Field | Value
---|---
layout | blocks/working-session
title | GDPR and DPO AppSec implications
type | workshop
track | CISO
technology, related-to | GDPR
status | done
when-day | Mon
when-time | PM-1
location | Room-6
room-layout | cabaret
organizers | Anders Reeves
participants | Dinis Cruz, Francois Raynaud, Phil Parker, Stuart Gunter, Don Gibson, Robert Morschel, Neil Barlow, Steven van der Baan, Bjoern Kimminich
invited | Kevin Fielder, Dilek Koluman, Clare Creeden
outcomes | mapped
GDPR (General Data Protection Regulation) is a major EU Regulation that will affect every company doing business with the EU, which is just about every major company worldwide.
This Working Session will discuss some aspects of GDPR, including the role of the DPO (Data Protection Officer), the wider definition of PII data (for example IP addresses), and the need to report breaches and incidents within a short time period.
- AppSec professionals
- DPOs (and DPOs Service providers)
- CISOs
- Heads of InfoSec
- Generate a list of 10 questions for the ICO to clarify the implications for AppSec specifically
- Generate a list of questions for the ICO regarding the general implications
Letter in final draft stage.
We need to be much more focused on the questions to ask, and to provide as much information as we can about the answers we are able to work out ourselves.
- What are the AppSec implications of this regulation?
- What is the accepted format/notation for data flows and data at rest documentation requirements?
- How to include the DPO as part of the software security governance?
- What constitutes personal data, and what about edge cases? (post code, first name + last name, IP address, etc.)
- Can it be used to improve existing Application Security practices and activities?
- What are the real requirements for the DPO and what should he/she focus on?
- How to become a DPO (and how to hire one)
- The role of SOC in detecting and reporting security incidents