Category: accountability

European Regulation for the Protection of Personal Data and Data Security


By

Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
&
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i. e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals in concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority  (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016 but with GDPR, for violations of obligations set forth in matters of individual rights they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

GDPR Article 32 on the security of data processing lists the various criteria that a controller and a processor must take into account to determine the level of security required, namely, the state of the art, the costs of implementing security, the processing in question, including its purpose and context, the probability and the severity of the risks for individual rights and freedoms The logic consists in customizing security measures to the risks identified with respect to the processing of personal data.
Major change: the Regulation provides for an assessment of risks to privacy from data processing. Subsequently, it is up to the controller to perform a PIA (privacy impact assessment) for all the processing actions likely to result in a high degree of privacy risk for the individuals in question. According to GDPR, some types of processing are deemed to constitute risks and are subject to a PIA because of the nature of the data being processed (large-scale processing of sensitive or criminal record data) or the purpose of such processing (profiling, large-scale monitoring of public areas, etc.).
Given that this is about safeguards to be put in place, Article 32 lists certain measures that are to be implemented by the controller and/or the processor, such as data pseudonymization or encryption, the implementation of methods capable of ensuring system confidentiality, integrity, availability, and resilience, the implementation of techniques capable of restoring availability and access to personal data in the event of a physical or technical incident, regular verification of such measures. The Code of Conduct (GDPR Article 40) and certification (GDPR Article 42) are also solutions that are likely to be considered with respect to security.
Pursuant to GDPR Article 36, whenever a PIA identifies a high level of risk, it becomes mandatory to consult the CNIL prior to proceeding with the data processing in question. This requires, for instance, that the CNIL be advised of any measures having to do with the security of processing for the CNIL to evaluate whether they are sufficient to allow the processing to proceed.
Pursuant to GDPR, data security also requires that a notification of a personal data breach be made initially to the supervisory authority (CNIL) within 72 hours of it becoming known (Article 33) and to the data subject (Article 34) if CNIL believes the security measures to have been inadequate. This obligation extends to the processor who must notify the controller of any data breaches as soon as it becomes aware of them. These data breaches result from one or more security incidents (unauthorized access to an IT system, data extraction, reproduction, or distribution). Advance incident detection and correction help obviate the need to notify since there is no breach.
We understand that the new regulation requires that locations where data are processed within an organization (mapping) be brought to a condition that will help determine specific priorities for bringing into compliance as well as the relevant support. As for security, implementation of Bug Bounty practices appears to us to be highly recommended to detect security incidents early, thereby preventing them.

GDPR leads us to the following motto:

When security works, everything works!

ZeroDisclo.com : IT Security Researchers finally Protected

In constant contact with its community of security researchers, YesWeHack has noted that it is complex for a security researcher and therefore, for a whistle-blower to report security flaws -in a  coordinated way – to impacted organizations. Especially if those organizations do not have a Bounty Bounty program registered on BountyFactory.io !

Vulnerability discoverers often experience difficulties on how to report them to the organizations concerned without disclosing them to a third party and unfortunately direct contact with companies constitutes a legal risk.

A long-time partner of the security research community through its founders, YesWeHack launches ZeroDisclo.com.

This platform provides the technical means and the required environment for all to adopt the coordinated reporting of vulnerabilities commonly known as “Coordinated Vulnerability Disclosure“.

The platform, which can be accessed directly or via the Tor network, offers any Internet user the opportunity to report a vulnerability to CERTs™ via an on-line form, providing the necessary information to understand and evaluate its severity through its CVSS score. The researcher can then choose to remain anonymous or provide his identity if he/she wishes to be contacted, or even thanked in return.

The report will be encrypted via OpenPGP plus the key of the CERT™ in the very browser, time-stamped, signed by the Blockchain and forwarded automatically to the CERTs™ chosen from an exhaustive list.

In exchange, the researcher receives a certificate attesting to his/her submission.

Currently, the CERTs™ selected by ZeroDisclo.com are the CERT-EU, CERT-FR, and the CERT-UBIK created by Digital Security dedicated to the Internet of things. Moreover, organizations can subscribe to ZeroDisclo.com in order to monitor in real time, the flaws concerning their systems and -if necessary- to contact the relevant CERTs™ in order to know the details.

ZeroDisclo.com aims at empowering the community, for security researchers to prove their good faith. ZeroDisclo.com offers an efficient and ethical alternative to services disclosing vulnerabilities on the Internet and on the black market.

Founded in 2013, YesWeHack connects organizations or projects with IT security needs with skilled people.

4 interdependent platforms are available:

– YesWeHack Jobboard: the first job site specializing in computer security.
– Bounty Factory: Bug Bounties’ first European platform.
– FireBounty: Bug Bounties aggregator.
– ZeroDisclo: Vulnerability Reporting Platform.


References


Press contact: presse@yeswehack.com


YES WE HACK © 2017 | Our Job Board | Our Bounty Factory | Events | Press