Data Protection and Privacy: Important developments

Posted by Jamie Armstrong

As Associate Legal Counsel at Questionmark, I spend a lot of time thinking about data protection and privacy law issues. There have been many important developments over recent months, and I thought it would be interesting for our readers if I summarized just three of these below. I may look at others and/or consider those mentioned here in more detail in a future blog post. With a dedicated in-house technical and legal team, Questionmark is continuously monitoring changes in this field and my role helps to ensure that Questionmark is ahead of the curve in protecting our customers.

1. For around fifteen years, organizations transferring personal data from the European Union to the United States were able to rely on the US-EU Safe Harbor Agreement as a legal basis for such transfers. The Safe Harbor Agreement allowed organizations to self-certify compliance with certain data protection standards. In October 2015, the Court of Justice of the EU invalidated the EU decision that underpinned this arrangement. This meant that organizations transferring relevant data had to review their arrangements to ensure such transfers remained legal by different means, such as the EU Standard Contractual Clauses or Binding Corporate Rules – Safe Harbor can no longer be relied on for transfers of EU personal data to the US.

2. The final text of the new General Data Protection Regulation (“GDPR”) was agreed in April this year, and the GDPR will have legal effect from May 2018. From that date, the GDPR will replace the current Data Protection Directive and will apply in all EU member states without any implementing national law being required. This should help multinational organizations with compliance, as there will be more uniformity than there is now. The GDPR includes some new obligations, like requiring the appointment of a data protection officer in certain cases, hence the two-year lead-in period to allow organizations time to prepare. The GDPR is relevant for organizations based outside the EU, as it has broader effect whenever EU personal data processing is involved.

3. After Safe Harbor was invalidated, the US and EU authorities worked together on a replacement, known as the Privacy Shield. The initial agreed text received a cool response in Europe and was subsequently revised to address concerns, including around possible continued surveillance in the US and the insufficiency of the Ombudsman role created to consider complaints. It is expected that the mechanics of the Privacy Shield will operate similarly to Safe Harbor (but with stricter requirements), with voluntary compliance certification to the US Department of Commerce possible from August 1 of this year. Unlike the EU Standard Contractual Clauses and Binding Corporate Rules, the Privacy Shield, as with Safe Harbor, will only apply to transfers of data from the EU to the US. The collective of EU data protection authorities has recently said it will not legally challenge the Privacy Shield for at least a year, to provide an opportunity to gauge how it operates in practice.

With the above representing a very simplified summary of just three important recent developments in the data protection and privacy law field, organizations that control and process personal data clearly need to maintain a heightened level of vigilance to be positioned to respond to the shifting landscape. Check back here for updates on these and other relevant developments in future blog posts.

Disclaimer: This blog post is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.


Single sign-on: secure and easy access


Posted by Bart Hendrickx

It’s Tuesday morning. You have just started your computer. Now it’s time to open your day-to-day tools: email, chat/phone, tasks and so on. As you go through your tasks, you realize you need to take that data security test you’ve been postponing.

Every day, you interact with various applications. Some are installed on your personal computer, others on servers managed either by your organization or by vendors. Your applications might come from a multitude of service providers, in-house or in the Cloud.

For many of those applications, you need to authenticate—to tell the applications who you are—so that the app can present the information that pertains to you. Sometimes this happens automatically. When your email client connects to the mail server, you read your emails, not those of your co-workers. Your email client has authenticated you against your mail server because you entered a username or email address, a password and some other data, way back when.

You often need to use different sign-ins for different apps. When you log in to your Questionmark OnDemand portal, for instance, you enter a different username and password than the one you used to unlock your computer earlier today. (Your organization’s data security policy does not allow you to store your organizational password in other systems.)

Want to learn more? I’ll be discussing this topic and more at the Questionmark Conference 2016 in Miami, April 12-15. Register before March 3 to take advantage of our final early-bird discounts.

Problem: Unrecognized username or password

You’ve logged in for your exam, but you get an error message. Maybe you mistyped the password? Second try. Nope; same results. You must have forgotten your password. You start an instant message window with your internal IT help desk. “Sorry, we don’t manage Questionmark OnDemand. Can you use its password reset function?”

You go back to your Questionmark login page, get a secure one-time login and establish a new, permanent password that complies with the data security policy — “I better not forget my password this time,” you say to yourself as you finally start your data security test. “Isn’t there something more convenient?”

Solution: Single sign-on

We all find ourselves in similar situations, but with Single sign-on (SSO) we can avoid them.

Since there are several definitions of SSO, here’s how I’ll define it in the context of this blog:

Single Sign-On (SSO) for software is the ability for one application, the identity provider, to tell another application, the service provider, who you are.

By identity provider, I mean a system that contains digital identity information—also known as people data—on users. For example, think of social network sites or Active Directory from Microsoft.

The service provider is the system that users work with to do something—say Questionmark OnDemand, in the case of your data security test.

With SSO, a user does not log on directly to the service provider. Instead, they log on to an identity provider, which then tells the service provider who the user is. The identity provider and service provider have been configured to trust each other. So when the identity provider says: “This is Jane Doe,” the service provider will trust and accept that.

It is important to note that SSO is therefore not about creating accounts with the same usernames and passwords—a prevalent mechanism across different service providers. SSO is about making those service providers accept what an identity provider says about a user.

Why SSO?

SSO comes with several advantages. Users can access all applications that are linked to their identity providers—using one username and password for multiple systems. Depending on the capabilities of the applications and how things have been set up, the authentication can be seamless. You might log on to your identity provider when you start your computer, and the other applications (service providers) you access during the day will automatically check with your identity provider without you having to enter your username and password again.

SSO makes password management easier for IT administrators. Having an employee leave an organization might mean having to decommission access to dozens of service providers. If the authentication to those service providers has been set up with SSO, then an IT administrator only needs to decommission the employee’s identity provider account. Without that account, the employee can no longer log on to any of the linked applications.

There is one disadvantage to SSO: If the account at the identity provider is hacked, all linked applications can be compromised. It is therefore imperative the account is properly secured. How can you set up SSO to ensure its security and effectiveness? Watch for more posts on this subject, which will include information about our newly added support for a popular technique called SAML.
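To make the trust relationship described above concrete, here is an added example (not Questionmark’s code and not its SAML implementation). It models an identity provider that is the only system holding passwords and that issues signed statements of the form “this is Jane Doe” addressed to one service provider, and service providers that accept such a statement only if it is signed by a trusted issuer, addressed to them and not expired. The names `corp-directory`, `exam-portal` and `chat`, the user record and the signing key are constructed for the demo, and an HMAC shared secret stands in for the public-key signatures a real SAML identity provider would use. The final step shows the decommissioning point from the paragraphs above: deactivating the account at the identity provider is enough to stop every linked application from accepting the user.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional

# Constructed demo secret shared by the identity provider and the service providers.
# A real SAML identity provider signs with a private key; HMAC keeps this self-contained.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds the 'people data' and is the only system that ever sees a password."""

    def __init__(self, name: str, signing_key: bytes):
        self.name, self.signing_key = name, signing_key
        self.users: Dict[str, dict] = {}  # username -> {"salt", "pw_hash", "active"}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "pw_hash": pw_hash, "active": True}

    def deactivate(self, username: str) -> None:
        self.users[username]["active"] = False  # decommissioning happens in one place only

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None or not rec["active"]:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def issue_assertion(self, username: str, password: str, audience: str,
                        now: Optional[float] = None, ttl: int = 300) -> Optional[str]:
        """Return a signed 'this is <username>' statement addressed to one service provider."""
        if not self.authenticate(username, password):
            return None
        now = time.time() if now is None else now
        payload = {"iss": self.name, "sub": username, "aud": audience,
                   "iat": int(now), "exp": int(now) + ttl}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"


class ServiceProvider:
    """Stores no passwords; accepts identities asserted by trusted identity providers."""

    def __init__(self, name: str, trusted_idps: Dict[str, bytes]):
        self.name, self.trusted_idps = name, trusted_idps  # issuer name -> verification key

    def accept_assertion(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the asserted username if the statement is trustworthy, else None."""
        try:
            body, sig = token.split(".")
            payload = json.loads(_unb64(body))
        except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
            return None
        if not isinstance(payload, dict):
            return None
        key = self.trusted_idps.get(payload.get("iss"))
        if key is None:
            return None  # issuer we have not been configured to trust
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered
        if payload.get("aud") != self.name:
            return None  # meant for a different service provider
        now = time.time() if now is None else now
        if payload.get("exp", 0) <= now:
            return None  # stale assertion (replay)
        return payload["sub"]


def demo() -> dict:
    """Walk through the scenario from the post and return what each step produced."""
    idp = IdentityProvider("corp-directory", IDP_SIGNING_KEY)
    idp.add_user("jane.doe", "correct horse battery staple")
    exam_portal = ServiceProvider("exam-portal", {"corp-directory": IDP_SIGNING_KEY})
    chat = ServiceProvider("chat", {"corp-directory": IDP_SIGNING_KEY})
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic

    # Jane authenticates once, at the identity provider; each application gets its own assertion.
    exam_token = idp.issue_assertion("jane.doe", "correct horse battery staple", "exam-portal", now=t0)
    chat_token = idp.issue_assertion("jane.doe", "correct horse battery staple", "chat", now=t0)
    # A forged body (claiming to be someone else) glued to a genuine signature.
    forged = _b64(json.dumps({"iss": "corp-directory", "sub": "admin", "aud": "exam-portal",
                              "iat": int(t0), "exp": int(t0) + 300}).encode()) + "." + exam_token.split(".")[1]
    results = {
        "exam_accepts": exam_portal.accept_assertion(exam_token, now=t0 + 5),
        "chat_accepts": chat.accept_assertion(chat_token, now=t0 + 5),
        "chat_rejects_exam_token": chat.accept_assertion(exam_token, now=t0 + 5),
        "forged_rejected": exam_portal.accept_assertion(forged, now=t0 + 5),
        "expired_rejected": exam_portal.accept_assertion(exam_token, now=t0 + 600),
        "wrong_password": idp.issue_assertion("jane.doe", "wrong", "exam-portal", now=t0),
    }
    idp.deactivate("jane.doe")  # Jane leaves: one change locks her out of every linked application
    results["after_deactivation"] = idp.issue_assertion("jane.doe", "correct horse battery staple", "exam-portal", now=t0)
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks worth noticing are the audience binding (an assertion for the exam portal is rejected by the chat service) and the expiry, which together limit what an intercepted assertion is good for; the single point of compromise the post warns about is the identity provider account itself, which is why it, not the individual service providers, carries the password protection.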

If you would like to learn more, attend my session: Secure Authentication: Accessing Questionmark OnDemand with SSO at the Questionmark Conference 2016, April 12-15. Register before March 3 to take advantage of our final early-bird discounts.