The Age of the DPO

Articles 37 and 38 of the General Data Protection Regulation (GDPR) provide information on the principles and impartiality of the critical data protection officer (DPO) role, specifying the high-level rules on what can and can’t be done. But like most of the GDPR, it leaves wide open the interpretation of the how and when it is appropriate to have a DPO.

Article 29 Working Party has provided much-needed guidance on this subject, and we have been told which roles can’t hold DPO responsibilities (such as the CEO and Marketing Director, due to potential conflicts of interest). However, it does not address the first question on every organization’s lips: “Do I need to appoint an independent DPO in the first place, and if yes, when?”

The answer lies in the organization itself, or more specifically, the types of data processing activities it undertakes. For example, if you process large quantities of EU personal data (such as a small US-based web profiling firm that tracks IP addresses or web cookies for a French utility website to provide customer website stickiness), or if you hold sensitive personal records like medical histories, then your organization qualifies under GDPR rules and you therefore need to allocate someone to manage the DPO responsibilities (note: the DPO does not necessarily have to be directly employed by the organization, just qualified to hold the role).

Like the applicability of GDPR itself, the DPO role is not dependent upon number of staff or size of turnover, which is why many of the UK’s 5.7 million small-to-medium sized organizations qualify for GDPR (55 million across the EU), and why so many other organizations around the world that provide services into Europe are busy preparing themselves for GDPR compliance. This makes GDPR a truly global regulation and its implications far-reaching. For example, if as an EU citizen I wanted to exercise my rights under GDPR with an organization based in Delhi, then I’m entitled to this right (assuming my personal data is processed there), and the organization has to uphold my request.

Depending upon the size of your organization and the level of processing activities you undertake, you may choose to nominate an individual with responsibility, split the responsibilities among different roles, or even outsource the role externally. However, the only stipulation is that the DPO must be truly independent and understand the systems and processes involving personal data and/or deliver services to EU citizens and, crucially, be qualified or experienced in data protection. This is obvious when you consider the unique nature of advice given and the difficulty in interpretation of the GDPR rule book. It also precludes the role being held by a lawyer; as important it is to understand the law, it is equally important to be able to implement the law within your organization.

So, every DPO has rather a difficult job to do. DPOs need to understand the implications of the law within your organization, uphold the rights of individuals and provide careful advice surrounding the implementation of the rules. Get this wrong, and you could end up in court or face huge financial penalties. Of course, this is naturally dependent upon how much data you are processing or perhaps the risks your systems face from its daily processing activities. In other words, if your systems for processing data are complicated and stretch back to the Doomsday book – you have a lot of work to do. Conversely, if you process small amounts of EU personal data, then the impact of GDPR is nominal. The key to appointing your DPO is choosing an individual who understands law, security and privacy risk. You need someone who can determine the difference between a business decision and a true privacy/security risk (e.g., consent, rights or data encryption), and has the ability to make crucial judgements on what could attract unwanted regulator attention or cost the business in loss of trade or a missed opportunity.

The key to this role, then, not only lies in finding a knowledgeable, balanced individual who is sensible under pressure, but also an individual who understands the principles of privacy and security, can act with integrity to protect the rights of an individual, and preferably can advise on protecting personal data to avoid any harm to that individual.

Above all, whether you outsource, co-source or hire a DPO (or contactor), my strong advice is you pick someone who understands GDPR, risk and controls, and has experience in implementing mechanisms that will allow your organization to make appropriate and proportionate risk assessments (think privacy by design), and realistic recommendations that will balance the cost of compliance in doing business against the cost of growing the business.

Good luck in your search, and take your time to find the right solution for your organization.

Editor’s note: For more ISACA resources on GDPR, visit www.isaca.org/gdpr.

Steve Wright, Data Privacy & Information Security Officer, John Lewis Partnership

[ISACA Now Blog]

Securing the Internet of Things: Connected Cars

Establishing safety and security in automotive design goes far beyond crash test dummies.

By 2022, the global automotive Internet of Things (IoT) market is expected to skyrocket to $82.79 billion – and manufacturers are racing to capitalize on this growing opportunity. While embedded computation and networking has been around since the 1980s, the advent of connectivity opens up an array of new options for automakers. From advanced collision detection and predictive diagnostics, to entertainment systems that load a driver’s favorite tunes the second they sit down, connected cars are poised to enhance the consumer experience.

Those extra conveniences, however, aren’t without their downsides. If not properly secured, connected cars threaten to expose sensitive consumer information. With data being passed between so many different connected channels, it’s easier than ever for hackers to get their hands on personally identifiable information.

In 2015, Chrysler announced a recall of 1.4 million vehicles after two technology researchers hacked into a Jeep Cherokee’s dashboard connectivity system. But the right security solutions can make such incidents a thing of the past.

Through new IoT security solutions, automotive manufacturers are able to assign a trusted identity to each and every device – regardless of whether it’s located inside a vehicle or across the IoT ecosystem. This extra layer of security sets the stage for trusted communication between authorized users, devices and applications. Ensuring the right security level for the right device helps prevent data being made accessible to unauthorized users or devices. Using cryptographic protection as well as strong authorization requirements will restrict access to those things, systems and users with the proper privileges.

