Does Microsoft ignore the GDPR data subject rights?

Some acquaintances had their Hotmail e-mail accounts blocked by Microsoft because a Microsoft algorithm suspected that unauthorized users had accessed their e-mail accounts.

For starters, I can only applaud that Microsoft takes measures to protect the confidentiality of the information stored in Hotmail mailboxes.

However, the problems started when these acquaintances tried to regain access to their mailboxes. Even after they entered a lot of personal information, the Microsoft algorithm concluded that there was insufficient information to restore access.

Furthermore, they weren’t able to regain access to the mailbox through human intervention because the telephone helpdesk (‘helpdesk’ only by name, in practice you are not helped) only refers you to a web page with a procedure that brings you full circle to the same faulty algorithm for regaining access.

In my view, this incident contains a number of clear GDPR non-conformities, such as:

  • Data subjects cannot access their own data;
  • No possibility of human intervention, to bypass an algorithm;
  • No possibility of data portability to another mailbox;
  • No possibility to delete mailbox data if a user is required to create a new account.

In summary, this makes Microsoft non-compliant with the GDPR…

What skills should Data Protection Officers have?

Willem De Beuckelaere, the President of the Belgian Privacy Commission, gave the closing remarks yesterday (26/04/18) at the Cyber Security Coalition’s event in Brussels.

An element of uncertainty in the data privacy industry is the GDPR’s requirement for certain organisations to appoint a DPO. The IAPP has predicted that the world needs 75,000 Data Protection Officers but given the general lack of cyber security skills on the labour market, it’s not clear where these people will come from.

De Beuckelaere highlighted the role’s importance for organisations seeking to achieve GDPR compliance: “The most important tool will be the human tool: the Data Protection Officer. We know today that we need transparency with communication and technology; a legal perspective alone is not enough for compliance in a multidisciplinary world. The person performing the role should be a multidisciplinary expert. I am a lawyer, so I will not do a Shakespeare and say let’s kill all the lawyers, but lawyers should be prepared to step aside and assign duties to communications experts and IT teams”.

De Beuckelaere’s forthright declaration certainly stirred the attention of the audience. His statement was a strong put-down for legal professionals selling themselves as omnipotent GDPR authorities.

I asked how he saw this playing out in practice: “What skills should the DPO have? If it shouldn’t be a lawyer, how do you stop lawyers from cannibalizing the profession?”

He responded: “It’s impossible for one person to have all the relevant knowledge necessary to perform the role, what you need is someone who can connect them. I divide the skills into four quadrants: IT, Legal, Internal Communications (project management) and Communications (customer service/public relations). Good ethics are also vital: the DPO needs to be a highly ethical person. Another added bonus is to have someone who understands how the organisation works. I suggest that companies look after their people!” De Beuckelaere later added that he probably should have added another role the DPO needs to take on: that of diplomat!

A follow-up question came from the audience: “So should the DPO be a restricted profession?”

De Beuckelaere: “I don’t know. It’s a very difficult position, hopefully the jurisprudence will give us some guidance. But DPOs should certainly be protected in order to do their jobs”.

So should lawyers really be cut out of the picture? Not entirely: the GDPR is clear that DPOs should have expert knowledge of data protection law, and there are elements of compliance that are impossible without legal expertise. De Beuckelaere’s remarks were presumably intended to encourage organisations to take a more holistic approach to compliance, rather than hoping the legal department or some magic tool could make it all go away.

New GDPR standard as forerunner for GDPR ISO standardisation

(This article is also available in Dutch.)

Many organizations would like to obtain a certificate in order to objectively demonstrate GDPR compliance towards the market.
The General Data Protection Regulation (GDPR) mentions in article 42 that the creation and usage of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with GDPR, will be promoted. However, until recently there were no widely accepted certification standards available within the Benelux.

Therefore, lots of organizations are trying to obtain the ISO27001:2013 certificate, as it is promoted by data protection authorities as a good way to objectively demonstrate that personal data is adequately protected. However, ISO27001 covers only one of the GDPR principles, the principle of confidentiality, and cannot be used to demonstrate full GDPR compliance.

