Privacy by design: who does what?

Transcript of the slide deck (18 slides)

Page 1

Privacy by design: who does what?

Gordon Wade

Data Privacy and Protection Lawyer

PwC Legal Middle East, Dubai, UAE

Page 2

“there is no one and only secure cloud for all purposes … for the cloud you also have to ask for which purposes it is to be used in each case. For the respective purposes, suitable security safeguards can be found.”

German Federal Office for Information Security

“Secure Use of Cloud Services”

Page 3

Cloud Service Providers: Adopting Privacy by Design

The concept has rapidly evolved in two main areas:

Information Management

Implementing collection, management and de-identification processes to enable e.g. analytics whilst taking into consideration data privacy requirements

• Processes and procedures
• Access control
• Audits
• Information paper trail

Architectural Design

Building the right systems architectures in order to comply with the current regulatory environment, including tools and processes to mitigate data subject privacy concerns

• Classification of information confidentiality
• Encryption portability
• Distributed storage

Page 4

Saudi Arabia: Cloud Computing Regulatory Framework

• 2018: the Saudi Communications and Information Technology Commission (CITC) issued a novel and innovative regulatory framework for cloud computing
• Updated in February 2019

• Based on international best practice and public consultation (rare for the ME)

• One of only a few examples of cloud-specific regulatory frameworks around the world

Background

[Map: Saudi Arabia and the neighbouring countries of the Gulf and wider Middle East]

Page 5

Cloud Regulatory Framework

Scope

• Governs the rights and obligations of cloud service providers (CSPs), cloud customers, government entities and businesses

• Binds CSPs who conclude agreements for cloud services with cloud customers resident or with an address in KSA

• Also applies:
  1) where a CSP is processing or storing cloud customer information in KSA
  2) to the ownership, operation, or offering of access to datacenters or cloud systems in KSA

Privacy and Security

• Cloud customer data is subject to different levels of security, depending on the required level of preservation of its confidentiality, integrity and availability

Page 6

Cloud Regulatory Framework

Security in Design

CSPs must:

• design their clouds with the security features necessary to provide appropriate levels of protection
• inform cloud customers of these security features

To be allowed to register, a CSP's cloud must be of acceptable quality and sufficiently secure, based on:

• resources dedicated to cloud computing
• relevant experience
• technical standards complied with by the CSP, including:
  • CITC Standards, Guidelines, Guides or Codes of Practice
  • any other demonstrably equivalent or superior technical standards

Security in Delivery

Cloud customers are responsible for:

• selecting the appropriate information security level which best matches their specific needs, duties, obligations and security requirements

• implementing all info-sec features required for their information in the cloud

Page 7

Europe

European Cloud Initiative

Secure Use of Cloud Services

Page 8

European Cloud Initiative

“a secure environment where privacy and data protection must be guaranteed by design, based on recognised standards, and where users can be confident concerning data security and liability risks.”

“need to ensure that the initiative implements "by-design" the legal principles at the earliest possible stage.”

Secure Use of Cloud Services

Focus on the Cloud User

Developing and implementing a cloud strategy:

1. Create a project team with decision-makers for the IT strategy and for the corporate strategy represented

2. Conduct a feasibility study

3. Examine the legal framework requirements

4. Is the organisation mature enough to be able to use cloud services?

5. Conduct a risk assessment to classify the information requiring protection

6. Compile a security concept that defines information security safeguards (Cloud User and CSP)

Page 9

Page 10

CSPs: Designing a cloud infrastructure

• Build configurable encryption techniques into the cloud infrastructure
• Automate compliance with always-on auditing
• Assess the adequacy and effectiveness of ‘technical and organisational measures’
• Conduct PIAs in the cloud design phase and iteratively feed the outputs into the design process
• Personalised risk assessments for cloud customers: cloud environments can involve a range of different services with correspondingly different levels of privacy and security required

Page 11

PbD for cloud designers, architects, developers

Data Minimisation
• Analyse the system to assess how to give effect to data minimisation
• Apply anonymisation techniques

Data Security
• Tamper-resistant hardware to protect data in transit and at rest
• Availability of user access controls

User Control
• Permit users to state preferences for data management
• Design systems to enable prompt response to user data access requests

Purpose Limitation
• Digital Rights Management techniques and privacy policies to ensure the purpose of data is checked against lawful purposes

Transparency
• Design human and graphical user interfaces to clearly demonstrate data uses
• Design processes, apps and services to enable users to make informed decisions

Page 12

PETs in the data life cycle

Data life cycle | Privacy principles | Privacy protection measures | Examples of PETs
Collection | Proportionality and purpose specification | Data minimisation | Anonymous communications; group and blind signatures; ISO
Storage | Accountability; Confidentiality | Security measures; Encryption by default | (none listed on the slide)
Sharing and processing | Accountability | Security measures; Data access control | Privacy dashboard
Deletion | Openness; Confidentiality | Right to delete; Deletion; Anonymisation | Protocols; Hash functions; ISO

Responsibility labels shown on the slide: CSP, CSP, Cloud Customer, Cloud Customer
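The following Python is an added example, not part of these slides or of any PwC material. It ties together the "Apply anonymisation techniques" item on the Data Minimisation slide and the "Hash functions" and "Anonymisation" entries in the Deletion row above: it pseudonymises a constructed customer table with a keyed hash (HMAC-SHA256), shows that the analytics use case still works on the minimised table, shows why an unkeyed SHA-256 of a phone number is not anonymisation (the identifier space is enumerable), and shows that destroying the key at the Deletion stage is what turns the pseudonyms into anonymous data. The sample records, the `KeyStore` class and the phone-number format are constructed for the example; the assumption that the key lives in a separate KMS/HSM with its own access control is stated in the code.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample records (not real data): a cloud customer's table holding
# a direct identifier (phone number) that the analytics use case does not need.
SAMPLE_RECORDS = [
    {"phone": "+966500000001", "city": "Riyadh", "plan": "gold"},
    {"phone": "+966500000002", "city": "Jeddah", "plan": "basic"},
    {"phone": "+966500000003", "city": "Riyadh", "plan": "basic"},
]


class KeyStore:
    """Stand-in for the separate key store this example assumes: a KMS or HSM
    with its own access control, never co-located with the pseudonymised data."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def create(self, key_id: str) -> bytes:
        self._keys[key_id] = secrets.token_bytes(32)  # 256-bit HMAC key
        return self._keys[key_id]

    def get(self, key_id: str) -> Optional[bytes]:
        return self._keys.get(key_id)

    def destroy(self, key_id: str) -> None:
        # Deletion phase: destroying the key makes every pseudonym derived from
        # it permanently unlinkable, anonymising the stored table without
        # having to find and rewrite each row.
        self._keys.pop(key_id, None)


def plain_hash_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Deterministic and one-way, which is
    why it is often mistaken for anonymisation. Phone numbers, national IDs and
    e-mail addresses come from a small, enumerable space, so anyone holding the
    table can rebuild the identifier -> hash mapping (see enumerate_identifiers)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: linkable across records while the key exists,
    and not enumerable by anyone who does not hold the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Data minimisation at collection/storage: replace the direct identifier
    with a keyed pseudonym and keep only the attributes analytics needs."""
    return [
        {"subject_id": keyed_pseudonym(r["phone"], key),
         "city": r["city"], "plan": r["plan"]}
        for r in records
    ]


def plans_per_city(records: List[dict]) -> Dict[str, int]:
    """The analytics use case still works on the pseudonymised table."""
    return dict(Counter(r["city"] for r in records))


def enumerate_identifiers(target: str, pseudonym_fn: Callable[[str], str],
                          prefix: str = "+9665000000", digits: int = 2) -> Optional[str]:
    """Dictionary attack: walk the identifier space and compare outputs.
    The constructed space here is 100 numbers; a national numbering plan is
    around 1e9, still trivial. Succeeds against an unkeyed hash, and against a
    keyed pseudonym only if the attacker can call the keyed function, which is
    why access to the key is the control that matters."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("customer-42-pseudonym-key")
    table = pseudonymise(SAMPLE_RECORDS, key)
    print(plans_per_city(table))
    print(enumerate_identifiers(plain_hash_pseudonym("+966500000002"), plain_hash_pseudonym))
    store.destroy("customer-42-pseudonym-key")
    print(store.get("customer-42-pseudonym-key"))
```

The design point is the split of responsibilities the slide title asks about: the cloud customer decides which attributes the use case needs and keeps the pseudonymisation key under its own control, while the stored table (whether on the CSP's infrastructure or not) never contains the direct identifier. Rotating or destroying the key is a single privileged operation rather than a scan of every row.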

Page 13

Cloud Customer: Implementing a cloud infrastructure

Introspection

• Assess the current IT environment and evaluate interactions with personal data
• Consider business priorities in order to incorporate solutions that:
  - are technologically current
  - meet compliance requirements
  - don't create unnecessary exposure or costs
• Existing architectures can be rife with manual processes, risk intolerance, and an inability to adapt to business innovation

Readiness Assessment

• Develop a clear view of the cloud architecture's ability to satisfy legal requirements
• Understand the considerations to be made to implement adequate security and privacy safeguards

Gap Analysis

• Assess the tech-driven requirements of the GDPR against the firm's tech capabilities
• Cover:
  - data lifecycle management process
  - associated policies
  - infrastructure
  - security
  - controls
• The gap analysis will expose deficiencies, vulnerabilities, potential threats, and areas of non-compliance

Page 14

Embedding PbD into system development life cycles (SDLC)

Embed data protection into the design

• Protection embedded into the design and architecture of IT systems, tech infrastructure and business practices
• An integral part of any initiative from the outset

E.g. creating a corporate culture where privacy and data protection are tone-at-the-top.

Support accountability

• Assign, document and communicate accountability for policies and procedures

E.g. routine audits of privacy and data protection compliance

Maintain transparency

• All practices operate in compliance with the stated privacy practices
• Data subjects receive proper notice of privacy practices

E.g. notices identify the purposes for which personal data is collected, used, retained and disposed of

Data protection as the default setting

• Protection built into IT systems, tech infrastructure and business practices by default
• Data automatically protected

E.g. automatically setting consent choices to opt-out so data subjects don't have to do anything to opt out manually

Page 15

PbD in a SDLC Waterfall Model

Waterfall Model

• Uses a linear series of phases where the output of each phase becomes the input for the next phase
• Each phase has a hard stop; there is no going back once a phase has reached completion
• Conducting Privacy Threshold Analyses (PTAs), PIAs and DPIAs during the first two phases increases the likelihood that PbD is embedded into projects at the outset
• Projects involving personal data should have strong change-management controls and not advance to the next phase until privacy and data protection requirements are approved

Page 16

Six phases of the SDLC Waterfall Model

Requirements

• Perform initial PTA, PIA, DPIA

• Review data privacy and security policies, standards, and controls to ensure compliance

• Define baseline and custom privacy system requirements

Design

• Minimise data

• Perform formal PTA, PIA, DPIA

• Analyse relevant privacy controls to ensure they are designed, developed and implemented

• Design and implement feedback to control privacy mechanisms

Develop

• Proper lawful basis for personal data collection, use, disclosure, retention

• Transparency to data subjects

• Implement appropriate security measures

• Perform ongoing testing and evaluation

Test

• Monitor and report privacy controls through periodic testing and evaluation

Deploy

• Integrate new privacy protection controls into systems

• Analyse privacy policies, standards, procedures, systems performance for irregularities

Maintain

• Ensure proper management of new applications and technology in production

Page 17

Key roles and responsibilities

Project Management Office
• Embeds PbD into projects at the outset
• Contributes to PTA/PIA/DPIAs during the appropriate phases
• Promotes accountability across projects
• Ensures appropriate oversight of service providers

Information Security
• Implements privacy and security measures
• Contributes to PTA/PIA/DPIAs during the appropriate phases of the SDLC process

Information Technology
• Considers privacy issues at all phases of design and development
• Oversees maintenance of data management procedures
• Provides privacy and security training
• Regularly assesses the privacy and security impact of projects

Business Representatives
• Define the business requirements with privacy in mind at the outset
• Responsible for complying with privacy policies, standards and procedures on data collection, use, retention and disposal

Privacy Office
• Oversees the Privacy Program
• Embeds PbD into the design and operation of IT operational infrastructure and business practices

Page 18

Gordon Wade

Data Privacy and Protection Lawyer

PwC Legal Middle East, Dubai, UAE