In addition to creating a trusted IoT ecosystem, automotive designers also stand to realize significant business value. Instead of spending precious time determining which devices to trust, ioTrust makes it easy to not only recognize trusted devices, but operationalize them. That same convenience also extends to the supply chain, where manufacturers can get a better look at a product’s entire lifecycle – from creation to release.

IoT has burst onto the scene in a big way, especially in the quest to securely design the next connected car. But before making the most of automotive IoT, manufacturers must consider how to keep consumer data under wraps. By provisioning managed identities and authorization privileges, ioTrust paves the way for securely connected automotive systems.

Note: This is part of a blog series on Securing the IoT. 

Ranjeet Khanna, Director of Product Management–IoT/Embedded Security, Entrust Datacard

[Cloud Security Alliance Blog]

Growing Global Spotlight on Privacy, GDPR, Resonating in India

India is a country at the cross-roads of transformation. As one of the fastest-growing economies, it is expected to be the most populous country in the world in a few years, potentially home to about 20 percent of the world population. Therefore, events in India are becoming increasingly relevant from an economic as well as geopolitical perspective.

The advent of the General Data Protection Regulation (GDPR) has brought significant focus globally and in India on privacy. The interest in privacy goes beyond the transactional and operational aspects. It explores deeper into the basis and relevance for privacy.

It is in this context that a landmark judgment delivered in August 2017 by The Supreme Court of India assumes significance. A nine-judge bench of the Supreme Court delivered the order that privacy is a fundamental right and an intrinsic part of the right to life and personal liberty guaranteed by the Constitution of India. The judgment has settled the debate on the matter and has meant that initiatives and activities of the government, as well as those of private enterprises and organizations, will need to ensure that privacy of individuals is protected.

A committee was formed by the Indian government in 2012 under the chairmanship of the former Chief Justice of the Delhi High Court to draft a paper that would facilitate the authoring of a privacy law for India. The committee suggested a detailed framework to serve the conceptual foundation for the proposed privacy law and mentioned the following features that should be included:

  1. Technological neutrality and interoperability with international standards. This feature recognizes the need to preserve privacy in the face of ever-changing technology. It also recognizes the need to be in harmony with international regimes to create trust for cross-border data flow.
  2. Multi-dimensional privacy. This aspect recognizes that privacy protection involves different types of data and different methods of communication and storage.
  3. Horizontal applicability. The frameworks should not discriminate between the government and private enterprise in matters related to protection of privacy.
  4. Conformity with the privacy principles. The committee has laid down privacy principles that are in conformity with globally recognized principles such as choice, collection limitation, etc.
  5. Co-regulatory enforcement regime. The committee has recommended a structure for regulators and emphasized the need for self-regulatory industry or sector-specific bodies.

India has now set into motion discussions for a data protection law. The government has assembled a committee to study various aspects needed to create a bill under the chairmanship of Justice Srikrishna, former Supreme Court judge. The proposed law is expected to address data privacy in a holistic manner. The committee had issued a white paper to solicit opinion from various stakeholders and the public on multiple aspects, including the content of the law.

GDPR has been a significant step that has spurred discussions around data protection and privacy across the globe, and India is no exception. Given the significance of information technology to India’s growth, the interest is natural. In terms of population, India is about 2.5 times that of the EU. The impact and significance of the data protection law in India is likely to be even higher. It is certain that India is on a path that is in sync with the global direction.

Editor’s note: To view ISACA’s resources on GDPR, visit www.isaca.org/GDPR.

Sandeep Godbole, CISA, CISM, CGEIT, CISSP, CEH, Past President of ISACA Pune Chapter

[ISACA Now Blog]

Cloud Security Alliance Releases New Report Examining Ways in Which Blockchain Technology Can Facilitate, Improve IoT Security

SEATTLE, WA – Feb. 13, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today released Using Blockchain Technology to Secure Internet of Things, a new white paper which explores the capabilities of blockchain technology in facilitating and improving the security of the internet of things (IoT).

Authored by the CSA’s Internet of Things (IoT) and Blockchain/Distributed Ledger Technology Working Groups, the paper highlights various features that should be considered when securing connected devices using blockchain technology. The document provides a high-level overview of blockchain technology, and then outlines a set of architectural patterns that enable blockchain to be used as a technology to secure IoT capabilities. It also offers specific use-case examples of blockchain for IoT security.

“Organizations on the forefront of implementing IoT are understandably encountering challenges in identifying appropriate security technologies that are capable of mitigating the unique threats that IoT presents,” said Brian Russell, chair of the CSA IoT Working Group. “We hope this document will inspire business leaders and developers embracing the blockchain opportunity to extend the capabilities of this technology to secure the internet of things.”

