GDPR in 30 minutes from design point of view, some excerpts from regulation

1. EU GENERAL DATA PROTECTION
REGULATION IN 30 MINUTES
MORE PRACTICAL INFO SESSION FOR SOFTWARE DEVELOPMENT
DIRECTIVE SAYS ”WHAT”, WE NEED TO DEFINE ”HOW”
TOMI JÄRVINEN – SECURITY SPECIALIST
23/01/2017 1COPYRIGHT © ADITRO. ALL RIGHTS RESERVED.

2. Personal data
The definition is meant to be broad. "Personal data" : when someone is able to
link the information to individual person, directly or indirectly.
Credit card number, bank statements, medical record (just mention about rare
decease) Full name, photo, phone number, birth date, e-mail address, car number
plate, physical characteristics…and IP address.
The definition is also technology neutral. It does not matter how the personal data
is stored – on paper, on an whatever IT system, on a CCTV system, photographs,
etc
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 2
https://ico.org.uk/media/for-organisations/documents/1549/determining_what_is_personal_data_quick_reference_guide.pdf
EU Court of Justice ruled that IP addresses are protected personal data
https://www.quora.com/Is-IP-address-considered-to-be-personal-information-in-EU-in-general-and-in-Finland-in-particular

3. Roles from legislation point of view: Data
Controller, Processor and Data Subject
The data controller is the natural person, company, association or other entity that is
factually in control of the processing of personal data and is empowered to take the
essential decisions on the purposes and mechanisms of such processing including the
applicable security measures. “Who is responsible and owns Data Subjects information”.
A processor becomes a controller if he or she uses data for his or her own purposes, not
following the instructions of a controller (Think about Google and targeted advertising)”
Data Processor: Directive: “The natural or legal person, public authority, agency or any
other body, which processes personal data on behalf of the controller. Article 2(e) of the
Data Protection Directive” If an organization holds or processes personal data, but does
not exercise responsibility for or control over the personal data, then this organization is a
"processor." Examples of processors include payroll companies, accountants and market
research companies, call centres of telecom or financial companies, all of which could hold
or process personal information on behalf of someone else.
Data Subject: The natural person a personal data relates to. One individual person
(Directive goal, to give full control and knowledge about storing and
handling his/hers personal data)23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 3

4. GDPR says “WHAT” , It doesn’t say “HOW”
Nothing about:
» specific tools to use
» specific processes to use
» specific standards to use
» examples or templates for solutions
» Best practices for development or guidelines
actual ”privacy engineering (privacy by default)”
Specs from GDPR??

5. GDPR Demands (what) to system design (how)
At the moment guidelines are mostly at this level*
» “Proactive not Reactive; Preventative not Remedial”
» “Privacy as the Default Setting”
» “Privacy Embedded into Design”
» “End-to-End Security — Full Lifecycle Protection”
» “Respect for User Privacy — Keep it User-Centric”
Not so practical or useful for system owners or application developers
Ann Cavoukian, Ph.D. Information & Privacy Commissioner Ontario, Canada
P r i v a c y b y D e s i g n guideline: https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 5

6. Design principles – typical view and proposals
» Article 23 – “Data protection by design and by default”
» Minimise
» collect only a limited set of attributes
» Select before collect
» Anonymization and pseudonyms
» Hide
» hidden from application view if not necessary, e.g. technical admins login can not open data content
view
» use of encryption of data (when stored, or when in transit, key management -> encrypted back-ups)
» Control
» User centric identity management and end-to-end encryption support control.
» Providing users direct control over their own personal data
» Enforce
» A privacy policy compatible with legal requirements, and technical protection mechanisms that prevent
violations of the privacy policy.
» Demonstrate
» In case of complaints or problems, controllers must immediately be able to determine the extent of any possible
privacy breaches
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 6
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design

7. Personal Data Flow – subcontractor management (example)
Cloud based
storage in USAApplication
server in Finland
Administration
and support in
India
Remote
connections to
systems
API
Data
analytics
HTTPS / SSL encryption
Finland USA
EU India
API
Contractor
Vendor
Vendors
subsidiary
In all boxes, note:
• Data retention
(Right to erasure)
• Minimisation
• Agreements
Application
development
partner
Outside EU/ETA
Aditro’s Customer
Aditro
Data Subject
HTTPS / SSL encryption, EULA, Input forms

8. 8
I mage: Based on PrivaOn presentation
* https://www.enisa.europa.eu/topics/data-protection/privacy-enhancing-technologies (PET)
• ”Privacy by Design” is today undefined
• Official privacy by design will be defined aftre precedent legal
cases
Privacy
requirements
Security
requirements
PET*a
Evidence collection for accountability, technology (log, authentication) process (test reports, memos)
Backlog
P-I-A
Privacy Architecture
Threat analyzes
Security testing
Implementation
Auditing
Certification
Data access process
Data retention
Backups

9. Privacy inside application development process
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 9
X
http://privacypatterns.org/patterns/
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
Guide to Privacy by Design Documentation for Software Engineers
http://docs.oasis-open.org/pbd-se/pbd-se-annex/v1.0/cnd01/pbd-se-annex-v1.0-cnd01.html
https://www.ipc.on.ca/wp-content/uploads/Resources/pbd-primer.pdf
https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/risk/ca-en-ers-privacy-by-design-brochure.PDF

