SKILLS & TRICKS
For the past few weeks a lot has been spoken, written and talked about is GDPR Compliance. I have always retained the view that Europeans are much more intelligent when it comes to compliance and regulatory of Personal Data then Americans. I am not going to use the word privacy because its been the most mocked around word in some quarters and of course in USA we all know how well its protected and implemented. :D
I'll start with first highlighting some key aspects of GDPR - like
What is GDPR
Its not something new and before GDPR we had Data Protection Act so if you had it implemented then you will go through less pain since a lot of elements are partially covered by it. The whole idea and concept is to know how the data is collected, where the data resides, stored, processed, deleted, who can access it and how its used for EU citizens. This means that organizations will be required to show the data flow or lifecycle to minimize any risk of personal data being leaked and all required steps are in place under GDPR.
In short, GDPR is to have common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle and also by adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, as well as strengthening rules for data minimization.
Key Regulatory Requirements
data with, and minimize how long you keep it. Less is more: less data for the hacker to take, means a more secure environment. So the data points you collected from a web campaign over three years ago — maybe containing 15000 email addresses along with favourite pet names — and now lives in a spreadsheet no one ever looks at. Well, you should find it and delete it.If a hacker gets hold of it, and uses it for phishing purposes, you’ve created a security risk for your customers. Plus, if the local EU authority can trace the breach back to your company, you can face heavy fines.
Who exactly determines whether your organization's processing presents a high risk to the individuals' rights and freedoms? The text of the GDPR is not specific, so each organization will have to decide for itself.
is the still controversial right to stay out of the public view and “be forgotten”. This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process!
It also means that data controllers are regulated by a lead data protection authority located in the territory of their main establishment. The European Commission has the power to decide if a country outside the EEA provides adequate protection and declare “a territory or one or more specified sectors within that country” adequate. For example, although the United States is not deemed to be an “adequate” jurisdiction, as of 1 August 2016, organisations located in the U.S. may register with the EU-U.S. Privacy Shield. Legal experts note this may not be that easy to enforce and extraterritoriality is particularly relevant to core web services such as search, social networking, e-commerce, companies that allow you to rent apartments online, etc.
- Integrity breach - where there is an unauthorized or accidental alteration of personal data.
- Availability breach - where there is an accidental or unauthorized loss of access to, or destruction of, personal data (include where data has been deleted either accidentally or by an unauthorized person).
Role of IT Professionals
Information Security today is just not limited to the IT Department of any organization and as businesses have evolved during time, so does the need for everyone in the business for making his or her contribution to the security of the organisation's information, and for protecting the personal data the organisation uses. You will notice that most GDPR webinars are attended by business managers, compliance people and the like and these people are responsible for operating and overseeing GDPR compliance. Asking colleagues what data they hold, and getting the company lawyer to update standard contract terms and write privacy notices. But they can't really do all this stuff on their own since they need IT for doing most of the work like providing a dump of the database schema, gives a guranteed correct version and don't forget the unique access required to scan the various files stored in local hard disks and networked file shares for the millions of files we use in the form of documents, emails, spreadsheets, meeting notes, etc.
It is extremely important to engage the IT Team from the discovery phase and don't forget subject access requests (SARs), for example: most of us hardly ever had one because nobody's really been sufficiently bothered to spend the money and ask what data you hold about them. The other thing you need to understand is whether there's a gap between how you think you work and how you actually work. For example backups:
even though your backup strategy is documented, do you really understand how it's implemented by the tech teams? How your disk-to-disk-to-tape setup really works? Who transports the tapes to offsite storage? Do you destroy tapes when you say you will? If you've erased someone's data on request, does the tech team re-delete the data from the live system if they've had to restore from backup?
Nearly everyone organization i have come across keeps some sort of back up with them and not everyone is fully utilizing the Cloud infrastructure and Back up tools. The data aspect is important and becoming compliant is one thing, but being able to quantify compliance is quite another. Anyone who's read BS 10012 (Data protection – Specification for a personal information management system) will be familiar with clause 9.1, which is all about "monitoring, measurement, analysis and evaluation".
Now i am not a lawyer but just to give you some insight on how tricky things can get i am listing down a couple of items which might be eye opener for some of you. I wasn't able to get a clear cut answer about these from anyone and could not find any details in GDPR or the hundreds of lawyer websites claiming to make you compliant with GDPR in just weeks.