Recently, BrandCompliance, one of our partners, has created a new standard (BC5701:2018) based on the GDPR. This standard facilitates the implementation of a privacy management system, which is the basis for demonstrating GDPR compliance.

This standard uses a structure similar to that of the ISO standards and can therefore easily be combined with other standards such as ISO27001 to implement an integrated privacy and information security management system.

This BC5701:2018 standard will be proposed as the basis for the creation of an internationally harmonized GDPR standard, which can be used by organizations such as NBN and NEN, the Belgian and Dutch certification institutes, and which would allow organizations to obtain a market-recognized certification.

The cross table below (in Dutch) shows how GDPR requirements are integrated within the BC5701:2018 chapters. The entire cross table can be found within the BC5701:2018 standard.

Toreon will be one of the first companies to adopt this standard within the Belgian market, in order to aid organizations in their quest to become demonstrably compliant with the GDPR.

To be clear, the implementation of a privacy management system based upon BC5701:2018 is not a legal requirement, but it does position your company as a privacy pioneer within your industry, allowing you to leverage compliance as a competitive advantage.

Purchase and download the standard.

For implementation advice, please reach out to info@toreon.com or call us at +32 33 69 33 96.

Our guy at the Flux50 Smart Energy Academy

From the 22nd to the 24th of November I attended the first Smart Energy Academy by Flux50, which was focused on how the energy transition will impact the various aspects of the energy landscape in Flanders.

The energy transition in Flanders consists of several large changes happening in the current context, including the introduction of larger-scale renewable energy production, distributed energy production (solar panels, etc.), decentralized storage of electricity (home batteries), electric cars, hydrogen-fuelled cars, and so on.

Every market player, be it a producer or consumer and everything in between, showed what they expected of the near future.

The biggest takeaways for me were:

  • We are evolving to a massively distributed energy production and storage scenario, which will also change the attack scenarios against our energy grid.
  • The vulnerability level of consumer-grade electronics is generally higher and the devices are less well managed, and there will be a larger diversity of manufacturers and types of devices. This should make it much more difficult to write large-scale attacks that impact a large part of the grid all at once. Attackers will have to change their current attack strategy from power-plant-specific to generalized attacks.
  • Lots of devices are being connected to each other to create smart buildings or other intelligent systems, but the connections themselves are often only made on a per-project basis, and no real security measures are considered during development.
  • Privacy: data about how a building is adapting itself to its users might seem trivial and not privacy-related, but imagine how you would feel if someone knew exactly when you came home, took a bath, exercised or were cooking dinner. Now imagine someone would know this about your whole building or whole neighborhood…

There is still some work to be done to ensure all systems communicate in a secure way and only authorized persons can access and control these systems or the data they produce.

There is still a lot of improvement needed on the security side of the energy sector, so I hope we can continue to guide the energy market towards a safer tomorrow!

GDPR: tips for demonstrating compliance to the awareness requirement

In my previous blog, I discussed the need for adequate awareness and how this is the task of the DPO. The accountability principle requires you to be able to objectively demonstrate compliance.

So here are some tips to do just that:

