Information Security and GDPR

•

3 recomendaciones•2,840 vistas

London School of Hygiene and Tropical Medicine

Laurence Horton of the London School of Economics gave a talk on the information security implications of the General Data Protection Regulation (GDPR). Presented at the London Area Research Data meeting on 17th November 2017, held at the London School of Hygiene & Tropical Medicine.

Tecnología

Information Security and GDPR
Laurence Horton,
LSE Library
“Information Security and GDPR” by Laurence Horton is licensed under a Creative Commons Attribution 4.0 International License.

GDPR sanctions
• Written warning
• Data protection audit
• 20,000,000€ or up to 4% annual worldwide
turnover
• consent
• data subjects' rights
• transfers of personal data

Personal data
• Best way to manage personal data: don’t collect it unless
necessary.
– Name, identification number, location data, online identifier*
– Race or ethnicity
– Trade union membership
– Religious or philosophical beliefs
– Political opinions
– Health
– Sex life
– Criminal record†
– Genetic
– Biometric
• GDPR, *Article 4(1), Article 9(1), †Article 10

Information Security classifications
Access levels based on ‘least privilege’
principle.
• Controlled
• Safeguarded
• Open data
Source:
https://www.ukdataservice.ac.uk/manage-
data/legal-ethical/access-control
• Confidential
• Restricted
• Internal Use
• Public
Source:
https://info.lse.ac.uk/staff/Services/Policies-
and-
procedures/Assets/Documents/infSecStaIT.pdf

Five safes
Safe…
Projects: appropriate use?
People: researchers trusted to follow procedures and use data properly
Settings: security arrangements prevent unauthorised access or loss
Data: Is there a disclosure risk in the data itself?
Outputs: Publications don’t contain identifying results
Source: Ritchie, Felix (2008). "Secure access to confidential microdata: four years of the Virtual Microdata Laboratory" (PDF). Economic and Labour Market
Statistics. 2:5: 29–34. http://www.ons.gov.uk/ons/rel/elmr/economic-and-labour-market-review/no--5--may-2008/secure-access-to-confidential-microdata--four-
years-of-the-virtual-microdata-laboratory.pdf

Encryption
BitLocker FileVault VeraCrypt 7-zip MS Office
Windows
EFS
Hardware
encryption
Phones or
tablets
Hard drive
USB/External
Volume
Files
Folders
Archives
Hidden volumes
Best fit
Some issues
Use with caution
Not available
LSE Encryption matrix: http://www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/documents/encryption-matrix.pdf
• If it is necessary, anonymise it as soon as
possible. Separate and encrypt personal
data.

Physical access
• Don’t forget the physical: control access to
rooms and storage.
Image: 8th Ward Villere Street New Orleans Safe House C" by Infrogmation of New Orleans - originally posted to Flickr as 7WardVillereSafeHouseC. Licensed
under CC BY 2.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:8th_Ward_Villere_Street_New_Orleans_Safe_House_C.jpg

Information Security guidance
• Check contractual requirements
– ISO27001 (formal or ‘aligned with’)
– Data must not be accessed remotely
– Strong access controls (password complexity
& expiry, folder access, server access)
– Data must be encrypted
– Secure deletion

Information Security guidance
• Warn about breaches
– Phishing
– Spoofing
– Malware/ransomware
– Theft

Information Security guidance
• Cloud storage
– LSE has SharePoint, OneDrive
– data held in EU (Dublin and Amsterdam)
– accounts for external users to access where
needed
– Information Security team can assess Cloud
storage providers contracts

