PC PORTAL

Experienced. Trusted. Solutions.

GDPR

By

Using ISO 27001 to guide your GDPR breach response plan

Among the many changes GDPR will usher in, one of the biggest for many organisations will be mandatory breach reporting. From May 25, all organisations holding personal data about European Union residents must disclose a breach if it is “likely to result in risk to personal data”.

What’s more, organisations must report such breaches within 72 hours of discovering one. Reacting in such a short timeframe calls for a robust response plan. Unfortunately, experience to date suggests such plans tend to be conspicuously absent. The ISO 27001 Information Security Standard can help.

ISO 27001 can enable organisations to map an incident response plan that covers not just IT, but also people and processes. A good plan will cover the following steps:

  • Detect
  • Contain
  • Eradicate
  • Remediate
  • Recover
  • Review
  • Communicate.

Who implements the plan?

Incident response often falls solely – and unfairly – on the shoulders of the IT team. “It can’t just be the IT person’s job. It has to involve the whole business: this is a business risk and a business issue,” said Brian Honan. He added that GDPR applies to physical information, not just data on IT systems. Brian was speaking as part of a panel discussion on GDPR at the ISO 27001 Ireland event last week.

He recommended that a security response team should include representatives from information security, operations, HR, legal, PR, and facilities management. HR should be involved because if it’s an internal breach, the organisation may need to discipline a member of staff. Recovering from a breach often creates a fraught, high-pressure environment. HR can also play a role by helping to coach employees and manage their time. “Breaches don’t just happen between the hours of 9 and 5,” Brian said.

Involving a legal team is also important because organisations will probably need to deal with the appropriate data protection authority. “Speak the right language to the right people. You don’t want to open a can of worms by saying wrong thing to the regulator,” Brian said.

Sending the right message

Too often, organisations fall back on stock answers like “a sophisticated breach” when there’s little evidence to support the claim. Having PR expertise on the incident response team helps to ensure the organisation’s public statements are consistent, timely and truthful.

Brian also recommended including a representative from facilities management on the team. That’s particularly useful if a breach involved a break-in where CCTV cameras and physical security could prove vital.

“The key thing is, engage early with the business, find out what is important to them. Find out what you need to have in place. Establish relationships. Know who you need to contact in the regulator’s office or the supervisory office, find out what way you will contact them. And other relevant bodies you may need to contact. And think about what external expertise you may need. It’s important that you have those contact details already,” Brian said.

Ensuring transparency

To make sure the response process is repeatable, Brian recommended documenting all policies and procedures. “Transparency is important… It’s very easy to get caught in heat of moment in a breach, but then afterwards, can you recall what happened?”

Data breach notification also brings suppliers under its umbrella since many organisations now outsource their data hosting to third parties. “If your data is in a data centre or with a hosting provider, do you have an agreement in place so that they will let you know if they have had a breach? That’s a new thing to worry about. You may have to report a breach because one of your suppliers has had a breach,” Brian said.

Alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach. The 72-hour reporting window means that you don’t need detailed forensic analysis to start with. That can happen at a later stage. Teams should identify tools or software they will need both to detect possible breaches and to manage the response process. Brian suggested using examples like last year’s Equifax breach as the scenario for a desktop exercise to practice breach response. “If your vulnerability scanner didn’t work, how would you act? Use it as a learning mechanism,” he said.

People power

Staff training can also strengthen an organisation’s ability to spot potential breaches as well as responding to them. Brian referred to the Verizon Data Breach Investigations Report which found that many breaches come to light not via tools but through people noticing something strange. “The number one detection tool we have is our staff,” he said.

The last reason for implementing a breach response plan is simply reputation management. “It’s not that you’ve had a security breach that will damage your brand, it’s how well you respond,” Brian concluded.

The post Using ISO 27001 to guide your GDPR breach response plan appeared first on BH Consulting.

By

Permission slip: what consent means and where it really applies to GDPR

As data protection and privacy professionals, we use terms from data protection legislation daily and they roll off the tongue as if we were born knowing what the words mean. The problem is, GDPR contains words that have both a legal meaning and a different semantic meaning.

Talking with consumers and clients, I realise that we must temper our language carefully. As practitioners, we understand the legal meaning and frequently we don’t account for clients only understanding the semantic meaning.

You say consent, I say ‘consent’

The domain of GDPR where I have felt this disparity most strongly is with the legal instrument referred to in the GDPR as ‘consent ’. Beyond GDPR’s ‘consent as legal basis for processing data’, many other forms of consent exist in our society . I recently gave a talk to a group of executives on GDPR and when I discussed ‘consent’ as a legal basis for processing, one individual in the audience noted how horrified he was that Ireland was reducing the age of consent from 16 to 13. Realising his confusion, I quickly reaffirmed that the ‘consent’ I was referring to was as a legal instrument for certain types of processing such as e-marketing – and no other kind.

