In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of security by design.
Amar: Welcome to Cyber Management Alliance’s GDPR mini webinar series. You’re watching episode four, Security by Design. For those of you who are joining us in this particular episode, we have episodes one, two and three, and you can search and watch them at BrightTalk.com; search for Cyber Management Alliance or search for GDPR mini webinar series and you should see them on our channel. I’m joined today by Chris Payne from Advanced Cyber Solutions and my name is Amar Singh. Chris, welcome.
Chris: Hey, Amar.
Amar: Excellent, Chris. So, we’re going to carry on from episode three and a very interesting and important topic which is Security by Design. So, the principle, the sixth core principle; go on, Chris, expand a little bit on this.
Chris: Yes, so, anybody who has watched our previous videos will know that we covered five of these and we promised to cover the sixth, so this is us living up to that promise, and the reason is that it’s an entire subject in itself. So, the first five core principles concentrate on proper collection, processing, the legalities of collection and processing. The sixth core principle introduces the idea of security and how it reads, and I’ve summarised it here, as it is a little bit more technical in its jargon, so we could read it in the regulation itself, but I’ve summarised it as: personal information must be processed in a manner that ensures its security, and of course, most people discuss that as the topic of Security by Design.
Amar: Excellent. Now, why is this so important, Chris? I mean, people seem to think there’s too much technicality and design but you and I both know, and those listening in, should understand that it's not necessarily a very technical thought process. It's more of a change of process and as we’re going to discuss a little bit later, ensuring that it's a cultural change. So, I mean, what’s the next slide that we’re looking at, what is this about?
Chris: I think that rather than just concentrating on one sentence, if we take an excerpt from the regulation itself, it says that if you’re processing personal information, you have to ensure that it has appropriate security for that personal information, and that includes the CIA triad, which we’re probably all familiar with and students would definitely be familiar with; it stands for Confidentiality, Integrity and Availability. So, we need to ensure that data processing systems and collection systems are adhering to security in those three spaces. Really, what we’re trying to get at here is, it’s not just about introducing technological controls. So, there’s a lot of talk out on the Internet, social media, media, that you need to buy certain types of solutions to be compliant. It’s not necessarily true; as long as you’re ensuring there’s appropriate security, and that could be via a technical or an organisational control, then you’re meeting the requirements of the GDPR.
Amar: And folks, just to stress, if any vendor, anyone, convinces you that a particular product is really required to solve GDPR, please be aware. There’s a lot of snake oil, as we call it, being sold out there. There is no specific need to purchase a product to solve GDPR. However, Chris, there are one or two things that must be considered.
Chris: Yes. So, it’s interesting because I get this conversation all the time about “how do I sell my product on the back of GDPR?” It seems to be something that everybody wants to find out in our industry, and very early in the regulation, if you read it, it actually says that the regulation will never mandate any types of solution. So, the European Union were very clear from the outset that they were never going to be a part of the sales process. I think it’s also important to say that we’re not saying that you don’t need any technological solution; it really depends on what you’re processing, how you’re processing and your existing security posture. It might be that a technological solution does help you, but consider, for example, availability. If you don’t have a change control process in place, that’s something you should introduce to help with availability. That’s not something which you need to purchase; it’s just an organisational change, so you don’t need to buy stacks and stacks of products. One thing that you do need to consider, though, is that there is an advocation in the GDPR for using encryption and pseudonymisation, and actually, it goes a little bit further than this. I’m sure we’ll discuss this in future webinars, but if you do happen to have a breach and you’ve lost personal information that has been encrypted, for example, the GDPR goes as far as to say that you don’t need to notify data subjects. So, there are some pros to looking at technological solutions, but specifically, none are mentioned in the GDPR other than using, possibly, these two techniques for obfuscating data.