  1. Create an Awareness Matrix by mapping the Personal Data Inventory (see article 30, records of processing) activities to the GDPR requirements.
    The DPO and CISO can create a combined awareness matrix to optimise educational and time-efficiency synergies.
    Examples:
    – The sales department is involved in direct marketing and they use cookies.
    Therefore, it is important to make them aware about consent and E-privacy regulation.
    – The R&D department writes new software.
    Therefore, it is important to make them aware about Privacy by Design & Default and Secure Development.
  2. Create an Awareness Roadmap.
    It is important to prioritise the awareness sessions, taking into account the inherent privacy and security risks of the different departments. Departments with more privacy and information security risks should receive more extensive awareness training. Also, make sure to engage top management and the board of directors when developing the awareness roadmap as experience proves that top management awareness, support and involvement is an important factor for a successful implementation of any management system.
  3. Organise Awareness Trainings and gather evidence.
    The GDPR states that organisations must be able to prove that they are compliant (= accountability principle). Hence it is important to keep attendance records of awareness trainings.
    Do you want to go the extra mile? Let your employees fill in a test to monitor their privacy and security knowledge after the awareness sessions.
  4. Make use of external expertise: scientific research has proven that the role of top management support for the implementation of privacy and security management systems, including but not limited to awareness, may not be as critical as external privacy and information security expertise, in the form of specialized consultants and vendors.
  5. Appoint Local Privacy Champions.
    Local Privacy Champions are key employees in existing business departments with an above average knowledge of GDPR requirements. These individuals support the DPO by monitoring compliance and advocating compliance within their respective departments. Make sure to create a job description for and overview of the privacy champions as evidence.
  6. Repeat.
    Repetition works. It is important to make awareness a recurrent activity to ensure that privacy and security remain embedded in the operational activities. Recurrent awareness sessions also prevent any awareness drain in your organisation when key employees leave or when newcomers enter the organisation.
  7. Diversify.
    Make use of marketing tactics to optimise the reach of your awareness actions. Use different communication channels (class sessions, email, posters …) to maximise audience reach.
  8. KISS.
    Your awareness message will be much better received and remembered by Keeping It Simple, Stupid.

Toreon at Privacy Café: combining privacy by design with the SDLC

At the last Privacy Café*, held in Mechelen on October 23rd, Seba Deleersnyder, co-founder and managing partner of Toreon, and Siebe De Roovere, Privacy and Information Security Expert at Toreon, explained to the Café’s guests how to combine Privacy by Design with the SDLC and how to objectively prove that your organization meets all of the set requirements.

A quick recap:

What can you do?
– Do not “bolt on” extra compliance activities.
– Integrate compliance in AppSec / InfoSec activities.
– Add “GDPR epics and stories” to product backlog & include in sprints.

What will this get you?
– GDPR and SDLC reinforce each other.
– (ab)use GDPR to start SDLC (business case).
– Improve SDLC by including GDPR activities.
– SDLC “deliverables” with GDPR artifacts demonstrate compliance.

What are the key success factors of this approach?
– Extend your AppSec “community” with DPO & legal allies.
– Turn your DPO into an SDLC advocate.

Hungry for more?
Find the complete presentation here.

Furthermore, Toreon happily donates the complete SAMM/GDPR mapping we’ve come up with to OWASP and all of the Privacy and Security Community.
Download our SAMM/GDPR Mapping.

We would love to hear whether this was helpful to you or your organisation!

* A few times a year the Data Protection Institute (DPI) hosts a Privacy Café where they invite guests to talk about their job in the Data Protection field; discussing best practices and possible obstacles in their attempt to comply with the GDPR. All professional privacy enthusiasts are welcome to attend.

GDPR: adequate security measures and awareness

The GDPR requires that both controllers and processors implement adequate security measures in order to protect the processed personal data. The word ‘adequate’ seems vague and open to interpretation to most.

For security experts, however, it is clear that ‘adequate measures’ means that risk-based security control measures should be implemented. These have to be based on internationally recognised security standards, such as ISO2700x, NIST and ISF. These standards provide enough guidelines for security experts to objectively implement an Information Security Management System (ISMS) within organisations. A well-implemented ISMS contains a sustained improvement cycle, which allows for continuous progress of the security controls so that they keep providing the necessary adequate protection of personal data when the security landscape changes.

And it will change over time…

The GDPR is even more vague when it comes to awareness requirements for controllers and processors. The GDPR only mentions (in article 39, on the tasks of the Data Protection Officer) that the DPO has the task of raising privacy awareness and training staff.
I would argue that this means that the DPO must ensure sufficient privacy and information security awareness, which is a basic requirement in every ISMS, as one cannot guarantee adequate security without adequate awareness.
Adequate awareness means that at least every department of an organisation has the necessary information on the privacy legislation and information security aspects relevant to their function in order to prevent and/or detect unauthorised data processing activities or data breaches. The required privacy and information security knowledge depends on the operational activities of the different organisational departments and roles.

