© 2019 SecurityFirst Corp. All rights reserved.
Navigating the Data Privacy Maze
By Paul Russert
June 2019
Executive Summary
According to the United Nations Conference on Trade and Development (UNCTAD), 107
countries have put in place legislation to secure the protection of data and privacy, not to
mention all 50 U.S. states having their own laws. The span of data protection laws around
the world often creates confusion, not just for global enterprises but for all organizations
that collect and process personal information.
While meeting with large global enterprises through our OEM and channel partners, and
with many small to medium size companies directly, we often hear things such as, “I don’t
do business in the EU, so their laws don’t impact me” or “I outsource my credit card processing so I don’t need to support payment card regulations”.
The challenge is that new privacy laws in California and Brazil, not to mention new
legislation being debated on a global basis every day, are changing the playing field.
Organizations shouldn’t wait to start implementing processes to protect privacy rights,
secure personal information and be able to respond to a security incident.
The intent of this paper is to look at what we can learn from the work that has been
and continues to be done for compliance readiness. Compliance is not just about using
technology A, B or Z, but about creating replicable processes that will build trust with your
customers. Giving customers a say in how their own data is used, and by whom, as well
as protecting that information from unauthorized access is an important start.
Every company should ask the following questions, and build a plan to address them,
because sooner or later they will be impacted by new data protection and privacy
legislation.
• Whose data do we collect and what jurisdiction do the data owners fall under?
• What data do we collect, for what purpose and does it include personal information?
• What compliance regulations legally impact us?
• How much data do we have and is it still needed?
• Is the data protected responsibly today? By us? By our processing partners?
• Are we ready for incident detection, response, recovery and notification?
Contents
INTRODUCTION (page 4): A Look Back at Data Protection Regulations
CHAPTER 1 (page 10): Privacy and Security – Separate but Connected Paths
CHAPTER 2 (page 13): Entering the Maze - Develop Your Compliance Roadmap
CHAPTER 3 (page 19): Choose the Right Path - Implement your Compliance Roadmap
CONCLUSION (page 24): Completing the Maze
Introduction
Imagine you are the Chief Privacy Officer (CPO) of a global enterprise headquartered
in California that does business with customers and consumers around the world. You
need to comply with a wide variety of laws like the European Union’s General Data
Protection Regulation (GDPR) -- which you may still be working on well over a year
after it came into effect -- the California Consumer Privacy Act (CCPA), the Brazilian
Lei Geral Proteção de Dados Regulation (LGDP), China’s Personal Information Security
Specification and the expectation of many new, but similar regulations.
GDPR went into effect May 28, 2018, and while barely a year old it looks like the
grandfather of every other privacy regulation that has and will follow. GDPR’s “DNA” is
clearly evident in both the CCPA and especially LGDP. To make sense of this alphabet
soup of data protection acronyms, we will focus on some fundamental elements
they share. But first, let’s look at how we got here in the first place.
A Look Back at Data Protection Regulations
At the end of the twentieth century, rapidly advancing technologies and automation
triggered an exponential growth of data with more and more personal information being
collected and processed around the world. Growing concerns about protecting the
confidentiality of personal information led to the implementation of new data protection
guidelines, regulations and laws, but that was just the tip of the iceberg.
Following World War II, many European countries and subsequently the European
Union (EU) were determined to protect individual privacy rights. The EU Data Protection
Directive 95/46/EC (the Directive) enacted in 1995, was the first major legislation that
impacted a large population. The Directive’s focus was for personal information to
flow freely from one member state to another, while still safeguarding the fundamental
rights and freedoms of the individual, in particular their right to privacy with respect to
the processing of personal information. Most regulations, including the Directive, were
influenced by the 1980 Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data, from the multi-national Organization for Economic Co-operation and
Development (OECD).
Two key parts of the Directive have laid the foundation for most other legislation that
followed.
Rights of the Data Subject - The individual has the right to know what data has been
collected, the purpose for which it is being used, the other parties the data has been
shared with, and to access the data with the ability to have it corrected or deleted. Data
subjects must have the ability to opt out of having their data collected or shared with
third parties. In addition, the amount of data collected should be minimized and only
kept for the period of time it is needed.
Security of Processing - The controller must implement, or where processing is
carried out on their behalf, choose a processor with the appropriate technical and
organizational measures to protect personal information against accidental or unlawful
destruction, accidental loss, alteration, unauthorized disclosure or access, at a level
of security appropriate to the risks of processing and the nature of the data to be
protected.
The Directive was a solid foundation for data protection, but it
itself was not a law. Each member state had three years to pass
local legislation per the Directive and while it was an important
first step, total uniformity of data protection across the EU had to
wait over 20 years until the introduction of the GDPR.
In the United States (US), there was no parallel legislation
at the federal level like the Directive, so data protection has
been driven at the state level¹. California has a long history of
recognizing the rights of the individual and the state Constitution
was amended in 1972 to include the right of privacy among the
inalienable rights of all Californians. In 2003, California passed
the first breach notification law in the US that defined the
requirements for protecting computerized personal information
and breach notifications.
1. The United States Privacy Act of 1974 established guidelines for the collection, maintenance, use, and dissemination of personal information by Federal Agencies. It did not extend to public corporations, businesses, organizations or individuals.
Unlike the general definition for the “security of processing” in the Directive, California
law was more specific as to personal information, data breaches and breach notification
requirements. The following is a brief summary of what the law covers.
A person or business conducting business in California, with computerized data that
includes personal information, shall disclose a data breach to a resident of California
whose unencrypted personal information was acquired by an unauthorized person,
or whose encrypted personal information and the encryption key was acquired by an
unauthorized person with a reasonable belief that the encryption key could render that
personal information readable or useable.
Many security and legal professionals agree that under this law, the use of encryption,
external key management, monitoring and access controls that authorize the processing of
data only for the purpose it was created can negate the requirement to notify customers,
state authorities and even the media after a breach of a perimeter, network or host where
the data remains unreadable and unusable.
The California law became the guide for all other states, and after 15 years, with Alabama
passing legislation in 2018, every state in the union as well as the District of Columbia
now have similar breach notification laws in place.
In addition to the US and EU, the world has seen the passage of numerous data
protection laws over the past 2 decades in all leading economies such as Australia,
Argentina, Brazil, Canada, Japan, China, Korea and more.
2018 – The Year of Privacy
2018 included several very important actions in support of privacy as a fundamental
human right for over one-tenth of the world’s population – the citizens of the EU, Brazil
and the State of California. May 25, 2018 finally brought the long anticipated GDPR into
full effect, while in June, California passed the CCPA that takes effect January 1, 2020
and in August Brazil signed the LGDP that goes into effect in 2020. Let’s take a brief look
at these major data protection laws.
General Data Protection Regulation
The GDPR replaced the Directive, building upon the basic tenets with a number of new
protections for EU data subjects and significant fines and penalties for non-compliant
data controllers and processors. In addition, as a regulation instead of a directive, the
GDPR is directly applicable in each EU member state to unify data protections and
make e-commerce easier throughout the EU.
Under the GDPR, data subjects have privacy rights that must be explained in clear and
simple language they can understand. Data subjects must be informed what data is
being collected, the purpose it is collected, how it will be processed and how long it will
be retained. In addition, they must be able to get a complete copy, request correction
and even deletion of the collected data.
GDPR expanded the roles and responsibilities of controllers (Article 24) and processors
(Article 28). Controllers are essentially the entity that has the relationship with the data
subject and determines the purposes and means of the processing of personal data.
Processors are typically vendors who process data on behalf of the controller. It also
strengthened and better defined the responsibilities of the processors and requirements
for the “security of processing” under Article 32.
The other major change from the Directive is that the penalties for not complying can be
as high as 4 percent of global revenues or €20,000,000, whichever is higher depending
upon the violation.
California Consumer Privacy Act (CCPA)
The CCPA builds upon existing California breach notification laws that provide for the
confidentiality of personal information and require a business or person that suffers
a breach of personal information to disclose that breach. The CCPA is focused upon
the online collection and management of consumer personal information for business
applications.
Beginning January 1, 2020, the law will grant a California consumer
the right to request a business (it does not specifically differentiate
between controllers or processors), to disclose what personal
information is being collected, whether the information is sold
or disclosed and to whom and to say no to the sale of personal
information. In addition, they have the right to access the collected
information and request data be deleted.
The CCPA requires businesses to allow Californians to “opt out”
of a business’ ability to collect or sell their personal information
and to provide equal service and price, even if they exercise their
privacy rights.
The CCPA also defines the right for a Californian to pursue
civil action against businesses for the breach of a consumer’s
nonencrypted or nonredacted personal information, as currently
defined in California law.
Similar to how California was the impetus for all other US states to
pass breach notification laws and looking at the current legislative
calendars in a number of states, CCPA may do the same for
privacy rights.
Brazil - Lei Geral Proteção de Dados Regulation (LGDP)
The LGDP has a close family resemblance to the GDPR but there are also a number of
key differences that make the LGDP more advanced and flexible.
It sets roles for data controllers and processors, applies to organizations both inside
and outside the country that process information on Brazilian data subjects, requires
consent for processing and sets steep penalties up to 2% of prior year total revenues.
The LGDP has a similar definition of personal information to the GDPR but expands
protections to cover health and credit data. Like the GDPR, the LGDP excludes anonymized
data from its protections, but it does differentiate the case where anonymized data is used for
profiling purposes, which may or may not impact big data analytics, machine learning or
behavioral modeling.
Based upon the commonality between GDPR and LGDP, it is likely that Brazil will meet
the “suitable level of data protection on the basis of an adequacy decision” to make data
transfer easier with EU countries.
While the legislative momentum seems to be all about privacy rights, it
does not mean that data security has been pushed to the back-burner. In
the following chapter we look at the goals of privacy and security with the
concept of “security of processing”.
Chapter 1
Separate but Connected Paths – Privacy and Security
Data privacy and data security have often been used interchangeably, but they really are
two different concepts and are important distinctions when looking at the regulatory
landscape.
Data privacy is about the trust relationship between the data collector and the GDPR
data subject (or the consumer under CCPA), pertaining to the collection, processing
and retention of personal information -- for the purpose it was collected, for the time it
is needed and for defining who can use it. It concerns the “authorized use” of personal
information.
Data security is all about the technology and processing safeguards that ensure your
private data stays private. It concerns securing the data and preventing “unauthorized
access or misuse” during collection and processing.
When looking at data protection laws and regulations it is important
to understand that you cannot have true data privacy without
implementing and maintaining data security. This goes hand-in-
hand with supporting two key concepts outlined in the Directive and
the regulations that followed, the rights of the data subject and the
security of processing.
The rights of the data subject are what I like to view in my simple way
as the trust relationship agreement between the data subject and
data controller for a specific interaction. It is really about data privacy as it defines what
is authorized in terms of collecting and processing personal information.
Shortly before May 25, 2018, anyone using the web suddenly saw a popup with
language to the effect of ‘this website uses cookies to…(perform some action)…and for
more information please review our Privacy or Cookie Policy’. While I leave the matter
of cookies to another discussion, this appeared to be a quick means to give easy and
clear access to the Privacy Policy. Most Privacy Policies were updated to inform the
data subject about the purposes for which data is collected, how it is used, shared and
retained.
When someone performs an action such as requesting this paper or making an online
purchase the controller needs to outline the purposes for which the data is collected
and provide the option for the data subject to cancel or opt-out.
Using this paper as an example, you may be asked for specific personal information
such as your name, email and phone number. The purpose may state something like, ‘by
downloading the whitepaper you agree to be contacted by SecurityFirst’. This may also
be where you have the option to allow or deny having this data shared with a third-party
or for another purpose. It’s a two-way agreement and must be clear as to what the data
subject information is being used for and whether it is being shared.
Other key rights concerning data collection have to do with the data subject being
able to access the data collected, receive the data in a standard transferable format for
portability and ask for corrections or deletions. In most current implementations the
processes to make this happen are defined in the privacy policy itself. This basically
allows the data subject to amend the original agreement with the data controller, but
most of what I have seen to date are very manual, email processes that must be initiated
by the data subject.
The security of processing is what I like to view as simply keeping
private data private. It is the data security part of the equation. Along
with discovering and minimizing data, security of processing seems
to be the biggest hurdle for GDPR readiness.
In the example of an online purchase, in this case a pair of shoes,
the data subject searches the website for the shoes they want. They
get suggestions and advertisements, finally selecting a pair and
putting them in the shopping cart. The data subject supplies the data
required to purchase the shoes and have them delivered.
At a glance the data subject has given authorization to have their personal information
used to simply buy shoes, but there are a lot of steps in the actual processing of
this purchase and personal information. The idea of unauthorized access is not just
about some outside element or hacker, but also understanding that there is a defined
purpose at specific steps in the processing for data access based upon job function or
application, and only for a specific time.
For instance, name, address and credit card data are used by a processor to make the
purchase, but that same data may be needed for a refund or store credit if the shoes
don’t fit. Also, there are taxes and other localized requirements that may require access.
In addition, other functions such as shipping, returns or warranties have an impact on
access and retention of specific data. All of these functions may be processed by the
data controller company or multiple third-party processors, and each item adds to the
complexity of securing the data from unauthorized access or misuse.
The challenge of making data privacy and data security part of your day-to-day
business can be overwhelming, unless you build a good plan.
Chapter 2
Entering the Maze - Develop Your Compliance Roadmap
We opened this paper with the challenge of a global enterprise having to sort through
the jumble of different data protection and breach notification regulations across
numerous organizations, industries, states, regions and countries. The question I often
get asked is if there is a key element running through all these regulations, where if they
focus on that element, they will comply with most of the requirements that apply to their
business.
Essentially, organizations just want to know where to focus and how to start.
We will start with the simple concept that your organization and how you do business
is unique. Your team, products or services, processes, intellectual property, sales
marketing and so much more have been put together to give you an advantage over
your competition or to build completely new markets. Those differences are also
why there isn’t really a simple answer to <add compliance regulation name here>
readiness like “everybody must use this tool, process, form, consultant… and you will be
compliant”.
Compliance readiness most likely will be supported by cross-functional teams,
documented processes, numerous software products and considerable professional
consulting engagements – all aligned with the organization’s business and security
goals.
What are the compliance must haves for privacy and security?
Privacy
Granted, while you, your competitors and partners may be unique in many ways, when it
comes to compliance everyone must support privacy rights by providing:
• knowledge as to what data you are collecting, the purpose for its collection, whom that data is shared with, minimizing the data and retaining it only for the time required;
• the ability for customers to opt in or opt out of how the data may be used, including whether it can be shared or sold;
• the ability for customers to access their data in a portable format, request data corrections, and request data deletion or to be forgotten; and
• notification in the event of a data breach based upon severity and the determination of the data controller.
Security
While most compliance regulations don’t specifically define how to protect personal
information, they do define tasks required for the security of processing such as:
• pseudonymizing and encrypting personal information;
• only allowing data access based upon need to know or job function per processing
task;
• ensuring the ongoing confidentiality, integrity and availability of processing systems
and services;
• restoring access to personal information in a timely manner in the event of a physical
or technical incident; and
• regularly testing, assessing and evaluating the effectiveness of these measures to
ensure the security of the processing.
Where to start?
From my discussions with customers and partners, I would describe the most common
starting point as
“We don’t know what we don’t know.”
They need to have at least a basic understanding of the following to even begin.
• Whose data do we collect and what jurisdiction do the data owners fall under?
• What data do we collect, for what purpose and does it include personal information?
• What compliance regulations legally impact us?
• How much data do we have and is it still needed?
• Is the data protected responsibly today? By us? By our processing partners?
• Are we ready for incident detection, response, recovery and notification?
There are many companies and individuals who are focused on GDPR readiness across
specialties such as technology and security assessments, legal reviews and regional
data transfer law. The good news is that you do not have to go it alone and reinvent the
wheel.
Companies, both large and small have been succeeding, as well as failing, in the
development of processes, practices and procedures for over three years and that
experience is very valuable whether for GDPR, CCPA, LGDP or future compliance. Even
if you haven’t been focused on GDPR because you currently don’t do business with the
EU, GDPR and lessons learned is a good place to start for any regulation.
Another important aspect is that building and implementing
a compliance roadmap will require input from the data
controller business line managers, compliance team, legal
team and especially the data processors, whether internal or
third parties–because compliance is about more than a
single regulation. For example, while a data subject can
request personal information be deleted or forgotten under
GDPR, other obligations and laws for retaining that data
may override that action. Legal counsel well versed in
compliance laws can help decide the best options for your
particular business and customer relationships.
Lawful processing
As stated earlier, it seems like you can’t visit a website without being told that it has updated
its privacy policy. This appeared to be a quick response for many companies to
identify how they support lawful processing, what information they are collecting and to
provide clear ways for data subjects to request what information companies have, ask
for a copy of the data and ask for corrections or deletion. The harder part is aligning the
data subject responses to the actual processing of the data.
The best place to start for each business line or application is by capturing what type
of data is being collected and for what purpose. Unfortunately this also may be the
most complex issue companies have today. The basic question should be, what is the
minimum amount of information I need to run this business and deliver my expected
output. At this point it is not about where the data is specifically located, but what the
data is.
I recommend classifying data very simply:
1) personal or private data that needs to be protected;
2) public or anonymized data that falls outside the scope of the regulation(s).
If the data “needs to be protected”, then I would next look at
how that data is processed, and what data is required for each
specific step in the processing. Going back to our example of
purchasing shoes: the data controller, the company with the website selling
shoes, has a customer or data subject that purchases a
specific pair of shoes. The customer logs in or creates
an account to make the purchase. The account data may
include name, email address, password and password recovery
information (mother’s maiden name, first pet, etc.). At this point
the account data is required, but no access is needed to the
credit card or personal residence information.
Assume the purchase itself is handled by an external credit card processor. They need
first and last name, credit card number, security code, address, product id, amount of
sale and a confirmation or consent to process the sale. Another department or third
party handles the shipping, so they need name, address, product ID, and shoe size
so they can drop the shoes in a box and ship. Meanwhile the data controller finance
team needs to know that the sale was concluded, what was sold, the price and tax
information. While this doesn’t include everything, it shows the complexity of a sale
and that everyone or every application doing the processing does not need all of the
collected data. At this point you just need to map out what goes where.
Now that we know the minimum amount of data required and who needs what data
for specific tasks, we must assess where we have gaps that need to be addressed by
mapping the privacy must haves above to each of the processing tasks. This allows us
to see what modifications are necessary to meet requirements for lawful processing.
This is also an opportunity to identify where contracts, privacy policies and other
agreements need to be updated, as well as to review data transfer requirements and the
implementation of the role of a Data Protection Officer (DPO) as required.
Security of processing
Most organizations are also struggling with the requirement for security of processing
personal information. Organizations must understand how personal data is processed
and implement the security measures to make sure data is constantly secure and
monitored as it moves through the process.
They must continuously protect personal information and only process it under a legal
basis for lawful processing, with access based upon processing role or function, only
for the purpose the data was collected and only for the time needed per function or
until the user’s delete/forget request. They also must have the observability required to
meet the notification requirements of a data breach, which in the case of GDPR is within
72 hours.
We have already assessed what data is required and who needs that data for specific
processing tasks. At this point we would want to map what security measures are
currently in place and assess the gaps to meet the must haves above for data security
and notification.
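The shoe-purchase walk-through in this chapter (classify the fields, record what each processing step needs, then assess gaps between that minimum and what parties receive today, while keeping an access record for notification) can be written down as a small processing register. The Python below is an added example and is not the paper's or SecurityFirst's code; the field names, processing steps, required-field sets, retention periods and the sample record are constructed to follow the narrative, and a `phone` field is included (the paper's download form mentions one) to show how a collected-but-unneeded field surfaces.

```python
"""Data-minimization map for the shoe-purchase flow.

Added example; it is not SecurityFirst's code or tooling. Field names,
processing steps, required-field sets and retention periods are
constructed to follow the paper's shoe-purchase narrative.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Step 1 of the paper's approach: classify each collected field.
# "protected" = personal data in scope of the regulation(s),
# "public" = outside the scope (catalogue or transaction metadata).
FIELD_CLASS: Dict[str, str] = {
    "name": "protected", "email": "protected", "phone": "protected",
    "password_hash": "protected", "recovery_answers": "protected",
    "address": "protected", "card_number": "protected", "card_cvv": "protected",
    "shoe_size": "protected", "tax_region": "protected",
    "consent_to_sale": "protected",
    "product_id": "public", "amount": "public",
}


@dataclass(frozen=True)
class ProcessingStep:
    name: str              # party or function doing the processing
    purpose: str           # purpose the data subject agreed to
    needs: FrozenSet[str]  # minimum fields this step requires
    retention_days: int    # how long this step may keep its copy (constructed)


# Step 2: one entry per processing step in the shoe-purchase example.
STEPS: List[ProcessingStep] = [
    ProcessingStep("account", "log in and manage the account",
                   frozenset({"name", "email", "password_hash", "recovery_answers"}), 365),
    ProcessingStep("card_processor", "take payment",
                   frozenset({"name", "card_number", "card_cvv", "address",
                              "product_id", "amount", "consent_to_sale"}), 90),
    ProcessingStep("shipping", "deliver the order",
                   frozenset({"name", "address", "product_id", "shoe_size"}), 30),
    ProcessingStep("finance", "record the sale and tax",
                   frozenset({"product_id", "amount", "tax_region"}), 2555),
]

# A constructed data-subject record containing every collected field.
SAMPLE_RECORD: Dict[str, object] = {
    "name": "A. Example", "email": "a.example@example.test", "phone": "+1-555-0100",
    "password_hash": "<hash>", "recovery_answers": "<answers>",
    "address": "1 Example St", "card_number": "4111111111111111", "card_cvv": "123",
    "shoe_size": "42", "tax_region": "CA", "consent_to_sale": False,
    "product_id": "SHOE-001", "amount": 89.99,
}


def minimal_view(record, step, audit_log):
    """Project the record down to what `step` needs and log the access."""
    view = {f: record[f] for f in sorted(step.needs) if f in record}
    audit_log.append({"step": step.name, "purpose": step.purpose,
                      "fields": sorted(view), "retention_days": step.retention_days})
    return view


def unused_fields(collected, steps):
    """Collected fields that no processing step needs: minimization candidates."""
    needed = set().union(*(s.needs for s in steps))
    return set(collected) - needed


def access_gaps(current_sharing, steps):
    """Compare what each party receives today with its minimum; return the excess."""
    by_name = {s.name: s for s in steps}
    gaps = {}
    for party, fields in current_sharing.items():
        excess = set(fields) - by_name[party].needs
        if excess:
            gaps[party] = excess
    return gaps


def protected_excess(gaps):
    """Keep only the excess fields that are personal data; fix these first."""
    return {party: {f for f in fields if FIELD_CLASS.get(f) == "protected"}
            for party, fields in gaps.items()}


if __name__ == "__main__":
    log = []
    for step in STEPS:
        print(step.name, "->", sorted(minimal_view(SAMPLE_RECORD, step, log)))
    print("collected but unused:", unused_fields(frozenset(FIELD_CLASS), STEPS))
    today = {"shipping": frozenset(STEPS[2].needs | {"card_number"})}
    print("over-shared today:", protected_excess(access_gaps(today, STEPS)))
```

`unused_fields` flags `phone` as collected but needed by no step, `access_gaps` shows where a party currently receives more than its minimum (here a shipping partner receiving a card number), and every projection is appended to an audit log, which is the observability the security-of-processing section asks for when a breach must be scoped and reported.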
The goal is to build a basic compliance roadmap that highlights the
directions you need to put in place and verify the interfaces and security
measures required for applicable regulations. While there will be
speedbumps, detours and potholes along the way, you can move forward
knowing that many others have already gone down this road successfully.
Chapter 3
Choose the Right Path - Implement your Compliance Roadmap
While I don’t want to minimize the rights of the data subject and lawful processing
of their personal information, most of what I am going to focus on is the security of
processing, access monitoring and breach response and notification. Because whether
you are the data controller or data processor under GDPR or LGDP, or a business
under CCPA, you have the requirement to implement and maintain reasonable security
procedures and practices appropriate to the nature of the information to protect,
according to the wishes of the data subject.
How the data controller or business interfaces to the data subject and how the
agreement or consent is given or denied will vary greatly depending upon an
organization’s business model.
Let’s say for example, under the CCPA, a consumer does not give consent to the sale of
their personal information. How is that data processed differently than for the consumer
who does give consent? How does consent apply to security methods that must be
addressed for each step in the processing?
We can start by identifying some of the key security tasks and actions required:
• Discover and map location(s) where personal information is stored
• Classify data to be protected and its viability based upon collection purpose
• Minimize the amount of data based upon processing, retention and recovery needs
• Encrypt identified data and control encryption keys separately from data
• Implement controls restricting data access / usage as needed for processing
• Implement data subject’s right to access, port, restrict, rectify, erase or forget
• Track data access / usage for compliance audits
• Ability to identify, rectify and notify in response to incident or violation
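Two of the tasks just listed, pseudonymizing personal information and keeping the key separate from the data, can be shown with a keyed hash. The Python below is an added example, not the paper's or SecurityFirst's code: it assumes HMAC-SHA-256 as the pseudonymization function (the paper names no specific algorithm), a constructed order record, and a re-identification table that only the key holder keeps. A copy of the record produced this way can feed reporting or shipping-volume analytics, while linking a token back to a person needs both the key and that table.

```python
"""Pseudonymization with the key held separately from the data.

Added example, not SecurityFirst's code. HMAC-SHA-256 is an assumed
choice of keyed hash; field names and the sample record are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Fields that identify a person and are replaced by tokens.
PSEUDONYMIZE_FIELDS = ("name", "email", "address")

# Constructed order record (same shape as the shoe-purchase example).
SAMPLE_ORDER: Dict[str, object] = {
    "name": "A. Example", "email": "a.example@example.test",
    "address": "1 Example St", "product_id": "SHOE-001", "amount": 89.99,
}


def new_key() -> bytes:
    """A fresh 256-bit key; store it in the key-management system, not with the data."""
    return secrets.token_bytes(32)


def token_for(key: bytes, field: str, value: str) -> str:
    """Deterministic token so analytics can still join on the same person.

    The field name is mixed in so the same string in two different fields
    (e.g. a name that is also an address line) yields different tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]  # 96-bit token


def pseudonymize(record: Dict[str, object], key: bytes,
                 reid_table: Dict[Tuple[str, str], str]) -> Dict[str, object]:
    """Return a copy with identifying fields replaced; fill the key holder's table."""
    out = dict(record)
    for field in PSEUDONYMIZE_FIELDS:
        if field in out:
            token = token_for(key, field, str(out[field]))
            reid_table[(field, token)] = str(out[field])  # kept by the key holder only
            out[field] = token
    return out


def reidentify(record: Dict[str, object],
               reid_table: Dict[Tuple[str, str], str]) -> Dict[str, object]:
    """Reverse the tokens using the key holder's table; unknown tokens stay as-is."""
    out = dict(record)
    for field in PSEUDONYMIZE_FIELDS:
        if field in out and (field, out[field]) in reid_table:
            out[field] = reid_table[(field, out[field])]
    return out


def leaked_fields(pseudonymized: Dict[str, object], original: Dict[str, object]) -> set:
    """Check: identifying fields whose original value survived into the copy."""
    return {f for f in PSEUDONYMIZE_FIELDS
            if f in original and pseudonymized.get(f) == original[f]}


if __name__ == "__main__":
    key = new_key()
    table: Dict[Tuple[str, str], str] = {}
    copy = pseudonymize(SAMPLE_ORDER, key, table)
    print("analytics copy:", copy)
    print("leaked fields:", leaked_fields(copy, SAMPLE_ORDER))
    print("re-identified:", reidentify(copy, table))
```

The point for the breach-notification discussion earlier in the paper is the split: a copy of the pseudonymized table without the key and the re-identification table does not by itself reveal who the data subjects are, whereas a compromise of the key holder's store does, so that store needs the tighter access control and monitoring.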
And while most of these functions are traditionally thought of as responsibilities of the IT
organization, compliance will require input from your cross-functional team of business
line managers, security and privacy executives, legal team, compliance team and data
processors, whether internal or third party.
In addition, the implementation of security of processing should be looked at as
part of the overall design so new data and business lines have access management,
encryption, key management, monitoring, secure recovery and incident response plans
built in by default.
How you implement, maintain and continuously verify your security
of processing needs to be documented as it is important to both
training and possible audits by compliance authorities.
The last thing I want to discuss before going a little deeper into the above actions is
penalties and fines. One of the most talked about parts of GDPR has been the large
administrative fines of up to €20,000,000 or up to 4% of total worldwide annual turnover
for the preceding financial year, whichever is higher. Unfortunately, I've heard in
conversations that these fines in particular had many companies thinking they had to
protect everything at once. Something like: if out of the millions of records they
protect three were not protected, they would have to pay the maximum amount.
These are maximum amounts, and a number of factors go into how, or whether, a
supervisory authority assesses a fine. Many people have been surprised that over the
first year GDPR has been in effect the fines have been relatively small. But this actually
fits with the regulation's overall goals: lawful processing, reporting an infringement as
quickly as possible, and rectifying it to mitigate the effect on the data subjects.
I have no basis for a legal opinion, but from my own reading of the laws I would say that
not starting to support lawful processing, and at the very least protecting some data, is a
major infraction. Doing nothing is both intentional and negligent, and I would expect a
major fine for it.
No matter what regulation you need to support, pick a department, business line or
application and implement your compliance roadmap there as soon as possible. Then you
will be ready for the next, and the next, and it will become easier to integrate security
into all future businesses and offerings.
What, Where, When and How
Organizations working on compliance readiness face a major challenge in determining
what data they have, where it is located, when it was stored and how it is currently
secured, accessed and used. It can be a daunting process depending upon the size
of the organization or business model. If you manage your own data center where you
control the servers, storage and archives directly, it may be much simpler than for an
organization with data spread across multiple clouds, locations and vendors. You may
need to implement data discovery and classification tools, or it may be doable with a
basic spreadsheet.
You want the outcome of this to be a data map, not just of where the data is but how the
data flows. The same personal information, whether structured or unstructured may be
on a mobile device, laptop or server. It may be backed up locally, archived to the cloud
(where the cloud service provider may make multiple copies for resiliency) or on stacks
and stacks of archive tapes stored in some offsite location.
Understanding this flow and what data you have not only lets you retire repositories that
are no longer needed and bring the remaining data under your new security measures, it
also lets you document the processing steps so that ongoing data collection can be
minimized.
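As an added example (not the paper's own tooling and not a SecurityFirst product), the following Python scan turns the kind of inventory described above into a data map. The inventory, locations, names and values are constructed for the demo; a real run would read files, database exports and backup catalogs instead of a dict. It classifies hits by pattern, drops long digit strings that fail the Luhn check so order numbers are not mistaken for card numbers, and records only a truncated hash of each value, so the map can show where the same record has flowed (laptop, server log, archive tape) without becoming one more store of personal information.

```python
"""Discovery scan that turns scattered copies of personal data into a data map.

Added example, not code from the paper or any SecurityFirst product. The inventory,
locations and values below are constructed for the demo; the patterns are deliberately
simple (e-mail, US-style SSN, payment card with a Luhn check) and a real scan would add
the identifiers your own classification policy names. The map keeps a truncated hash of
each value, never the value itself, so the map is not another repository of personal data.
"""
import hashlib
import re

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13-19 digits with optional spaces or dashes; the Luhn check below weeds out order ids
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}

# Constructed inventory: the same customer record on a laptop, in a server log and on an
# archive tape, plus an HR backup in the cloud holding a different person's data.
SAMPLE_INVENTORY = {
    "laptop:/Users/sales/leads.csv": "Ana Ruiz,ana.ruiz@example.com,4111 1111 1111 1111\n",
    "server:/srv/orders/2019-06.log": "order 1234567890123456 for ana.ruiz@example.com shipped\n",
    "cloud:backups/hr-2018.tar": "Ben Ko 123-45-6789 ben.ko@example.org\n",
    "tape:ARCH-0412": "Ana Ruiz,ana.ruiz@example.com,4111 1111 1111 1111\n",
}


def luhn_ok(digits):
    """Mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(value):
    """Hash-keyed so the map can show copies of a datum without holding its plaintext."""
    return hashlib.sha256(value.lower().encode()).hexdigest()[:12]


def scan(inventory):
    """Returns (location, kind, fingerprint) for every classified hit."""
    findings = []
    for location, text in inventory.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(0)
                if kind == "card":
                    value = re.sub(r"\D", "", value)  # normalize separators before hashing
                    if not luhn_ok(value):
                        continue  # long digit string that is not a card number
                findings.append((location, kind, fingerprint(value)))
    return findings


def data_map(findings):
    """kind -> fingerprint -> sorted locations: where each datum lives and has flowed."""
    out = {}
    for location, kind, fp in findings:
        out.setdefault(kind, {}).setdefault(fp, set()).add(location)
    return {k: {fp: sorted(locs) for fp, locs in v.items()} for k, v in out.items()}


def copies(mapping):
    """Data that exists in more than one place: the first candidates for minimization."""
    return {kind: {fp: locs for fp, locs in fps.items() if len(locs) > 1}
            for kind, fps in mapping.items()}


def summary(findings):
    """Per-location counts by kind, the table to hand to the cross-functional team."""
    out = {}
    for location, kind, _ in findings:
        out.setdefault(location, {})
        out[location][kind] = out[location].get(kind, 0) + 1
    return out


if __name__ == "__main__":
    hits = scan(SAMPLE_INVENTORY)
    for location, kinds in summary(hits).items():
        print(location, kinds)
    for kind, dup in copies(data_map(hits)).items():
        for fp, locs in dup.items():
            print(f"{kind} {fp} found in {len(locs)} places: {', '.join(locs)}")
```

The copy report is the part worth acting on: every fingerprint that shows up in more than one location is either a flow you intended (and must protect in each place) or a stale copy to delete.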
Who
We’ve discussed a lot about lawful processing, and now we need to tie that
authorization to both the rights of the data subject and security of processing. In terms
of processing, in Chapter 2 where we used the shoe purchase as an example, we saw
there were many different steps to completing the purchase and delivery.
As the data controller, or the business under CCPA, that collects the personal information,
it is your responsibility to verify that the data is only used for the purposes the data
subject authorized, and that the level of security used by your data processors is
appropriate to the nature of the information being protected. This is where mapping the
data flow to the processing steps lets you put in place the controls required to restrict
data access.
Encryption or pseudonymization of the data is the expected baseline under these
regulations, so your security measures should expose data in decrypted form only to
authorized processing, and only for as long as that processing step needs it.
The other part of authorized access concerns the rights of the data subjects themselves.
While there are differences between the regulations, in general you need to establish a
process for a data subject to request, and for you to comply with, the following: what
data has been collected; access to that data; correction or rectification of the data
(GDPR/LGPD); blocking or restriction of processing (GDPR/LGPD); a copy of the data in a
portable format (GDPR/LGPD); and erasure of the data.
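The task list earlier (encrypt the data, control the keys separately, restrict decryption to authorized processing, track every access) and the data subject rights just listed are two sides of one control. The Python module below is an added example written for this page, not code from the paper or from SecurityFirst's DataKeep, showing how they fit together: a KeyStore held apart from the ciphertext, a consent register keyed by purpose so that a CCPA "do not sell" opt-out simply removes the "sale" purpose and every later decryption for that purpose is refused and logged, and erasure implemented by destroying the subject's key. The cipher, the subject and purpose names and the audit record layout are assumptions for the demo; the HMAC-based keystream stands in for a vetted AEAD such as AES-GCM and should be replaced by one in production. Rectification is not shown but follows `collect` (re-encrypt the field, log the action).

```python
"""Purpose-bound access to encrypted personal data, with keys held apart from the data.
Added example, not code from the paper or any SecurityFirst product. Assumptions: a
stdlib-only keystream (HMAC-SHA256 in counter mode, encrypt-then-MAC) stands in for a
vetted AEAD such as AES-GCM; consent is a set of purpose strings per data subject; and
KeyStore models a separately controlled key service, so destroying a subject's key
erases every copy of that subject's ciphertext, backups included (crypto-shredding).
"""
import hashlib
import hmac
import os
import time

class KeyStore:  # per-subject data-encryption keys, in a different trust domain than the data
    def __init__(self):
        self._keys = {}

    def create(self, subject_id):
        self._keys[subject_id] = os.urandom(32)

    def get(self, subject_id):
        return self._keys[subject_id]  # KeyError once the key has been destroyed

    def destroy(self, subject_id):
        self._keys.pop(subject_id, None)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag, using separate subkeys for keystream and MAC."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or tag tampered")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class PersonalDataStore:  # ciphertext store plus consent register; every access is logged
    def __init__(self, keys):
        self.keys = keys
        self.records = {}  # subject_id -> {field: encrypted blob}
        self.consent = {}  # subject_id -> set of authorised purposes
        self.audit = []    # who touched whose data, for what purpose, with what outcome

    def _log(self, actor, subject_id, action, purpose, outcome):
        self.audit.append({"ts": time.time(), "actor": actor, "subject": subject_id,
                           "action": action, "purpose": purpose, "outcome": outcome})

    def collect(self, subject_id, fields, purposes):
        """Store data only against an explicit list of consented purposes."""
        self.keys.create(subject_id)
        key = self.keys.get(subject_id)
        self.records[subject_id] = {f: encrypt(key, v.encode()) for f, v in fields.items()}
        self.consent[subject_id] = set(purposes)
        self._log("collector", subject_id, "collect", ",".join(sorted(purposes)), "ok")

    def read(self, actor, subject_id, field, purpose):
        """Decrypt one field, only for a purpose the subject has consented to."""
        if purpose not in self.consent.get(subject_id, set()):
            self._log(actor, subject_id, "read", purpose, "denied")
            raise PermissionError(f"{purpose!r} not authorised for {subject_id}")
        try:
            key = self.keys.get(subject_id)
        except KeyError:
            self._log(actor, subject_id, "read", purpose, "erased")
            raise LookupError(f"{subject_id} has been erased")
        value = decrypt(key, self.records[subject_id][field]).decode()
        self._log(actor, subject_id, "read", purpose, "ok")
        return value  # plaintext lives only in the caller, only for this step

    def restrict(self, subject_id, purpose):
        """Subject withdraws consent for one purpose, e.g. a CCPA 'do not sell' request."""
        self.consent.setdefault(subject_id, set()).discard(purpose)
        self._log("subject", subject_id, "restrict", purpose, "ok")

    def export(self, subject_id):
        """Right of access and portability: the subject always gets their own data back."""
        key = self.keys.get(subject_id)
        self._log("subject", subject_id, "export", None, "ok")
        return {f: decrypt(key, b).decode() for f, b in self.records[subject_id].items()}

    def erase(self, subject_id):
        """Right to erasure by destroying the key; stray ciphertext copies become useless."""
        self.keys.destroy(subject_id)
        self._log("subject", subject_id, "erase", None, "ok")
```

The design point is that the consent check and the key fetch sit on the only path that produces plaintext, so "only for authorized processing" is enforced by the data layer rather than promised by each application, and the audit list is the evidence an auditor or incident responder will ask for.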
Visibility and Response
One of the key obligations under GDPR, the LGPD and California's breach notification law is
that a controller or business that becomes aware of a breach of personal information
must give notice without undue delay. Under GDPR the supervisory authority must be notified
where feasible not later than 72 hours after the controller has become aware of the breach,
unless the controller is able to demonstrate that the breach is unlikely to result in a
risk to the rights and freedoms of natural persons.
Under GDPR, communication of a breach to the data subject is not required if appropriate
technical protection measures were applied to the affected personal information, in
particular measures that render it unintelligible to anyone not authorized to access it,
such as encryption.
Under California's breach notification statute (and the CCPA's private right of action for
breaches likewise covers only nonencrypted and nonredacted data), notification is required
only when unencrypted personal information was acquired by an unauthorized person, or when
encrypted personal information was acquired together with the encryption key or security
credential.
Under the LGPD, the controller must notify the national authority and the data subjects of
any security incident that may result in relevant risk or damage to the data subjects. The
authority determines the severity of the incident and assesses whether appropriate
technical measures were adopted that make the personal information unintelligible to
third parties not authorized to access it.
You need the ability to detect, respond to and recover from a security incident or a
violation of the regulation. This applies to all parties, as processors are required to
notify controllers in the event of an incident. Documented and validated processes that
demonstrate security measures are in place, together with an incident response team, are
very important both for notification and for how administrative fines are assessed.
In terms of the security metrics for your compliance roadmap, my recommendation is to
keep it as simple as possible. Implement access management controls, encryption, key
management and access tracking to:
• keep private data private,
• minimize the scope of any breach notification, and
• track data access violations or anomalies for early detection of a security
incident.
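To make "track data access violations or anomalies for early detection" concrete, here is an added example (not the paper's code and not a SecurityFirst product) that runs three detection rules over the audit trail a purpose-checking data layer would emit. The roles, actors, thresholds and log lines are constructed for the demo, and the rules are a starting point rather than a tuned detection: a decryption for a purpose the actor's role never has (a control gap even when the outcome is "ok"), a burst of denials from one actor (something probing for subjects who opted out), and one actor reading far more distinct data subjects in a window than any single task needs.

```python
"""Early detection of misuse from the data-access audit trail.

Added example, not code from the paper or any SecurityFirst product. Role-to-purpose
mappings, thresholds and the log lines are constructed for the demo. Log format: one
JSON object per line with ts, actor, subject, purpose and outcome ("ok" or "denied").
"""
import json
from collections import defaultdict

ROLE_PURPOSES = {"orders": {"fulfil"}, "adtech": {"sale"}, "support": {"fulfil", "support"}}
ACTOR_ROLE = {"svc-orders": "orders", "svc-adtech": "adtech", "jdoe": "support"}


def sample_log():
    """Constructed audit lines: one routine actor and two that should raise alerts."""
    t = 1560000000
    events = []
    for i in range(3):  # routine fulfilment reads
        events.append({"ts": t + i * 40, "actor": "svc-orders", "subject": f"c-{i}",
                       "purpose": "fulfil", "outcome": "ok"})
    for i in range(6):  # ad-tech service repeatedly hitting subjects who opted out of sale
        events.append({"ts": t + 100 + i * 5, "actor": "svc-adtech", "subject": f"c-{i}",
                       "purpose": "sale", "outcome": "denied"})
    for i in range(25):  # support agent paging through far more customers than a ticket needs
        events.append({"ts": t + 200 + i * 10, "actor": "jdoe", "subject": f"c-{100 + i}",
                       "purpose": "support", "outcome": "ok"})
    events.append({"ts": t + 500, "actor": "jdoe", "subject": "c-7",  # support never has 'sale'
                   "purpose": "sale", "outcome": "ok"})
    return [json.dumps(e) for e in events]


def parse(lines):
    events = [json.loads(line) for line in lines if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=300, deny_threshold=5, bulk_threshold=20):
    """Returns (rule, actor, ts, detail) tuples; each windowed rule fires once per actor."""
    alerts = []
    by_actor = defaultdict(list)
    for e in events:
        role = ACTOR_ROLE.get(e["actor"])
        if e["purpose"] not in ROLE_PURPOSES.get(role, set()):
            # Data was released for a purpose the role is never granted: a control gap
            # in the data layer, regardless of whether this access was allowed.
            alerts.append(("off_purpose", e["actor"], e["ts"],
                           f"purpose {e['purpose']!r} is not granted to role {role!r}"))
        by_actor[e["actor"]].append(e)
    for actor, evs in by_actor.items():
        fired = set()
        for i, start in enumerate(evs):  # sliding window anchored at each event
            win = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            denies = sum(1 for x in win if x["outcome"] == "denied")
            subjects = {x["subject"] for x in win if x["outcome"] == "ok"}
            if denies >= deny_threshold and "deny_burst" not in fired:
                fired.add("deny_burst")
                alerts.append(("deny_burst", actor, start["ts"],
                               f"{denies} denials within {window}s"))
            if len(subjects) >= bulk_threshold and "bulk_read" not in fired:
                fired.add("bulk_read")
                alerts.append(("bulk_read", actor, start["ts"],
                               f"{len(subjects)} distinct subjects within {window}s"))
    return alerts


if __name__ == "__main__":
    for rule, actor, ts, detail in detect(parse(sample_log())):
        print(f"{ts} {rule:<12} {actor:<12} {detail}")
```

The first rule is the one to watch most closely: a denial means the control worked, but an "ok" outcome for a purpose the role should never hold means a processor decrypted data it was not authorized for, which is the start of a notifiable incident rather than a near miss.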
Conclusion
Completing the Maze
I set out to take a practical look at some very complex legal regulations concerning data
privacy and data security. These are not new concepts, nor is the idea that privacy is a
fundamental human right, but the business model of sharing and selling online consumer
information to create new revenue streams, and the highly publicized Facebook and
Cambridge Analytica scandal, appear to have spurred a race to enact new data protection
laws.
This certainly was the motivation for voters in my home state of California when they
qualified a ballot initiative to establish consumer privacy rights in state law. In
response, the California legislature wrote and passed the CCPA as quickly as it could.
More and more personal information is collected online, and whether citizens truly value
their privacy or see the financial value of their data and want their fair share, privacy
rights are certainly at the forefront of data protection legislation worldwide. Collecting
and processing data requires a clear statement of purpose to the data subject or consumer,
so they can give or deny consent to the collection and processing of that personal
information. It comes down to trust between the parties: trust that the business will only
use the data for the authorized purpose, and trust that the business will protect that data
at all times.
One certainty is that you cannot have data privacy without data security. Almost every
organization falls under a current data protection or breach notification regulation by
locality, industry or international law, and has the responsibility to maintain reasonable
security procedures and practices appropriate to the nature of the information it protects.
I know there are a lot of items to consider when it comes to compliance
regulations, but I recommend you start by protecting the data itself. Because
if it wasn’t for Data Protection, GDPR would just be a General Regulation.
From the Author
With over forty years of experience in cybersecurity, learning management and
semiconductor software companies, as well as delivering professional services to
hundreds of customers, I feel I have a good understanding of the fine line between the
promised benefits and the unplanned downsides that technology can bring, depending upon
how it is used or abused.
I am not a lawyer, nor am I representing myself as a legal expert. I simply have the
opportunity to speak with many clients about their business challenges and to work with
them to translate those concerns into a technical solution. My current focus is on how
learning management and cybersecurity practices can help protect data privacy.
Disclaimer
This paper is a collection of ideas intended to make the compliance process less
frightening and complex for some readers. SecurityFirst™ does not provide legal advice
or represent that its products or services ensure that customers comply with any law or
regulation. It is the responsibility of an organization to get the advice of legal counsel
as to what laws and regulations may apply to its business and how best to comply with
those laws and regulations.
About SecurityFirst
SecurityFirst delivers advanced security solutions that build a firewall around your data
to protect against ever increasing threats and aid in meeting regulatory requirements
such as GDPR, CCPA, HIPAA, NYDFS and many others.
SecurityFirst’s flagship product DataKeep™, serves as your data firewall by using
advanced encryption, scalable hierarchical key management, extensive policy
enforcement and monitoring of unauthorized access to deliver the highest levels of
availability, resiliency and time to value. Security requires a layered approach and
protection of the data itself is your last line of defense.