Contact
• datalibrary@lse.ac.uk
• @laurencedata

Más contenido relacionado

La actualidad más candente

cybercrime landscape for moldova

moldovaictsummit2016

Avoiding Common Security Breaches & HIPAA Violations

Biblical Counseling Center of Bradenton, FL

Data protection in Practice

Tomppa Järvinen

Computer crimes and forensics

Avinash Mavuru

Computer forensics ppt

Nikhil Mashruwala

Cybercrime And Cyber forensics

sunanditaAnand

The Data Protection Act

burto111

Privacy , Security and Ethics Presentation

Hajarul Cikyen

cyber security and forensic tools

Sonu Sunaliya

Organizations worldwide collect data about customers, users, products, and services. Striving to get the most out of collected data, they use it to fuel many day-to-day processes including software testing, development, and personnel training. The majority of this collected data is sensitive and falls under specific government regulations or industry standards that define policies for privacy and generally limit or prohibit using the data for these secondary purposes. Data masking solves this problem. It replaces sensitive information with data that looks real and is structurally similar to the actual information but is useless to anyone trying to obtain the real data. Learn about the process, pros and cons of static and dynamic data masking architectures, subsetting, randomization, generalization, shuffling, and other basic techniques used to set up data masking. Discover how to start data masking and learn about common challenges on data masking projects.

Data Masking: Testing with Near-real Data

TechWell

How to keep women safe, online?

Ankit Mehta

Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...

Winston & Strawn LLP

Confidentiality

izzati masturah

This is a copy of my presentation at the 2013 VT Family Law Conference. This lecture discusses the growing importance of electronic evidence in divorce litigation, and provides suggestions on how to locate, recover, and preserve emails, social media posts, pictures, and computer files. It also covers the legal risks that attorneys and their clients face if they are too aggressive in pursuing electronic evidence.

Divorce in the Digital Era

Frederick Lane

Internet Security is an Oxymoron

Max Nokhrin

Submitting documents anonymously by Atanas Chobanov

eurobsdcon

Ip bill issues

rcorrigan

DPA seminar presentation

Rodonoghue72

Electronic Signatures - Technical Foundations

Torsten Eymann

Security and Safe Keeping of Official Information by DPO

Atlantic Training, LLC.

La actualidad más candente (20)

cybercrime landscape for moldova

Avoiding Common Security Breaches & HIPAA Violations

Data protection in Practice

Computer crimes and forensics

Computer forensics ppt

Cybercrime And Cyber forensics

The Data Protection Act

Privacy , Security and Ethics Presentation

cyber security and forensic tools

Data Masking: Testing with Near-real Data

How to keep women safe, online?

Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...

Confidentiality

Divorce in the Digital Era

Internet Security is an Oxymoron

Submitting documents anonymously by Atanas Chobanov

Ip bill issues

DPA seminar presentation

Electronic Signatures - Technical Foundations

Security and Safe Keeping of Official Information by DPO

Similar a Information Security and GDPR

IoT PPT Deck

John Yates

Wipo smes ge_08_topic07

AbdurrahmanADandalam1

Digital Finance Africa 2022 - https://itnewsafrica.com/event/ -hosted by IT News Africa is the definitive annual event on technology leadership in the financial services industry. It asks the hard questions not asked in other conferences, and identifies the skills required to steer a course in an age where the entire industry is transforming rapidly. This is a Summit for bold, visionary leaders who are willing to take calculated risks as much as they are willing to consolidate, who know what to give up as much as what they expect to gain.

Trust in a Digital World

itnewsafrica

2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers

Jon-Michael C. Brook, CISSP

The 2019 Infosecurity ISACA North America Expo and Conference was held in New York City’s Javits Convention Center on November 20-21. With more than 50 sessions spanning 5 tracks, this conference offered the best-in-class educational content ISACA members and certification holders depend on, plus unprecedented access to leaders in the security industry. Join Ulf Mattsson, Head of Innovation at TokenX for a conference recap webinar on the biggest takeaways

What I learned at the Infosecurity ISACA North America Conference 2019

Ulf Mattsson

With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced data privacy and security solutions has become even more critical. French regulators cited GDPR in fining Google $57 million and the U.K.'s Information Commissioner's Office is seeking a $230 million fine against British Airways and seeking $124 million from Marriott. Facebook is setting aside $3 billion to cover the costs of a privacy investigation launched by US regulators. This session will take a practical approach to address guidance and standards from the Federal Financial Institutions Examination Council (FFIEC), EU GDPR, California CCPA, NIST Risk Management Framework, COBIT and the ISO 31000 Risk management Principles and Guidelines. Learn how new data privacy and security techniques can help with compliance and data breaches, on-premises, and in public and private clouds.