10. Excerpts from GDPR (total amount 85 Articles)
Article 30: “appropriate organisational and technical measures”
What is appropriate organizational and technical measures?
» Article 32 “Security of processing” “ongoing confidentiality, integrity, availability and
resilience of systems and services processing personal data”. The ability to restore the
availability and access to “data in a timely manner”.
To do: e.g. Documented security implementation, credible documented fault tolerance
» Breach notification process (article 33), For processor: ”alert and inform controllers
immediately”, no exact time in last regulation proposal. “without undue delay”. From Controller
to data subject time is 72hr.
To do : e.g. Every customer agreement must have exact time
No panic, communication: ” unless the personal data breach is unlikely to result a risk” vs. “breach
is likely to result in a high risk” = Encryption?
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 10

11. Practical implementations
» Article 35 Data protection impact assessment (P-I-A)
» To do: Formal risk analysis” “Privacy impact assesment” taken into account data
confidentiality”
To do: e.g. Where a type of processing in particular using new technologies, and taking
into account the nature, scope, context and purposes of the processing, is likely to result
in a high risk
» Article 28 “Processor”, “processor shall not enlist another processor without
the prior specific or general written consent of the controller.” , transfer data
without the approval of the organization originally supplying the data
To do: e.g. subcontractor management and contract requirements
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 11
http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data

12. Practical implementations
» Article 17 “right to erasure” (known as forgotten)
To do:
» Systems must have option to search and delete individual user data,
remove data away from “operative level”, not from backups, logs, etc.
» Personal data segregation (sensitive/general), retention time/data type,
automated processes to delete data (e.g. 10 years in bookkeeping)
» But no panic button needed! Note 1: ” taking account of available technology”
, note 2: “data retention for compliance with a legal obligation”
» Generally, sanctioning. GDPR gives data subjects a private right of action in EU
courts. Data subjects will have a right to money damages from either controllers
or processors for harm caused by processing personal data. Every article have
Sanctions 10/20 M€ or 2/4% turnover. no panic here, (scale is for Google,
Microsoft…
Accountability by Design for Privacy http://prescient-project.eu/prescient/inhalte/download/3-Butin.pdf
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 12

13. Practical implementations
» Article 14, “Right of access for the data subject (‘s personal data)”
data subject shall have the right to obtain:.. are being processed, where
processed, purpose of processing…”, “the recipients or categories of recipients
to whom the personal data have been or will be disclosed”
To do: Log management, at the moment no one knows exact requirements. After 2018,
after first legal cases there will be final answers. But, good educated guesses can be
done. Customers will be asking “all” to be sure. Big questions: what is recipient? Single
person or organization, Only data content?
» Article 22: ”be able to demonstrate that the processing of personal data is
performed in compliance with this Regulation”
To do: Evidence* proof information security, updated systems,
modern firewall, malware protection, documentation,
formal documented risk management, ISMS, ISO 27001, demonstrate somehow
to be compliant
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 13
http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data

14. Practical implementations
» Article 14, “Right of access for the data subject (‘s personal data)”
data subject shall have the right to obtain:.. are being processed, where
processed, purpose of processing…”, “the recipients or categories of recipients
to whom the personal data have been or will be disclosed”
To do: Log management, at the moment no one knows exact requirements. After 2018,
after first legal cases there will be final answers. But, good educated guesses can be
done. Customers will be asking “all” to be sure. Big questions: what is recipient? Single
person or organization, Only data content?
» Article 22: ”be able to demonstrate that the processing of personal data is
performed in compliance with this Regulation”
To do: Evidence* proof information security, updated systems,
modern firewall, malware protection, documentation,
formal documented risk management, ISMS, ISO 27001, demonstrate somehow
to be compliant
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 14
http://www.globalprivacybook.com/blog-european-union/306-accountability-and-protection-of-personal-data

15. The Fines
» The GDPR has increased fines for both data controllers and data processors who are prosecuted
for data protection breaches. Between 2 to 4% of global annual turnover.
» Fines can be levied for an infringement of the data controller’s or data processor’s obligations
under the GDPR and not just for data security breaches.
» NOTE: will be based upon the seriousness of the infringement and the circumstances of the case,
including : (next slide)
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 15

16. “Circumstances”
» The nature, gravity and duration of the infringement
» The purpose of the processing concerned
» The number of data subjects affected
» The level of damage suffered by data subjects (including infringement of their rights)
» Whether the infringement was intentional or negligent
» Any action taken by the controller or processor to mitigate the damage suffered by data subjects
» The degree of responsibility of the controller or processor taking into account technical and organisational measures implemented
» Any relevant previous infringements
» The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects
» The categories of personal data affected by the infringement
» The manner in which the infringement became known to the supervisory authority, in particular whether they were notified and if so, to what
extent
» Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
» Whether approved codes of conduct or approved certification mechanisms were in place
» Any other aggravating or mitigating factors, such as financial benefits gained, or losses avoided, as a result of the infringement.
» Encryption, as such, is not a panacea to all ills and you will still need to consider the 'organisational and technical' measures that are in place.
These are not just in relation to security risk assessments, general security management and the implementation of controls that ensure
personal data is protected, but potentially in documented privacy impact assessments. These are now mandatory where new processing
operations are likely to result in high risk* to the rights and freedoms of data subjects. The specification of measures required to reduce these
risks, including the potential need to seek prior approval from a supervisory authority (in some cases), is vital. Organisational measures include
the overall governance and compliance regime, in order to demonstrate compliance and ensure your obligations for 'accountability' are met and
maintained.
* The controller will need to define 'high risk' and in the event of doubt, seek prior approval for the processing from the supervisory authority.
23/01/2017 COPYRIGHT © ADITRO. ALL RIGHTS RESERVED. 16