Privacy is the Global Battlefield - Do we have the Tools and Standards to Fight – and What is “Privacy Engineering?”
John Sabo, Chair, OASIS IDTrust Member Section and Chair, PMRM Technical Committee
Technical Compliance with The GDPR
• Is your organization ready to comply with the GDPR’s requirements and put in place comprehensive controls over how it uses and manages personal data?
• Does your organization understand how to implement functionality that will not only demonstrate that you are compliant, but actually deliver the privacy you have promised?
• Does your technical team – including third party data partners – have the tools to understand their implementation requirements?
• Can you efficiently and confidently manage changing data protection requirements as your business environment changes?
• How do you apply abstract privacy engineering and data protection concepts to the pressing mandates on your organization to achieve compliance?
OASIS IDTrust GDPR-Privacy Engineering Workshop-John Sabo 2
Privacy the Global Battlefield
• The GDPR’s mandates are global - will cover 510 million people (including Britain) and have international impact
• To effectively meet its mandates, we must
  o make use of tools that leverage existing technical and policy standards
  o foster the development and adoption of new standards that are needed
  o take the next steps towards building a Privacy Engineering capability
• Privacy Engineering as a discipline can analyze, document, visualize and provide technical solutions to data protection requirements
  o Addressing the delivery of data protection/privacy principles, regulations, and business policies
  o Set in the context of a rigorous privacy management analysis specific to a use case/implementation
  o Translated into Privacy Controls and Specific Requirements
  o Defined in required privacy services and functionality
  o Implemented in technical and procedural mechanisms and
  o Reported using tools that allow a privacy engineer to demonstrate compliance
The GDPR as Catalyst
• The GDPR can be a strong catalyst for assessing and improving how to actually deliver assured data protection/privacy in today’s complex, cloud-based systems.
• Can this be done reliably, cost effectively, and with demonstrable compliance without standards and a privacy engineering discipline?
• This is no easy task. But it is essential to meet the spirit (and letter?) of the GDPR
Why Privacy Engineering? – An Analogy
• Civil engineering is a professional engineering discipline that deals with the design, construction, and maintenance of the physical and naturally built environment, including works like roads, bridges, canals, dams, and buildings.
• Civil engineering is traditionally broken into a number of sub-disciplines:
  o Materials science and engineering
  o Coastal engineering
  o Construction engineering
  o Earthquake engineering
  o Environmental engineering
  o Geotechnical engineering
  o Water resources engineering
  o Structural engineering
  o Surveying
  o Transportation engineering
  o Forensic engineering
  o Municipal or urban engineering
  o Control engineering
Source: Wikipedia
Building One World Trade Center
Building Privacy into Complex Applications
Given that Analogy - What is Privacy Engineering?
NIST NISTIR 8062
• “A specialty discipline of systems engineering focused on achieving freedom from conditions that can create problems for individuals with unacceptable consequences that arise from the system as it processes PII.” “An Introduction to Privacy Engineering and Risk Management in Federal Systems” http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf
PRIPARE
• “Privacy Engineering: A systematic, risk-driven process that operationalizes the Privacy-by-Design philosophical framework within IT systems. Privacy concerns are subsequently integrated into systems as part of the systems engineering process.” http://pripareproject.eu/wp-content/uploads/2013/11/PRIPARE_Deliverable_D1.3_v1.0.pdf
Given that Analogy - What is Privacy Engineering?
MITRE
• “Privacy Engineering is a systemic, risk-driven process that operationalizes the privacy by design (PbD) framework within IT systems.” “The privacy engineer or a designated individual is the individual that performs privacy engineering.” https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/engineering-informationintensive-enterprises/privacy-systems-engineering
ISO 27550 Privacy Engineering Working definitions
• “Privacy engineering deals with the integration of privacy concerns in the engineering of information and communication technology (ICT) systems.”
• “In the engineering of information and communication technology (ICT) systems, privacy engineering deals with the addressing of privacy problems created by information system operations that process personally identifiable information (PII)”
Where are we today? Tools and Standards are Slowly Emerging
• Privacy Engineering Models/Methodologies
• Privacy Engineering Publication
• Risk Management Privacy Engineering Methodologies
• Privacy Engineering Automated Tools
• Official Standards
• Privacy Controls Design Strategies, Patterns Libraries
• Privacy Engineering Education
• Privacy Engineering Conferences and Workshops
Source: “Privacy Engineering…Its Time to Take the Next Steps towards Standards and Automated Tools,” Gail Magnuson, LLC https://www.oasis-open.org/committees/download.php/60650/Privacy%20Engineering%20Research%20Paper%20May%204th%202017%20Final%20.pdf
This OASIS Workshop will explore these issues –
GDPR Compliance
Privacy Engineering Standards
and…tools to support the technical delivery of data protection/privacy in today’s applications and systems