27.02. Data Protection Index:
  GDPR Article Index
  GDPR Compliance Evidence
  GDPR Compliance Methodology
  GDPR Due Diligence
  Data Protection Impact Assessment
  Investigatory Powers Act
  Code of practice
  Agreement DC-DP
  Agreement DC-DP plus

General Data Protection Regulation (GDPR):
1. Compliance with the General Data Protection Regulation is a legal obligation of the business as Data Controller (and of ASP as Data Processor); within this Information Security Management Service the Information Security Manager and Data Protection Officer are the people responsible for delivering and evidencing that compliance.
2. GDPR applies to personal data, referred to on this page as Personally Identifiable Information (PII). This includes online identifiers such as an IP address where it can be used, directly or indirectly, to identify a person.
3. GDPR grants people certain rights including:
  (1) The right to be informed.
  (2) The right of access.
  (3) The right to rectification.
  (4) The right to erasure.
  (5) The right to restrict processing.
  (6) The right to data portability.
  (7) The right to object.
  (8) Rights related to automated decision making and profiling.
4. GDPR imposes the legal requirements of data protection by design and by default (commonly called privacy-by-design), accountability, and documented evidence of HOW the business complies with each data protection principle.
5. The ICO provides a facility for whistleblowers to report a company that has chosen not to comply with the law, including a company that gains an unfair trading advantage by doing so (sometimes called "unjust enrichment").

Glossary of Terms:
ISM means Information Security Manager as the person responsible.
DPO means Data Protection Officer as the person responsible and a role provided by ASP to the Owner.
ISS means Information Security Standard as ISO 27001 and its associated family of standards.
ISMS means Information Security Management Service as the documentation application that makes it all happen.
ICO means Information Commissioner's Office as the enforcement regulator.
GDPR means General Data Protection Regulation as the legal obligations to protect Personally Identifiable Information.
PII means Personally Identifiable Information, the term used on this page for personal data that is subject to Data Protection Regulation.
PECR means Privacy and Electronic Communications Regulations as the legal obligations when dealing with marketing and sales information.
DPIA means Data Protection Impact Assessment as a structured assessment of the privacy risks of a processing activity; it is a risk assessment, not a penetration test.
Data Processor is the Application Service Provider (ASP) responsible to the Data Controller.
Data Controller is the bespoke application Owner, who determines the purposes and means of processing the data maintained by the Owner's staff, and who owns the copyright and all Intellectual Property in forms, reports, layouts, web pages and related documents.

Data Breach:
1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Loss of availability (data destroyed, or unavailable for a time) is a breach just as disclosure is.
2. A data breach must be reported to the ICO within 72 hours of the Data Controller becoming aware of it, unless it is unlikely to result in a risk to people's rights and freedoms. Every breach, notified or not, must be recorded internally with its facts, its effects and the remedial action taken. Failure to notify can result in a fine of up to ten million Euros or two percent of global annual turnover, whichever is higher.
3. Where the breach is likely to result in a high risk to the people concerned, each of them must be notified without undue delay; the appointed Data Protection Officer is the point of contact for those notifications. Notification of individuals is not required where the affected data was rendered unintelligible to anyone not authorised to access it, for example by encryption with a key that was not compromised.

Data Breach Notification Procedure:
Step 1. Procedure to notify the Information Commissioner's Office (ICO) within 24 hours of becoming aware of any data breach, well inside the 72 hours the law allows.   ASP encrypts all Personally Identifiable Information (PII) stored by the bespoke application service, so a copy of stored data that is lost or stolen without its encryption key is unintelligible to whoever holds it; such an event is still recorded and assessed as a breach, but it is unlikely to result in a risk to the people concerned and normally need not be notified to them.   Owner shall deploy their own procedures to notify the ICO when any locally stored data or email is lost or stolen.
Step 2. Procedure to exactly identify what data has been lost or stolen.   ASP does not permit PII to be stored on a local computer or in an email, which removes the most common way in which PII is lost or stolen.   Owner shall deploy their own procedures to identify what data has been lost or stolen where it was not secured by the bespoke application service.
Step 3. Procedure to stop a data breach from happening in the future.   ASP has taken, and has created documented evidence of, every reasonable measure to prevent any kind of data breach, and shall continue to do so.   ASP people have a standing instruction to continually monitor and learn lessons from data breaches suffered by others.   Owner shall deploy their own procedures to stop future data breaches, such as storing that data in the bespoke application service.
Step 4. Procedure to recreate any missing or corrupted data.   ASP stores a large number of replicated copies of all encrypted data in a large number of physically secure data centers, so missing or corrupted data can be restored from an intact replica; the encryption keys are protected with the same care, because data whose key is lost is as unrecoverable as data that was deleted.   Owner shall deploy their own procedures to recover lost or corrupted data that was not stored by the bespoke application service.
Step 5. Procedure to offer compensation to people who are impacted.   Any person who suffers damage from an infringement can claim compensation from the Data Controller and, where the Data Processor has failed in its own obligations, from the Data Processor; ASP's encryption and replication are designed so that no person is impacted by the loss of a copy of stored data.   Owner shall pay people whatever compensation a court awards for data the Owner was responsible for.
Step 6. Procedure to offer a public apology.   ASP does not expect to offer a public apology because everything that reasonably can be done to eliminate a data breach of the bespoke application service has been done and shall continue to be done.   Owner shall make any public apology for the loss of any data not securely stored by the bespoke application service.
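The obligations in the Data Breach section and the six steps above reduce to a small decision procedure, and that procedure is where the mistake in this area is usually made: encryption affects only whether readable data reached someone, not whether data was lost or altered. The Go program below is an added example written for this page, not ASP's or the Owner's procedure; the struct fields, the sample incidents and the 2017 timestamp are this example's own constructions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Breach records what the incident team has established about a personal
// data breach. The field names are this example's own, not regulation terms.
type Breach struct {
	AwareAt          time.Time // when the Data Controller became aware (the 72-hour clock starts here)
	Disclosed        bool      // data was disclosed to, or accessed by, an unauthorised party
	Lost             bool      // data was destroyed or became unavailable
	Altered          bool      // data was changed without authorisation
	Encrypted        bool      // the affected copy was encrypted at rest
	KeyCompromised   bool      // the decryption key was exposed along with it
	Restorable       bool      // lost data can be restored from an intact replica
	HighRiskToPeople bool      // the controller's assessment found a likely high risk to the people concerned
}

// Obligations is the outcome of the assessment.
type Obligations struct {
	RecordInternally bool      // Article 33(5): every breach is documented, notified or not
	NotifyICO        bool      // Article 33(1): notify unless unlikely to result in a risk
	ICODeadline      time.Time // 72 hours after becoming aware
	NotifyPeople     bool      // Article 34: only for a likely high risk
	Reasons          []string
}

// Assess applies the notification rules of Articles 33 and 34 to a breach.
func Assess(b Breach) Obligations {
	o := Obligations{RecordInternally: true, ICODeadline: b.AwareAt.Add(72 * time.Hour)}

	// Encrypted data whose key stayed secret is unintelligible to whoever took it;
	// this is the Article 34(3)(a) condition. It says nothing about data that was
	// lost or altered, so those are assessed on their own.
	unintelligible := b.Encrypted && !b.KeyCompromised
	exposed := b.Disclosed && !unintelligible
	unrecoverable := b.Lost && !b.Restorable

	if b.Disclosed && unintelligible {
		o.Reasons = append(o.Reasons, "disclosed copy is encrypted and the key is safe: unintelligible to the recipient")
	}
	if exposed {
		o.Reasons = append(o.Reasons, "readable personal data reached an unauthorised party")
	}
	if unrecoverable {
		o.Reasons = append(o.Reasons, "personal data cannot be restored")
	} else if b.Lost {
		o.Reasons = append(o.Reasons, "data was lost but can be restored from a replica")
	}
	if b.Altered {
		o.Reasons = append(o.Reasons, "personal data was altered without authorisation")
	}

	// A risk to people exists when readable data was exposed, data is gone for
	// good, or data was tampered with. Only then is the ICO notified.
	risk := exposed || unrecoverable || b.Altered
	o.NotifyICO = risk
	// People are told only when that risk is assessed as high; the assessment is
	// an input here because it depends on the nature of the data, not just the event.
	o.NotifyPeople = risk && b.HighRiskToPeople
	return o
}

func (o Obligations) String() string {
	return fmt.Sprintf("record=%v notifyICO=%v by %s notifyPeople=%v (%s)",
		o.RecordInternally, o.NotifyICO, o.ICODeadline.Format(time.RFC3339),
		o.NotifyPeople, strings.Join(o.Reasons, "; "))
}

func main() {
	aware := time.Date(2017, 2, 13, 9, 0, 0, 0, time.UTC) // constructed example time
	// A replica of the encrypted store is copied out by an attacker; the key stays in the application.
	fmt.Println(Assess(Breach{AwareAt: aware, Disclosed: true, Encrypted: true}))
	// The same theft, but the key was in the same backup and the records are health data.
	fmt.Println(Assess(Breach{AwareAt: aware, Disclosed: true, Encrypted: true, KeyCompromised: true, HighRiskToPeople: true}))
	// A laptop holding an unencrypted export is lost; the export also exists in the service.
	fmt.Println(Assess(Breach{AwareAt: aware, Disclosed: true, Lost: true, Restorable: true}))
	// Ransomware destroys encrypted records and every replica of them.
	fmt.Println(Assess(Breach{AwareAt: aware, Lost: true, Encrypted: true, HighRiskToPeople: true}))
}
```

The fourth case is the one the procedure above must not forget: data that is encrypted and then destroyed along with its replicas is a breach with a 72-hour clock regardless of how strong the encryption was.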

Consent:
1. Personally Identifiable Information belongs to the person it describes, who provided it or consented to it being provided - PII does not belong to the company that holds it.
2. Consent must be verifiable - records must be kept of what the person was told and of how and when consent was given. Where consent is the lawful basis relied on, processing without verifiable consent is not lawful; consent is one of several lawful bases under Article 6, so where consent is not used another basis (such as performance of a contract or a legal obligation) must be identified and documented.
3. Consent can be withdrawn at any time. Provision must be made to enable a person to withdraw consent, and withdrawing it must be as easy as granting it.

Data Protection Impact Assessment (DPIA):
1. A DPIA is a process to assist in identifying and minimising the privacy risks of improvements and changes before they are made.
2. A DPIA project may include internal and partner people who have the skills to identify and reduce privacy risks.
3. A DPIA will ensure that potential problems are identified at an early stage when it is easier to address them.
4. A DPIA is a mini-project that demonstrates HOW the business will implement privacy-by-design and will mitigate each risk identified - each risk is classified as (1) Eliminated, (2) Reduced or (3) Accepted.
5. Each DPIA will identify what data is PII to be protected, what risks are possible and what mitigating measures are designed to reduce those risks.
6. The risk of inaccurate or incomplete data is important. The risk to the business if a data breach happens is important.
7. A DPIA is mandatory under Article 35 where the processing is likely to result in a high risk to people; where it is not mandatory the business must still deploy similar procedures to gather evidence of privacy-by-design - a DPO responsibility.
8. ISO 31000 (risk management) and PRINCE2 or PMBOK (project management) are used to manage such projects.

DPIA Project Steps:
  (1) Identify the need.
  (2) Describe the data flows: PII life cycle.
  (3) Identify the privacy and related risks: to person, for compliance, to business.
  (4) Identify privacy solutions: method, result, evaluation.
  (5) Sign off and record the outcomes.
  (6) Integrate the outcomes with the PRINCE2 project plan.

What To Do:
1. PII shall be fairly and lawfully processed: purpose, privacy notice, consent.
2. PII shall be obtained for only documented purposes: purpose.
3. PII shall be adequate, relevant and not excessive: data quality, accuracy, life cycle.
4. PII shall be accurate and kept up to date: maintenance cycle.
5. PII shall not be kept for longer than is necessary: retention period, destruction method.
6. PII shall be processed in accordance with people's rights: SAR handling, subscription opt-in and opt-out.
7. Appropriate technical and organisational measures shall be taken: security risks, staff training.
8. PII shall not be transferred to another country without adequate protection: encrypting PII at rest reduces the risk of a transfer, but encrypted PII remains personal data for as long as anyone holds the key, so a transfer outside the EEA still needs an adequacy decision or appropriate safeguards such as standard contractual clauses.

Data Protection Officer:
1. To inform and advise the business and its employees about their obligation to comply with GDPR and related data protection laws.
2. To monitor compliance with GDPR, including the managing of data protection activities, advise on data protection impact assessments, train staff and conduct internal audits - audit is key.
3. To be the first point of contact for supervisory authorities and for individuals whose data is processed (staff and customers).
* The DPO must report at the Board level.
* The DPO operates independently and cannot be dismissed or penalised for performing their tasks.
* Adequate resources must be provided to enable the DPO to meet their GDPR obligations.
* The role of the DPO may be contracted to suitably qualified, skilled and experienced people.
4. The DPO advocates Replicated Encrypted Data (RED) as the technical measure that protects stored PII: encryption addresses the confidentiality risk of a copy being lost or stolen, and replication addresses the availability risk of data being destroyed or corrupted.
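Replicated Encrypted Data, as referred to here and in Steps 1 and 4 of the breach notification procedure, can be shown concretely. The Go program below is an added example, not ASP's implementation: it assumes AES-256-GCM with a key held outside the replicas, a record identifier bound in as associated data, and a constructed sample record. It shows that a stolen replica reveals nothing without the key, that the key holder can still read the PII (so it remains personal data), that a tampered replica is rejected, and that destroying the key makes every replica unrecoverable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what a replica stores: a fresh nonce and the AES-GCM ciphertext,
// which carries its own authentication tag. No key material is stored with it.
type Record struct {
	ID         string // non-secret record identifier, used as associated data
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit AES key. In a real deployment this would
// live in a key management service, never beside the replicas (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one person's PII. The record ID is bound in as associated data
// so a ciphertext copied from one record into another fails to open.
func Seal(key []byte, id string, pii []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, pii, []byte(id))}, nil
}

// Open decrypts a record; any change to the ciphertext, nonce or ID is rejected.
func Open(key []byte, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(r.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
}

// Replicate makes n independent copies of a record, as the data centres would hold.
func Replicate(r Record, n int) []Record {
	out := make([]Record, n)
	for i := range out {
		out[i] = Record{ID: r.ID, Nonce: append([]byte(nil), r.Nonce...), Ciphertext: append([]byte(nil), r.Ciphertext...)}
	}
	return out
}

// Leaks reports whether a stolen replica reveals the PII it protects.
func Leaks(r Record, pii []byte) bool {
	return bytes.Contains(r.Ciphertext, pii)
}

func main() {
	key, _ := NewKey()
	pii := []byte("Jane Doe, 12 Example Street, jane@example.com") // constructed sample record
	rec, _ := Seal(key, "customer-1042", pii)
	replicas := Replicate(rec, 3)

	fmt.Println("stolen replica reveals PII:", Leaks(replicas[0], pii)) // false
	if pt, err := Open(key, replicas[2]); err == nil {
		fmt.Println("key holder restores from replica 2:", string(pt)) // still personal data to the key holder
	}
	replicas[1].Ciphertext[0] ^= 1
	_, err := Open(key, replicas[1])
	fmt.Println("tampered replica rejected:", err != nil) // true
	for i := range key {
		key[i] = 0 // key destroyed: every replica is now unrecoverable, which is itself a loss of data
	}
	_, err = Open(key, replicas[0])
	fmt.Println("without the key:", err != nil) // true
}
```

The last step is the point the procedure above relies on in Step 4: replication protects against losing ciphertext, and only key management protects against losing the key, so the two controls have to be evidenced separately.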

Responsibility: ASP:
GDPR Article 28 defines the Data Processor's responsibilities in providing the Bespoke Application Service as the Application Service Provider.
1. The Data Processor must provide sufficient evidence and guarantees that it implements appropriate control measures.   The Data Controller must undertake due diligence to satisfy itself that the Data Processor is able to provide all relevant guarantees.   Please see "GDPR Due Diligence" above.
2. The Data Processor shall not engage another Data Processor without the prior written authorisation of the Data Controller.
3. Processing by the Data Processor shall be governed by a contract with the Data Controller that defines the nature, purpose and obligations of the processing, including that the Data Processor shall:
  (a) process the personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to another country;
  (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  (c) takes all measures required pursuant to Article 32;
  (d) respects the conditions referred to in paragraphs 2 and 4 for engaging another Data Processor;
  (e) taking into account the nature of the processing, assists the Data Controller by appropriate technical and organisational measures;
  (f) assists the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Data Processor;
  (g) at the choice of the Data Controller, deletes or returns all the personal data to the Data Controller after the end of the provision of services relating to processing;
  (h) makes available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
With regard to point (h) of the first subparagraph, the Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4. Where the Data Processor engages another Data Processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in the contract shall be imposed on that other Data Processor by way of a contract.
5. Adherence of the Data Processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9. The contract referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83 and 84, if the Data Processor infringes this Regulation by determining the purposes and means of processing, the Data Processor shall be considered to be a Data Controller in respect of that processing.

Responsibility: Owner:
GDPR Article 24 defines the Data Controller's responsibilities in defining and using the Bespoke Application Service.
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.   Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the Data Controller.
3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the Data Controller.

Document Control:
1. Document Title: Data Protection Index.
2. Description: Data Protection Index.
3. Keywords: Data Protection Index.
4. Privacy: Public education service as a benefit to humanity. This is not legal advice.
5. Issued: 13 Feb 2017.
6. Edition: 1.1.