Amar: So, on that note, to the listeners, please be aware: encryption, yes, is very powerful, very important, but before you jump into an encryption solution, please do your due diligence. You can obviously contact us if you want, info@cm-alliance, but very importantly, if someone promises you unbreakable encryption that is NSA or government proof, please be aware. There is nothing like unbreakable encryption, ever, and that’s the same for security. There is no 100% security, so please, please be aware. If someone’s promising you proprietary encryption that has never been broken, I would run at least a mile or maybe more; I’ll walk a mile, I can’t run these days, but yes, I would definitely walk away. Don’t consider it and do your research. On that note, additionally, if you’re looking to use encryption, please make sure you manage and look after the keys of the encryption. Do not fall for outsourcing providers who may convince you to let them hold on to those keys. There is a lot of consideration in encryption. This is not the right time, but we may actually do a special encryption webinar that discusses the things to look out for and the do’s and don’ts. Chris, that might be a good idea. But moving on to something really important here, which, we just love the image there, is Security by Design. Chris, it needs to be baked in, I just love saying that; the whole thing needs to be baked into the process. Chris, over to you.
Chris: Yes, absolutely. I think most people will empathise with the scenario we’re about to describe. I’ve been a part of many projects where security people are included at the end. So, a company goes out and buys something or produces something and then says to the security guy at the end, “Oh, we also need to make sure this is secure”, and that’s now a backward way of doing things in the eyes of the GDPR. You need to bake security in right at the conception point of projects, development, whatever it happens to be; security needs to be involved and you need to be able to demonstrate that security’s been involved from the outset.
Amar: And, just going to read it out, just as you need to add flour before you bake, please do your risk assessments, the DPIA. We’re going to discuss that briefly in the next slide, but DPIA, which is what, Chris?
Chris: So, a DPIA is essentially, and I guess in a wider context, just a risk assessment, but it’s called a DPIA in the eyes of the GDPR and that stands for Data Privacy Impact Assessment. Now, these are actually mentioned a number of times in the regulation, and really what they are is a framework, a taller document, however you prefer to have it, whichever format you like, and it’s there to evaluate the security and the risks associated with data processing systems. So, that could be anything from the human element to the machines you’re using, the way data is entered into the systems, stored, the data subjects’ rights that you need to be adhering to; all of those are data processing systems and you probably should, but not in all cases, there are some criteria for when you should be conducting risk assessments against those, and the purpose of running those is really to reveal undue levels of risk, and the GDPR describes that as: if you were to have a breach and it would be causing distress to a data subject, then that’s undue risk and that should be highlighted in your data protection, Data Privacy Impact Assessment. Now, one of the important things to note about DPIAs is that the ICO in the UK, or your supervisory authority for your region in the EU, can actually request those from you at any time. They don’t need to do that in the event of a breach; they could just ask you tomorrow for that and you’ll need to supply that to them, so there’s an audit function that they can perform by asking you for those. We’re going to cover penalties in another webinar, but you can actually receive a penalty by just not supplying them, so be aware that you should be conducting DPIAs, and that’s essentially the idea of the DPIA. In a wider context, it is a risk assessment. So, it’s likely that most of the listeners will have a mechanism for performing them; if they don’t, then they should probably look at finding one.
Amar: It goes back to the basics, doesn’t it? Have a risk assessment, and anyone, moving forward, just simply saying, “Oh, I forgot to do a risk assessment” and then, “I need to release this particular game app”, it’s not really going to be worth the while. So, accepting risk, and it used to be pretty much the exception, always accept the risk, personally, professionally, this is not going to work in the future, so you really need to bake the process in. We’re coming to the end of this particular webinar, and thank you all for listening. Chris, what are we covering next in detail?
Chris: So, probably one of the more spoken about parts of the GDPR, at least in the media anyway, is the fines and penalties, and it’s a subject that’s quite close to my heart because I get a little bit upset when I see misquoting online. So, we’ll be talking about, of course, what the values are, the tiers and how they evaluate what those penalties will be.
Amar: Excellent. That is something, yes, very close to all the CFOs and anybody who does not want their business to be fined, actually. So, we’ll see you next time, but before you go, useful downloads and resources: the summary sheet for this episode can be downloaded at the link; you can pause this particular thing and download those on your own, and also do download our free GDPR preparation kit at that particular link at the bottom there. Thank you for listening. Chris, thank you for joining and sharing your knowledge, and we’ll see you in episode five. Thank you.