GDPR for operations and development teams. GDPR includes the data protection by default and data protection by design principles, which can be troublesome if they are not taken into consideration at the beginning of the secure software development life cycle. What are the technical requirements that the regulation refers to as "state of the art"? What are the methods for implementing the risk-based approach of the General Data Protection Regulation?
3. GDPR for devs and ops
1. The fines
2. The risk based approach of GDPR
Development
1. Data protection by Design
2. Data protection by Default
Operations
1. Data breaches
2. Notification to the supervisory authority
3. Server and application logs
8. Conclusion
4. The Fines??!!
The Data Protection Ombudsman (tietosuojavaltuutettu) in Finland monitors compliance; their work is coordinated at EU-level.
The cost of falling foul of the rules can be high.
https://ec.europa.eu/justice/smedataprotect/index_en.htm
5. Risk Based Approach
● A risk is evaluated based on the impact it has, upon realization, on the individuals whose data you have
● IT security risk management framework; measures to mitigate risks for the individuals whose data are processed by adequately securing those data; make a data flow diagram to assist
● InfoSec (CIA triad, software security development lifecycle, OWASP Top 10 and so on..)
● When the processing is likely to result in a high risk to the rights and freedoms of natural persons, a Data Protection Impact Assessment (DPIA) is mandatory
Implement protective measures corresponding to the level of risk of the data processing.
If you don’t evaluate risks, you cannot be compliant.
7. Data protection by Design
Implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start.
- pseudonymise (replacing personally identifiable material with artificial identifiers) and/or anonymise personal data
- encrypt (encoding messages so only those authorised can read them)
- analyse risks
- make sure the entire lifecycle is managed in some way
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
8. Data protection by Default
By default, companies/organisations should ensure that personal data is processed with the highest privacy protection, so that by default personal data isn’t made accessible to an indefinite number of persons.
- process only necessary data
- store only for the needed period (not indefinitely)
- limit access to the data
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
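The two slides above, worked through in code. This is an added example and not code from the deck or from any project it mentions: a small pipeline that applies pseudonymisation (design) and data minimisation plus storage limitation (default) before customer records leave the system of record for an analytics store. The pseudonymisation key, the field names, the retention period and the sample records are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical secret for pseudonymisation. It is the "additional information"
# that has to be kept separately from the data set (e.g. in a secret store), so
# that a leak of the pseudonymised records alone does not re-identify anyone.
PSEUDONYMISATION_KEY = b"constructed-example-key-not-for-production"

# Direct identifiers that are replaced by tokens before data leaves the system of record.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")

# Data protection by default: the analytics purpose only needs these fields.
ANALYTICS_FIELDS = frozenset({"email_token", "country", "signup_channel", "created_at"})


def pseudonym(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed HMAC-SHA256 token: stable for the same input (records still join),
    but not reversible without the key. A plain unkeyed hash would be guessable
    for low-entropy inputs such as e-mail addresses."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(record: dict) -> dict:
    """Replace each direct identifier with a <field>_token and drop the original."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field + "_token"] = pseudonym(out.pop(field))
    return out


def minimise(record: dict, purpose_fields: frozenset) -> dict:
    """Keep only the fields necessary for the stated purpose (data minimisation)."""
    return {k: v for k, v in record.items() if k in purpose_fields}


def is_expired(created_at: datetime, now: datetime, retention_days: int) -> bool:
    """Storage limitation: data older than the retention period must not be kept."""
    return now - created_at > timedelta(days=retention_days)


def prepare_for_analytics(records: list, now: datetime, retention_days: int = 365) -> list:
    """Full pipeline: purge expired records, pseudonymise, then minimise."""
    kept = [r for r in records if not is_expired(r["created_at"], now, retention_days)]
    return [minimise(pseudonymise(r), ANALYTICS_FIELDS) for r in kept]


# Constructed sample customer records (not real people) and a fixed "now".
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "full_name": "Alice Example", "phone": "+358 40 000 0000",
     "country": "FI", "signup_channel": "web", "birth_date": "1990-01-01",
     "created_at": datetime(2018, 1, 10, tzinfo=timezone.utc)},
    {"email": "bob@example.org", "full_name": "Bob Example",
     "country": "SE", "signup_channel": "app",
     "created_at": datetime(2016, 3, 1, tzinfo=timezone.utc)},
]
EXAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Bob's record is older than the 365-day retention period and is purged;
    # Alice's record survives with tokens instead of identifiers and without birth_date.
    for row in prepare_for_analytics(SAMPLE_RECORDS, EXAMPLE_NOW):
        print(row)
```

The order matters: retention is applied first so expired data is never copied anywhere, tokens are derived with a key that lives outside the analytics store, and the purpose-specific field list is the only thing that decides what the downstream system sees. Adding a field to `ANALYTICS_FIELDS` is therefore a documented change that should trigger a re-evaluation of the risk.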
9. Data protection by Default and Design 1/2
“When developing, designing - producers of the products, services and applications should - take into account the right to data protection when developing and designing - products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.”
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall - implement appropriate technical and organisational measures - in an effective manner and to integrate the necessary safeguards”
● https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
10. Data protection by Default and Design 2/2
What this means is that the tools needed to be compliant have to be built into the software:
- individual rights (right to be forgotten, export data and so on…), with 1 to 3 months’ time to reply to the requests, whatever is considered reasonable, eg. for removing data permanently from backups
- pseudonymization
- logs (system level server logs, application level logs)
- encryption
- automatic opt-out
- and so on...
11. What is “state of the art”?
● A comprehensive and layered approach to modern cyber security standards, valid for both development and operations.
There is no way to be sure before a precedent.
Image source: http://www.pinsdaddy.com/physical-security-layers-diagrams_HnU2%7CpG1mJSga3a88AGjQfqCr53P6kJ1DBYnoK7DEEDzFOCEVmrX1Io5zWJOzcpcMBph1G%7ChIaTmilpU6g6uGw/
13. Data breaches
● Notification to the supervisory authority must be made within 72 hours after detecting the breach; it can be later if accompanied by reasons for the delay
● When there is no need to notify the data subject:
○ If “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. Remember the risk based approach.
○ If the data is encrypted
○ If the supervisory authority doesn’t say so :)
GDPR probably isn’t very actively supervised; authorities get their information from individuals whose rights have been violated or from data breach notifications.
So what about the fines when it comes to data breaches?
14. Notification to the supervisory authority
● Content of the notification:
○ describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
○ communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
○ describe the likely consequences of the personal data breach;
○ describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
● The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.
Where do we get all of this data for the notification..? → Server and application logs
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
15. Server and application logs
● You must have enough logs to do the required forensics on the breach
○ How much logging do you need? Risk based approach, don’t overdo it.
○ Prevent hackers from accessing the logs by having a dedicated log database
○ The CIA (confidentiality, integrity and availability) triad must be applied to logging as well
● Regular server logs might be enough, but...
○ Manage logs with ELK or some other tool
○ Implement machine learning to automate log analysis (eg. logz.io)
○ Take it to the next level
■ use threat hunting (HELK)
■ do auditing
■ build a SOC
■ run bug bounties
■ IPS, IDS, SIEM
■ and so on…
Logging is complicated; one solution is to outsource hosting to a GDPR compliant company (like wp-palvelu.fi).
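The previous two slides together: the notification needs the categories and approximate numbers of data subjects and records, and the only place those facts come from is the application log. The following added example (not code from the deck or from any tool it names) shows what an application-level access log has to contain for that to work, and derives the notification facts and the 72-hour deadline from it. The log format, the field names, the misused service account scenario and the mapping of categories to "high risk" are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Assumed application log format (constructed for this example):
# <ISO 8601 UTC timestamp> key=value key=value ...
# The CRM is assumed to log every read/export of a data subject's record, with
# the data category touched. Without the subject and category fields the
# notification could not state who and what was affected.
SAMPLE_LOG = """\
2018-05-25T10:15:02Z app=crm user=alice action=READ subject=1001 category=contact
2018-05-26T02:03:11Z app=crm user=svc_export action=READ subject=1042 category=contact
2018-05-26T02:03:12Z app=crm user=svc_export action=READ subject=1042 category=billing
2018-05-26T02:03:15Z app=crm user=svc_export action=READ subject=1043 category=contact
2018-05-26T02:03:19Z app=crm user=svc_export action=EXPORT subject=1044 category=health
2018-05-26T08:45:00Z app=crm user=bob action=READ subject=1042 category=contact
2018-05-27T01:00:00Z app=crm user=svc_export action=READ subject=1045 category=contact
"""

# Example mapping of categories that raise the risk for the data subject
# (an assumption for this example; align it with your own data classification).
HIGH_RISK_CATEGORIES = {"health", "billing"}

# Notification to the supervisory authority: 72 hours from becoming aware of the breach.
NOTIFICATION_DEADLINE = timedelta(hours=72)


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with a timezone-aware 'ts' field."""
    ts_text, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def notify_by(detected_at: datetime) -> datetime:
    return detected_at + NOTIFICATION_DEADLINE


def breach_summary(events: list, actor: str, window_start: datetime, window_end: datetime,
                   detected_at: datetime) -> dict:
    """Collect the facts the notification has to describe: categories and approximate
    number of data subjects and records, plus the deadline and whether the categories
    involved raise the risk level for the people concerned."""
    hits = [e for e in events
            if e.get("user") == actor and window_start <= e["ts"] <= window_end]
    subjects = {e["subject"] for e in hits}
    records = {(e["subject"], e["category"]) for e in hits}
    categories = {e["category"] for e in hits}
    return {
        "actor": actor,
        "events": len(hits),
        "subjects": len(subjects),
        "records": len(records),
        "categories": sorted(categories),
        "high_risk": bool(categories & HIGH_RISK_CATEGORIES),
        "detected_at": detected_at,
        "notify_by": notify_by(detected_at),
    }


# Constructed scenario: the service account svc_export was misused during a
# one-hour window on 26 May and the misuse was noticed the next morning.
WINDOW_START = datetime(2018, 5, 26, 2, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 5, 26, 3, 0, tzinfo=timezone.utc)
DETECTED_AT = datetime(2018, 5, 27, 9, 0, tzinfo=timezone.utc)


def example_summary() -> dict:
    return breach_summary(parse_log(SAMPLE_LOG), "svc_export", WINDOW_START, WINDOW_END, DETECTED_AT)


if __name__ == "__main__":
    for key, value in example_summary().items():
        print(f"{key}: {value}")
```

The summary is only as good as the log: if the application logged "user=svc_export action=EXPORT" without the subject or category, the "approximate number of data subjects concerned" could not be answered at all. That is the practical reason the CIA triad applies to logs: they must be complete (availability), trustworthy for the investigation (integrity) and, since they now list which people's data was touched, protected like personal data themselves (confidentiality).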
17. Conclusion
● Analyze the risks
● If you don’t have sensitive data, there’s no point in going the extra mile
● Remember the data lifecycle when designing systems
● Use best practices and write safe code (owasp 10, sanitize everything and so on)
● Encryption (symmetric: AES, 3DES; asymmetric: RSA)
● Data loss prevention
● Always have a recovery plan (breaches, errors, breakdowns...)
● Document changes, changes may require re-evaluating risks and impact analysis
● Do security testing (eg. penetration testing)
● Get a cyber security certificate (eg. FINCSC)
● Get somebody (eg. Nixu) to audit the level of compliance
● Automate everything you just possibly can to make this process more painless.
● Build a solid documentation to verify compliance and update it every year.
19. Sources and additional reading
● European Commission. January 2017. Instructions for small businesses. https://ec.europa.eu/justice/smedataprotect/index_en.htm
● General Data Protection Regulation 2016/679. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN
● Regulation on Privacy and Electronic Communications (aka ePrivacy Regulation). https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:52017PC0010
● European Data Protection Supervisor. May 2018. Preliminary Opinion on privacy by design. https://edps.europa.eu/sites/edp/files/publication/18-05-31_preliminary_opinion_on_privacy_by_design_en_0.pdf