Recent media coverage of the Ulster Rugby   players trial made me realise how clear we must be with clients and others when expressing ourselves about ‘consent’.  So, if you aren’t doing so already, I encourage you to explain to your clients not just the differences between consent and the other legal instruments in the GDPR, but the actual meaning of consent under GDPR.

Consent and permission ≠ the same

The second issue I have encountered is that I so frequently encounter people who do not understand ‘consent‘ in GDPR terms and who confuse it in that context with ‘consent’ in its literal sense.

It is an understandable confusion, as consent in its literal sense means ‘permission for something to happen or agreement to do something’. In GDPR, consent can only be provided and revoked from processing that is undertaken using consent as the legal basis for processing. I have found that organisations (and data subjects) often discuss how they will facilitate ‘revoking consent’ from processing of information that is processed under a  legal basis other than consent.

Lawful bases for processing data

Elizabeth Denham, the UK Information Commissioner, summarised this issue succinctly when she noted that headlines about consent often lack context or understanding about all the different lawful bases that organisations will have for processing personal information under the GDPR. For processing to be lawful under the GDPR, at least one lawful basis is required.

Consider the following  examples: a government body processing property tax information; banks sharing data for fraud protection purposes; or insurance companies processing claims information. All these examples require a different lawful basis for processing personal information that isn’t ‘consent’. Each legal instrument has its own set of requirements. If the legal basis for processing is, for example, legitimate interest, the GDPR outlines a completely different set of requirements. In such cases, you do not need consent. This also means that the rules for ‘consent’, such as positive affirmative opt-ins, and freedom to change preferences etc. are only mandatory for consent-based processing.

With less than a month to go until GDPR , some organisations may still be grappling with the issue of ‘consent’ and the related implications for data processing under a misunderstanding of the meaning and where it applies. For our part, privacy professionals can help by being completely clear in how we communicate – while watching for signs that our intended audience understands what we mean. The regulation will be with us for a long time to come after 25 May. It is always worthwhile to ensure privacy policies apply ‘consent’ only where it’s legally necessary to do so.

The post Permission slip: what consent means and where it really applies to GDPR appeared first on BH Consulting.

By

GDPRubbish: seven common data protection myths debunked

I have been evangelising about GDPR for almost two years, professionally and personally. It’s a powerful piece of legislation designed to empower citizens of Europe and to deter the inappropriate information management practices of the past. It aims to rebalance a data subject’s control over information with the organisation’s need to maximise use and profit from that information.

During the various communication sessions which I have been privileged to run as a member of the BH team, I have been asked many questions. Some have been easy: the yes and no kind with reference to the article in GDPR. Others have been really challenging. You know the kind…the type of questions that make you dig deep inside you and go rooting for the answer.

For example, one wonders if, in fact, GDPR will negatively affect customer service, given the onerous challenges now facing organisations in continuing to provide excellent customer service that complies with the regulation. Only time will tell. I foresee a big problem with misinformation, where customer service personnel, afraid they might process data in a way that results in damage to the data subject, will incorrectly cite ‘data protection legislation’ and refuse to provide a certain service that they used to.

False facts

In listening to organisations like these and discussing their challenges, I have repeatedly heard ‘things-GDPR’ that are mythical and inaccurate. The formation of these myths reminds me of the old joke of Chinese whispers in World War I trenches, where the commander of the troop sends a message to be communicated, man to man verbally, to the communications officer at the far end of the trench. The message starts as ‘send reinforcements we are going to advance’ and finally reaches the communications officer as ‘send three and fourpence we are going to a dance’. These GDPR myths too seem to form like Chinese whispers and end up as ‘facts’ communicated to the organisation or the data subject. So, I decided to pool these myths together and communicate them so that we can address them in business and as a society.

Myth 1: “We are not a European Organisation and therefore don’t have to worry about GDPR compliance and there is no way for the fines to be imposed on us

This is untrue. It doesn’t matter whether your organisation is based in an EU state or not. If it processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.

Myth 2: “We have only four employees and therefore don’t have to worry about GDPR compliance”

There is no ‘all-out’ clause in the GDPR for small companies. The GDPR applies to natural entities – which can range from individuals all the way up to governments and multinational corporations.

Myth 3: “We have less than 250 employees so the GDPR does not apply to us”

Again, another frequently cited myth. The GDPR does indeed mention exemptions for entities with fewer than 250 employees, but it does not state that these organisations are completely exempt. The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees. The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30 of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.

Myth 4: “We have to appoint a DPO”

Virtually all public sector bodies will be required to designate a DPO under the GDPR. When it comes to the private sector, the GDPR introduces a limited mandatory DPO requirement. Controllers and processors will only be required to designate a DPO if their core activities consist of either of the following:

  • Processing and systematic monitoring of data subjects on a large scale
  • Processing on a large scale of special categories of data or data relating to criminal convictions and offences.

Each Member State is free to introduce broader national DPO requirements. Larger organisations operating across the EU would be well advised to consider appointing a DPO on a voluntary basis as this might be the most effective and efficient way to discharge their comprehensive GDPR compliance obligations.

