Slide 1 (Company Confidential): How to implement privacy and security requirements in practice?
Tobias Bräutigam, OTT Senior Legal Counsel, Nokia, 8 October 2012
Slide 2: Three questions...
1. Why do we need security requirements?
2. How does Nokia organize privacy compliance?
3. How are privacy and security requirements implemented in collaboration cases?
Slide 3: What does the law say about security requirements?
Slide 4: Finnish Law
Henkilötietolaki (Personal Data Act):
- § 5: general commitment to "hyvää tietojenkäsittelytapaa" (good data processing practice)
- § 32: obligation to implement technical and organizational measures depending on the circumstances
Sähköisen viestinnän tietosuojalaki (Act on the Protection of Privacy in Electronic Communications):
- § 2: definition of data security as administrative and technical measures to make sure that only those entitled may process the data
Regulations issued by the Finnish Communications Regulatory Authority (Viestintäviraston määräykset)
Slide 5: Directive 95/46
Article 17 Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. Summary: applies to processors, too.
3. and 4. Summary: a contract in writing and instructions are needed.
Slide 6: DRAFT General Data Protection Regulation (1)
Article 23 Data protection by design and by default
Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Slide 7: DRAFT GDPR (2)
Article 30 Security of processing
1. The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organizational measures referred to in paragraphs 1 and 2 […]
Slide 8: How are privacy and security organized at Nokia?
Slide 9: Nokia Privacy Program elements
1. Executive Oversight
2. Training and Awareness*
3. Policies and processes to implement the policies
4. Staffing and delegation
5. Risk assessment and mitigation
6. Issue Response Management
7. Internal enforcement
8. Redress
Slide 10: Different needs for training
[Diagram; tier labels recovered from the slide: All Employees, Privacy 2500, Privacy Network]
- Basic knowledge => eLearning
- Role-specific knowledge => face-to-face or other tailored learning
- Expert knowledge => Privacy Academy + certifications
Slide 11: How are privacy and security requirements implemented in collaboration cases?
Slide 12:
TARGET: Ensuring security in the Extended Nokia
HOW: Team effort of several stakeholders using consistent and fit-for-purpose security principles
Slide 13: Risk management based approach
What are the risks?
- Compliance based approach (privacy, ethical business)
- Business continuity (availability)
- Leak prevention and asset protection
- Consumer / personnel data (confidentiality)
- ICM / L&C service delivery (integrity)
- Product security (various risks)
How to address the risks?
- Contractual controls
- IT security controls
- Document / onsite review
- Relationship / governance
- Support / knowledge sharing
- Awareness raising
Slide 14: Introducing Third Party Security Management (3PSM)
Slide 15: Four aspects of 3PSM
- Requirements: lay the foundation of the 3PSM arrangement. E.g. Common or Advanced Security Requirements, Nokia Supplier Requirements
- Processes: ensure consistent implementation of 3PSM practices. E.g. consultative review, self-assessment, preventive and corrective actions
- People: deliver the 3PSM requirements through physical or virtual means. E.g. Sourcing, 3PSM experts, business people
- Tools: help the case for Sourcing, Business and the 3PSM network. E.g. Case Profiling tool, Current State Analysis tool, Reporting tool
Slide 16: Modular requirements structure
[Diagram: the Case Profile determines which requirement layers apply to a collaboration case]
- Common Security Requirements for Nokia Third Parties: pre-set, applied in all cases
- Specific Security Requirements (e.g. Web Application, Hosting Services, Software Development): pre-set, decided case-by-case
- 3PSM Expert: ad hoc, decided case-by-case
Slide 17: Case Profiling Tool
The Case Profiling tool helps Business and Sourcing to understand what kind of security requirements are needed for a collaboration case and how critical the case is from a security point of view. The tool has two sections:
- Control selection: case-specific requirements for agreements
- Mini BIA (business impact assessment)
Slide 18: Locate use case
© Nokia 2012, Mobile Industry Privacy Challenge
Thank you! (Kiitos!)