GDPR Compliance Topics

1. GDPR Compliance Topics:
1. General Data Protection Regulation (GDPR) became UK law in April 2016 and will be enforced from 25 May 2018.   GDPR may be the single most significant legal change where compliance is mandated when dealing with people in the UK, Europe, Australia, New Zealand, Argentina, South Africa, Singapore, Canada and many other countries.   USA-based companies must comply with GDPR when they interact with people from any of the above countries.
2. May 2018 may see millions of Subject Access Requests bombarding companies that are not fully prepared and may not fully comply with the law.

2. Glossary of Terms:
"GDPR" means the General Data Protection Regulation as UK law.
"SAR" means Subject Access Request, a demand by a person for the information held about them.
"PII" means Personally Identifiable Information, the information that GDPR protects.
"ICO" means the Information Commissioner's Office, which regulates GDPR.
"DPP" means Data Privacy Policy incorporating threat analysis, controls and counter measures.
"DPO" means Data Protection Officer, who is responsible for creating and maintaining the DPP as an asset rather than an overhead cost.
"PECR" means Privacy and Electronic Communications Regulations as UK law.

3. Personal Identifiable Information:
1. GDPR demands that Personally Identifiable Information (PII) is kept secure and private.   All information associated with people must be kept private.   People do business with people.
2. More than 80% of companies have information as their primary asset.   A company could survive if any major machinery was broken, but could not survive if it lost its information.
3. Every company must record PII about its shareholders, directors and staff.   Most companies record PII about customer contacts and supplier contacts.   Companies may wish their Intellectual Property Rights information, research information or related critical business information to be kept private and secure, but there is no legal obligation to do so.

4. Data Breach Notification:
1. GDPR makes it a legal obligation on every company to report any data breach to the Information Commissioner's Office (ICO).
2. Any laptop containing business data and/or emails that is lost or stolen is a data breach that must be reported.   An exception would exist only if all PII was fully encrypted.
3. GDPR places obligations on smart phones used to communicate business emails.   If the smart phone is lost or stolen, then either all business emails and documents must have been encrypted or a data breach must be reported.
4. When a person accesses any data that they should not access, that data breach must be detected and reported to the ICO.   Procedures are mandated so that such a data breach can be detected and reported.
* ASP shall never put itself in a position that could result in a data breach.

5. Consent:
1. GDPR makes it a legal obligation to gain formal consent from a person before sending that person any information that is not part of a normal business transaction.
2. Every communication must also give the person the ability to unsubscribe from being sent such information.
3. Subscription management is mandated to replace traditional email services, giving people the right to opt in and opt out of communications.   The management of consent subscriptions is a major mandated change.

6. Liabilities:
1. GDPR cannot be overlooked because sanctions, fines and mandatory compensation to all impacted people can bring a company down.   It is no longer acceptable to hide behind an insurance policy and imagine it will pay out in the event of a data breach - by law, insurance policies cannot cover inadequate privacy measures.
2. Every company is assumed guilty until they can prove with evidence that all reasonable privacy and security measures were taken.   Every person is assumed innocent until they can be proven to be guilty of a crime.   This means that every company has a duty of care to gather evidence on a daily basis of what threats, attacks and controls are being used.
3. A point of deviation exists with traditional security professionals who state that complete privacy and security is not possible.   The survival of the ASP business is totally dependent on 100% privacy and security - all possible threats and attacks have appropriate counter measures.   While some pretend that all possible threats cannot be determined, we choose to deploy all possible counter measures to prevent any threat from becoming a data breach.
4. As a policy, the possibility of suffering a data breach must be eliminated because the liabilities are so significant.   A benefit is that data breach notification procedures can be minimised.

7. Transparent Governance:
1. Evidence management is mandated to prove that every company complies with privacy and security topics.   Every company is assumed to be guilty until they can prove with evidence that they have taken all reasonable privacy and security measures.   Every company without privacy and security evidence is guilty of not complying with their legal obligations.

8. Lost Laptop:
1. Evidence from history shows that most data breaches come from laptops containing business data and emails being stolen by criminals.   Nationwide was fined 1.5 million pounds when an executive was burgled and a laptop was taken that contained customer data and emails containing confidential business information.   A builder was fined 5000 pounds when a thief stole his laptop from his car while it was stopped at traffic lights - the laptop contained emails with quotations, building plans and sensitive planning information for hundreds of clients.
2. The press reports smart phones being stolen to order because they hold emails with critical business information that can be sold to many third parties.   People with smart phones are putting themselves and their families in danger from criminal gangs who can profit from stealing the business information held on those phones.   The Information Commissioner's Office has stated that such lax behaviour will be fined until people take a more responsible position.
3. In-house servers are at risk and any company still using in-house servers needs to thoroughly increase their physical protection.   A German bank in the City of London was attacked at noon by 20 people in motorcycle gear carrying bolt cutters and big mallets.   The gang pushed past reception and down the corridor to the computer room, cut 20 servers from the racks and escaped with them in a few minutes.   Not only did the bank lose all its current customer data, it lost its backups and could not recover a lot of customer information.   The cost of replacing the stolen servers was trivial by comparison with the lost business and the value of the lost customer data - customer compensation was many millions.
4. As a policy, no business data is stored on any in-house server, desktop, laptop, tablet or smart phone - any such device could be stolen and cause a data breach.   As a policy, no USB drives are permitted, no local storage devices are permitted and no Network Attached Storage (NAS) is permitted.   As a policy, business data, documents and emails can be viewed and processed using encrypted communications while remaining in the cloud with encrypted storage.
* ASP shall replicate business data to a large number of secure data centers, but shall never store business data on any local computer that could be stolen.

9. Data Privacy Policy:
1. Data privacy is a board level decision while data security is a technology solution.   Security methods and techniques assist in the delivery of privacy.
2. It is a policy to fully comply with the letter and spirit of every data privacy principle, regardless of cost.   Because privacy is fundamental to the survival of the business, nothing less than total privacy is acceptable.   Some commentators have said that 100% privacy is not achievable, but ASP only needs to be much better than everybody else so criminals will attack everybody else.
3. It is a policy to ensure that a reportable data breach is not possible.   This is achieved with three simple decisions as: (1) encrypting each and every field, (2) never storing business data (emails) on a computing device that may be stolen and (3) never storing business data in a spreadsheet or document that may be copied.
4. Excessive Encryption is at the heart of this data privacy policy - when all data is totally encrypted, a data breach cannot happen because all data is meaningless and worthless.   Every company that fails to deploy excessive encryption will eventually have a data breach.
5. Email Elimination is at the heart of this data privacy policy - communication is only by encrypted online application services that cannot be read by third parties.   Every company that continues to use public email services will eventually have a data breach.
6. Office Elimination is at the heart of this data privacy policy - spreadsheet and document processing are provided by secure online application services.   Every company that continues to use Office tools will eventually have a data breach.

10. Threat Analysis:
1. Threat analysis is part of the Data Privacy Policy to document all possible threats with associated controls and counter measures.   While data security may be treated as a technology issue, data privacy is a board room issue of how the company chooses to operate.
2. Threat analysis shows that people who know an application service are the primary threat - controls begin by making sure that system administrators cannot be threatened into disclosing business data, because they do not have access to any such business data.   Second Level Support people use exactly the same online application services as any other person and everything is encrypted all the time.
3. It is not a reportable data breach when an approved person downloads some customer data that they are entitled to view and then sells that customer data to a competitor.   What the approved person is doing may be illegal and against their contract of employment, and it is a data privacy breach by the company, but it is not a reportable data breach of security controls.   The owner is responsible for determining what business data can be downloaded and is responsible to the ICO for any data breach that may result from that download.   The ASP is responsible for making sure that business data cannot be downloaded by people who are not entitled to download such business data.
* During 2017, each owner shall formally document for the ASP to implement, who can download what with the default that nobody can download anything. ASP shall recommend that all download services should be disabled.

11. People Classification:
1. Behavioural monitoring and analysis are used to classify people into the following sets:
2. Unwanted Visitor is a person accessing a web page from a country that is not the USA or Europe.   Any unwanted visitor is shown only a "hello world" message and no other data.
3. Unknown Visitor is a person accessing a web page from the USA or Europe.   Any unknown visitor is shown any public web page.
4. Known Visitor is an approved person accessing a web page from the USA or Europe.   Any known visitor is shown any public web page and will be identified by name by the authentication web page.
5. Approved Person has been granted authentication rights to sign in and access certain business data.   Authentication is automatically renewed for a month each time a person signs in.
6. Approved Manager is an approved person with more rights to access more application services.   Each approved person has a set of data and function access rights.
7. System Administrator is a role to be eliminated because threat analysis shows that system administrators are the target of criminal attacks.   Once an application service is configured and started, the role of system administrator is no longer needed.   No single person has access rights to any operational server or physical data center.
* Privacy is a board room decision that classifies people according to their data and functional rights.

12. Data Directory and Classification:
1. Business data is classified according to the degree of threat.
2. Public information, such as the content of public web pages, is copyrighted but is in the public domain, where it will be copied and plagiarised by visitors in the USA and Europe.   People in other countries would need to use a VPN with an internet connection in the USA or Europe to access such public information.   People in other countries without a VPN may only see a "hello world" message.
3. Private Reference information is shared data in the public domain that is used by private application services, such as a list of all country codes.   Only approved people who have been authenticated can access private reference information in read-only mode.   A few authenticated people can add new private reference information with a private evidence chain of all such additions.
4. Private Internal information is the business data managed by a set of bespoke application services.   This includes customer and supplier contact PII details that must comply with GDPR.
5. Private External information includes business emails and documents that are shared with external customers and suppliers.   Subscription management is involved as people opt-in and opt-out of different communication strategies.
6. Private Support information includes HR staff data where each approved person has the right to view and correct their own data.   Excessive encryption is involved on all fields so all data is unreadable, meaningless and worthless to criminals.
* Privacy is a board room decision that has a different solution for each data class.

13. Where is the data:
1. All business data is encrypted and replicated to many secure data centers.   Data is encrypted at the partition level, database level, table level, record level, field level and sub-field level using many different encryption methods and techniques.   It is expected that from time-to-time, an encryption method will be cracked, but all business data remains secure within many other encryption layers.
2. It is plausible that all business data is in all data centers, in some data centers or in no data center, because no business data can be identified.   It may be reasonable to ask "where is the HR data for Mr John Doe" and it is plausible to say that nobody knows, because nobody can read business data when every field is encrypted.
3. It is understood that agencies may be able to track and trace business information to a specific data center that houses thousands of racks of servers.   It may be possible for an agency to identify a specific rack of servers in a specific data center.   It may be possible for an agency to copy all stored data from the rack of servers on the understanding that all disk partitions are encrypted.   It may be possible for an agency to detect a database in a disk partition, but the entire database is encrypted using unique keys.   It may be possible for an agency to extract a table from the database, but the entire table is encrypted using different methods.   It may be possible for an agency to view a record in a table, but every field in the record is encrypted using different techniques.
4. It is plausible that any business data has a life cycle of less than 10 milliseconds before it is encrypted and can no longer be classified as business data.   The encrypted data is replicated to many different physical locations, so the question "where is the data" could have many different correct answers.   If it were said that the data was in a specific data center, that could never be proven because all the data in that data center is unreadable and meaningless.
5. Business data is encrypted until it appears on the screen for an approved person.   That business data could be saved to a local computer, printed and photographed while it is shown on the screen.   A computer screen that can be viewed from outside the building may be considered a data leak or reportable data breach.
* Security is a technical decision that can be identified by excessive encryption.
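The per-field encryption described above, written here as an added example and not the ASP's own code: each field of a record is sealed with AES-256-GCM under a key derived for that table and field, and the table, record id and field name are bound as associated data so a ciphertext cannot be moved to another column or record unnoticed. The HMAC-based key derivation, the table and field names and the master key are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// fieldKey derives a distinct 256-bit key for one table/field pair from a
// master key. HMAC-SHA256 stands in here for a KDF (assumption: a production
// design would use HKDF or a key management service, not this shortcut).
func fieldKey(master []byte, table, field string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("field-key\x00" + table + "\x00" + field))
	return m.Sum(nil)
}

// aad binds a ciphertext to its table, record and field so it cannot be
// copied into another column or another record without detection.
func aad(table, recordID, field string) []byte {
	return []byte(table + "\x00" + recordID + "\x00" + field)
}

func fieldGCM(master []byte, table, field string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(fieldKey(master, table, field))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one field value with AES-256-GCM under that field's own
// key and returns nonce || ciphertext || tag.
func EncryptField(master []byte, table, recordID, field string, value []byte) ([]byte, error) {
	gcm, err := fieldGCM(master, table, field)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, value, aad(table, recordID, field)), nil
}

// DecryptField reverses EncryptField; any change to the blob, or an attempt
// to read it as a different table, record or field, fails authentication.
func DecryptField(master []byte, table, recordID, field string, blob []byte) ([]byte, error) {
	gcm, err := fieldGCM(master, table, field)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(table, recordID, field))
}

// EncryptRecord encrypts every field of a record, each under its own key, so
// the stored row never holds a single readable field.
func EncryptRecord(master []byte, table, recordID string, rec map[string]string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(rec))
	for field, value := range rec {
		blob, err := EncryptField(master, table, recordID, field, []byte(value))
		if err != nil {
			return nil, err
		}
		out[field] = blob
	}
	return out, nil
}

func main() {
	master := []byte("constructed-demo-master-key") // demo value only
	row, _ := EncryptRecord(master, "staff", "emp-001", map[string]string{"name": "John Doe", "email": "john@example.com"})
	for f, b := range row {
		fmt.Printf("%s: %x\n", f, b)
	}
}
```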

14. Domain Name:
1. By design, the domain name to provide bespoke application services is not registered to the owner and cannot be linked by criminals to the owner.   While all private web pages are copyrighted to the owner, the public pages never reference the owner by name.   By law, the ASP must be named on public web pages, but the owner name does not need to be disclosed.
2. It is a line of defence to separate the bespoke application service web site from the owner, so that a criminal wishing to attack the owner will not identify the web site and a criminal wishing to attack the web site will have no idea who the owner may be.   Privacy begins by not disclosing trivial details that give knowledge to criminals.
* Privacy is a board room decision that can be identified by separation of owner and web site domain.

15. URL Design:
1. Each data classification deserves its own unique URL design so a criminal who gathers information from one class of data will have no knowledge of how other classes are designed.   Specifically, the public web pages have a simplified URL design that conveys no information about how any private web page URL is designed.
2. URL design includes security measures to detect and stop any kind of URL manipulation.   When any URL has been criminally manipulated, that criminal is silently blacklisted without any error message.   The criminal can continue to waste their time with further URL manipulations, but no matter what they enter, they will only be shown the home page.
3. When a criminal is identified and blacklisted by one application service, that criminal is automatically blacklisted for all other application services.   Many honeypot web sites are provided to entice criminals to show their skill with a honeypot of made-up data that looks valid, but is as traceable as a fingerprint.   When the criminal tries to resell or exploit the made-up data, they can be identified and prosecuted.
* Security is a technical decision that can be identified by URL design.
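One way to implement the URL manipulation check and the shared blacklist described above, written here as an added example and not the ASP's own mechanism: every issued URL carries an HMAC signature over its path and query, a mismatch silently serves the home page and records the client in a blacklist shared by all application services. The service names, signing keys and client addresses are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sync"
)

// Blacklist is shared by every application service: a client blacklisted by
// one service is blacklisted for all of them. Keyed by client address.
type Blacklist struct {
	mu   sync.Mutex
	seen map[string]bool
}

func NewBlacklist() *Blacklist { return &Blacklist{seen: map[string]bool{}} }

func (b *Blacklist) Add(client string) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.seen[client] = true
}

func (b *Blacklist) Has(client string) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.seen[client]
}

// Service issues HMAC-signed URLs, so any edit to the path or query is
// detectable without revealing how the URL space is laid out.
type Service struct {
	name string     // mixed into the MAC so a signature is not portable between services
	key  []byte     // per-service signing key (assumed)
	bl   *Blacklist // shared blacklist
}

func (s *Service) sign(pathAndQuery string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(s.name + "\x00" + pathAndQuery))
	return hex.EncodeToString(m.Sum(nil))
}

// IssueURL returns a path whose "sig" parameter covers the path and every
// other query parameter.
func (s *Service) IssueURL(path string, q url.Values) string {
	base := path + "?" + q.Encode()
	return base + "&sig=" + s.sign(base)
}

// Resolve decides which page is served. A blacklisted client, an unparsable
// URL or a bad signature all get the home page with no error message, and
// the offending client is added to the shared blacklist.
func (s *Service) Resolve(client, raw string) string {
	if s.bl.Has(client) {
		return "/"
	}
	u, err := url.Parse(raw)
	if err != nil {
		s.bl.Add(client)
		return "/"
	}
	q := u.Query()
	sig := q.Get("sig")
	q.Del("sig")
	base := u.Path + "?" + q.Encode() // same canonical form that IssueURL signed
	if !hmac.Equal([]byte(sig), []byte(s.sign(base))) {
		s.bl.Add(client)
		return "/"
	}
	return u.Path
}

func main() {
	bl := NewBlacklist()
	orders := &Service{name: "orders", key: []byte("constructed-demo-key"), bl: bl}
	link := orders.IssueURL("/orders", url.Values{"id": {"42"}})
	fmt.Println(orders.Resolve("10.0.0.5", link))                  // /orders
	fmt.Println(orders.Resolve("10.0.0.9", "/orders?id=43&sig=x")) // /
}
```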

16. Application Stack:
1. Many thousands of private web pages are available to be used, but one and only one web program is used to access all web pages.   Security begins by reducing the stack of programs that can be exploited by a criminal to one - only one program can be seen and so only one program can be attacked.
2. The one web program that exists is the artificial intelligent assistant that is driven by a knowledgebase of business rules.   Evidence is that criminals have not yet learnt how to attack an artificial intelligent assistant and are incapable of applying malware to knowledge.
3. It took a long evolutionary journey to reduce the application stack to one artificial intelligent assistant.   An accidental benefit is that criminals have no experience of how to attack such an application stack.   No application programs exist and no application programs can run on any server, so malware, viruses and Trojans cannot run on any server.
4. For more than a decade, the finest security consultants in the land have tried and failed with their penetration tests.   Every day, criminals in all parts of the world try and fail to find any way into any application service, even the honeypots that are engineered to look tempting.   The elimination of application programming has created a secure and private environment in each data center that is beyond the experience and expectations of criminals.
* Privacy is a board room decision that can be identified by the elimination of programming and the reduction of the application stack to one.

17. System Administration:
1. Having eliminated the need for system administration tasks from all operational application services, it is clear that the only reason system administration tasks took so long to be phased out was a lack of board level commitment.   As soon as the strategic decision was made to eliminate system administration, then privacy and security became very much more effective.
2. Every System Administrator in the world knows they are a target for agencies and criminals.   It was imagined that a system administrator could take a backup copy of all business data and sell it to a criminal.
3. Backup is a very poor operational technique with a 50% probability of failure - it was superseded more than a decade ago when replicated data was introduced.   Criminals know that attacking and copying backup data is a cheap and easy way to get rich - so backups had to be eliminated.
4. Data replication is 100% automated and works with encrypted field values, so anybody with access to replicated business data can only see encrypted meaningless and worthless data.   Administration of replicated data to ten data centers is fully automated.
5. Application programming has been eliminated, so anti-virus protection is meaningless.   System software is locked down in dedicated servers so it does not need to be patched until the machine needs to be replaced.   An effect is that servers are replaced before they fail, but day-to-day system administration is avoided.
6. ASP have a duty of care to its people to make sure they and their families are not put in a position of danger from criminal gangs.   No one person has a password that can access any operational server, so no matter what threats are made, the ASP publish a clear, open and transparent statement that no person can access any physical server.   In fact, it is very likely that no ASP person knows the physical location of any dedicated server.
* Privacy is a board room decision that can be identified by the elimination of system administration.

18. Privacy and Electronic Communication Regulations (PECR):
1. PECR is an extension of GDPR to deal with subscription management for people receiving marketing information.   For business survival reasons, ASP have chosen never to communicate private, confidential or sensitive information by email or telephone.   Email is not-fit-for-purpose where a purpose includes privacy and security.   Telephone is not-fit-for-purpose where business privacy must be maintained.
2. Email servers get hacked every day - an email server must not contain any private, confidential or sensitive information that must not get into the hands of criminals who may sell it to competitors or make it publicly available.   Every email is copied by many agencies in many countries - what is legal communication in one culture at one point in time may be illegal in another culture at a later time.   It is not possible to delete all copies of any electronic communication from all agencies in all countries, so eventually the content of every email shall be published - when?
3. Threat analysis shows that a worst-case scenario is that an email server is hacked and all emails are made public, including some made-up emails designed to benefit an adversary.   A person is then obliged to acknowledge that 99% of the emails are genuine and that company confidential information has been leaked, but they must try to prove that one percent are not true.   The smoke caused by the disclosure of so much private company information will obscure the fact that a few emails are false and do not reflect the true position at the time.   Just a few minor changes to a real email to criticise a strategic direction, to make sexist remarks about a colleague or to cast doubts on a new product could cripple a career for life.
4. Scenario: two people are shortlisted for a senior post.   The following day, emails from 20 years earlier by one of the candidates are made public.   Those emails contain inappropriate language and are scathing of executive decisions, with extreme opinions about some of the decision makers.   The emails are all real, but have been slightly changed to add some bad language and extreme opinions.   Worldwide publicity by all news agencies shows the company in a bad light - who will be appointed to the vacant senior post?
5. Cultures evolve, and what was said on TV about people from Africa in 1960 would be totally inappropriate forty years later.   Religions evolve, and what can be said about people of faith in one decade may become inappropriate in a later decade.   It is illegal to offend another person by email contents, where the other person is the judge of what is offensive.   Suggesting that a computer geek was a little queer may be acceptable in one decade but offensive in another - some find "geek" to be offensive.   Ageism has evolved to the point where it is now illegal to ask a person's age when interviewing.   Gender has evolved to the point where it is now illegal to record a person's gender when interviewing.   Even a person's family name may have to be censored because it could accidentally influence an interview.
* Privacy can be enjoyed by eliminating ad-hoc email (and phone) messages and only using shared business data.

19. Email Legacy:
1. Emails cannot be deleted, they are copied by many agencies in many countries, contents are read, processed, consolidated and sold to third parties.   End-to-end email encryption may be meaningless if the emails pass through email servers owned by Microsoft, Google, Yahoo, Apple, Amazon, eBay and associated email servers that hold copies and process email contents.
2. Evidence shows that what nice government agencies can do one year, bad governments can do the following year and criminals can do the year after - copies of all emails will exist for hundreds of years to come.   To be realistic, the content of every one of your emails will one day be disclosed and you may be judged by how they are interpreted by a future culture with a future way of thinking.
3. Privacy is a choice of "I don't care" or "I do care" about the future when email contents may be disclosed for adversarial purposes.   Where a person does not care about their reputation at one stage in their life, that legacy may dictate their future reputation.   Where a person does care about who they are and takes care to minimise email, then that legacy reputation will define their future reputation.
4. After social media evolved for twenty years, certain countries demanded full access to a person's social media data to enter the country or to apply for a job.   It may be the next step for governments to demand access to all emails before a person can apply for a job, have benefits or travel to a new country.   Access to all telephone calls, pictures, music preferences and other data may be a natural evolution of the current social media access demands.
5. Threat analysis indicates that email avoidance has lower liabilities than sending emails to many people.   Security controls begin with email reduction towards zero by replacing messages with secure online application services that Internet agencies cannot read.
* Privacy is a cultural decision that some will embrace and some will discard - indications are that most young people have discarded privacy for life.

20. Subject Access Request:
1. It has been suggested that some legal firms may submit millions of SAR to overload a company that has not prepared for GDPR.   It has been suggested that people will be invited to share in class-actions for compensation claims on companies that do not fully comply with all parts of GDPR.
2. A company has forty days to collect all requested information for each person who submits a SAR.   The time and cost to extract and edit such information from a large number of private inboxes may be significant.   Editing may be needed to make sure that other peoples privacy rights are not compromised by a SAR reply.
3. ASP have chosen to grant any person the right to sign in and view all their own data.   This applies to staff, customers and suppliers - any person may view their own business data.   This open and transparent approach ensures that private opinions are not recorded in any business data.   Even comments about a person going on holiday or getting married or being on maternity leave must be eliminated as private matters that have no place in business data.
* Privacy is proven by granting people the right to sign-in and view their own data.

GDPR Conclusion:
1. Excessive Encryption is at the heart of this data privacy policy - because all business data is encrypted, a data breach cannot happen because all business data is meaningless and worthless.
2. Email Elimination is at the heart of this data privacy policy - communication is only by encrypted online application services that cannot be read by third parties. Telephone is also eliminated for the same reason.
3. Office Elimination is at the heart of this data privacy policy - spreadsheet and document processing are provided by secure online application services.
4. Storage Eliminated from in-house servers, desktops, laptops, tablets, smart phones and all other kinds of local devices so business data and emails cannot be stolen.
5. Shared Evidence is automatically gathered to prove that all reasonable privacy and security measures are enacted on a daily basis.
6. Personal Privacy is extended to social media to ensure that owner information cannot be disclosed or implied from work history, travel profiles or skills.
7. Ad-Hoc Messages are eliminated and replaced with standard correspondence that cannot be faked or changed in the future.
8. Application Programming is eliminated and replaced by an Artificial Intelligent Assistant driven by knowledge as business rules that cannot be hacked.
9. Data Breach possibility is eliminated - no matter what the cost.
10. Replicated business data shall increase from tens of data centers to hundreds of data centers - business data cannot be lost and nobody can ask where is the data.

Document Control
1. Title: GDPR Compliance Topics.
2. Reference: 162728.
3. Key Words: GDPR, policy, process, compliance, procedure, business rules.
4. Description: GDPR compliance Topics.
5. Privacy: Public shared for the benefit of humanity.
6. Edition: 1.3.
7. Issued: 22 Aug 2017.