A primer: homomorphic encryption vs. hardware enclaves

https://medium.com/mc2-project/secure-computation-homomorphic-encryption-or-hardware-enclaves-83da90102593

“[..] hardware enclaves are now available on major cloud providers such as Azure, AWS and Google Cloud. Running an enclave collaborative computation is as easy as using one of these cloud services. This also means that to use enclaves, one does not need to purchase specialized hardware, because the major clouds already provide services based on these machines.”

Also https://twitter.com/colmmacc/status/1438682296333180929

France/CNIL: Privacy maturity model (with self-assessment)

(in French)
https://www.cnil.fr/fr/la-cnil-propose-une-autoevaluation-de-maturite-en-gestion-de-la-protection-des-donnees

(also has additional information to go deeper)

and tool download at
https://www.cnil.fr/sites/default/files/atoms/files/auto-evaluation_de_maturite_en_gestion_de_la_protection_des_donnees.pdf

Key activities (machine-translated):

  • Define and implement data protection procedures
    • Definition, updating and communication of general policies and procedures relating to the management of personal data and the protection of privacy (charter for the use of the information system, standard contractual clauses, etc.), verification of their application and triggering of any measures planned in the event of a breach.
      • Defined by the legal department, risk department or information systems department; verified through internal control processes.
        • 1 Informal practice
          • Some good practices are occasionally implemented (e.g. minimizing collection, erasing obsolete data, information notices).
        • 2 Repeatable and followed practice
          • Documents relating to data protection (good practices, rules, examples, etc.) are shared. Documentation exists (e.g. a charter for the use of IT resources) that includes rules on data protection.
        • 3 Defined process
          • Formal documentation (e.g. a data protection policy), approved by the management committee, is communicated to all staff. Procedures are formalized and sent to all staff. The rules are applied.
        • 4 Controlled process
          • An annual review of policies and procedures is carried out. Indicators are produced (e.g. on the implementation of the rules, the difficulties encountered, their effectiveness, etc.).
        • 5 Continuously optimized process
          • Policies and procedures are updated as soon as a possible improvement is identified.
  • Steer data protection governance
    • Definition, implementation, communication and improvement of the data protection strategy within the organization (governance, roles and responsibilities, including those of the data protection officer, DPO).
      • General management of the company and, depending on the organization, management and implementation by the legal department, the risk department or the information systems department.
        • 1 Informal practice
          • Data protection skills are identified within the organization (e.g. the legal department) and used on an ad hoc basis.
        • 2 Repeatable and followed practice
          • A person responsible for data protection questions, in particular interactions with data subjects (mail, etc.), is identified.
        • 3 Defined process
          • A data protection officer is appointed and declared to the national data protection authority (with a formal job description or engagement letter known to the staff); an organization is set up and roles and responsibilities are defined.
        • 4 Controlled process
          • The data protection officer gives an annual account of their actions to the organization's leaders (in particular the controller(s) of the processing operations).
        • 5 Continuously optimized process
          • Resources are regularly allocated to implement the action plans arising from the data protection officer's review, and their implementation and continuous improvement are ensured.
  • Identify and update the list of processing operations
    • Identification and updating of the inventory of personal data processing operations, the data involved and the associated data flows.
      • Data Protection Officer (DPO)
        • 1 Informal practice
          • Departments are able to identify the personal data processing operations they carry out.
        • 2 Repeatable and followed practice
          • Personal data processing operations are identified and/or reported in a centralized way.
        • 3 Defined process
          • A record of processing activities, compliant with the GDPR, is maintained.
        • 4 Controlled process
          • The completeness and quality of the record are regularly verified.
        • 5 Continuously optimized process
          • The record serves as a steering instrument for actions relating to personal data processing (e.g. it is used as an inventory, but also as an instrument for comparative risk management and for monitoring action plans).
  • Ensure the legal compliance of processing
    • Assessment of existing or planned personal data processing with regard to legal and regulatory data protection obligations (proportionality and necessity, as well as individual rights), determination of measures to improve compliance (including standard contractual clauses), advice to the data controller and verification of the implementation of the planned measures.
      • Relevant business departments, legal department, purchasing department, DPO, information systems security manager (CISO), project teams
        • 1 Informal practice
          • Information is provided to data subjects (e.g. a legal notice) at the main points where personal data is collected (e.g. website, forms).
        • 2 Repeatable and followed practice
          • For each processing operation, legal notices are produced and a study of the fundamental principles (proportionality, necessity and the rights of data subjects) is conducted. Contractual clauses are assessed and include a section on data protection.
        • 3 Defined process
          • Model clauses for contracts with subcontractors (processors) are formalized and used. Data protection impact assessments are carried out on processing operations likely to generate high risks for data subjects, in collaboration with the departments concerned and the data protection officer.
        • 4 Controlled process
          • The planned measures are verified. Regular reviews of legal notices and contractual clauses are scheduled and carried out. The quality of data protection impact assessments is evaluated with indicators. Action plans (e.g. in the event of a non-compliant processing operation) are created and implemented.
        • 5 Continuously optimized process
