Privacy by design: who does what? · Six phases of the SDLC Waterfall Model Requirements •Perform...
Privacy by design: who does what?
Gordon Wade
Data Privacy and Protection Lawyer
PwC Legal Middle East, Dubai, UAE
“there is no one and only secure cloud for all purposes … for the cloud you also have to ask for which purposes it is to be used in each case. For the respective purposes, suitable security safeguards can be found.”
German Federal Office for Information Security
“Secure Use of Cloud Services”
Cloud Service Providers: Adopting Privacy by Design
Concept has rapidly evolved in two main areas:
Information Management
Implementing collection, management and de-identification processes to enable e.g. analytics whilst taking into consideration data privacy requirements
• Processes and procedures
• Access control
• Audits
• Information paper trail
Architectural Design
Building the right systems architectures in order to comply with the current regulatory environment, including tools and processes to mitigate data subject privacy concerns
• Classification of information confidentiality
• Encryption portability
• Distributed storage
Saudi Arabia: Cloud Computing Regulatory Framework
• 2018 - Saudi Communications and Information Technology Commission (CITC) issued a novel and innovative regulatory framework for cloud computing
• Updated in Feb 2019
• Based on international best practice and public consultation (rare for the ME)
• One of only a few examples of cloud-specific regulatory frameworks around the world
Background
[Map slide: Saudi Arabia and its regions, with neighbouring Middle East countries and capitals; no further content]
Cloud Regulatory Framework
Scope
• Governs the rights and obligations of cloud service providers (CSPs), cloud customers, government entities and businesses
• Binds CSPs who conclude agreements for cloud services with cloud customers resident or with an address in KSA
• Also applies:
1) where a CSP is processing or storing cloud customer information in KSA
2) to the ownership, operation, or offering of access to datacenters or cloud systems in KSA
Privacy and Security
• Cloud customer data subject to different levels of security, depending on the required level of preservation of its confidentiality, integrity, and availability
Cloud Regulatory Framework
Security in Design
CSPs must:
• design their clouds with such security features necessary to provide appropriate levels of protection
• inform cloud customers of these security features
To be allowed to register, a CSP's cloud must be of an acceptable quality and sufficiently secure based on:
• resources dedicated to cloud computing
• relevant experience
• technical standards complied with by the CSP, including:
• CITC Standards, Guidelines, Guides or Codes of Practice
• any other demonstrably equivalent or superior technical standards
Security in Delivery
Cloud customers are responsible for:
• selecting the appropriate information security level which best matches their specific needs, duties, obligations and security requirements
• implementing all info-sec features required for their information in the cloud
Europe
European Cloud Initiative
Secure Use of Cloud Services
European Cloud Initiative
“a secure environment where privacy and data protection must be guaranteed by design, based on recognised standards, and where users can be confident concerning data security and liability risks.”
“need to ensure that the initiative implements "by-design" the legal principles at the earliest possible stage.”
Secure Use of Cloud Services
Focus on the Cloud User
Developing and implementing a cloud strategy:
1. Create a project team with decision-makers for the IT strategy and for the corporate strategy represented
2. Conduct a Feasibility Study
3. Examine the legal framework requirements
4. Is the organisation mature enough to be able to use cloud services?
5. Conduct a Risk Assessment to classify the information requiring protection
6. Compile a Security Concept that defines information security safeguards
• Cloud User and CSP
CSPs: Designing a cloud infrastructure
• Build configurable encryption techniques into cloud infrastructure
• Automate compliance with always-on auditing
• Assess adequacy and effectiveness of ‘tech and org measures’
• Conduct PIAs in the cloud design phase and iteratively feed outputs into the design process
• Personalised risk assessments for cloud customers
Cloud environments can involve a range of different services with correspondingly different levels of privacy and security required
PbD for cloud designers, architects, developers
Data Minimisation
• Analyse the system to assess how to give effect to data minimisation
• Apply anonymisation techniques
Data Security
• Tamper-resistant hardware to protect data in transit and at rest
• Availability of user access controls
User Control
• Permit users to state preferences for data management
• Design systems to enable prompt response to user data access requests
Purpose Limitation
• Digital Rights Management techniques and privacy policies to ensure the purpose of data is checked against lawful purposes
Transparency
• Design human and graphical user interfaces to clearly demonstrate data uses
• Design processes, apps and services to enable users to make informed decisions
PETs in the data life cycle
Data life cycle | Privacy principles | Privacy protection measures | Examples of PETs
Collection | Proportionality and purpose specification | Data minimisation | Anonymous communications; group and blind signatures; ISO
Storage | Accountability; Confidentiality | Security measures; Encryption by default | 
Sharing and processing | Accountability; Data access control | Security measures; Privacy dashboard | 
Deletion | Openness; Confidentiality | Right to delete; Deletion; Anonymisation | Protocols; Hash functions; ISO
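The slides above list data minimisation, anonymisation, purpose limitation, access control and the right to delete as design measures, and the PETs table names hash functions and encryption as tools. The following is an added example written for this page, not code from the presentation or from any provider it names. It shows how those measures look when a developer actually builds them into a data store: attributes are dropped at collection unless an agreed purpose needs them, subjects are keyed by an HMAC pseudonym rather than a bare hash (a plain SHA-256 of an e-mail address can be recomputed by anyone who guesses the address, so it is a pseudonym but not an anonymisation), every read is checked against the purposes agreed at collection, and deletion plus key destruction implement the right to delete. The purpose-to-attribute policy, the sample record and all names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed example policy (an assumption for this demo): the attributes each
# declared processing purpose is allowed to collect and use. Anything not listed
# for an agreed purpose is dropped at collection time (data minimisation).
PURPOSE_FIELDS = {
    "billing": {"email", "postal_address", "plan"},
    "analytics": {"country", "plan"},
}


class PurposeViolation(PermissionError):
    """Raised when data is requested for a purpose the subject never agreed to."""


def minimise(raw, purpose):
    """Return only the attributes the declared purpose needs."""
    if purpose not in PURPOSE_FIELDS:
        raise PurposeViolation(f"undeclared purpose: {purpose}")
    return {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}


def bare_hash(identifier):
    """Shown for contrast only: an unkeyed hash of a low-entropy identifier such
    as an e-mail address can be recomputed by anyone, so it is not anonymous."""
    return hashlib.sha256(identifier.encode()).hexdigest()


class PrivacyStore:
    """Toy personal-data store keyed by HMAC pseudonyms rather than raw identifiers."""

    def __init__(self, key=None):
        # The pseudonymisation key is a secret held by the controller; without it
        # the stored pseudonyms cannot be linked back to the identifiers.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._records = {}  # pseudonym -> {"purposes": set, "data": dict}

    def pseudonym(self, identifier):
        if self._key is None:
            raise RuntimeError("pseudonymisation key has been destroyed")
        return hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:32]

    def collect(self, identifier, raw, purposes):
        """Store a record, keeping only attributes needed by the agreed purposes."""
        data = {}
        for purpose in purposes:
            data.update(minimise(raw, purpose))
        pid = self.pseudonym(identifier)
        self._records[pid] = {"purposes": set(purposes), "data": data}
        return pid

    def read(self, identifier, purpose):
        """Purpose-limitation check: refuse reads for purposes not agreed at collection."""
        record = self._records.get(self.pseudonym(identifier))
        if record is None:
            raise KeyError("no record for this subject")
        if purpose not in record["purposes"]:
            raise PurposeViolation(f"'{purpose}' was not an agreed purpose")
        return minimise(record["data"], purpose)

    def delete(self, identifier):
        """Right to delete: remove the subject's record; True if something was removed."""
        return self._records.pop(self.pseudonym(identifier), None) is not None

    def destroy_key(self):
        """Crypto-shredding: once the key is gone, remaining pseudonyms are unlinkable."""
        self._key = None

    def record_count(self):
        return len(self._records)


if __name__ == "__main__":
    # Constructed sample record; "ssn" is needed by no purpose and is never stored.
    store = PrivacyStore()
    raw = {"email": "alice@example.com", "postal_address": "1 Main St",
           "plan": "pro", "country": "AE", "ssn": "000-00-0000"}
    store.collect("alice@example.com", raw, ["billing", "analytics"])
    print(store.read("alice@example.com", "analytics"))
```

The design choice worth noting is that the purpose check sits in the read path, not in a policy document: a request for a purpose the subject did not agree to fails in code, which is what "data protection as the default setting" means in practice. Keying the pseudonym also gives a deletion mechanism the PETs table hints at with "hash functions": destroying the key turns every remaining pseudonym into data the controller can no longer link to a person.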
Cloud Customer: Implementing a cloud infrastructure
• Assess current IT environment and evaluate interactions with personal data
• Consider business priorities in order to incorporate solutions that:
- are technologically current
- meet compliance requirements
- don’t create unnecessary exposure or costs
• Existing architectures can be rife with manual processes, risk intolerance, and an inability to adapt to business innovation
Introspection
• Develop a clear view of the cloud architecture’s ability to satisfy legal requirements
• Understand the considerations to be made to implement adequate security and privacy safeguards
Readiness Assessment
• Assess the tech-driven requirements of the GDPR against the firm’s tech capabilities
• Cover:
- data lifecycle management process
- associated policies
- infrastructure
- security
- controls
• Gap analysis will expose deficiencies, vulnerabilities, potential threats, and areas of non-compliance
Gap Analysis
Embedding PbD into system development life cycles (SDLC)
Embed data protection into the design
Ø Protection embedded into design and architecture of IT systems, tech infrastructure, business practices
Ø Integral part of any initiative from the outset
E.g. Creating a corporate culture where privacy and data protection are tone-at-top.
Support accountability
Ø Assign, document and communicate accountability for policies and procedures
E.g. Routine audits of privacy and data protection compliance
Maintain transparency
Ø All practices operate in compliance with the privacy practices
Ø Data subjects receive proper notice of privacy practices
E.g. Notices identify purposes for which personal data is collected, used, retained and disposed of
Data protection the default setting
Ø Protection built into IT systems, tech infrastructure, business practices by default
Ø Data automatically protected
E.g. Automatically setting consent choices to opt-out so data subjects don’t have to do anything to opt-out manually
PbD in a SDLC Waterfall Model
Waterfall Model
• Uses a linear series of phases where the output of each phase becomes the input for the next phase
• Each phase has a hard stop; there is no going back once a phase has reached completion
• Privacy Threshold Analyses, PIAs, and DPIAs conducted during the first two phases will increase the likelihood that “PbD” is embedded into projects at the outset
• Projects with personal data should have strong change-management controls and not advance to the next phase until privacy and data protection requirements are approved
Six phases of the SDLC Waterfall Model
Requirements
• Perform initial PTA, PIA, DPIA
• Review data privacy and security policies, standards, and controls to ensure compliance
• Define baseline and custom privacy system requirements
Design
• Minimise data
• Perform formal PTA, PIA, DPIA
• Analyse relevant privacy controls to ensure they are designed, developed and implemented
• Design and implement feedback to control privacy mechanisms
Develop
• Proper lawful basis for personal data collection, use, disclosure, retention
• Transparency to data subjects
• Implement appropriate security measures
• Perform ongoing testing and evaluation
Test
• Monitor and report privacy controls through periodic testing and evaluation
Deploy
• Integrate new privacy protection controls into systems
• Analyse privacy policies, standards, procedures, systems performance for irregularities
Maintain
• Ensure proper management of new applications and technology in production
Key roles and responsibilities
Project Management Office
• Embeds “PbD” into projects at the outset
• Contributes to PTA/PIA/DPIAs during the appropriate phases
• Promotes accountability across projects
• Ensures appropriate oversight of service providers
Information Security
• Implements privacy and security measures
• Contributes to PTA/PIA/DPIA during the appropriate phases of the SDLC process
Information Technology
• Considers privacy issues at all phases of the design and development
• Oversees maintenance of data management procedures
• Provides privacy and security training
• Regularly assesses privacy and security impact of projects
Business Representatives
• Define the business requirements with privacy in mind at the outset
• Responsible for complying with privacy policies, standards and procedures on data collection, use, retention, disposal
Privacy Office
• Oversees the Privacy Program
• Embeds “PbD” into the design and operation of IT operational infrastructure and business practices