
GDPR: My Final Conclusions

In my first three articles covering GDPR, I forayed into the Infra business and the Software business, providing a full scope of GDPR and what it promises after its unveiling in May. I have received much feedback in different forms on these articles, most of it relating to how you, personally, as a consumer, find the liability of registry keepers irritating. From the feedback, I gather that not many are prepared to think about how their own business can be compliant; that is often considered someone else’s job.

In my opinion, it’s a matter that concerns us all.

GDPR in Consultancy Business

As someone who works as an ICT consultant, it’s easy for me to order people around. You can easily scare the other side of the table, making them feel there is nothing that can be done for a specific situation. Through scare tactics, we can send everyone home. As I touched on in my first article, many users already feel this way.

I’m here to say that, as a good consultant, you should help the customer reach total GDPR compliance. Through small steps, it is completely doable. As a consultant, you owe it to your clients to start preparing them.

When you have time, glance over the screenshots attached at the end of this article. Unfortunately, the tool is nothing unless you know how to use it. This is why we are here to help you, and why we help you gather the material along the way.

Once you have the materials, the tools, and the confidence, you’ll be able to navigate the GDPR waters on your own. Don’t worry, if you feel overwhelmed, we are here to provide support.

GDPR’s Commercial Side

Prog-It has made a four-day consultancy package for small to medium-sized clients. The 4-day program is divided as follows:

  • Day 1: Introduction and business model documentation. Create a Privacy Map.
  • Day 2: Infra side: inventory of software, systems and hardware. Outcome: inventory document.
  • Day 3: Software side: databases and users. Integration map of systems. Outcome: inventory document.
  • Day 4: Conclusions, report and proposals for improvements. A continuous development model to follow in the Privacy Map. Action points divided between technical people and internal company use. Possibly a 2-3-hour information event for personnel on the findings, with a PowerPoint presentation.

The price is 1000 euro per day (excl. VAT), affordable for a business of any size.

How Do I Proceed?

Start with the reference questions. Take the following into consideration before addressing the Tietosuojamalli.

What is Tietosuojamalli? In other languages: Sekretesskarta in Swedish and Privacy Map in English.

If you’re starting from an empty table and have nothing, begin with Data Sources or Databases.

Then move to “Systems.” This means “smart systems” that are designed and contain data, not just Excel. Excel is considered a tool, and tools need no attention here.

Then move to Hidden Information. The goal here is to minimize just that. See the summary. Definition of hidden data: does management know where it is and what it is?

External Sources are usually data the registry keeper does not collect itself but uses. Management of that data is elsewhere.

Then there’s an element called “Bin” where you have the “System.” Please note that the terms must be the same in every system and every authority.

What Do BINs Do?

BINs link to each other, acting as a connection to a data source or database. A logical-level BIN refers to technical-level BINs but relies on different elements.

Now that you have entered your BIN, GDPR practice states that the policy must be defined from the get-go. For example: a technical policy requires access control. The BINs therefore create a logical link to one another.

It’s worth approaching this from a visual level in the beginning. The EDPS or the Data Privacy Authority recommends that you draw a picture of the specific relations between your systems, giving you an in-depth understanding.

GDPR Right To Be Forgotten

This GDPR feature must be actively added to the Privacy Map. You’re probably wondering how to do this. For example: I have given the register keeper approval to handle my data; what do I do if I want to cancel this acceptance, and what happens then? It’s very difficult to automate this.

My Proposal: Make a portal for both the registry keeper and the data subject to handle the data.

Another Proposal: Make a library of templates into which you can import systems according to the vendor’s and manufacturer’s specifications. If company X delivers software Y, they can create a template for XY that clients can use in the Privacy Map.

When that’s all said and done, you are ready to order! Do you want to learn more? Comment below and I will gladly call you.

Check out the screenshots below. I want to personally thank everyone who has been along for the GDPR ride, bearing with all of my articles. To all the GDPR knights out there, know that you’re ahead of the curve. This is critically important information that needs to be shared and digested ahead of the GDPR release. Consider joining a class of masters by participating in one of our classes in the future. Who doesn’t want to be a GDPR master?

Thanks for reading. Stay tuned for more updates and details.

GDPR in Business (Softa) – Sensitive Data and How to Implement into a Database

If you’ve made it this far, you’re now reading the third article in my GDPR series. Congratulations! As you read this, there are only 100 days left until GDPR goes live. In this article, we’re going to look at compliance in the IT Softa business and how it relates to GDPR moving forward.

Compliant in the IT Softa Business?

When I say Softa, I mean “relax” in Swedish. This article was curated specifically for the developers, architects, and full-stack coders, encouraging you all to relax, too. You are not alone in your thoughts, and I wanted you to know that. Softa Business is shorthand for software development and integration work.

Softa gives end users a means to do their work. In a way, it is like creating a tool for making a hole in the wall. Sometimes the tool is a service where someone completes the job on your behalf; other times, it’s a hammer you use to hit the wall; and other times, it’s just plain explosive. In the Softa business, it can be a project you start from scratch, or one of several tools you integrate with. And other times, it’s just a way to deliver data, providing a visual user interface for the resulting view.

In all cases, the same prompt remains: it must be designed to deliver what to whom.

GDPR Map

Many tools and software packages are simply too old and outdated today. Their compatibility is lacking, as they date back 30 years and cannot work with today’s systems. So I ask the business owners reading this to own up to their lack of compliance. What is your next solution? Take some time; it may cost you more now, but it will be a good long-term investment.

Databases

It might be that you have already had your first contact with Microsoft SQL. I know technical people hate me when I say this, but in my opinion an Excel spreadsheet is a database and it works like SQL does. (Yes, I know it doesn’t really, but it is nice to keep things simple.)

If you have data in one field of your database and you start feeling unhappy about it being clear text and visible, you might end up adding some ‘salt’ and encrypting the data. In Excel you could do the same, but it would no longer serve the user who tries to read the data.

When you have the data encrypted, the next question is: how will this encrypted version of the data be distributed?

So there are numerous ways to encrypt the data in a database. Excellent, are we now compliant? Sorry, but no.

The next question is: why do you even collect this information in the first place?

Is there a real need for a video rental store to know your social security number? Could the UID key (unified identifier) be just a running number starting from 100? I know of many cases where database keepers collect information they should not.

So next time you design a database and decide what to put in it, take a while to consider the data you actually need. Remember that whoever uses this database in the future is a “registry keeper” with a liability to report to the users what was collected and why.

Keeping these two factors in mind, I might say that Softa Vendor is more compliant and probably better than 80% of the remaining options.

Sensitive data

You may have heard that in many countries there are programs where governmental players want to collect medical data into one big structured database. In Finland, this is called the Kanta project. A direct translation could be ‘database.’ So I refer to my previous chapter. What if it is mandatory that you collect sensitive data? And what even is sensitive data? In the Kanta project it is medical data, which I always consider to be sensitive data. In this sense it is mandatory to have a social security number and my personal information. I get that. What I sincerely hope is that the designers of that database knew what they were doing, because the nature of this data also makes it tempting for hackers to probe how well it is protected. I see big threats in how the next generations of data architects are going to use this information.

So when you have sensitive data in a database, you should first consider how to track the usage of this data. You should have a database engine that supports recording a mark whenever this information is accessed. For example, I am interested in who is viewing my lactose intolerance in Kanta, and why they need this information. The first step, of course, is to mark in the database which fields are sensitive. In medical databases, disease is a sensitive topic, but it could be your trade union membership as well (see the picture, upper right corner). In many medical systems this was called a “paw print,” referring to the paper where you actually leave your fingerprint. You can add a tag or an entry to the database for each person who accesses the information. For example, a police officer cannot just go in and check for fun whether their neighbour has lost their licence. They need a WHY for doing so.

In some systems, this is called an audit log. I would not recommend SQL here without question. In many file systems, this has existed for years but is rarely used. And let me remind you that in the good old days, file systems in the UX field were called databases. Getting back to sensitive data, also remember the point I made in my last article: the user also has a right to be forgotten.
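To make the audit-log idea concrete, here is an added Python example (my own illustration, not code from the article or from the Kanta project) using the standard-library sqlite3 module. It keeps a registry of which columns are sensitive, refuses to read a sensitive column unless the caller states a reason, writes a “paw print” to an audit table for every such read, and lets the data subject’s question “who looked at my intolerance, and why?” be answered from the log. The table, column and person names are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema: one record table, a registry of sensitive columns and an
# audit log (the "paw print") recording every read of a sensitive column.
SCHEMA = """
CREATE TABLE patient (
    id           INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    intolerance  TEXT,   -- medical information, sensitive
    union_member TEXT    -- trade union membership, sensitive
);
CREATE TABLE sensitive_column (
    table_name  TEXT NOT NULL,
    column_name TEXT NOT NULL,
    PRIMARY KEY (table_name, column_name)
);
CREATE TABLE audit_log (
    id          INTEGER PRIMARY KEY,
    ts          TEXT NOT NULL,
    accessor    TEXT NOT NULL,
    table_name  TEXT NOT NULL,
    column_name TEXT NOT NULL,
    row_id      INTEGER NOT NULL,
    reason      TEXT NOT NULL
);
"""

# Allow-list of column names that may be interpolated into SQL, so the column
# argument can never be used to inject arbitrary SQL.
PATIENT_COLUMNS = {"name", "intolerance", "union_member"}


class ReasonRequired(Exception):
    """Raised when a sensitive column is read without a stated reason."""


def open_db():
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensitive_column VALUES (?, ?)",
                     [("patient", "intolerance"), ("patient", "union_member")])
    conn.execute("INSERT INTO patient VALUES (1, 'Example Person', 'lactose', 'yes')")
    conn.commit()
    return conn


def is_sensitive(conn, table, column):
    row = conn.execute(
        "SELECT 1 FROM sensitive_column WHERE table_name = ? AND column_name = ?",
        (table, column)).fetchone()
    return row is not None


def read_field(conn, accessor, row_id, column, reason=None):
    """Read one field; sensitive fields require a reason and leave a paw print."""
    if column not in PATIENT_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if is_sensitive(conn, "patient", column):
        if not reason or not reason.strip():
            raise ReasonRequired(f"reading patient.{column} requires a reason")
        # Record the access (and the stated WHY) before returning the value.
        conn.execute(
            "INSERT INTO audit_log (ts, accessor, table_name, column_name, row_id, reason) "
            "VALUES (?, ?, 'patient', ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), accessor, column, row_id,
             reason.strip()))
        conn.commit()
    row = conn.execute(f"SELECT {column} FROM patient WHERE id = ?", (row_id,)).fetchone()
    return row[0] if row else None


def who_accessed(conn, row_id, column):
    """Answer the data subject's question: who read this field, and why?"""
    return conn.execute(
        "SELECT accessor, reason FROM audit_log "
        "WHERE row_id = ? AND column_name = ? ORDER BY id",
        (row_id, column)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(read_field(db, "dr_example", 1, "intolerance", reason="treatment planning"))
    print(who_accessed(db, 1, "intolerance"))
```

The non-sensitive `name` column is readable without a reason and leaves no log entry; `intolerance` and `union_member` cannot be read at all without one. In a real deployment the same check belongs in the database layer itself (a view or stored procedure, or the engine’s own auditing), not only in application code, so that direct SQL access cannot bypass it.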

The Political Question

Do my GDPR rights regarding sensitive data and the right to be forgotten apply in this Kanta case? What would the EU Commission say if I tested my rights against this governmental player? I assume I would lose the case? I’m interested in hearing your thoughts below.

Closing Words

There are many alternative approaches to the subject of the software business, development and integration. How do they deliver information from their systems to someone else, external advertising companies for example? As you can see, the list of possible compliance breaches is endless.

Do you have a personal experience as a software vendor where you did not think of GDPR, and later found out that you should have? Was it a matter of the technical solution or of the structure of the data?

The next article will be published on Tuesday 27th of February; that will be the last of this series. Keep reading! Please also remember to share your thoughts.

PS. Reference information you might be interested in: https://thehackernews.com/2017/07/sweden-data-breach.html (see the paragraph “here is what happened”). Could this happen to you?

GDPR in Business (Infra) – What Are the Rights?

In this article, we are going to continue looking at GDPR. Last time, we reviewed history and the background of the regulation, exploring its origins and need for existence. This time, we’re going to strike up a new kind of conversation, looking specifically at ICT Infra Support.

What is Infra Support?

When I say Infra, I mean the business vertical of professional services. I am not referring to manufacturing or OEM hardware. In this case, Infra refers to maintenance and support businesses, as well as help desk and end-user support services. Occasionally, these are referred to as managed service providers.

With Infra support, you buy a service and have someone maintain or fix the computer on your behalf.

Infra Support Background

Most companies today have someone trusted with Infra needs. Smaller companies might use Pekka next door, who has some free time here and there. Other companies build internal IT departments, while others outsource into the gig economy. The problem is that most users don’t know how to use the system or fix it if it’s broken.

What do you do when something happens? You probably call an IT department and rely on their support. The person who answers the phone writes down the information for invoicing and tracking purposes. In ITIL terms, they may refer back to the CMDB. The information collected is actually telecom identification information: who called, when the call was made, from which number it came, its duration, etc.

Now, imagine a case where your phone logs are published to the telecom provider you work with. It would be a disaster. Why are users not concerned when this is made public? Did you know this?

With ICT Infra Support, the vendor side is now considering this matter. If you have any ideas by the end of the article, please share them in the comments below.

Did you know this? Do you know how the information might end up in an invoice or public report that is displayed to multiple people?

What is the Data Subject?

Having already discussed the rights of the data subject, I will look at the actual data side of the subject in my next article.

The short answer is that the data subject is YOU and me. GDPR ideology says that the information should be transparent. In many cases it is, enabling you to browse your tickets and track who did what with them. In this case someone else is accessing the data again. In my opinion, there should be a visible statement in the vendor agreement stating who is permitted to view the ticket. If this is not the case with your current vendor, I recommend you ask for it.

If we look at it from the CMDB side: if the machine is registered to a certain user, and the tickets are assigned to that machine, how can you just delete the name of the user? The ticket would end up orphaned.
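The orphaned-ticket problem above can be handled by pseudonymising the person instead of deleting the row. The following Python sqlite3 example is an added illustration, not code from the article or from any CMDB product; the schema (person, machine, ticket) and the sample rows are constructed. It shows that a plain DELETE is blocked by the foreign key from machine to person, while overwriting the personal fields keeps the ticket history intact and still honours the erasure request.

```python
import sqlite3

# Constructed CMDB-style schema: tickets hang off machines, machines hang off
# the person they are registered to.
SCHEMA = """
CREATE TABLE person (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT
);
CREATE TABLE machine (
    id        INTEGER PRIMARY KEY,
    hostname  TEXT NOT NULL,
    person_id INTEGER REFERENCES person(id)
);
CREATE TABLE ticket (
    id         INTEGER PRIMARY KEY,
    machine_id INTEGER NOT NULL REFERENCES machine(id),
    summary    TEXT NOT NULL
);
"""


def open_cmdb():
    """In-memory CMDB with constructed sample rows; FK enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO person VALUES (1, 'Pekka Example', 'pekka@example.invalid')")
    conn.execute("INSERT INTO machine VALUES (10, 'WS-0042', 1)")
    conn.execute("INSERT INTO ticket VALUES (100, 10, 'malware removal')")
    conn.commit()
    return conn


def naive_delete(conn, person_id):
    """The 'just delete the user' approach. Returns False when the foreign key
    from machine.person_id blocks the delete, which is what protects the
    tickets from being orphaned."""
    try:
        conn.execute("DELETE FROM person WHERE id = ?", (person_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def forget_person(conn, person_id):
    """Honour an erasure request without orphaning tickets: keep the internal
    key so machine and ticket rows still join, but overwrite every field that
    identifies the person with a non-identifying placeholder."""
    placeholder = f"erased-user-{person_id}"
    cur = conn.execute("UPDATE person SET name = ?, email = NULL WHERE id = ?",
                       (placeholder, person_id))
    conn.commit()
    return cur.rowcount == 1


def tickets_for_person(conn, person_id):
    """Ticket history joined through machine to person, as a report would show it."""
    return conn.execute(
        "SELECT t.id, t.summary, p.name FROM ticket t "
        "JOIN machine m ON t.machine_id = m.id "
        "JOIN person p ON m.person_id = p.id WHERE p.id = ?",
        (person_id,)).fetchall()


def person_email(conn, person_id):
    row = conn.execute("SELECT email FROM person WHERE id = ?", (person_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_cmdb()
    print("delete succeeded:", naive_delete(db, 1))
    print("before:", tickets_for_person(db, 1))
    forget_person(db, 1)
    print("after: ", tickets_for_person(db, 1))
```

After `forget_person`, a report of the machine’s tickets still works, but the name column shows only the placeholder and the e-mail is gone. Any other table that stores the person’s name or contact details as free text (ticket descriptions, call notes) must be scrubbed the same way, otherwise the erasure is only partial.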

Reporting

Finally, this is also a matter of reporting. One of my good friends runs reports for the management of a vendor company. I interviewed him on his experiences, and after one hour he came to the conclusion: “Now that you say – I think I need to take this to our coffee table conversation.” In my opinion, even highly skilled professionals don’t always comply when they should.

Next time, if you are a report user, try to really observe the details. Usually these reporting systems are built so that you can organize the data, enabling you to select what you want to see. If you start seeing ticket owners or machine IDs, reflect on it. Are you breaking someone’s right to be anonymous? How anonymous is it to say that a certain person had malware on their workstation because they viewed pages they weren’t supposed to at their desk?

Conclusion

I could go on for decades. I would love to hear opinions from ICT Infra business vendors below. What subjects have you found important in your business? Are mobile devices concerning, or is it BYOD that makes it hard to be GDPR compliant?

There are alternatives we should consider, like data encryption and access control. At first, I thought I should point out how important it is to secure your storage, for example using BitLocker and master passwords. After mulling over the topic, I realize I do not have a solution for how to be compliant with this infrastructure. With access control, there is also no solution. It might be tempting after several reboots to leave the password on site. You might just have to give some external person access to the data. That’s not a viable option. If you have any good ideas, I am open to listening!

Refer to www.techprivacy.com for more information. I have found it incredibly useful, and I hope that you do.

The next article will be published on Tuesday 20th of February. Stick around for my next installment in the GDPR series: GDPR in Business (Softa)!


GDPR: What It Is & a Brief History

In this blog, I am going to share some background information about the history of data privacy and how we arrived at what is today called the General Data Protection Regulation (GDPR). To many of my Nordic friends, this might already be easy to understand, and you may be wondering why I am defining the terms here. The answer is that my inspiration came from a conversation at our independence day event. I was at a table with a respected colleague who was thinking out loud, mulling over how business was performing for everyone else at the table. Was everyone doing well? It made me realize that even if you have heard the acronym GDPR, you might still not have a clear understanding of what the term means for you and your business.

This blog is to help you understand the matter moving forward.

I will approach the matter from an ICT system vendor’s point of view, providing you with tips on what you should ask your existing vendor. To find out more, keep reading my series of blogs.

History of GDPR

Once upon a time, there was the safe harbor law. The safe harbor law specified that certain conduct would be deemed not to violate a given rule. Vendors frequently referred to this regulation if a client or partner asked something about their data and the location where it was stored. Vendors knew that they actually had no idea where the data was physically stored, but since most vendors like Microsoft or Google were in the U.S., they just told their clients that.

Unfortunately, the safe harbor law is a thing of the past. No one really refers to it anymore. Very few vendors actually understood the concept of it in the first place.

What happened to the safe harbor?

During my years doing business in Russia, traveling back and forth to Moscow, I learned that the initiative to adopt GDPR originated in Russia, under Mr. Putin. In the end, the European Commission decided to quickly establish GDPR, but it was Mr. Putin who put the directive in place much earlier. Since there were sanctions between the EU and Russia, it made sense that the EU came to a similar conclusion. Ahead of their time, Russians were already pondering such a regulation in 2014, though it took until 2017 for the EU to follow suit.

GDPR Passage

When talking about data privacy or an organization’s information security policy, GDPR is often referenced from a financial perspective, particularly the penalty for non-compliance. Before GDPR, data privacy was considered a good thing, centered on promoting respect among organizations. However, when GDPR peaked above the horizon, a new message arrived: “If you do not buy this service, you might end up in trouble, paying a maximum of 20 million euro, or 4% of your annual turnover.”

This reminded me of the time when Trojan or anti-virus software marketing was based on scare tactics, similar to when countries changed to the euro currency back in 2001 and the threat loomed that business would suffer. The point is that with change comes uncertainty, and with uncertainty comes apprehension about embracing something new, something that could be valuable. To me, this is an unavoidable development of an inevitable subject, and it’s not a bad one anyway. The countdown is on, and I am waiting for the space shuttle launch, ready to journey somewhere new.

Preparing for GDPR

GDPR is here and it’s here to stay. Though it was passed in 2016, the next notable date on your timeline is its official rollout in May 2018. There is nothing you can do now to thwart the implementation of GDPR. It’s a done deal, one that included many conversations and negotiations among key players. Now, all we can do is prepare for its arrival. If you are just hearing about GDPR, it’s not too late to learn more about what it means for you and your business.

Many are awaiting this spring date with fear, uncertainty, and anger in their hearts. When should we expect the first big trial and complaint by individuals to be made? Which country will it be coming from within the EU? These are the questions keeping people up at night right now as everyone struggles to totally comprehend the GDPR premise.

Now that you know not to be afraid of the tiny acronym, I am hoping that you are willing to approach the subject from a more positive mindset. All amazing, groundbreaking concepts in our world were first met with misunderstanding and backlash, too. With GDPR, try and see it positively. Maybe in the future, there will be no one selling your email to a list of cold-contacts. Maybe that list will turn into a real subscription model again. Maybe the topics you are interested in and the vendors that you are eyeing are easier to approach and to communicate with. Maybe they’ll have more relevant information about their offering, presenting offers that are directly needed by your business.

From a privacy policy standpoint, if you are curious to see how we are handling the impending GDPR implementation, visit us here: https://www.prog-it.net/privacy-policy/. See what we can do for you.

In the next part of my GDPR series, I will be looking at some of the specific changes that are to come with the new regulation.

The next article will be published on Tuesday 13th of February. Keep reading!