The report addresses two technologies with different maturity levels:

  • Blockchain: A technology enabler that supports rapidly evolving cryptocurrencies such as BitCoin, Ethereum, Litecoin, Dash and hundreds more. Blockchain’s success as a foundation for cryptocurrencies has spawned new research aimed at securing systems and technologies using the distributed ledger. Most initiatives in the business context are limited to prototypes that serve mostly to master the intricacies of this complex technology. Current applications only scrape the surface of their possible uses.
  • Internet of Things: A fast-maturing set of technologies that support the transformation of business and mission processes. The IoT is the inter-networking of physical devices such as connected vehicles, smart buildings, industrial control systems, drone and robotics systems and other items embedded with electronics, software, sensors, actuators and network connectivity that enable these objects to exchange data. The IoT has reached varying levels of maturity across sectors such as consumer, transportation, energy, healthcare, manufacturing, retail and financial.

“The IoT is having a major impact on how many companies conduct business and people go about their daily lives. However, security has become a stumbling block to widespread adoption or implementation. Luckily, blockchain holds great promise for securing connected devices and systems,” said Sabri Khemissa, co-chair for the Blockchain/Distributed Ledger Technology Working Group and the lead author of the paper. “This research should serve as a roadmap to implementing technology that will push the dial forward in securing IoT.”

The CSA IoT Working Group focuses on understanding the relevant use cases for IoT deployments and defining actionable guidance for security practitioners to secure their implementations. The Blockchain/Distributed Ledger Technology Working Group works to produce useful content to educate different industries on blockchain and its proper use, as well as define blockchain security and compliance requirements based upon different industries and use cases.

Individuals interested in becoming involved in the future research and initiatives of either group are invited to do so by visiting the Internet of Things WG join page and the Blockchain/Distributed Ledger WG join page.

The Using Blockchain Technology to Secure Internet of Things white paper is a free resource from the CSA and is available at https://cloudsecurityalliance.org/download/using-blockchain-technology-to-secure-the-internet-of-things.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

SCHOLARSHIP OPPORTUNITIES WITH (ISC)² AND THE CENTER FOR CYBER SAFETY AND EDUCATION

Every year, (ISC)² and The Centre for Cyber Safety and Education award a range of scholarships to individuals pursuing, or planning to pursue a degree in cybersecurity or information security.

Addressing the cybersecurity skills gap

The aim of these initiatives are to help bridge the cybersecurity workforce skills gap – which our research predicts to reach a 1.8 million shortfall in the next four years – and improve diversity within the profession; by providing future information security professionals with UndergraduateGraduate or Women’s scholarships to assist them in preparing for their rewarding career in this vital sector.

How the scholarship program has evolved

The program started in 2005, awarding four graduates $12,500 each towards an advanced degree in the sector. The scheme was initially part of (ISC)²’s “Year of the Information Security Professional” program, designed to create additional awareness of the profession and encourage high-quality new entrants into the field.

From 2005 through to 2010, the program grew, distributing between three and six awards each year; with the early scholarships being focused on graduate students conducting research in cybersecurity.

Last year however, 48 scholarships out of the 1000 plus who applied were rewarded; and today up to $125,000 is available across the varying scholarships – indicating a real growth and popularity in the scheme. Back in 2011, 28 applications were received, with the number of submissions growing but staying around the 60 – 70 mark each year. Though 2016 saw the real turning point, with over 500 applications being received, and of course last year where the scheme received its record number of submissions yet.

And it was in 2011 – in a concerted effort to address the fact that women are underrepresented in the profession –  the women’s scholarships were created. Females also have made up 73% of scholarship recipients to date, with nearly $200,000 being presented since the program commenced.

Successful recipients across the program have hailed from all corners of the globe too, including United Kingdom, Iraq, Estonia, Cameroon, Nigeria, South Korea, India, Jamaica, Australia, Canada and more.

If you’re interested in applying, or know someone who might be, read on for details on the individual initiatives:

Undergraduate Scholarships

Aspiring information security professionals have the opportunity to ease some of their educational financial burden with the (ISC)² Information Security Scholarship, offering undergraduate students studying information security from $1,000 to $5,000 per recipient. To be eligible, your GPA must be at least 3.3 on a 4.0 scale (or an analogous rank based on a comparable scale). Additionally, you can apply if you are a citizen from any country and studying in any country, either on a full time or part time course; whether it’s online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² undergraduate scholarships page.

Graduate Scholarships

Graduate students often need funding to conduct special research projects or assistance with tuition and fees; and the (ISC)² Graduate Scholarship Program helps grad students achieve those goals.  Graduate applicants may be awarded between $1,000 and $5,000 each. To be eligible, your GPA must be at least 3.5 on a 4.0 scale (or an analogous rank based on a comparable scale). Please note, if you have just been accepted to Graduate School, or are just beginning classes, you will use the final cumulative GPA from your undergraduate degree transcript to meet the criteria. Additionally, you can apply if you are a citizen from any country and studying in any country, either on a full time or part time course; whether it’s online or on-campus. For more details on eligibility and how to apply, see the official (ISC)² graduate cybersecurity scholarships page.

The deadline for the Undergraduates scholarships is 15 March 2018, and for Graduates, it’s 17 April 2018.

Learn more and apply via the Center’s website  and for email enquiries: scholarships@isc2.org

[(ISC)² Blog]

English
Exit mobile version