A practical data privacy and security approach to ffiec, gdpr and ccpa

Ulf Mattsson

Bcc comp4 ppt1

ifrieshe

INT 1010 07-4.pdf

Luis R Castellanos

Personal data privacy will be the most prominent issue affecting how businesses gather, store, process, and disclose data in public cloud. Businesses have been inundated with information on what recent privacy laws like GDPR and CCPA require, but many are still trying to figure out how to comply with them on a practical level. Many companies are focusing on data privacy from the legal and security side, which are foundational, but are missing the focus on data. The good news is that these data privacy regulations compel businesses to get a handle on personal data — how they get it, where they get it from, which systems process it, where it goes internally and externally, etc. In other words, the new norms of data privacy require proactive data management, which enables organizations to extract real business value from their data, improve the customer experience, streamline internal processes, and better understand their customers. The new Verizon Data Breach Investigations Report (DBIR) provides perspectives on how Criminals simply shift their focus and adapt their tactics to locate and steal the data they find to be of most value. This session will discuss Emerging Application and Data Protection for Multi-cloud and review Differential privacy, Tokenization, Homomorphic encryption, and Privacy-preserving computation. • Learn New Application and Data Protection Strategies • Learn Advancements in Machine Learning • Learn how to develop a roadmap for EU GDPR compliance • Learn Data-centric Security for Digital Business • Learn Where Data Security and Value of Data Meet in the Cloud • Learn Data Protection On-premises, and in Public and Private Clouds • Learn about Emerging Application and Data Protection for Multi-cloud • Learn about Emerging Data Privacy and Security for Cloud • Learn about New Enterprise Application and Data Security Challenges • Learn about Differential privacy, Tokenization, Homomorphic encryption, and Privacy-preserving computation

ISSA Atlanta - Emerging application and data protection for multi cloud

Ulf Mattsson

Jul 16 isaca london data protection, security and privacy risks - on premis...

Ulf Mattsson

ISACA Houston - Practical data privacy and de-identification techniques

Ulf Mattsson

The Threats Posed by Portable Storage Devices

GFI Software

Network security

Ravikumar Natarajan

Five steps to secure big data

Ulf Mattsson

Privacy & Data Ethics

Erik Kokkonen

Presentación en la que participamos junto con Pete Herzog, Director del ISECOM, durante los I Juegos Fractales de la Vila de Gràcia celebrados en el CSOA de Les Naus. En ella se presentan aspectos sobre la nueva versión del OSSTMM (Open Source Security Testing Methodology Manual), liderada por Pete Herzog y en la que colaboran expertos en seguridad de todo el mundo, entre los que se encuentran miembros del equipo técnico de Internet Security Auditors. Además se presentó el proyecto de la Hacker High School de este año, apadrinada por La Salle y en la que colabora Internet Security Auditors en España y Mediaservice desde Italia, además de muchas otras personas que colaboran de forma desinteresada.

I spy. The world of info Security from the known to the unknown.

Internet Security Auditors

Refugees on Rails Berlin - #2 Tech Talk on Security

Gianluca Varisco

IT Security Presentation - IIMC 2014 Conference

Jeff Lemmermann

Internal social networks

Prof. Jacques Folon (Ph.D)

Get ready to learn some immensely powerful tips and management approaches designed to safeguard your digital files firm from today’s growing cyber threats. Dive into Worldox technology and how it helps clients ensure compliance with ABA rules and protect your documents. We’ll offer practical guidance and strategies for Worldox users, law firm administrators, and IT managers looking to secure their documents and protect their sensitive client, business and employee information.