In my next blog, I will give some tips for reaching awareness compliance.

Embedding GDPR in the secure development lifecycle (SDLC)

Did you know that the GDPR and SDLC reinforce each other, and that the GDPR can be used as the ideal business case to start with SDLC? Siebe and I explained how and why during the OWASP AppSec Europe conference in Belfast. Couldn’t attend? You can find the presentation in our previous blog, or begin by reading the introduction below.

We all know that in less than a year the GDPR (General Data Protection Regulation) enters into force to unify the privacy legislation within Europe and the UK and to improve the protection of personal data and data subject rights. And I don’t need to tell you that the secure development lifecycle (SDLC) method is the go-to methodology when planning for, designing, building, testing and delivering information systems. But if you play it smart, you can improve your SDLC by including GDPR activities and use SDLC artifacts to demonstrate compliance with the GDPR.

A lot of articles in the GDPR specifically refer to security. Article 25, for instance, on privacy by design & default, article 32 on security of processing and article 35 on DPIAs all specifically mention the security levels and assessments that should be considered. The most efficient way to comply with these GDPR security requirements when developing (new) applications is by integrating them into your Secure Development Lifecycle.

You can find more information on the OWASP Software Assurance Maturity Model (SAMM) and how it can be integrated into any existing SDLC here. For now, it suffices if you know that OpenSAMM is defined in different levels.

  • At the highest level it is divided into four tasks or concerns to consider while developing or using software. They align well with a typical organisational structure, and this is how software security typically ties into an organisation.
  • At a lower level, several security practices are defined that should be considered for improving software security.
  • At the lowest level, every security practice consists of a set of activities, ordered in maturity levels or objectives.

The GDPR articles related to security fall perfectly into these activities. Just check out this table:

SAMM domains

So, when you divide for example the GDPR requirements on Policy & Compliance into three objective levels, this is the result:

Policy & Compliance

More examples and details can be found in the presentation in our previous blog. Or get in touch!

How compatible is the GDPR with public cloud?

Are the requirements of the GDPR compatible with the use of public cloud? That interesting question is not only alive amongst our customers, but is also on the minds of the readers of the ICT magazine Smart Business. I made a thorough analysis, considering not only the rules and regulations but also the feasibility and overhead costs. You can read my conclusions on the website of Smart Business, in Dutch.

Presentation “Embedding GDPR in the SDLC” available for download

Last Thursday we delivered our presentation “Embedding GDPR in the SDLC” at the OWASP AppSec Europe conference in Belfast.
The presentation is the outcome of various projects in which we encounter both privacy and application security challenges.
Siebe De Roovere (one of our privacy specialists) and I have worked on integrating GDPR compliance requirements in a secure development life cycle.

SAMM – GDPR mapping

For secure development life cycle projects we use the OWASP Software Assurance Maturity Model (SAMM). This is an excellent maturity model with concrete guidance on application security activities. You can integrate these activities in your software governance, development, testing and operations. We identified the GDPR requirements and deliverables and mapped these on the SAMM activities.
This way we improve software security activities and can at the same time demonstrate GDPR compliance with the security deliverables. One example is a documented threat model, which includes the outcome of a data privacy impact assessment.

Download

There was a lot of interest for our session and we had great questions and feedback at the end of our presentation.
The slides of the presentation are available for download here: TOREON_Embedding_GDPR_into_the_SDLC_OWASP_AppSecEU_Sebastien_Siebe_V20170511
We will let you know when the video of the presentation is available.

We decided to donate the SAMM/GDPR mappings to the OWASP SAMM project and will organize a working session during the upcoming OWASP Summit in June to develop this further.

In the meantime, we encourage you to provide us with feedback and/or input to improve the current mappings!

Kind regards,

Seba & Siebe