentiality | Art. 32 - Security of Processing
Denial of Service | Availability | Art. 15 - Right of Access
Elevation of Privilege | Authorization | Art. 32 - Security of Processing
Rights of Data Subject | Privacy | Art. 16 – 20
Data flow diagram
Data flow diagram (SCMS) - components shown on the slide:
»Users: Internal Users; External Users; Oracle Discoverer Users (Reporting)
»Entry points: SCMS Apex Quercus Front End at https://srapp.port.ac.uk; External Apex Apps (confirm a place, Apply Online etc) at https://register.port.ac.uk; https://srapp-uat.port.ac.uk
»A10 (Load Balancer/SSL offload), http onward to the web tier; a second A10 (Load Balancer/SSL offload) in front of the external apps
»Web tier: scms-web-01, scms-web-02 (SCMS) - Windows 2012 R2, Oracle Forms and Reports 11.2, Oracle mod_plsql (Apex WebServer), Java 6 and 7
»Application tier: sr-app-01 - ORDS, ORDS REST webServices 2.0, SLES 11 SP3
»Database tier: scms-db-01 - Oracle RDBMS 11.2.0.4, Apex 4.2.6, SLES 11 SP3
»Interfaced systems: Interface-db-03 (interfaces); finlive-db-03 (Finance); cmis-db-03 (CMIS); odbclinkprod.ucas.com (UCAS); cron-02 (cron server)
Applying STRIDER
Data Flow Element | Example | S T R I D E R
Data Flow | Function call, RPC, Network Traffic | (tick marks not recoverable from the slide export)
Source/Destination | Users, Admins, other systems | (tick marks not recoverable from the slide export)
Data Store | Database, File, Registry, Shared Memory, Queue | (tick marks not recoverable from the slide export)
Process | DLL, EXE, COM Obj, Components, Services | (tick marks not recoverable from the slide export)
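The STRIDER mapping from the "STRIDE(R)" table applied per element type to a slice of the data flow diagram above, as an added example that is not the presentation's own code: the letters each element type attracts are assumed from the Microsoft SDL STRIDE-per-element chart (the slide's tick marks did not survive export), the rights goal R is assumed to attach wherever personal data is held or moved, and the http hop behind the SSL-offloading A10 is modelled as an unencrypted flow.

```python
"""STRIDE(R) per-element threat enumeration over a data flow diagram.

Added example, not code from the slides. It encodes the slide's
threat / property / GDPR-reference table and applies it per DFD element
type. Which element types attract which STRIDE letters is ASSUMED from the
Microsoft SDL "STRIDE per element" chart. The seventh letter, Rights of the
data subject, is assumed to attach to every element that holds or moves
personal data. The DFD below is a constructed slice of the slide diagram.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    DATA_FLOW = "Data Flow"
    EXTERNAL = "Source/Destination"
    DATA_STORE = "Data Store"
    PROCESS = "Process"


# Letter -> (threat, property challenged, GDPR reference), from the slide table.
STRIDER = {
    "S": ("Spoofing", "Authentication", "Rec. 57, 64; Art. 12(2), (6)"),
    "T": ("Tampering", "Integrity", "Art. 18(1)(a)"),
    "R": ("Repudiation", "Non-repudiation", "Art. 14"),
    "I": ("Information Disclosure", "Confidentiality", "Art. 32"),
    "D": ("Denial of Service", "Availability", "Art. 15"),
    "E": ("Elevation of Privilege", "Authorization", "Art. 32"),
    "Ri": ("Rights of Data Subject", "Privacy", "Art. 16-20"),
}

# ASSUMED per-element susceptibility (Microsoft SDL STRIDE-per-element chart).
APPLICABLE = {
    Kind.DATA_FLOW: ("T", "I", "D"),
    Kind.EXTERNAL: ("S", "R"),
    Kind.DATA_STORE: ("T", "R", "I", "D"),
    Kind.PROCESS: ("S", "T", "R", "I", "D", "E"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    personal_data: bool = False   # holds or carries data-subject data
    encrypted: bool = True        # for data flows: transport protection


@dataclass(frozen=True)
class Finding:
    element: str
    code: str
    threat: str
    prop: str
    gdpr: str


def enumerate_threats(dfd):
    """Return one Finding per (element, applicable STRIDE(R) letter)."""
    findings = []
    for el in dfd:
        codes = list(APPLICABLE[el.kind])
        if el.personal_data:
            codes.append("Ri")   # the rights goal that STRIDER adds to STRIDE
        for code in codes:
            threat, prop, gdpr = STRIDER[code]
            findings.append(Finding(el.name, code, threat, prop, gdpr))
    return findings


def rights_coverage(dfd):
    """Elements where Articles 16-20 (rectification, erasure, restriction,
    notification, portability) must be designed in rather than bolted on."""
    return sorted(f.element for f in enumerate_threats(dfd) if f.code == "Ri")


def disclosure_gaps(dfd):
    """Data flows moving personal data without transport encryption: an
    Information Disclosure finding that also fails the Article 5
    'appropriate security' principle."""
    return [el.name for el in dfd
            if el.kind is Kind.DATA_FLOW and el.personal_data and not el.encrypted]


# Constructed slice of the slide diagram (names taken from the slide).
SCMS_DFD = [
    Element("External Users", Kind.EXTERNAL),
    Element("https -> A10 (Load Balancer/SSL offload)", Kind.DATA_FLOW, True, True),
    Element("A10 (Load Balancer/SSL offload)", Kind.PROCESS),
    Element("A10 -> scms-web-01 (http)", Kind.DATA_FLOW, True, False),
    Element("scms-web-01 (Oracle Forms, mod_plsql)", Kind.PROCESS, True),
    Element("scms-db-01 (Oracle RDBMS 11.2.0.4)", Kind.DATA_STORE, True),
]


if __name__ == "__main__":
    for f in enumerate_threats(SCMS_DFD):
        print(f"{f.element:42} {f.code:2} {f.threat:23} {f.prop:16} {f.gdpr}")
    print("Rights goal applies to:", rights_coverage(SCMS_DFD))
    print("Unencrypted personal-data flows:", disclosure_gaps(SCMS_DFD))
```

Each finding carries the GDPR reference from the slide table, so the threat list doubles as the evidence trail a Data Protection Impact Assessment asks for.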
Thanks to:
»Microsoft - Security Development Lifecycle (SDL)
»Bird and Bird - Guide to the GDPR (May 2017)
Any Questions ?
jisc.ac.uk
Robbie Walker
Security architect
University of Portsmouth
robbie.walker@port.ac.uk
Ext 3279

Contenu connexe

Tendances

Tendances (20)

Csa privacy by design & gdpr austin chambers 11-4-17
Csa   privacy by design & gdpr austin chambers 11-4-17Csa   privacy by design & gdpr austin chambers 11-4-17
Csa privacy by design & gdpr austin chambers 11-4-17
 
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides]
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
 
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers GDPR solutions (JS Event 28/2/18) | Greenlight Computers
GDPR solutions (JS Event 28/2/18) | Greenlight Computers
 
The GDPR and What It Means to You
The GDPR and What It Means to YouThe GDPR and What It Means to You
The GDPR and What It Means to You
 
Why Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateWhy Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major Update
 
eDiscovery platform EMEA user conference 2017
eDiscovery platform EMEA user conference 2017eDiscovery platform EMEA user conference 2017
eDiscovery platform EMEA user conference 2017
 
Enlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter GridEnlightened Privacy – by Design for a Smarter Grid
Enlightened Privacy – by Design for a Smarter Grid
 
Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...Privacy by Design and by Default + General Data Protection Regulation with Si...
Privacy by Design and by Default + General Data Protection Regulation with Si...
 
Demonstrating Compliance & the Role of Certification Under the GDPR [Webinar ...
Demonstrating Compliance & the Role of Certification Under the GDPR [Webinar ...Demonstrating Compliance & the Role of Certification Under the GDPR [Webinar ...
Demonstrating Compliance & the Role of Certification Under the GDPR [Webinar ...
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
Big Data Security and Privacy - Presentation to AFCEA Cyber Symposium 2014
 
Dcg cba legal ethics and the cloud final 06.20.17
Dcg cba legal ethics and the cloud final 06.20.17Dcg cba legal ethics and the cloud final 06.20.17
Dcg cba legal ethics and the cloud final 06.20.17
 
72 Hours Notice: Incident Response Management under the GDPR [Webinar Slides]
72 Hours Notice: Incident Response Management under the GDPR [Webinar Slides]72 Hours Notice: Incident Response Management under the GDPR [Webinar Slides]
72 Hours Notice: Incident Response Management under the GDPR [Webinar Slides]
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider Threats
 
What happens if you’re not ready for the GDPR?
What happens if you’re not ready for the GDPR?What happens if you’re not ready for the GDPR?
What happens if you’re not ready for the GDPR?
 
Data privacy impact assessment
Data privacy impact assessmentData privacy impact assessment
Data privacy impact assessment
 
Convince your board: How to prepare your business for List X
Convince your board: How to prepare your business for List XConvince your board: How to prepare your business for List X
Convince your board: How to prepare your business for List X
 
Privacy by design for peerlyst meetup
Privacy by design for peerlyst meetupPrivacy by design for peerlyst meetup
Privacy by design for peerlyst meetup
 
Benchmarking Your GDPR Compliance: Will You Make the Grade? [TrustArc Webinar...
Benchmarking Your GDPR Compliance: Will You Make the Grade? [TrustArc Webinar...Benchmarking Your GDPR Compliance: Will You Make the Grade? [TrustArc Webinar...
Benchmarking Your GDPR Compliance: Will You Make the Grade? [TrustArc Webinar...
 

Similaire à Privacy is at the heart of data protection

Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
Priyanka Aash
 
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docxITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
christiandean12115
 
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
TEST Huddle
 

Similaire à Privacy is at the heart of data protection (20)

3 oraclex evento reg puglia_v2017-09-14-2
3 oraclex evento reg puglia_v2017-09-14-23 oraclex evento reg puglia_v2017-09-14-2
3 oraclex evento reg puglia_v2017-09-14-2
 
What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017What it Takes to be a CISO in 2017
What it Takes to be a CISO in 2017
 
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec Webinar Part 1 of 6 The Four Stages of GDPR ReadinessSymantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
Symantec Webinar Part 1 of 6 The Four Stages of GDPR Readiness
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
 
Ciso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data securityCiso round table on effective implementation of dlp & data security
Ciso round table on effective implementation of dlp & data security
 
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docxITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
ITC568 Cloud Privacy and SecurityThe Cloud Security Ecosyste.docx
 
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
'Test Data Management and Project Quality Go Hand In Hand' by Kristian Fische...
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
Business Continuity and app Security
Business Continuity and app Security Business Continuity and app Security
Business Continuity and app Security
 
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
[Webinar Slides] Data Privacy Solving Negligence, Bad Practices, Access Contr...
 
GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
 
Getting to Approval Faster Through Technology Innovation
Getting to Approval Faster Through Technology InnovationGetting to Approval Faster Through Technology Innovation
Getting to Approval Faster Through Technology Innovation
 
GDPR - no beginning no end
GDPR - no beginning no endGDPR - no beginning no end
GDPR - no beginning no end
 
Splunk: How Machine Data Supports GDPR Compliance
Splunk: How Machine Data Supports GDPR ComplianceSplunk: How Machine Data Supports GDPR Compliance
Splunk: How Machine Data Supports GDPR Compliance
 
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data AssetsFS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
FS-ISAC APAC Summit 2017 Singapore - Of Crown Jewels and Data Assets
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
 
O365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure scoreO365Engage17 - Black belting office 365 security with secure score
O365Engage17 - Black belting office 365 security with secure score
 
Symantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR ComplianceSymantec Webinar Part 2 of 6 GDPR Compliance
Symantec Webinar Part 2 of 6 GDPR Compliance
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 

Plus de Jisc

Plus de Jisc (20)

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 

Dernier

Dernier (20)

Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...

Privacy is at the heart of data protection

6. What about Privacy by Design?
“Privacy by design is an engineering and strategic management approach that commits to selectively and sustainably minimize information systems’ privacy risks through technical and governance controls.” Ann Cavoukian, 1995

7. What about Privacy by Design?
1. Proactive not reactive
2. Privacy by default
3. Privacy embedded into design
4. Full functionality is not impaired
5. Lifecycle protection
6. Visibility and transparency
7. Respect for user privacy

8. However…
As concluded from the 2014 NIST Privacy Engineering Workshop, there is currently a communication gap around privacy between the legal and policy, design and engineering, and product and project management teams, which makes it difficult to understand and manage privacy risks.

9. There are well known Privacy by Design principles, but you can’t build information systems by relying on high level principles alone.
Note: P-by-D is not simply a task for application developers. True P-by-D requires collaboration with and commitment of business leaders, senior management, application and program owners, line of business and process owners.

10. STOP. What does the GDPR say?

11. What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
Note the use of: ‘Design’ and ‘Default’

12. What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
By design… To deal with real-world demands for personal data, while properly addressing the risks to the rights and freedoms of the data subject, the controller must apply control measures which implement data-protection principles. These measures must be integrated at the earliest stage in the project and at go live, with the aim of protecting the rights of data subjects.

13. What does the GDPR say?
Article 25 “Data Protection by Design and by Default”
…and by default: only process personal data necessary for each specific purpose.
»Limit the amount of personal data collected
»Limit the extent of the processing
»Limit the period of the storage
»Limit the accessibility

14. Data Protection by Design boils down to 4 requirements:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
4. Limit the amount of personal data collected, the extent of the processing, the period of storage and the accessibility – by default

15. Data Protection by Design boils down to 4 requirements:
Where does this fit within our ICT GDPR compliance activities? We have the luxury of:
»Application Development Group
»Project Support Office

16. Data Protection by Design and Default
1, 2 and 3 are owned by our application developers…
…but 4 (limit the amount of personal data collected, the extent of the processing, the period of storage and the accessibility – by default) sits with our “Project Support Office” and is linked with Data Protection Impact Assessments.

17. Data Protection by Design for developers:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
Who ✓ Why ✓ When ✓

18. Data Protection by Design for developers:
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject
What × Where × How ×

19. Data Protection by Design for developers:
»What are the ‘controls’ and ‘data protection principles’?
»Where in the SDLC should all this come together?
»How do we protect the rights of the data subject?

20. Data Protection by Design for developers: three steps…
1. Apply controls to implement data-protection principles
2. Integrate these at the earliest stage in the project and at go live
3. Always aim to protect the rights of the data subject

21. Control measures include:
Firewall; Network segregation; Password policy; Access control; Encryption; Secure configuration; Anti-malware; Patch management

22. Data Protection Principles (Article 5):
»Lawfulness (consent), fairness and transparency
»Specified, explicit and legitimate purposes
»Accurate and, where necessary, kept up to date
»Adequate, relevant and limited to what is necessary
»Kept for no longer than is necessary
»Processed in a manner that ensures appropriate security of the personal data
 › pseudonymisation, data minimisation, account management

23. Rights of the Data Subject (Articles 12 - 23): what ‘rights’ are the developers able to protect?
»Article 16 - Right to rectification (Recital 65)
»Article 17 - Right to erasure (‘right to be forgotten’) (Recitals 65, 66)
»Article 18 - Right to restriction of processing (Recital 67)
»Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
»Article 20 - Right to data portability (Recital 68)

24. Threat modelling – (Microsoft SDL)
»Is about finding the security problems before you write the code
»Vulnerabilities are eliminated before they ever see the light of day
»The design can be modified to eliminate or reduce security risks - without compromising functionality (ooooooh!)
»Reworking (patching) efforts are reduced
»Security is greatly improved
Surely, this underpins DP by D.

25. Threat modelling – resonates with Privacy by Design
1. Proactive not reactive
2. Privacy by default
3. Privacy embedded into design
4. Full functionality not impaired
5. Lifecycle protection
6. Visibility and transparency
7. Respect for user privacy

26. Threat Modelling using STRIDER
Builds on the Threat Modelling (STRIDE) process from Microsoft. It recognises the value of threat modelling for security - finding the security problems before you write the code - but security improvements don’t always bring privacy benefits, so it attempts to accommodate Rights of the Data Subject as a goal within the Threat Modelling process.

27. STRIDE(R) - is fundamentally good for DP by D

Threat                  | Property challenged | Rights of data subject likely to be challenged
Spoofing                | Authentication      | Rec. 57, 64; Art. 12(2), (6): the GDPR explicitly enables controllers to require data subjects to provide proof of identity before giving effect to their rights
Tampering               | Integrity           | Art. 18(1)(a) (accuracy contested by the data subject)
Repudiation             | Non-repudiation     | Art. 14 (data have not been obtained from the data subject)
Information Disclosure  | Confidentiality     | Art. 32 - Security of processing
Denial of Service       | Availability        | Art. 15 - Right of access
Elevation of Privilege  | Authorization       | Art. 32 - Security of processing
Rights of Data Subject  | Privacy             | Art. 16 – 20

28. Data flow diagram

29. Data flow diagram of the SCMS (student records) environment; the diagram itself did not survive extraction, only its labels:
Users: Internal Users; External Users; Oracle Discoverer Users (Reporting)
Entry points: https://srapp.port.ac.uk (Quercus Front End); https://srapp-uat.port.ac.uk; https://register.port.ac.uk (External Apex Apps: Confirm a place, Apply Online etc.)
Load balancing: A10 (Load Balancer/SSL offload), http to the back end
Hosts: sr-app-01, scms-db-01, scms-web-01, scms-web-02
Platform labels: SCMS Apex; Windows 2012 R2; Oracle Forms and Reports 11.2; Oracle mod_plsql (Apex WebServer); Java 6 and 7; ORDS (REST web services 2.0); SLES 11 SP3; Oracle RDBMS 11.2.0.4; Apex 4.2.6
Connected systems: interface-db-03 (interfaces); finlive-db-03 (Finance); cmis-db-03 (CMIS); odbclinkprod.ucas.com (UCAS); cron-02 (cron server)

30. Applying STRIDER (STRIDE-per-element, with an added R column for Rights of the data subject; the tick marks in the S T R I D E R columns did not survive extraction)

Data Flow Element   | Example                                               | S T R I D E R
Data Flow           | Function call, RPC, network traffic                   |
Source/Destination  | Users, admins, other systems                          |
Data Store          | Database, file, registry, shared memory, queue        |
Process             | DLL, EXE, COM object, components, services            |
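As an added example (not part of the presentation), the STRIDER step from slides 27 and 30 applied to a few elements of the slide-29 diagram: each DFD element gets the STRIDE categories that Microsoft's STRIDE-per-element considers for its kind, and stores or processes that hold personal data additionally get the Rights-of-the-data-subject goal (Art. 16-20). The per-element letter sets and the rule for when R applies are this example's assumptions, since the slide's tick marks are not legible.

```python
from dataclasses import dataclass

# STRIDE-per-element (Microsoft SDL): threat categories considered per DFD
# element kind. Assumed here from the SDL, not read off the slide.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# Slide 27: threat -> (security property challenged, GDPR reference).
THREAT_MAP = {
    "S": ("Spoofing", "Authentication", "Rec. 57, 64; Art. 12(2), (6)"),
    "T": ("Tampering", "Integrity", "Art. 18(1)(a)"),
    "R": ("Repudiation", "Non-repudiation", "Art. 14"),
    "I": ("Information disclosure", "Confidentiality", "Art. 32"),
    "D": ("Denial of service", "Availability", "Art. 15"),
    "E": ("Elevation of privilege", "Authorization", "Art. 32"),
}
RIGHTS = ("Rights of data subject", "Privacy", "Art. 16-20")

@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    personal_data: bool = False  # does this element hold/handle personal data?

def threats_for(element):
    """Return the (threat, property, GDPR reference) tuples to assess for one element."""
    if element.kind not in STRIDE_PER_ELEMENT:
        raise ValueError(f"unknown DFD element kind: {element.kind}")
    found = [THREAT_MAP[c] for c in STRIDE_PER_ELEMENT[element.kind]]
    # STRIDER extension (assumption): a store or process handling personal data
    # must also be assessed against Articles 16-20 (rectification, erasure,
    # restriction, portability), not just against the security properties.
    if element.personal_data and element.kind in ("data_store", "process"):
        found.append(RIGHTS)
    return found

def model(elements):
    """Threat model for a whole DFD: element name -> list of threats to assess."""
    return {e.name: threats_for(e) for e in elements}

# Constructed subset of the slide-29 diagram (element names taken from the slide).
SCMS = [
    Element("External Users", "external_entity"),
    Element("register.port.ac.uk -> A10 (https)", "data_flow"),
    Element("sr-app-01 SCMS Apex", "process", personal_data=True),
    Element("scms-db-01 Oracle RDBMS", "data_store", personal_data=True),
]
```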
31. Thanks to:
»Microsoft - Security Development Lifecycle (SDL)
»Bird and Bird - Guide to the GDPR (May 2017)
Any questions?

32. jisc.ac.uk
Robbie Walker, Security architect, University of Portsmouth
robbie.walker@port.ac.uk, Ext 3279