Securing Your Digital Files from Legal Threats

Abbie Hosta

Similar a Information Security and GDPR (20)

IoT PPT Deck

Wipo smes ge_08_topic07

Trust in a Digital World

2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers

What I learned at the Infosecurity ISACA North America Conference 2019

A practical data privacy and security approach to ffiec, gdpr and ccpa

Bcc comp4 ppt1

INT 1010 07-4.pdf

ISSA Atlanta - Emerging application and data protection for multi cloud

Jul 16 isaca london data protection, security and privacy risks - on premis...

ISACA Houston - Practical data privacy and de-identification techniques

The Threats Posed by Portable Storage Devices

Network security

Five steps to secure big data

Privacy & Data Ethics

I spy. The world of info Security from the known to the unknown.

Refugees on Rails Berlin - #2 Tech Talk on Security

IT Security Presentation - IIMC 2014 Conference

Internal social networks

Securing Your Digital Files from Legal Threats

Más de London School of Hygiene and Tropical Medicine

Preparing to submit your thesis at LSHTM

London School of Hygiene and Tropical Medicine

Your research is more than a thesis: Make the most of research data and other...

London School of Hygiene and Tropical Medicine

Enhance your research impact through open science

London School of Hygiene and Tropical Medicine

GDPR and Research Data Management

London School of Hygiene and Tropical Medicine

Towards Open Research: practices, experiences, barriers and opportunities

London School of Hygiene and Tropical Medicine

Data Journals and repositories: Getting academic credit for data sharing

London School of Hygiene and Tropical Medicine

Crowd sourcing and high resolution satellite imagery in public health

London School of Hygiene and Tropical Medicine

Ketevan is a Research Fellow in the Department of Health Services Research and Policy at LSHTM. She currently works on SPOTLIGHT, a cross-European research project for sustainable prevention of obesity through integrated strategies, where she is managing a large-scale survey conducted in England to assess the perceptions of environmental obesogenicity in selected neighbourhoods. She also assessed the built environment in those neighbourhoods using remote imaging using Google Street View.

Determining the relationship between physical environment and weight status u...

London School of Hygiene and Tropical Medicine

i-Sense: an early-warning sensing systems for infectious diseases

London School of Hygiene and Tropical Medicine

Internet-based surveillance of illness: the FluSurvey platform

London School of Hygiene and Tropical Medicine

An overview of the MyHeart Counts app

London School of Hygiene and Tropical Medicine

Electronic data collection for a modular household survey in Ethiopia

London School of Hygiene and Tropical Medicine

Mobile-Based Experience Sampling for Behaviour Research

London School of Hygiene and Tropical Medicine

An introduction to the FAIR principles and a discussion of key issues that must be addressed to ensure data is findable, accessible, interoperable and re-usable. The session explored the role of the CDISC and DDI standards for addressing these issues. Presented by Gareth Knight at the ADMIT Network conference, organised by the Association for Data Management in the Tropics, in Antwerp, Belgium on December 1st 2015.

Preparing Data for Sharing: The FAIR Principles

London School of Hygiene and Tropical Medicine

RDM Training for health researchers: An institutional perspective

London School of Hygiene and Tropical Medicine

Research Data Readiness in UK Institutions: Digital Curation Centre’s 2015 Su...

London School of Hygiene and Tropical Medicine

Research data services at the University of Oxford

London School of Hygiene and Tropical Medicine

Research Data Management at The University of Edinburgh

London School of Hygiene and Tropical Medicine

Research data management at UAL

London School of Hygiene and Tropical Medicine

RDM at UEL: agile, fragile or feral?

London School of Hygiene and Tropical Medicine

Más de London School of Hygiene and Tropical Medicine (20)

Preparing to submit your thesis at LSHTM

Your research is more than a thesis: Make the most of research data and other...

