Data Ethics and Privacy in a GDPR World
•Download as PPTX, PDF•
2 likes•492 views
Public concern for the safety of data is growing – not just in how criminals might use stolen data to commit fraud, but also in how personal data is used by the organisations we engage with. The EU General Data Protection Regulation (GDPR) is designed to confront these concerns, defining a range of requirements to govern how organisations collect, store, process, retain, and share the personal data of EU citizens – irrespective of whether that organisation has a physical presence within the EU. In this session, we explore the specific data management requirements demanded by the GDPR, digital ethics and everyone's role in being conscientious stewards of customer data, and discuss how MongoDB can provide the core technology foundations to help organisations accelerate their path to compliance. Download the guide to GDPR and Impact to Data Management: https://www.mongodb.com/collateral/gdpr-impact-to-your-data-management-landscape
Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Data Ethics and Privacy in a GDPR World
- 1. Data Ethics and Privacy in a GDPR World MongoDB Europe 2018
- 2. GDPR Data Ethics and Privacy in a GDPR World Kenneth White, Product Security Lead, MongoDB Engineering kenneth.white@mongodb.com Mat Keep, Senior Director, MongoDB Product Team mat.keep@mongodb.com @matkeep
- 3. Agenda • GDPR Overview & Requirements • Data Management Impacts • Security Controls & Ethics • Case Studies • Next Steps
- 4. Disclosure For a full description of the GDPR’s regulations, roles, and responsibilities, it is recommended that readers refer to the text of the GDPR (Regulation (EU) 2016/679), available from the Official Journal of the European Union, and refer to legal counsel for the interpretation of how the regulations apply to their organization.
- 5. GDPR Rationale • How safe is our personal data? • How is personal data used by the organizations we choose to share it with? • Damage our reputations • Deny us access to the healthcare or financial services • Discriminate against us • Reduce our autonomy, freedom, individuality CyberSecurity Ventures Ginni Rometty, IBM’s chairman, president and CEO "Cyber crime is the greatest threat to every company in the world"
- 6. What is the GDPR? • EU General Data Protection Regulation 2016/679 • Enshrines protection & privacy of EU citizen data as a human right • Governs how organizations collect, store, process, retain, and share the personal data of EU citizens • Applies globally • Enforced from May 25th 2018 • Fines of up to 4% of global turnover or €20m
- 7. Why is GDPR Necessary? • Replaces Data Protection Directive 95/46/EC, enacted in 1995 • Implementations varied across EU member states • Technology has moved on • No global reach • Expands the scope of “personal data” Data Breach, defined by the GDPR “‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”
- 8. Key GDPR Demands • Explicit consent: defines for what, how long, who data is shared with • Data protection & privacy by design, by default • Review data at any time, portability between service providers • Right to be forgotten • Right to review automated decisions • Breach notification within 72 hours • Applicable to any organization processing EU citizen data
- 9. GDPR: 6 Months In….. "Only 27% of EU companies believe they are GDPR compliant" TrustArc, July 2018 "Just a third of companies are complying with subject access requests" Talend, September 2018 "Portuguese hospital hit with €400,000 fine for two GDPR violations" IT Pro, 29-10-2018
- 10. Mapping GDPR to Required Database Capabilities
- 11. What’s Needed for Compliance? What compliance isn’t…. • Turn on a bunch of database security controls • BOOM…we’re done!
