Time
5 hours 49 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello, everybody, and welcome to the Iraqi Security episode Number 32.
00:05
Reducing privacy risk. My name is on hand Dragon, and I'll be your instructor for today's session.
00:13
Learned archetypes of this module is to understand and be able to identify the main concepts that will help you reduce your practice to risk for your dirty infrastructure.
00:26
Privacy in your nearest you know, knew I said new discipline that 16 sure systems application and advices are engineered to confirm the privacy policies and regulations.
00:38
The right people and processes are first needed to accomplish this.
00:42
Privacy touches up. You know, several professions in the corporation on government, the world attorneys or legal professionals, engineers, quality assurance, human resources and other disciplines becoming both in different capacities in the creation. An adoption of privacy policy,
01:00
the implementation and enforcement
01:03
for all the departments involved. The role that privacy engineer, instant understanding, participate or department see of the privacy department, you know, understanding participate in both the policy on the technical life cycle off a privacy masterman implementation.
01:19
You know, the assigned privacy Engineer Department shoot maintained strong association on developing team function as I used to representative representative in development you know, uh, privacy program
01:37
provided charity and nor reputation guidance Ask questions like is the co creating any meta meta data using the personal? I didn't file information.
01:49
We need thio to, you know, protect things made to data. How was it passed from a function to function? How word? You know how it is this written. Do a database is encrypted in in the communication bath.
02:06
Are we saving clear text data? And that is our oceans. Are we saving hashes?
02:12
Uh, when a function is not needed anymore, the divided you destroyed memory. Except is, if that's the case, how was it simply, you know, moved to the trash when she
02:25
a symbol of the reference
02:29
or was it actually off written, maybe zero ization or, you know, a military grade? Um,
02:37
elimination.
02:38
So this is the task that privacy engineer or privacy departments should be doing and should be. You know that that those kind of questions they should be asking,
02:49
Ah,
02:50
this list of activities is way too small, eh? So let's dive into a well known privacy regulation to give us a clearer picture, which is the CPR.
03:00
JD. Pierce stands for General Data protection regulation. Um, it's a game changing data privacy law because it came from the European Union. It wasn't force uh, in May off the originating.
03:17
Now, if your company's based, for example, somewhere outside that European Union for something the U. S or any anywhere in Latin America. Uh,
03:29
this won't save you from the penalties from there. You know, the American that there are European Union has promised imposed a do must begin CPR complying when building with using European citizens data
03:42
GPR consists of long, uh, least of regulations and family consumers are how to consume or handled the consumer data.
03:53
The goal of this new regulation is to help align existing data protection protocols are while increasing the levels of protection for individual information.
04:04
Now to be complying with this eyes, no walk in the park.
04:09
Ah, here some points and this is on Lee reduced amount of points that you have to achieve if you want to be complying with this regulation from temple timely bridge notification. If a security breach occurs, you occurs. You have 22 hours to reboard the data bridge to your stakeholders
04:28
and, you know, dealing with media
04:30
Billy with Matt Stakeholders. That's a huge deal on. And this, of course, we won't save you from from from pain defines and punishes
04:41
they established,
04:43
um, right to access the data. If you re user requests existing the resistant data profile, you must be able to serve them in a fully detail and free electronic copy of data you have collected about them.
04:58
Eso This means keeping a database with all the information. How did you gathered it? And you know, if you have gather new information over time and you, of course, will have to implement controls to say a word this information
05:14
right to be for gotten also known at the right to that abolition. Once the original purpose of our use of the customers data has been realized, your customers have the right to request that you totally raise their personal data.
05:30
So totally raising any data is hard and it's costly
05:34
because at the end you have to implement techniques not only to just put it in the trash, so you have to implement your techniques like serialization military, great Galician. I'm a physical destruction on all that is costly really, really comfortable.
05:54
Uh, data poor ability that these guests users the right to own their data. They must be able to obtain their data from your from you and reuse that same data in a dig in different environments outside your company.
06:06
Privacy by design. It's in this section that J. D. P. R requires companies to design their system with the proper security control to brace in place from the very beginning off the system are from start. You know, I remember that we discussed some poor development life cycle and why we should include security from the big bird beginning. Well,
06:28
here's another reason to do so.
06:30
Uh, the panel and then of these are gonna walk in the park. You know, failure to comply with J. D. P R can result in some pretty, you know, high fines.
06:42
The fines will range from 20,000,012 medium 1,000,000 heroes, which will be like $25 million for something in between. $2 million are up to 4% off the, you know, organization or any cell signals
06:57
annual revenue, whichever is greater. S O. You know you're here will guarantee that you at least get a fine of 20 million
07:05
heroes. So use will really hurt you. Yeah, this will definitely hurt your annual revenue on That's that that says you're refined for lesser offenders. They find will, how will be, you know, calling health and will be 10 millions. It's still she's still, you know,
07:26
I really huge fine.
07:28
So, yeah, you have to complain with that
07:30
unless you know that this is a personal thought. And I believe some other companies are doing so as well.
07:39
For example, let's say that implemented the controls, which will not be the case here, because I can't think of any control that will, you know, go above 20 millions.
07:49
Um, you consider that you can you can actually, I've served the risk.
07:57
Oh, are your risk appetite is high,
08:00
um, and the cost of implementing the controls eyes weigh about 20 millions. For example, maybe you realized that implemented all the controls requested in a J. D. P. R is $50 million so you decide to take the risk and pay a fine if that's the case.
08:18
But just remember that having a bridge injured on a compromise of
08:24
your customer's privacy will all not only result in you have do paying the fine of 20 millions. But you will also result on damages on your image on your business image. And you will also end up losing customers. So maybe that 12 million fine will, uh,
08:41
you know, convert into ah, 100 million fine.
08:46
Meaning that you will pay the 20 million Fine. But you will also end up losing three other any millions in, you know, business images, damage on dhe, losing customers and all that stuff.
09:03
So, yeah, Thio,
09:05
if you want to plan the controls, just be mature tourist to run a risk on now. This is first.
09:16
What does J d P r stands for? Well, remember, this is the law would just discussed is for the Europeans um uh, citizens. And
09:30
it stands for general data protection regulations
09:35
mentioned some of the main basic on basic task
09:39
that the privacy engineering department should be doing. Or, uh, there's a lot of fast, but, you know, they have to be be able to maintain a strong association, you know, with the development of the new device and the privacy concerns,
09:54
they have to help you comply with regulations like J. T. P. R. For example,
10:00
mentioned at least two principals you must apply to BJ VP are compliant with well timely, timely bridge notification. You have 22 hours to know it's not a fight. All your stakeholders for any bridge do you have suffered? All right, be fore gotten also known and the right of
10:18
that a Galician wants. The original purpose of the customer
10:22
data has been realized. Your customers have the right to request that you're totally race their personal data
10:30
in today's brutal lecture with this cause, the main topics on concepts off my auntie privacy risk
10:37
Well, you should definitely check the Jedi PR official weapons. That's service of any any questions you may have or have to confine.
10:46
That's your go to.
10:50
In the next video, we'll review some concepts that will help us set up a plan of piety compliance program.
10:56
Well, that's it for today, folks. I hope you're the video and talk to you soon

Up Next

IoT Security

This IoT Security training is designed to help IT professionals strengthen their knowledge about the Internet of Things (IoT) and the security platforms related to it. You’ll also be able to identify the security, privacy and safety concerns related to the implementation of an IoT infrastructure.

Instructed By

Instructor Profile Image
Alejandro Guinea
CERT Regional Director
Instructor