Enhance your research impact through open science

GDPR and Research Data Management

Towards Open Research: practices, experiences, barriers and opportunities

Data Journals and repositories: Getting academic credit for data sharing

Crowd sourcing and high resolution satellite imagery in public health

Determining the relationship between physical environment and weight status u...

i-Sense: an early-warning sensing systems for infectious diseases

Internet-based surveillance of illness: the FluSurvey platform

An overview of the MyHeart Counts app

Electronic data collection for a modular household survey in Ethiopia

Mobile-Based Experience Sampling for Behaviour Research

Preparing Data for Sharing: The FAIR Principles

RDM Training for health researchers: An institutional perspective

Research Data Readiness in UK Institutions: Digital Curation Centre’s 2015 Su...

Research data services at the University of Oxford

Research Data Management at The University of Edinburgh

Research data management at UAL

RDM at UEL: agile, fragile or feral?

Último

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Information Security and GDPR

1. Information Security and GDPR Laurence Horton, LSE Library “Information Security and GDPR” by Laurence Horton is licensed under a Creative Commons Attribution 4.0 International License.

2. GDPR sanctions • Written warning • Data protection audit • 20,000,000€ or up to 4% annual worldwide turnover • consent • data subjects' rights • transfers of personal data

3. Personal data • Best way to manage personal data: don’t collect it unless necessary. – Name, identification number, location data, online identifier* – Race or ethnicity – Trade union membership – Religious or philosophical beliefs – Political opinions – Health – Sex life – Criminal record† – Genetic – Biometric • GDPR, *Article 4(1), Article 9(1), †Article 10

4. Information Security classifications Access levels based on ‘least privilege’ principle. • Controlled • Safeguarded • Open data Source: https://www.ukdataservice.ac.uk/manage- data/legal-ethical/access-control • Confidential • Restricted • Internal Use • Public Source: https://info.lse.ac.uk/staff/Services/Policies- and- procedures/Assets/Documents/infSecStaIT.pdf

5. Five safes Safe… Projects: appropriate use? People: researchers trusted to follow procedures and use data properly Settings: security arrangements prevent unauthorised access or loss Data: Is there a disclosure risk in the data itself? Outputs: Publications don’t contain identifying results Source: Ritchie, Felix (2008). "Secure access to confidential microdata: four years of the Virtual Microdata Laboratory" (PDF). Economic and Labour Market Statistics. 2:5: 29–34. http://www.ons.gov.uk/ons/rel/elmr/economic-and-labour-market-review/no--5--may-2008/secure-access-to-confidential-microdata--four- years-of-the-virtual-microdata-laboratory.pdf

6. Encryption BitLocker FileVault VeraCrypt 7-zip MS Office Windows EFS Hardware encryption Phones or tablets Hard drive USB/External Volume Files Folders Archives Hidden volumes Best fit Some issues Use with caution Not available LSE Encryption matrix: http://www.lse.ac.uk/intranet/LSEServices/IMT/about/policies/documents/encryption-matrix.pdf • If it is necessary, anonymise it as soon as possible. Separate and encrypt personal data.

7. Physical access • Don’t forget the physical: control access to rooms and storage. Image: 8th Ward Villere Street New Orleans Safe House C" by Infrogmation of New Orleans - originally posted to Flickr as 7WardVillereSafeHouseC. Licensed under CC BY 2.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:8th_Ward_Villere_Street_New_Orleans_Safe_House_C.jpg

8. Information Security guidance • Check contractual requirements – ISO27001 (formal or ‘aligned with’) – Data must not be accessed remotely – Strong access controls (password complexity & expiry, folder access, server access) – Data must be encrypted – Secure deletion

9. Information Security guidance • Warn about breaches – Phishing – Spoofing – Malware/ransomware – Theft

10. Information Security guidance • Cloud storage – LSE has SharePoint, OneDrive – data held in EU (Dublin and Amsterdam) – accounts for external users to access where needed – Information Security team can assess Cloud storage providers contracts

11. Contact • datalibrary@lse.ac.uk • @laurencedata

Information Security and GDPR

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Information Security and GDPR

Similar a Information Security and GDPR (20)

Más de London School of Hygiene and Tropical Medicine

Más de London School of Hygiene and Tropical Medicine (20)

Último

Último (20)

Information Security and GDPR