          • Data protection is taken into account from the initiation of projects, in collaboration with the data protection officer. Possible improvements are regularly studied. Legal and technical monitoring is carried out. Analyses are produced and disseminated.
  • Train and raise awareness
    • Dissemination of knowledge and creation or strengthening of internal skills concerning data protection. Note: training and awareness sessions must ensure that staff are familiar with the data protection policy.
      • DPO, human resources department, communication department.
        • 1 Informal practice
          • Some staff members are aware of data protection.
        • 2 Repeatable and followed practice
          • Staff are trained to identify data protection matters and to pass them on to the person in charge (e.g. requests from data subjects, requests from the supervisory authority, new processing operations, etc.).
        • 3 Defined process
          • Awareness sessions are regularly organized for staff.
        • 4 Controlled process
          • Indicators measure, qualitatively and quantitatively, staff understanding of data protection matters (e.g. survey, annual questionnaire, etc.).
        • 5 Continuously optimized process
          • Training or information sessions are regularly offered on new technologies or issues relating to data protection.
  • Process requests from internal and external users
    • Definition, implementation and communication of the means for managing requests to exercise data subjects' rights (e.g. access requests), complaints and other internal and external claims concerning data protection.
      • DPO
        • 1 Informal practice
          • Requests from users are handled on a case-by-case basis.
        • 2 Repeatable and followed practice
          • Standard letters are created (e.g. from CNIL templates) to answer frequently received requests.
        • 3 Defined process
          • Standard responses to requests to exercise rights and to questions are created and used. A procedure for managing requests to exercise rights is defined and communicated to staff. A contact form is set up on the website and all requests are centralized.
        • 4 Controlled process
          • The data protection officer is systematically informed of every request concerning data subjects' rights. Requests to exercise rights are tracked by indicators that appear in the annual review.
        • 5 Continuously optimized process
          • The process for managing requests to exercise rights, and the tools it relies on, are regularly improved.
  • Manage security risks
    • Assessment of the security risks that the processing of personal data is likely to generate for data subjects, determination of measures to treat those risks (including standard contractual clauses) and verification of the implementation of the planned measures.
      • Relevant business departments, legal department, purchasing department, DPO, information systems security manager (CISO), project teams.
        • 1 Informal practice
          • Basic security measures are in place (e.g. access authorizations, securing of individual workstations, etc.).
        • 2 Repeatable and followed practice
          • Reference frameworks are used to choose and implement security measures (e.g. the CNIL's personal data security guide, the internal security policy, etc.).
        • 3 Defined process
          • Data protection impact assessments (DPIAs) include a study of security risks. A method is used to assess the risks of processing operations likely to generate high risks for data subjects and to treat them proportionately. Risk studies lead to action plans.
        • 4 Controlled process
          • The implementation of action plans is verified for effectiveness and efficiency. Residual risks are tracked with indicators.
        • 5 Continuously optimized process
          • Risk studies and action plans are reviewed annually. Vulnerabilities affecting data carriers are actively monitored, and corrective actions are taken when the information system is affected.
  • Manage data breaches
    • Identification, qualification and resolution of personal data breaches, notification to data protection authorities and communication to data subjects, and keeping a register of breaches.
      • DPO, relevant business departments, risk department, information systems department, communications department, entities responsible for incident management and crisis management
        • 1 Informal practice
          • Incidents are reported. Corrective measures are sometimes taken. A breach notification is sometimes made to the CNIL.
        • 2 Repeatable and followed practice
          • Incident management, carried out in a centralized way, covers data breaches. Corrective measures are systematically implemented. Communication to the data subjects whose data were affected by a breach likely to result in a high risk is planned for.
        • 3 Defined process
          • A data breach management procedure is formalized and applies a systematic approach. All data breaches are entered in a dedicated register. Following a data breach, an action plan is defined to reduce the risk of the breach recurring.
        • 4 Controlled process
          • The implementation of corrective actions is verified. The follow-up of data breaches is monitored and communicated (e.g. in the annual report).
        • 5 Continuously optimized process
          • Breaches are regularly reviewed in order to identify and implement measures that improve data security. Data breach management provides input to risk studies (e.g. DPIAs). Automatic monitoring systems allow prompt detection of breaches.

Belgium – Court case on the use of BYOK when processing personal data at AWS in the EU

The Council of State confirmed that the decision of the Flemish Authorities to contract with an EU branch of a US company using AWS cloud services does not breach the GDPR. The Council of State relied, among other things, on guidance issued by the EDPB and the Flemish Supervisory Commission, which mention encryption as a possible supplementary measure for data transfers to the US. (BYOK, Bring-Your-Own-Key, in the context of processing personal data with AWS in the EU)

Summary, links, etc. at NOYB:
https://gdprhub.eu/index.php?title=Council_of_State_-_251.378

More commentary:

See also the Doctolib case:

Article: What can you do with a stolen laptop? (bypassing BitLocker without pre-boot authentication)

Can you get access to our internal network? That was the question a client wanted answered recently. Spoiler alert: Yes, yes you can. This post will walk you through how we took a “stolen” corporate laptop and chained several exploits together to get inside the client’s corporate network.
https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network