Unrestricted email plus full PII access: recipe for trouble

Storage giant Seagate suffered exposure of the withholding-tax records of some 12,000 employees following a phishing attack.

At the time Seagate noted that there was no evidence that the information had been misused, also known as the absence-of-evidence defense.

Fast-forward a year or so, and the evidence has appeared.

As is usual in these cases, we have a combination of failures, such as:

Cloud apps and outsourcing bring new breaches

Given the apparent proliferation of data breaches (or at least their coming to light), I doubt that I can keep up, and so in future will comment only on those cases that illustrate some aspect of the GDPR.

That aspect today is the rampant push to get sensitive PII into the hands of cloud vendors and external (outsourced) developers and testers. I just came across some recent cases:

Sweden’s data breach: a cautionary tale

Another week, another data incident. The GDPR is arriving none too soon. Let’s hope that it can slow the tide that is washing our personal data out into the internet data-ocean.

This time the victims are the citizens of Sweden, or at least those who have a vehicle registered, are in the police or military, or who are protected witnesses. In other words, a nightmare scenario, which clearly would be a violation of the GDPR (that is, once it comes into force some ten months from now).

Considering the GDPR as a whole

Should versus shall

Sitting down to read through the GDPR is not a casual undertaking, but initial skim-throughs left me wondering about the word should, which one encounters often in the text of the legislation. It seemed odd to me that legislation should merely suggest behaviors and outcomes; I had assumed that legislation is a recital of what you must (or must not) do.

It might be useful to compare the frequency of words like ‘should’ and ‘shall’ (known to English grammar as modal or auxiliary verbs) in the GDPR in order to understand the intentions of its creators. What are they trying to convey with their use of these different modal verbs?
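One way to carry out that comparison, as an added example (my script, not anything from the blog): classify each line of the text as belonging to a recital (headed “(n)”) or to an article (headed “Article n”) and tally the modal verbs per part. The text embedded below is a constructed sample written in the style of the Regulation, not the official text; point the function at the full text to get real numbers. The split it illustrates is a genuine feature of EU legislation: the recitals, which explain intent, are written with “should”, while the articles, which are the binding provisions, use “shall”.

```python
import re
from collections import Counter

# Modal / auxiliary verbs to tally.
MODALS = {"shall", "should", "must", "may", "might", "will", "would", "can", "could"}

# Constructed sample in the style of the GDPR (not the official text).
# Recitals are headed "(n)"; articles are headed "Article n".
SAMPLE_TEXT = """
(1) The protection of natural persons in relation to the processing of personal data is a fundamental right.
(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected.
Article 5
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Article 25
The controller shall implement appropriate technical and organisational measures. The processor may assist the controller.
"""

RECITAL_HEADER = re.compile(r"^\(\d+\)")
ARTICLE_HEADER = re.compile(r"^Article \d+\b")


def modal_counts_by_part(text):
    """Count modal verbs separately for recitals and articles.

    Returns {"recital": Counter, "article": Counter}. Each line is assigned to
    the part whose header was seen most recently; text before any header is
    ignored.
    """
    counts = {"recital": Counter(), "article": Counter()}
    part = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECITAL_HEADER.match(line):
            part = "recital"      # recital text follows its number on the same line
        elif ARTICLE_HEADER.match(line):
            part = "article"      # the heading line itself carries no modal verbs
            continue
        if part is None:
            continue
        words = re.findall(r"[a-z]+", line.lower())
        counts[part].update(w for w in words if w in MODALS)
    return counts


def dominant_modal(counter):
    """Most frequent modal in a part, or None if the part used none."""
    return counter.most_common(1)[0][0] if counter else None


if __name__ == "__main__":
    result = modal_counts_by_part(SAMPLE_TEXT)
    for part, counter in result.items():
        print(f"{part:8s} {dict(counter)}  dominant: {dominant_modal(counter)}")
```

On the sample the recitals yield only “should” and the articles only “shall” (plus one permissive “may”); the same two-bucket count over the whole Regulation shows the same pattern, which answers the question of why a binding text reads as if it were merely suggesting things: the suggestions are in the non-binding recitals.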

BUPA suffers an incident

News stories reinforce the reality of privacy incidents. Today I plan to discuss a story from The Register, one of my favorite tech sites. The article is short and well worth reading. Don’t miss the comments, which raise interesting points.

Bupa: Rogue staffer stole health insurance holders’ personal deets

BUPA, a UK health insurance company, suffered a leak of more than 100,000 customer records, including phone numbers and email addresses, due to the actions of an employee.

The Data Inventory, Part 1

Let’s get started on something concrete. One of the first things you’ll need to launch your privacy-compliance effort is an inventory of what personal data you are currently storing, where, and under whose control. This inventory will be at the core of your efforts, and will be the reference point for stakeholders. In this article I suggest a basic approach to get started using a single table. Future posts will add more tables to provide additional information, so that in the end we have a small schema for our inventory.
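To make the single-table idea concrete, here is an added example (mine, not the blog’s own schema). The column names are assumptions about what a first-pass inventory needs, the rows are constructed fictional systems, and the queries go a step beyond the text: they run the three failure patterns seen in the incidents discussed on this page (sensitive data readable by all staff, data held by an external processor outside the EU/EEA, data with no retention rule) against the inventory, which is the point of building it in the first place.

```python
import sqlite3

# Hypothetical starting-point schema for a one-table personal-data inventory.
# Column names are this example's assumptions, not a schema from the blog.
SCHEMA = """
CREATE TABLE data_inventory (
    id               INTEGER PRIMARY KEY,
    system           TEXT NOT NULL,      -- application, database or file share
    data_element     TEXT NOT NULL,      -- e.g. 'national ID', 'salary'
    category         TEXT NOT NULL,      -- 'identifier', 'contact', 'financial', 'health', ...
    special_category INTEGER NOT NULL,   -- 1 if it falls under GDPR Art. 9 (health, etc.)
    storage_country  TEXT NOT NULL,      -- ISO 3166 alpha-2 code of where the data is held
    processor        TEXT NOT NULL,      -- 'internal' or the vendor / outsourcer holding it
    access_scope     TEXT NOT NULL,      -- 'restricted', 'role' or 'all_staff'
    retention_days   INTEGER             -- NULL means no retention rule has been defined
);
"""

# EU member states plus the EEA (IS, LI, NO). GB is included because the UK was
# still a member state when the GDPR came into force.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB", "IS", "LI", "NO",
}

# Constructed sample rows (fictional systems), chosen to mirror the failure
# patterns in the incidents discussed on this page.
SAMPLE_ROWS = [
    ("HR payroll DB",    "withholding-tax form", "financial",  0, "BE", "internal",        "all_staff", 3650),
    ("HR payroll DB",    "national ID",          "identifier", 0, "BE", "internal",        "role",      3650),
    ("Claims portal",    "diagnosis code",       "health",     1, "US", "CloudVendor Inc", "role",      None),
    ("CRM",              "email address",        "contact",    0, "IE", "internal",        "role",      730),
    ("Test environment", "customer phone",       "contact",    0, "IN", "OutsourceCo",     "all_staff", None),
]


def build_inventory(rows=SAMPLE_ROWS):
    """Create an in-memory inventory and load the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO data_inventory (system, data_element, category, special_category, "
        "storage_country, processor, access_scope, retention_days) VALUES (?,?,?,?,?,?,?,?)",
        rows,
    )
    conn.commit()
    return conn


def find_risky_entries(conn):
    """Return (system, data_element, reason) tuples for entries matching three
    patterns: sensitive data readable by all staff, data held by an external
    processor outside the EU/EEA, and data with no retention rule (the GDPR's
    storage-limitation principle, Art. 5(1)(e), requires one)."""
    findings = []
    query = (
        "SELECT system, data_element, category, special_category, storage_country, "
        "processor, access_scope, retention_days FROM data_inventory ORDER BY id"
    )
    for system, elem, cat, special, country, proc, scope, retention in conn.execute(query):
        if scope == "all_staff" and (special or cat in ("financial", "identifier")):
            findings.append((system, elem, "sensitive data readable by all staff"))
        if proc != "internal" and country not in EU_EEA:
            findings.append((system, elem, f"held by external processor {proc} outside the EU/EEA ({country})"))
        if retention is None:
            findings.append((system, elem, "no retention period defined"))
    return findings


def elements_per_processor(conn):
    """How many data elements each processor holds: one of the first questions a DPO asks."""
    rows = conn.execute(
        "SELECT processor, COUNT(*) FROM data_inventory GROUP BY processor ORDER BY processor"
    )
    return dict(rows.fetchall())


if __name__ == "__main__":
    db = build_inventory()
    for system, elem, reason in find_risky_entries(db):
        print(f"{system:16s} {elem:22s} {reason}")
    print(elements_per_processor(db))
```

The checks are deliberately crude (a country code is a weak proxy for transfer legality, and “all_staff” hides how access is actually granted), but they are the kind of question the inventory has to be able to answer on day one; later tables (processor contracts, legal basis per element, retention rules) refine them rather than replace them.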

What to do first

Confronted with the enormous scale of an effective compliance effort, you are likely to be overwhelmed. For one thing, your resources are likely to be meager. For another, the typical objective at this point is merely informational (“look into it”, “impact assessment”, “cost estimate”). From management’s point of view, this is a reasonable request. From your point of view, it’s not; the information is not lying around, but must be collected from dozens or hundreds of applications, databases, filesystems, and more.

First Post: the IT landscape under GDPR

This blog is dedicated to questions raised by the pending application of the GDPR (General Data Protection Regulation), which is coming into force on 25 May 2018.

  • My experience, as a data modeler and analyst, is that very few data-processing shops have begun to take compliance measures.
  • Online materials focus on the headline aspects of the legislation, such as fines, audits, and liability, but few address day-to-day practical concerns.

What this blog aims to do is to leave the strictly legal questions to the lawyers and instead discuss the impact of the GDPR on business and IT, particularly in Belgium.

What follows are some GDPR challenges that have occurred to me thus far:

  • getting started, given the vast number of tasks required
  • it seems that IT operates with more limited resources than ever before; how can we fit privacy protection into this minimalist landscape?
  • visualizing the end-to-end development process
  • organizing roles and responsibilities
  • the relation between privacy and security measures
  • managing the process/traceability paper-shuffle
  • pondering open questions about non-EU providers, such as cloud applications and outsourcing companies

Viewing GDPR as a business risk

  • risk assessment
  • contingency planning
  • mitigation
  • revenue flows (e.g., marketing, selling data)

Application development

  • Retro-fitting existing applications to make them compliant
  • Organizing the development process to implement “Data protection by design and by default” (Article 25 of the GDPR)
  • How we might integrate Agile-type practices into protection-by-design

The Big Picture

  • the global struggle between guarding privacy and the profitability of personal data
  • globalization trends (cloud, outsourcing) and the conflict with privacy
  • what level of protection is ‘good enough’?

Reading the text of the legislation

  • what does it say on its face?
  • where could we benefit from guidance from legal experts?
  • assuming that national privacy auditors will use the legislation as a guide, how can it help us in our processes and contingency planning?

Ongoing developments – Given that privacy incidents, data breaches, government action, court cases, and more can be expected in the run-up to GD-day, I will discuss events that appear significant to a broad audience.

Being new to blogging in general and WordPress in particular, I expect to have some teething problems. In particular, I will have to learn how to handle comments so as to keep discussions civil and on-topic. Please bear with me; I hope you will find this to be a useful resource.