- 12. What’s Needed for Compliance? What compliance isn’t…. • Turn on a bunch of database security controls • BOOM…we’re done! What compliance is… • People • Roles, responsibilities, accountability • Process • Business practices • Product • Technologies to implement controls
- 13. GDPR Data Protection Requirements DISCOVER DEFEND DETECT Identify all PII in your systems Implement appropriate security controls Monitor to identify suspicious behavior, remediate gaps
- 14. MongoDB Security Capabilities Providing customers with control over their data
- 15. MongoDB Security Capabilities Providing customers with control over their data Authentication & Authorization • LDAP, Kerberos, x.509 certificates • On-premises AD or Azure Domain Services Rich Role Based Access Controls (RBAC) • Read-only database views • Redacted query logs
- 16. MongoDB Security Capabilities Providing customers with control over their data Advanced Auditing & Administrative Controls • Consumed through web services, remote SysLog, Change Stream events, 100% API logs • User account/privilege mods made outside Atlas API automatically blocked
- 17. MongoDB Security Capabilities Providing customers with control over their data Enterprise-grade Encryption Options • Whole volume encryption w/ single-use keys • Encrypted Storage Engine with BYO key mgmt • TLS 1.2 in-flight encryption default across all products, full forward secrecy ephemeral ECC & ECDSA support on API endpoints • Strong Challenge-Response (SCRAM-256)
- 18. • SCRAM authentication enforced • Pre-defined roles against each database • IP whitelisting enforced • VPC Peering option with application tier • 2FA authentication for admin console • Encrypted data volumes • Ingress blocked by default • TLS 1.2 by default Atlas Security MongoDB’s DBaaS in the Cloud
- 19. • Temporary, expiring accounts • Temporary, expiring whitelist origins • 24 hour opt-in control plane tokens • Customer managed encryption keys - AWS KMS - Azure Vault - GCP Cloud KMS coming soon Atlas Security MongoDB’s DBaaS in the Cloud • SCRAM authentication enforced • Pre-defined roles against each database • IP whitelisting enforced • VPC Peering option with application tier • 2FA authentication for admin console • Encrypted data volumes • Ingress blocked by default • TLS 1.2 by default
- 20. Data Ethics and Community ● Commitment to open development and open standards ○ LetsEncrypt ○ IETF ACME automated certificate management standard ○ KMIP development ○ LDAP standards ○ Regional security and local developer conferences
- 21. Long-Term Path ● Enhanced encryption options for data-in-use ● Deeper integration with cloud HSM/key management services ● TLS 1.3 support w/ Forward Secret-only AEAD ciphersuites & ECC KeyEx ● U2F/WebAuthn token identity support ● X.509 authentication for Atlas clusters ● Best-in-field 3rd party software security engineering review
- 22. Case Studies
- 23. Single Customer View Improving customer experience, providing platform to manage user permissions Problem Why MongoDB Results Problem Solution Results Customer data spread across many source systems, no way to get a single view of its customers Opportunities to improve customer service online & via call centres Faster fraud detection Legal & marketing need to be able to manage customer preferences Built a single view, extracting data from source systems, transforming and loading to MongoDB MongoDB Atlas on AWS with Kafka for messaging and transformations, built on microservices architecture Project delivered in 3 months, using MongoDB single view reference architecture Reduced average call centre handling times by 40% Fraud detection lead times reduced from hours to seconds Legal and marketing can now comply with requests for personal information, and launch marketing campaigns faster
- 24. Using GDPR to Support Business Transformation 10-Step Methodology to Creating a Single Customer View Download the Whitepaper
- 25. Digital Transformation with MongoDB UK’s Leading Commercial Property Data Service Drives GDPR readiness Problem Why MongoDB Results Problem Solution Results Need to develop a new platform for the company to move from traditional print media to a digital business delivering market intelligence and tools across multiple online channels Monolithic application architecture and rigid relational database prevented IT team pushing new updates any more than once per month Moved to MEAN stack powered by a microservices-based architecture in the cloud MongoDB Enterprise Advanced for access to Ops Manager, Compass and Support MongoDB Encrypted storage engine to support GDPR readiness Transformed business: now digital is driving revenue growth Supports 50x more releases per month, with always on availability Faster development velocity to build custom services for multiple market segments
- 26. Wrapping Up
- 27. Discover Defend Detect Identify Personal Data • MongoDB Compass • Expressive Queries & Analytics Access Control • Authentication (i.e. SHA 2, LDAP, Kerberos) • Authorization (RBAC) • IP Whitelisting & VPC Peering Monitor & Report • Real-Time Alerting Personal Data Retention • TTL Indexes Pseudonymisation & Encryption • Read-Only Views • Log Redaction • TLS/SSL Network Encryption • Encrypted Storage Engine Audit • MongoDB Audit Log • MongoDB Change Streams Resilience & DR • Replica Sets • MongoDB PIT Backup & Recovery Data Sovereignty • MongoDB Global Clusters MongoDB Training & Global Consulting How MongoDB Supports GDPR
- 28. Next Steps Download the whitepaper Refer to your legal counsel for GDPR advice Engage MongoDB Consulting
- 29. Data Ethics and Privacy in a GDPR World MongoDB Europe 2018