GDPR and Cryptography - Catastrophic Risk Principles

Followed by GDPR Workshop #2

Date:
Wednesday 24 January 2018

Venue:
BCS, 1st Floor, The Davidson Building, 5 Southampton Street, London, WC2E 7HA

Time:
6.00pm - 9.30pm

Cost: (Prices stated are inclusive of VAT @ 20%)
BCS Members: £10
Non-members: £15

Speaker:
Dr Sally Leivesley PhD Lond., MSPD, BA(Hons) Qld., FICPEM, FRSA, MACE, MIABTI, MRSES

Talk - 6.30pm - 7.15pm

If companies want to cover 95% of loss events then Standards rule, but if catastrophic failure events are an obligation of the Board or a national government then we need to look beyond Standards to solutions for the real world of catastrophic attacks on data and systems. Once vulnerabilities in cryptography and other key security processes are understood, the solution to maintaining continuity of operations and data protection requires a catastrophe plan that goes beyond the general processes currently outlined in security standards. Defining the adequacy of the security of cryptography and other processes will require innovative responses by the cyber community, advice from the legal community and possibly further refinements in GDPR definitions. It is essential that a set of catastrophic risk management principles is established for continuity of operations, and that there is no dependence on encryption as an unassailable security solution. A wide discussion is needed on governance, critical functions loss assessments, residual risk management and the impact of failure under GDPR requirements. Developing a coherent industry approach to preparing a catastrophe plan requires pathways to adequate or reasonable risk management that can be argued within the context of a business, an industrial process, or a government operation and within the context of threat intelligence.

About the speaker:

Dr Sally Leivesley advises companies and governments on catastrophic risk to critical functions essential for operations and reputation. She is Managing Director of Newrisk Limited and a founder member of The Exercise Group7LLP. She runs exercises to stress test organisational resilience and capability to secure against the modern threat (www.Newrisk.com; teg7.co.uk). She is known for her media appearances on catastrophic events including terrorism, security and cyber across all sectors of government and industry. She served as a member of the technical committee for the first IET guidance document on Resilience and Cyber Security of Technology in the Built Environment, and of the Register for Security Engineers and Specialists. She has worked in practical recovery operations for cities after disasters in Australia and originally trained and worked as a Scientific Advisor with the British Home Office on mitigation of all-out nuclear attack and other extreme threats.

There will be no remote attendance or recording permitted at the first event.

GDPR Workshop 2 - 7.30pm - 8.45pm

GDPR obligations for personal data security and integrity: what counts as good enough "organisational and technical measures"?

Workshop lead: Chiara Rustici

The obligation to identify and report a data breach within 72 hours is a new data protection requirement, mandatory for organisations of all sizes.

  • Do you have clear breach reporting lines between the highest level of your organisation and the entire chain of your processors and sub-processors (contractors and sub-contractors) handling personal data on your behalf?
  • Do you have a company-wide assessment method to recognise what counts as a data breach in the eyes of the Regulator?
  • If your business operates in multiple countries, do you know which Data Protection Supervisory Authority you must report the breach to? Your lead supervisory authority or the one in the country where the breach occurred?
  • Do you know what triggers your obligation to notify the data subjects affected?
  • Which personal data do you plan to encrypt and how?
  • What measures beyond encryption count as "state of the art" organisational and technical measures?

After meeting all of the recommended EU security standards and your own sector-specific standards, how can you mitigate residual risk such as catastrophic risk?

Workshop participants are advised to read the most up-to-date version of the Art. 29 WP "Guidelines on Personal data breach notification under Regulation 2016/679", adopted on 3 October 2017, and the working paper published by ENISA, "Recommendations for a methodology of the assessment of severity of personal data breaches".