# Data Protection Impact Assessment
## Data Protection Impact Assessment (Article 35)

1. The processor shall deploy whatever security measures it takes to eliminate the possibility of a reportable data breach.
2. The processor shall engage a Data Protection Officer to direct the protection of persons' data as part of the Bespoke Application Service.
3. The Data Protection Officer shall continually review and revise the Data Protection Impact Assessment based on risks, threats, industry experience, press reports and ISO advice.
7. The Data Protection Impact Assessment shall include:
   (a) a systematic description of the deployed processing operations and the purposes of the processing, including the legitimate interest pursued by the controller.
   (b) an assessment of the necessity and proportionality of the processing operations.
   (c) an assessment of the risks to the rights of data subjects.
   (d) the measures deployed to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
8. The processor shall be compliant with the ISO 27001 Information Security Standard and the CSA Code of Conduct.
9. The controller may seek the views of the data subjects.
+. Include technical and organisational measures to deploy "privacy by design", including:
   (1) Data minimisation.
   (2) Pseudonymisation.
   (3) Transparency of functions and processing: no profiling.
   (4) Enable the data subject to monitor data processing: keep them in the loop.
   (5) Enable a means to create and improve security features.
+. Include the origin, nature, particularity and severity of each risk.
+. Assess and document the likelihood and severity of each risk. Consider the nature, scope, context and purpose of processing and the sources of risk.
+. Accountability: Article 5(2) states that the controller must be able to demonstrate compliance with Article 5(1) (accountability). This can be demonstrated in the DPIA by cross-reference back to the GDPR articles.
+. Protection by Design and Default: Article 25. This can be demonstrated by maintaining a timestamp of when processing is performed at the applicable time. Only provide the personal data needed to perform a process rather than making all personal data available. Every process is unique and has sight only of the personal data needed to complete that process.
## UK ICO Sample PIA (not DPIA)

1. Identify the need and involve all stakeholders: transparency.
2. Describe the information flows.
3. Identify the privacy and related risks: risk to people, risk to the organisation, compliance risk.
4. Identify and evaluate the privacy solutions: eliminated, reduced, accepted.
5. Document the PIA outcomes.
6. Integrate the PIA outcomes into a project plan to improve the application service.
*. Consult with stakeholders as needed.
## European Energy Sample

1. Introduction (this is a process, not a destination document).
   1.1 Background and Motivation.
   1.2 Purpose of the DPIA.
   1.3 Scope of the DPIA.
   1.4 Stakeholders.
       1.4.1 ICO.
       1.4.2 Controller and Application Owner.
       1.4.3 Customers.
       1.4.4 Suppliers and Energy Providers.
       1.4.5 Processor and Application Service Provider.
   1.5 Benefits of the DPIA.
   1.6 Carrying out the DPIA.
   1.7 The Result.
   1.8 Success Factors.
2. Guidance.
   2.1 Step 1: Pre-assessment criteria.
       2.1.1 Personal data involved.
       2.1.2 Data controller and data processor.
       2.1.3 Impact on rights and freedoms.
       2.1.4 When to perform a DPIA.
       2.1.5 The nature of the bespoke application service.
       2.1.6 Legal base and public concern.
       2.1.7 Other criteria.
       2.1.8 Documented conclusion.
   2.2 Step 2: Initiation.
       2.2.1 Operational requirements.
   2.3 Step 3: Description.
       2.3.1 The use case.
       2.3.2 Service information.
       2.3.3 Description of the assets.
   2.4 Step 4: Risk Management.
       2.4.1 Introduction.
       2.4.2 Threats for each possible event.
   2.5 Step 5: Impact Management.
       2.5.1 Impact of possible events.
       2.5.2 Possibility of events.
       2.5.3 Risk level, value and priority.
   2.6 Step 6: Required Controls.
       2.6.1 Assessment of security controls.
       2.6.2 Risk Treatment.
       2.6.3 Residual risk and risk acceptance.
       2.6.4 Resolution.
   2.7 Step 7: Documentation of the DPIA.
   2.8 Step 8: Reviewing and Maintenance.
## Risks

1. Sharing passwords with other people.
2. Disabling anti-virus to access blocked content.
3. Using the same password for many services.
4. Sharing PII with strangers.
5. Downloading programs with vulnerabilities.
6. Downloading media from unlicensed sources.
7. People with little security education and motivation.
8. Loneliness causing bad behaviour to gain attention.
9. Social demands for excitement from bad things happening.
10. Ransomware downloaded by clicking unapproved links.
11. Job applicants who are told too much and have the skills to disrupt.
12. Leaking private, confidential or sensitive data by phone or email.
## Authentication

1. Many threats and risks have a common solution in the continually monitored authentication service known as Identity and Access Management (IAM).
2. Login risks have been eliminated and replaced with a comprehensive sign-in authentication service that is the single point of entry before any private data can be processed. Criminal attacks on private data must get past this one authentication service, which has been hardened by daily attacks for decades and by regular external security audits.
3. Authentication is so important that every sign-in transaction is monitored 24/7 to ensure that criminal behaviour is stopped and blacklisted, while approved people are given every assistance.
4. Password risks have been eliminated and replaced with assigned pass phrases that are known only to the approved person and cannot be discovered by any other person. Pass phrases are never communicated by phone, by email or in any way that can be intercepted by a criminal. Pass phrases are too important to be left to people to make up, reusing the same ideas on many other web sites.
5. When a manager authorises a new approved person, that manager is given a one-time pass-phrase that must be used by the approved person to sign in within 15 minutes. The one-time pass-phrase may be communicated by word, by phone or by email, but its life cycle is limited.
6. When a new approved person signs in with their one-time pass-phrase, they are shown their permanent pass phrase, which is not known to any other person. The one-time pass-phrase is disabled and the approved person must use their permanent pass phrase for all subsequent sign-ins.
7. When an approved person forgets their permanent pass phrase, they ask their manager to request a new one-time pass-phrase to be used within the next few minutes. When the new one-time pass-phrase is used, a new permanent pass-phrase is assigned to the approved person.
8. Where a new manager arrives and an existing manager at that office is not available, a support request can be created asking Second Level Support to enter the new manager's details and assign a one-time pass-phrase to that new manager. Managers are in complete control of their own teams, and managers can help one another when a new one-time pass-phrase is needed. Where a manager is not available, a support request can be created, with a rapid response by automated email.
9. Authentication deploys many factors, including cookies and other secret characteristics of approved computers.
10. An approved person may be authorised to sign in from a named office but not from home or any other office. A few approved people may sign in from many different offices and may be permitted to sign in from their home network. An approved person may be permitted to sign in from their smart phone using a named network or from any network.
11. An approved person may be authorised to sign in between certain hours of the day and on certain days of the week. The behaviour of approved people is monitored to detect unusual behaviour and stop criminal behaviour, such as a sign-in attempt at 03:00 on a Sunday morning.
12. Malware, keyloggers and people spying on others will leak a person's pass-phrase, and additional measures are needed to manage the threat. Encrypted cookies and device characteristics identify when a pass-phrase is used from a different computer, and monitoring triggers a potential alarm. Geo-location, network names, day of week, hour of day, screen size, browser and computer operating system are checked, and a phone call may be made to verify that the person has changed computer.
13. With more than 20 years of continual evolution of this single authentication facility, many security mechanisms have been incorporated to detect and stop criminal behaviour. Every day, criminal attacks verify the robustness of the authentication service, and every six months external professional white-hat hackers and security consultants are paid to simulate what a criminal agency could do. The attack surface is very small, and continual improvements mean that as new cyber warfare attacks are discovered, the authentication service stays one step ahead.
14. The possibility of a phishing attack by a criminal impersonating an approved person is minimised by granting local management the right to manage their own teams.
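The one-time pass-phrase life cycle in items 5 to 7 and the office, day and hour checks in items 10 and 11 can be expressed as a small policy check. The following Python is an added example written for this page, not the authentication service's own code: the network names, hour window, word list, PBKDF2 parameters and the `ApprovedPerson`, `issue_one_time` and `sign_in` names are all constructed here. Only a salted hash of each pass-phrase is kept, a one-time phrase is burned on first use or after 15 minutes, and a successful first use is the only moment the permanent phrase is ever shown.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed word list and parameters for this example (not the service's real values).
WORDS = ["harbour", "copper", "lantern", "meadow", "quartz", "saddle",
         "timber", "violet", "walnut", "anchor", "breeze", "cobalt"]
ONE_TIME_LIFETIME = timedelta(minutes=15)
PBKDF2_ROUNDS = 50_000


def at(year, month, day, hour, minute=0):
    """Helper so sign-in attempts can be made at a fixed, named moment (UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _hash_phrase(phrase: str, salt: bytes) -> bytes:
    """Only a salted hash of a pass-phrase is stored, never the phrase itself."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode(), salt, PBKDF2_ROUNDS)


def _new_phrase(words: int) -> str:
    return " ".join(secrets.choice(WORDS) for _ in range(words))


class ApprovedPerson:
    def __init__(self, name, allowed_networks, allowed_hours, allowed_days):
        self.name = name
        self.allowed_networks = set(allowed_networks)  # named networks, e.g. "office-watford"
        self.allowed_hours = allowed_hours              # (start_hour, end_hour), end exclusive
        self.allowed_days = set(allowed_days)           # 0 = Monday ... 6 = Sunday
        self.salt = secrets.token_bytes(16)
        self.permanent_hash = None                      # set when the one-time phrase is first used
        self.one_time = None                            # (hash, issued_at) while one is outstanding


def issue_one_time(person: ApprovedPerson, now: datetime) -> str:
    """Requested by the person's manager; must be used within ONE_TIME_LIFETIME."""
    phrase = _new_phrase(4)
    person.one_time = (_hash_phrase(phrase, person.salt), now)
    return phrase


def sign_in(person: ApprovedPerson, phrase: str, network: str, now: datetime):
    """Return (accepted, reason, new_permanent_phrase).

    The permanent phrase is returned exactly once, on the sign-in that burns the
    one-time phrase; every later sign-in must use the permanent phrase."""
    # Context checks come first: where and when the sign-in is attempted.
    if network not in person.allowed_networks:
        return False, "network not approved", None
    if now.weekday() not in person.allowed_days:
        return False, "day not approved", None
    start, end = person.allowed_hours
    if not start <= now.hour < end:
        return False, "hour not approved", None

    candidate = _hash_phrase(phrase, person.salt)
    if person.one_time is not None:
        stored, issued = person.one_time
        if now - issued > ONE_TIME_LIFETIME:
            person.one_time = None                      # too late: the manager must request another
            if hmac.compare_digest(candidate, stored):
                return False, "one-time pass-phrase expired", None
        elif hmac.compare_digest(candidate, stored):
            person.one_time = None                      # single use
            new_phrase = _new_phrase(6)                 # replaces any earlier permanent phrase
            person.permanent_hash = _hash_phrase(new_phrase, person.salt)
            return True, "one-time pass-phrase accepted", new_phrase
    if person.permanent_hash is not None and hmac.compare_digest(candidate, person.permanent_hash):
        return True, "permanent pass-phrase accepted", None
    return False, "pass-phrase rejected", None


if __name__ == "__main__":
    alice = ApprovedPerson("alice", ["office-watford"], (8, 18), [0, 1, 2, 3, 4])
    otp = issue_one_time(alice, at(2017, 8, 22, 10, 0))
    print(sign_in(alice, otp, "office-watford", at(2017, 8, 22, 10, 5)))
    print(sign_in(alice, otp, "office-watford", at(2017, 8, 27, 3, 0)))
```

The manager never sees the permanent phrase, and a one-time phrase that is used late is rejected by reason rather than silently ignored, which is the event a monitoring service would want logged.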
## SMS Two-Factor Login

1. Two-factor SMS message login is not used because it can easily be demonstrated to be a major security vulnerability, as follows:
2. The criminal triggers the "forgotten password" procedure for the target and is asked a number of security questions whose answers can normally be guessed from the person's social media.
3. The criminal sends an email to the target stating that, because of an attack and to keep them safe, they need to log in again after their security is checked.
4. The criminal shows the target a form that looks identical to the forgotten password form and shows the identical questions that the criminal is shown.
5. The target replies to each security question by entering the answer into the criminal's form; the criminal replicates that same data into the real forgotten password form.
6. Eventually the forgotten password process says it is sending an SMS (or phone) message with an access code that must be entered into the form.
7. The target gets the access code and enters it into the criminal's form; the criminal enters it into the real forgotten password form.
8. Eventually the criminal is asked to enter their new password; they make up a complex password that is unknowable to the target.
9. The criminal is then able to log in to the application using the new password they created, while the target is told that the application is down for maintenance and asked to try again later.
10. With very clear evidence that the majority of forgotten password procedures are not safe, the most effective solution is to deploy anything else that is safe and secure.
## Pseudonymised and Replicated Encrypted Data (PARED)

1. Pseudonymisation has been used for more than a decade for some business data, and the current thrust is to use the technique to store most business data.
2. Pseudonymisation means replacing a field value with a token and using that token to look up a different data store that holds the real field value. For the last decade this was known as "code-description" options, but it had not been refined to incorporate encryption.
3. Real field values are encrypted and each is stored with its own unique primary key. The primary key is encrypted by an algorithm into a token that is stored in the person's record.
4. Two levels of encryption are used: one level for the field value and one level for the token, so the token cannot be associated with an encrypted field value. Different encryption methods are used for each field, so the same token value may be replicated to represent totally different field values.
5. Every database table is identified only by a number and every column in a record is identified only by a number; meaningful metadata has been eliminated. It can be hard for a criminal to know whether column 78 in table 123, holding a token like 345, is a token for a person's name or a department name in any other table or file.
6. Web 2.0 technology means that each field is saved as it is entered, so it is not possible to enter some data and forget to save it. Each field is therefore updated one at a time, and as the field value is updated in one database, the same encrypted transaction updates a different database in a distant data centre. Replication of all data means that in the event of a failure in one data centre, business continues to be provided by the other data centres.
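As an added illustration of items 2, 4, 5 and 6, not the service's own code, the following Python keeps records that hold only numeric tokens, in tables and columns known only by number, resolves a token through a per-column vault, and applies every write with the same token to several stores so a read survives the loss of a data centre. Assumptions: tokens are drawn at random rather than derived by encrypting the primary key as the page describes; vault values are left readable here so the indirection is visible (encryption of field values is a separate layer); and the table and column numbers, the `PseudonymisedStore` and `ReplicatedStore` names and the sample values are all constructed for the example.

```python
import secrets

TOKEN_SPACE = 10**9   # constructed: tokens are plain 9-digit numbers, like any other column value


class PseudonymisedStore:
    """One data centre's copy. Tables and columns are known only by number; a record
    holds tokens, and each (table, column) has its own vault mapping token -> real value."""

    def __init__(self):
        self.tables = {}   # table_id -> {pk: {column_id: token}}
        self.vaults = {}   # (table_id, column_id) -> {token: value}

    def put(self, table_id, pk, column_id, value, token=None):
        vault = self.vaults.setdefault((table_id, column_id), {})
        if token is None:
            token = secrets.randbelow(TOKEN_SPACE)
            while token in vault:                   # unique within this vault only
                token = secrets.randbelow(TOKEN_SPACE)
        vault[token] = value
        self.tables.setdefault(table_id, {}).setdefault(pk, {})[column_id] = token
        return token

    def get(self, table_id, pk, column_id):
        token = self.tables[table_id][pk][column_id]
        return self.vaults[(table_id, column_id)][token]

    def resolve_bare_token(self, token):
        """What a reader holding the data but no metadata sees: every value the
        token could stand for across all vaults, with no way to pick between them."""
        return sorted(str(vault[token]) for vault in self.vaults.values() if token in vault)


class ReplicatedStore:
    """Every field update is applied, with the same token, to every data centre."""

    def __init__(self, sites):
        self.sites = [PseudonymisedStore() for _ in range(sites)]

    def put(self, table_id, pk, column_id, value, token=None):
        token = self.sites[0].put(table_id, pk, column_id, value, token)
        for site in self.sites[1:]:
            site.put(table_id, pk, column_id, value, token)
        return token

    def get(self, table_id, pk, column_id, failed=()):
        """Read from the first data centre that is up; 'failed' simulates outages."""
        for index, site in enumerate(self.sites):
            if index in failed:
                continue
            return site.get(table_id, pk, column_id)
        raise LookupError("no data centre available")


def demo():
    """Constructed sample: table 123 holds contacts, column 78 a name, column 79 a
    department. Only this comment knows that; the stores hold nothing but numbers."""
    store = ReplicatedStore(sites=3)
    store.put(123, pk=1, column_id=78, value="Alice Example")
    store.put(123, pk=1, column_id=79, value="Sales")
    # The same token value is forced into two columns to show that a bare token is ambiguous.
    store.put(123, pk=2, column_id=78, value="Bob Example", token=345)
    store.put(123, pk=2, column_id=79, value="Finance", token=345)
    return store


if __name__ == "__main__":
    s = demo()
    print(s.sites[0].tables)                       # records: only numbers
    print(s.sites[0].resolve_bare_token(345))      # ['Bob Example', 'Finance']
    print(s.get(123, 2, 78, failed={0, 1}))        # served by the third data centre
```

The point of `resolve_bare_token` is that the token alone is useless without the (table, column) context, which is exactly what the numbered metadata withholds; the point of `failed` is that a read is served by whichever copy remains.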
## Notifiable Data Breach

1. For a data breach to have to be notified to the ICO, a risk must exist to personal data that has been lost or stolen.
2. It is a mission and an objective to do whatever it takes to eliminate the risk of a notifiable data breach.
3. Pseudonymisation is recommended by GDPR articles 25 and 32 as a means to improve data protection.
4. Encryption of field values is recommended by GDPR articles 32 and 34 as a means to improve data protection. Encryption means that if the stored data is accessed by a criminal agency, the data would be unintelligible, meaningless and worthless.
5. Replication is a means to provide integrity and availability as required by GDPR article 32, because replicated data cannot be lost: data can always be recreated from many other data centres. By deploying the Bespoke Application Service over a large number of data centres, the possibility of all data centres failing at the same time is too small to estimate. The mission and objective is for the Bespoke Application Service never to stop, and it cannot be stopped because some data centres will continue to operate.
6. Authentication with continual monitoring is a means to provide access control to only those approved people who have the right to process personal data at certain times.
7. It is stated that Pseudonymisation, Encryption, Replication and Authentication make the possibility of a notifiable data breach involving personal data being lost, stolen or accessed negligible.
## Customer Contact Workflow and Life Cycle

1. A customer contact agrees to a discussion or dialogue with a company: the sales person imagines they are "selling" and the customer contact knows they are "buying". The first step is that the company must disclose a lot of business data, such as who they are, where they operate, how long they have operated and what they offer.
2. When the customer contact is happy with the company data and what is on offer, the customer contact agrees to do a deal.
3. The customer contact must provide their personal data so the deal can proceed. The customer contact can self-register or provide their personal data to somebody else to transcribe; transcribing is more expensive and error prone.
4. The customer contact must formally consent to the processing of their personal data; evidence of consent can be hard to prove if the meeting is face-to-face or by phone. Where the customer contact uses a self-register form, a formal consent tick box can be included and all relevant information that the company must by law provide to the customer can be certain to be exchanged. Consent must be time limited, and 13, 25 or 37 months may be reasonable durations.
5. A paper "terms of business" and "letter of authorisation" may be signed by the customer contact where the company is not ready to minimise the cost of doing business by using electronic communications. Paper documents do not excuse the company from providing a large amount of data protection information and gathering evidence that the customer contact has accepted the data protection information.
6. After the customer contact has provided consent for their personal data to be used, and the company has evidence that the person is aware of the data protection information, the company may process that personal data.
7. The first sensitive process may be to credit check the customer contact, which involves sharing personal data with a third party, provided the customer contact has formally consented to such a process and the evidence has been saved.
8. The next sensitive process may be to obtain one or more supplier quotations for the customer contact, which involves sharing personal data with a third party, provided the customer contact has formally consented to such a process and the evidence has been saved.
9. Quotation details may then be shared with the customer contact for review and decision.
10. After the customer contact has made a decision, one supplier quotation will be accepted and the other supplier quotations will be declined. The customer contact has the right to request that the personal data shared with the declined suppliers is erased: the right to be forgotten.
11. The accepted supplier will provide what was quoted for a period of time. The customer contact has the right to request that their personal data is kept up to date, that errors are rectified and that their personal data is erased as soon as the contract comes to an end. Personal data will not be erased while billing is still outstanding, but the person has the right to withdraw consent for their personal data to be processed at any time.
12. A contract may be renewed where the customer contact gives consent to that renewal. Where the contract is not renewed, the company needs to erase the personal data as soon as it is no longer necessary.
13. All personal data must have a formal life cycle, must be erased when it is no longer needed, and the person must be informed when it is erased.

ONLINE: This sample data workflow shows that the customer must continually be kept in the loop, because the company must put the customer first. A regular dialogue between the customer and the company is mandated, and where that relationship can prosper, the company can prosper. The Bespoke Application Service is not just an internal CRM; it is a constant communications vehicle with customers.
## Digital Wallet: Private Block Chain

1. Personal data belongs to a data subject, who may consent for a company to share that personal data for a period of time.
2. Personal data is locked up in a secure digital wallet known as a private block chain; block chain has 20 years of evidence of being very secure.
3. The data subject can access their digital wallet at approved times of the day and days of the week to view, rectify, download or erase their personal data, or to withdraw consent for their data being used by the company. The data subject has the right to take their digital wallet to any other company.
4. The company can access each digital wallet at approved times of the day and days of the week to process that personal data for as long as the data subject has given consent.
5. Ownership of personal data in a digital wallet is self-evidently with the data subject, who must consent to that digital wallet being used by a company and can change their mind at any time.
## Privileged User Problem

1. The privileged user problem has been eliminated by removing the need to have any privileged user.
2. Approved people are granted normal sign-in rights, and no other person can access any business data.
3. Approved people include the ASP Second Level Support team, who use the normal Bespoke Application Service forms that are used by all approved people. The only exception is that Second Level Support, like Executives, can access data that is owned by any selected office.
4. System administrators have access to raw encrypted data in multiple data centres but have no way to know what data is in any file or table and no way to decrypt the contents. Vast amounts of encrypted business data are hidden in images that are lost in a massive image library; it is all meaningless to a criminal and to any person who has physical access to any equipment in any data centre.
## CRM Personally Identifiable Information (PII)

1. CRM holds PII about customer contacts, supplier contacts and staff.
2. PII includes: name, phone, email. Vehicle/vessel insurance CRM also includes: driving licence number and expiry date.
3. CRM excludes: gender, age, religion, disability, ethnicity, place of birth, home address, etc.
4. All PII is pseudonymised and replicated encrypted data (PARED) to ensure that PII (1) cannot be stolen, (2) cannot be lost and (3) cannot be the subject of a reportable data breach.
5. Notes. (1) Not all email addresses are PII, but all are pseudonymised and treated as if they were PII. (2) Job title and occupation are not considered to be PII, but they are pseudonymised.
## System Software

1. It is a business requirement to minimise the risk from vulnerabilities in the system software running racks of servers. One risk is that an agency will gain physical access to a rack of servers; it must be impossible for that agency to install malware or fit monitoring equipment. Another risk is that a criminal will gain remote access to a rack of servers; it must be impossible for that criminal to execute any programs or access any intelligible data.
2. Three Tier Architecture is the most secure server rack configuration that has been devised and is used to ensure that no database server or application server is connected to the Internet. Web servers are connected via an Intrusion Detection Server (IDS) with all ports disabled except 443 for HTTPS traffic.
3. Wilux is the most secure operating system, configured to disable all services except the one dedicated to web, application or database services. No application programs are installed and no application programs are permitted to be executed. When Wilux has come to the end of its life cycle (between 19 and 28 months), the machine is moved off line and refurbished. The risk of enabling regular patches to the operating system is greater than the risk of operating Wilux with all remote services disabled. Wilux is an engineered edition of CentOS with encrypted configuration files that prevent access, even if the machine were stolen.
4. Anti-virus is built into the CPU architecture to stop remote code execution and prevent any malware from being executed. The risk of daily anti-virus patch updates to software is greater than the risk of only using anti-virus hardware.
5. Servers are engineered as a simplified motherboard with CPU, local memory and encrypted flash memory. Multiple ethernet ports connect via local routers to other servers, but no graphics, USB or any other type of port exists.
6. A picture library is what will be seen if a server is stolen, with all system software files stored as pictures: unintelligible privacy by design. Hundreds of thousands of the pictures are not used, and it is impossible to distinguish which pictures hold real configuration details and which hold fake configuration details.
## Plausible Test Data

1. With more than a decade of continual improvements to the encryption methods, a mechanism for creating plausible fake business data has evolved.
2. All business data is encrypted using layer after layer of different methods, so if one layer is cracked, other layers continue to protect the business data.
3. In addition, a lot of fake test data is also encrypted and stored as the plausible result of a criminal using massive processing power to guess all possible decryption solutions. It is assumed that the decryption procedure will stall when a load of plausible fake test data is revealed.
4. Periodically, additional layers of encryption are introduced so that no single method is used to encrypt any specific field value. A field value encrypted last year will use a unique set of encryption methods, and the same field value encrypted today will use a different set of encryption methods. This ensures that if one set of encryption methods is cracked by massive processing power, other field values will remain protected.
## Risk Checklist

1. Equifax had hundreds of millions of personal details stolen over many months because they used a proprietary operating system that needed regular patches to prevent remote code execution. That risk is eliminated by not using a proprietary operating system that needs regular patching. That risk is eliminated by using a rack of dedicated servers where each server can provide one and only one service. That risk is eliminated by disabling all system software services except one specific service.
2. TalkTalk had millions of personal details stolen when a machine was physically stolen. Deutsche Bank had 20 servers stolen from their London office at midday by a gang of people armed with bolt cutters and sledge hammers. That risk is eliminated by only storing encrypted data and never storing readable data. That risk is eliminated by using a large number of single-purpose servers that are housed in the same secure data centres that house the UK broadband backbone.
3. The NHS and thousands of other companies lost the use of their computers when ransomware spread as Office files were opened. That risk is eliminated by not installing any application software on any server and not permitting any application program to be executed. That risk is eliminated by not permitting emails to be stored on any machine that can see a server; every email is a potential threat to be erased as soon as possible.
## Encryption Farm

1. Pseudonymised data is stored in encrypted files where many layers of encryption are deployed. The number of layers of encryption is a trade secret, but can be said to be ever changing. Each different field type has a unique set of encryption methods, and each field may have its own bespoke encryption layers.
2. An industry standard encryption layer using normal 2048 bit keys is used, but the result is further encrypted using many other methods.
3. Encryption includes the generation of fake business data that is a plausible result but is just made-up test data. Were a criminal to spend vast resources trying to decrypt the stored data, they would discover many alternative plausible results, the majority of which are fake.
4. Built into the encryption farm is a method of continual improvement, so the encryption methods used one week will not be the same as the encryption methods used in a later week. It would be illogical to imagine that one encryption method could be satisfactory for all time, so continual improvement means that a criminal trying to decrypt the stored data would be faced with an ever improving set of encryption methods.
5. Obfuscation is the primary security method, with no documentation to identify what data is stored in which table and no way to guess what a stored column token may represent. Table 123, column 78 may hold a value such as 567890 that may or may not be a token into some pseudonymised file of encrypted field values; even the token is encrypted. A unique characteristic of the architecture is that all data objects are represented by a number, all tokens are represented by a number and all files are represented by a number.
6. Fragmentation is a characteristic of primary data objects that are not stored as fields in one record, but fragmented into fields across many different records.
7. Field level encryption is based on more than one field value, so the same field value encrypted for different records will have a different encrypted representation. For example, if LONDON is encrypted as 98706543 in one record, the same value LONDON in a different record may be encrypted as 76541390.
8. Date field encryption is based on the number of time units since a prior historical event, where the time units may be a count of 345 second units and the historical event may be the date Kennedy was killed. While trial and error will eventually decrypt this date encryption method, another factor is continual evolution, where the time units will vary and the historical event will vary based on other stored data.
9. The mission is not to prevent decryption, but to cause many plausible results to be possible. A solution is not to use one encryption method but to deploy many thousands of different encryption methods layered on top of one another; five layers may be too hard to reverse. It has been said that it may be impossible for the most powerful computers in the world to decrypt a field value that has been encrypted using many different encryption methods in an order that cannot be determined.
## PII Encryption

1. The mission is to ensure that business data cannot be stolen and used by a criminal; only meaningless and worthless encrypted garbage can be stolen from any stored data.
2. All business data is encrypted, so the context of fields in a record is unknowable to a criminal. However, three field values have additional encryption:
   (1) Person's Name is fragmented into two parts and each part is independently encrypted using different pseudonymisation methods. The first name is stored as a token with a value from 3 Feb 2002 to 27 Dec 2005. The family name is stored as a token with a value from 21 Jan 2005 to 31 Dec 2011.
   (2) Email Address is fragmented into two parts and each part is independently encrypted using different pseudonymisation methods. The prefix is stored as a token with a value from 3 Feb 2001 to 20 Dec 2007. The suffix is stored as a token with a value from 9 Jan 2010 to 9 Dec 2013.
   (3) Phone Number is fragmented into two parts and each part is independently encrypted using different pseudonymisation methods. The prefix is stored as a token with a value from 7 Feb 2003 to 20 Dec 2005. The suffix is stored as a token with a value from 2 Jan 2009 to 22 Dec 2019.
3. A record that may once have stored the person's name, email and phone is improved to a record that stores six dates that cannot be reverse engineered to the original field values. A clever criminal who counts unique instances of each field may think they can deduce which stored field represents what kind of data. The criminal may expect more instances of "john" to be stored, but the criminal cannot know that every field value is unique because the record primary key is a factor in the encryption methods used.
4. It is suggested that the most powerful computers in the world cannot decrypt six sets of dates into a person's name, email and phone with any credibility. To ensure this theory is proven, a considerable amount of fake data is incorporated into the set of records so that many plausible results exist.
5. The use of dates as tokens is just one of many layers of encryption deployed. This example fragments a field value into two parts, while in practice much more fragmentation is deployed. A token value will be reused over and over again in different contexts, so 21 Aug 2012 will mean the town is "Watford", and the same token value will mean the person's job title is "Broker" and the person's preferred contact method is "email".
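Item 7 of the Encryption Farm section and items 1 to 3 of this section describe two properties that a practitioner can implement with standard primitives: field-level encryption in which the record primary key is a factor, so that LONDON in two records never produces the same stored bytes, and fragmentation of name, email and phone into separately encrypted parts. The Python below is an added example for this page, not the service's own method, and it does not reproduce the date-as-token scheme. It derives a key per (table, column, record) with HMAC-SHA256, uses that key for a counter-mode keystream with an encrypt-then-MAC tag as a standard-library stand-in for an AEAD cipher, and stores the six fragments under constructed column numbers. The master key, the column numbers, the `encrypt_field`, `decrypt_field`, `store_contact` and `load_contact` names and the sample contact are all assumptions made here.

```python
import hashlib
import hmac
import os

MASTER_KEY = os.urandom(32)   # constructed for the example; a deployment would manage this key separately
NONCE_LEN = 16
TAG_LEN = 16

# Constructed table and column numbers for the six fragments (the page's record-level metadata is numeric).
CONTACT_TABLE = 123
FRAGMENT_COLUMNS = {"first_name": 201, "family_name": 202, "email_prefix": 203,
                    "email_suffix": 204, "phone_prefix": 205, "phone_suffix": 206}


def _prf(key: bytes, *parts) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, used both to derive keys and as a keystream."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        if isinstance(part, str):
            part = part.encode()
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def _field_key(master: bytes, table_id: int, column_id: int, pk: int) -> bytes:
    # The record primary key is a factor: one value in two records gets two different keys.
    return _prf(master, "field", str(table_id), str(column_id), str(pk))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += _prf(key, "stream", nonce, counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt_field(master: bytes, table_id: int, column_id: int, pk: int, value: str) -> bytes:
    """Returns nonce || ciphertext || tag. A fresh nonce means even re-saving the same
    value in the same record changes the stored bytes."""
    key = _field_key(master, table_id, column_id, pk)
    nonce = os.urandom(NONCE_LEN)
    plaintext = value.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = _prf(key, "tag", nonce, ciphertext)[:TAG_LEN]          # encrypt-then-MAC
    return nonce + ciphertext + tag


def decrypt_field(master: bytes, table_id: int, column_id: int, pk: int, blob: bytes) -> str:
    """Fails closed: a blob read under the wrong record context, or altered in storage, is rejected."""
    key = _field_key(master, table_id, column_id, pk)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = _prf(key, "tag", nonce, ciphertext)[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong record context or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


def fragment_contact(name: str, email: str, phone: str) -> dict:
    """Split the three PII values into the six fragments the page describes."""
    first, _, family = name.partition(" ")
    local, _, domain = email.partition("@")
    return {"first_name": first, "family_name": family, "email_prefix": local,
            "email_suffix": domain, "phone_prefix": phone[:5], "phone_suffix": phone[5:]}


def store_contact(master: bytes, pk: int, name: str, email: str, phone: str) -> dict:
    """Each fragment is encrypted under its own (table, column, record) key; the result is
    a record keyed only by column number."""
    return {FRAGMENT_COLUMNS[k]: encrypt_field(master, CONTACT_TABLE, FRAGMENT_COLUMNS[k], pk, v)
            for k, v in fragment_contact(name, email, phone).items()}


def load_contact(master: bytes, pk: int, record: dict) -> tuple:
    parts = {k: decrypt_field(master, CONTACT_TABLE, col, pk, record[col])
             for k, col in FRAGMENT_COLUMNS.items()}
    return (parts["first_name"] + " " + parts["family_name"],
            parts["email_prefix"] + "@" + parts["email_suffix"],
            parts["phone_prefix"] + parts["phone_suffix"])


if __name__ == "__main__":
    # Constructed sample contact.
    rec = store_contact(MASTER_KEY, 7, "John Example", "john@example.invalid", "01923 000000")
    print({col: blob.hex()[:24] + "..." for col, blob in rec.items()})
    print(load_contact(MASTER_KEY, 7, rec))
    a = encrypt_field(MASTER_KEY, 123, 78, 1, "LONDON")
    b = encrypt_field(MASTER_KEY, 123, 78, 2, "LONDON")
    print(a != b)   # True: same value, different records, different stored bytes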
## Replication

1. The mission is to ensure that business data cannot be lost, by storing a large number of copies of the encrypted images that represent business data. It is assumed that when more than ten copies are stored in independent data centres, the possibility of losing any business data tends towards zero.
## Threats have Counter Measures

1. Malware risks have been eliminated by not permitting any business data to be stored on any client computer or phone.
2. Ransomware risks have been eliminated by not permitting any business data to be stored on any client computer or phone.
3. Password theft risks have been eliminated by 24/7 monitoring with multi-factor authentication.
4. Lost or stolen computer risks have been eliminated by not permitting any business data or emails to be stored on any client computer.
5. Lost or stolen phone risks have been eliminated by not permitting any business data or emails to be stored on any smart phone.
6. Human error risks have been eliminated by 24/7 monitoring, by deleting mail after it has been sent, and by eliminating mail to the wrong person.
7. Insider theft risks have been eliminated by demanding at least three people working in cooperation to physically access any server that holds encrypted data.
## Document Control

Document Title: Data Protection Impact Assessment.
Document Description: GDPR Data Protection Impact Assessment.
Document Key Words: GDPR, policy, process, procedure, Data Protection Impact Assessment.
Document Privacy: Public, shared for the benefit of humanity.
Document Edition: 1.3 retail GBP 249.99.
Document Released: 22 Aug 2017.