Myth 5: “We don’t do transactions or undertake ‘profit’-related activity as we are a charity/club, so the GDPR does not apply”

This myth is a frequent one. To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in “economic activity”. Economic activity essentially translates into ‘not personal’ e.g. people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.

Myth 6: “When relying on consent to process personal data, consent must be explicit”

The GDPR requires that where consent is the legal instrument for processing data,  consent must be “unambiguous” (Art 4(11)).  “Explicit” consent is required only for processing sensitive personal data – in this context, nothing short of explicitly expressed “opt in” will suffice (Art 9(2)).  But for non-sensitive data, “unambiguous” consent suffices.

Myth 7: “GDPR is all about encryption, pseudonymisation and privacy enhancing tools”

GDPR is in fact a ‘technology neutral’ piece of legislation that advocates reviewing data in light of the six key principles of data protection. Only one of these principles addresses securing data. Although the regulation advises that there are some compliance advantages to encrypting personal information (such as possibly not having to inform data subjects in the event that there is a breach), the GDPR focuses equally on all six data protection principles:

  • 1. Lawfulness, fairness and transparency Organisations need to make sure their data collection practices are fair to data subjects, and compliant with rules for collection and processing. They should also state in their privacy policy the type of data they collect and process, and the reasons for doing so.
  • 2. Purpose limitation Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
  • 3. Data minimisation Organisations must only process the personal data that they need to achieve its processing purposes.
  • 4. Accuracy The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
  • 5. Storage limitation Similarly, organisations need to delete personal data when it’s no longer necessary.
  • 6. Integrity and confidentiality This is the only principle that deals directly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing.

The GDPR is a serious piece of legislation, and organisations need to have certainty about their obligations and responsibilities as outlined in it. Certainty can only be achieved by reading the legislation (it is very well written) and reading interpretations – or paying someone to do it for you.

In my view, we can lend organisations some slack if they genuinely misunderstood this new legislation, but service providers engaged by clients to understand and advise on GDPR cannot be forgiven for misleading clients. And many of the myths I have encountered originated from professionals operating in the GDPR space. Just like when we need to find a person to service a gas boiler, we go to a registered operator. The same applies for GDPR advisors: organisations should determine the privacy and data protection qualifications of those they engage for GDPR advice.

The post GDPRubbish: seven common data protection myths debunked appeared first on BH Consulting.

By

10 Cybersecurity Predictions for 2018

It has been a turbulent year of devastating ransomware attacks (e.g. NotPetya) and gut-wrenching breaches (e.g. Equifax). Undoubtedly, the question on everyone’s mind is, “what’s in store for us in the New Year?” Webroot’s top 10 cybersecurity predictions for 2018 covers everything from ransomware and breaches to mobile, cryptocurrency, and government.We’ve grouped our predictions to help you navigate this glimpse into one possible cybersecurity future.

Malware will get smarter and threats more serious.

Malware campaigns will use AI to make secondary infection decisions based on what they’ve learned from previous campaigns. – Gary Hayslip, chief information security officer

We will see the first health-related ransomware targeting devices like pacemakers. – Eric Klonowski, sr. advanced threat research analyst

We haven’t seen the last of breaches.

I predict a minimum of 3 separate breaches of at least 100 million accounts each. I’d be willing to bet the data has already been compromised, but the affected organizations won’t learn of the breach until next year. – Tyler Moffitt, sr. advanced threat research analyst

Not even biometric security will be safe from malicious actors.

We will see the first biometric-access-based exploits using facial recognition or fingerprint access. – Eric Klonowski, sr. advanced threat research analyst

Consumers will want more from governments to keep them safe.

Consumers fighting back: 2018 will see major a major backlash from consumers (perhaps in the form of class action lawsuits), necessitating more regulations around data protection, particularly in the U.S. – David Kennerley, director of threat research

Infosec will become a C-level priority.

The CISO role will be mandatory for all organizations who do business with the Federal Government. – Gary Hayslip, CISO

Being a mobile-first society will come with greater costs.

We will see the first widespread worming mobile phone ransomware, perhaps spread by SMS or MMS. – Eric Klonowski, sr. advanced threat research analyst

Cryptocurrency will continue to rise and impending legislature is inevitable.

Malware distribution will rise and fall in conjunction with Bitcoin value. – Christopher Cain, associate malware removal engineer

GDPR will set a tone, for better or worse, and businesses should prepare on all sides.

Companies who trade with the European Union will suddenly panic over GDPR requirements and just encrypt everything in a knee-jerk response. – Jonathan Giffard, sr. product manager

The boom in the IoT space will bring stricter oversight to device manufacturers.

Data collected from IoT devices will be aggregated and used to develop an even larger, more involved picture of customers’ habits, constituting a major breach of privacy without consent. – Gary Hayslip, CISO

Do you have any cybersecurity predictions for 2018? Share your thoughts with us on Twitter with the tag #CyberIn2018.

The post 10 Cybersecurity Predictions for 2018 appeared first on Webroot Threat Blog.