For example how can a small company which runs its site on PHP and have a user forum implement GDPR? It can be very time consuming for them and some key aspects are tricky to be implemented.
- Any web community will at least be storing usernames, passwords, emails and most likely IP addresses. As far as I know, all of that counts and comes under PID (Personal Identifiable Data)
One can say that you're allowed to log people's IP addresses for diagnostic reasons, to prevent fraud and abuse. You don't have to delete these logs when someone emails you if they're still useful for those purposes. You do need to delete those logs eventually though, and you need to disclose how often that is. It can be ten years if you want. Yeah but where does it say this and who decides?
- What happens when i restore the backup?
Now all old usernames, emails and ip addresses will be part of the system again and how do i delete it them or keep track of them :) Yup you need to define a solid process for this .
Of course if you're Facebook or Twitter you just assign a few developers to this and you'll be fine. But this might affect small-time web companies.
Actions for Compliance
Below is a list of Actions the organization needs to take in order to comply with GDPR and the timeline is mostly representing implementation for a medium to large size organization.
Identify and map your data processing activities, including data flows and use cases in order to create a comprehensive record of activities.
GDPR requires you to keep detailed records of data processing activities. These records can be used to assess the compliance steps required by the business going forward and respond quickly to data breaches and to individuals who request their own data.
Assess whether you are required to appoint a Data Protection Officer (DPO) and if so, recruit a professional who meets the GDPR criteria. Irrespective of the legal requirement, review and, if necessary, improve the corporate governance policies and structure to ensure that they are effective to achieve reasonable compliance throughout the business.
Appointment of a DPO is mandatory for some businesses. Robust data governance is, in any event, key to fulfilling the accountability obligation of all organizations.
Identify any data sharing with third parties, determine the role of those parties and put appropriate safeguards in place. This may require the execution of new or revision of existing agreements.
GDPR imposes mandatory content for certain agreements and requires the clear assignment of roles and responsibilities.
Review or establish legal bases for processing, at least for key use cases. Plan and implement remedial action to fill any compliance gaps.
GDPR requires that all data processing has a legal basis, such as consent, contract and balance of interests, etc. and makes usage more difficult. GDPR also contains restrictions / additional obligations relating to the use of automated processing, including profiling.
Review and amend all privacy notices, consent forms and related processes in order to comply with the GDPR.
The GDPR imposes additional minimum consent for privacy notices. It also imposes stricter consent requirements.
Assess whether the business carries out any “high risk” processing under the GDPR. If so, carry out a Data Protection Impact Assessment (DPIA) and, if necessary, consult with your supervisory authority.
DPIAs must be carried out in relation to all “high risk” processing and consultation with supervisory authorities may be required in certain circumstances.
Review and supplement the company’s existing suite of polices and processes dealing with data protection, including those dealing with data retention and integrity, such as data accuracy and relevance.
The GDPR imposes stricter obligations to keep data accurate, proportionate and no longer than necessary.
Identify the new individual rights provided by the GDPR and establish procedures for dealing with them. Review the procedures in place in order to comply with existing rights and set up any new internal procedures and processes, where required.
GDPR extends existing rights and introduces new rights for individuals, such as the right of data portability.
Review or establish procedures for ensuring that GDPR compliance is embedded in all applications and processes that involve personal data from the start. Default settings must comply with the GDPR.
Compliance must be integrated into all processes and applications that involve the use of personal data, and default settings must comply with the GDPR, including data minimization.
Identify and review the data transfer mechanisms in place in order to comply with the GDPR. Fill any gaps, including entering into Standard Contractual Clauses with service providers and group companies, and evaluate the use of Binding Corporate Rules (“BCRs”).
The GDPR retains the current requirement to have adequate measures in place when transferring personal data outside the EEA, but sanctions for non-compliance are substantially increased.
Review the data security measures in place to ensure they are sufficient and to assess whether the specific measures referred to in the GDPR are (or should be) in place. Review or establish an effective Data Breach Response Plan.
The GDPR implements stricter requirements regarding appropriate technical and organizational data security measures. It also requires data breaches involving risk to individuals to be reported to supervisory authorities without delay and within 72 hours (unless a longer period can be justified); affected individuals must also be notified if the breach is high risk.
Roll-out amended and new privacy notices and consent forms. Publish new and revised policies and procedures and conduct training of key personnel on GDPR compliance.
Microsoft and GDPR
Microsoft provides two great compliance solutions which can really help organizations assess and manage compliance risks:
Compliance Manager: A single pane of glass with ongoing risk assessment on Microsoft cloud services, actionable insights, and recommended actions to improve data protection capabilities, as well as simplified compliance via streamlined workflow and audit-ready reports. Compliance Manager is a cross-Microsoft Cloud services solution designed to meet complex compliance obligations, including the EU GDPR, ISO 27001, ISO 27018, NIST 800- 53, NIST 800- 171, and HIPAA. It also provides you the information and tools to conduct self-assessment for your responsibilities of meeting regulatory requirements. Compliance Score is a new feature for Compliance Manager which gives you visibility into your organization’s compliance stature with a risk-based score reference.
By using group functionality, you can now create multiple assessments for any standard or regulation that is available to you in Compliance Manager by time, by teams, or by business units. For example, you can create a GDPR assessment for the 2018 group and another one for the 2019 group. Similarly, you can create an ISO 27001 assessment for your business units located in the U.S. and another one for your business units located in Europe. This functionality gives you a more robust way to manage compliance activities based on your organizational needs for performing risk assessments.
Azure Information Protection Scanner: It lets you configure policies to automatically discover, classify, label, and protect documents in on-premises repositories like file servers and on-premises SharePoint servers. The classification is identifiable always, regardless of where the data is stored or with whom it’s shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.
The following are the licenses and what is supported for each:
one of the first tasks in a GDPR exercise is to know and find the content you have and then classify as needed. This can often be the biggest problem, as most organizations have content stored in collaboration tools such as SharePoint, file servers, local machines or other applications. Asking business users to go to these locations and classify is a task that will never happen.
the scanner is a separate download using the following URL, but in the future, it will be bundled as part of the ‘Azure Information Protection‘ client.
From the download select the ‘AzInfoProtectionScanner’.
Once downloaded, click to install. If needed you can install a ‘demo policy‘ as part of the setup, which can be used for testing, until the application is connected to your ‘Azure Information Protection‘ service instance. You need to launch a PowerShell window, so the commands to use it can be run. The first task is to setup the SQL database that will be used by the scanning tool. This is done by typing the following:
For a default instance: Install-AIPScanner -SqlServerInstance SQLSERVER
For a named instance: Install-AIPScanner -SqlServerInstance SQLSERVER\AIPSCANNER
For SQL Server Express: Install-AIPScanner -SqlServerInstance SQLSERVER\SQLEXPRESS
We will use the SQL Express but you could use a full-blown SQL implementation if that is installed on your network. Firstly, however, you may need to import the ‘AIP‘ DLL for the commands to work.
Next, we can run the installation command:
When prompted type the service account you wish to use for the scanner.
Once it has completed successfully you can check in the ‘Services‘ console and the new service will be listed.
Within the PowerShell console, we need to run the command that checks the status and mode of the scanner.
The scanner by default is set to ‘Discover’ mode, and outputting informational reports only. These settings can be changed easily by using the ‘Set-AIPScannerConfiguration‘ command.
You need to set the repository of data that you wish to scan. Check what is being used by typing ‘Get-AIPScannerRespository‘. The first time you run this, it will be blank as nothing has been set. For this example, I am going to use a network share on a server. To set this we can use the following command:
Now, you need to get an ‘Azure Information Protection‘ authentication token for the scanner. This is done using the ‘Set-AIPAuthentication‘ command. When prompted login with your Office 365/Azure AD account that has access to your ‘Azure Information Protection‘ service. Once completed this will return an access token that will then be used by the scanner.
Open the ‘Services‘ console and start the service ‘Azure Information Protection Scanner‘. When this completes the scanner, service will stop automatically. Any reports, that were generated are stored within ‘%localappdata%\Microsoft\MSIP\Scanner\Reports‘ and have a ‘CSV‘ file extension.
‘CSV‘ to review the files found, the label applied, and the condition used and found on the content. Of course, for this example, it was only set to ‘Discover‘ not ‘Enforce‘ which would have applied the labels and protections.