1

Big Data and its Real Impact on Your Security & Privacy Framework:

Erik LuysterborgPartner, DeloitteEMEA Data Protection & Privacy leaderPrague, SCCE, March 22nd 2016

A Pragmatic Overview

1. Understanding Big Data

© 2016 Deloitte Belgium - European Privacy Academy 2

2

Understanding Big Data Definition & Characteristics

3© 2016 Deloitte Belgium - European Privacy Academy

“Big Data is the collection of large and complex data sets that are difficult to process using “traditional” database management tools or data processing applications. Big Data is the new “raw material of

business”.” – The Economist

BUT

As Dan Ariely, Professor at Duke University said “Big Data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are

doing it.”

Understanding Big Data Definition & Characteristics

4© 2016 Deloitte Belgium - European Privacy Academy

Big Data generally refers to a set of technologies and initiatives involving data that is too fast changing (velocity), massive (volume) or too diverse (variety) for conventional technologies, skills and infrastructure to

handle efficiently.

90% of the data in the world today has been created in the last 2 years Velocity• Batch to streaming data

Every day, we create more then 2,5 quintillion bytes of data Volume• Terabytes to Zettabytes

Diversity of data sources and formatsVariety• Structured to Semi-Structured to Unstructured

Analytics on almost all types of data

Virtualization architecture

Often distributed large-scale (cloud)

infrastructures

3

• No “one to one” relationship of server to data storage

Reliance on virtualization architecture, needed to be able to draw from large content stores and archives as a single global resource

• Big Data environments often rely on distributed large-scale (cloud) infrastructures

a diversity of data sources and a high volume + frequency of data migration between different (cloud) environments

Understanding Big DataA different set up

5© 2015 Deloitte Belgium

Understanding Big DataBig Data Analytics

6© 2015 Deloitte Belgium

Collecting, organizing and

analyzing

Large sets of data

To discover patterns and other useful information

Better decisions

Competitive advantage

4

Understanding Big DataAnalytics Opportunities

7© 2015 Deloitte Belgium

Big Data Analytics represents tremendous opportunities, both for the private and public sector… :

• As a business asset: can serve to understand customers at a whole new level.

• To improve health care: can help deliver effective health care to patients faster and earlier (e.g. predictive medicine).

• To improve service: analytics can be used by governments to improve their citizens’ experience with administration by anticipating their needs.

• To strengthen security : Potential for new security insights and enhanced detection and prevention systems

provided that the challenges and risks are properly mitigated…

Profile

Geo-localisation

Email content

Online surveys

Browser history

…

Understanding Big Data Gathering information

8© 2015 Deloitte Belgium – European Privacy Academy

5

Example:

Many apps request the user’s location in order to give more accurate search results (e.g. nearest restaurant or shop of a certain company)

Example:

The content of the emails sent and received through Gmail are scanned by an automated software of Google. This information is then combined with other information of the Google profile of the users to display more relevant ads.

Understanding Big DataGathering information

9© 2015 Deloitte Belgium – European Privacy Academy

Geo-localisation

Email content

Example:

Data gathered through online surveys are used by companies to gain more insight about their clients (e.g. average age of people consuming their products)

Example:

Several service providers combine the browsing history of an individual user with the knowledge gathered about other users following a similar browsing path to give more accurate search results or advertising (e.g. Amazon and FNAC’s books’ suggestions, YouTube’s videos’ suggestions, etc)

Example:

data about the purchases made by a customer with its loyalty card, sensors in a car to determine the driving style of an individual, etc.

Understanding Big Data Gathering information

10© 2015 Deloitte Belgium – European Privacy Academy

Online surveys

Browser history

Other sources

6

Big Data in perspective: General Data Protection Regulation Understanding Big Data

© 2016 Deloitte Belgium - European Privacy Academy 11

Privacy by Design

Privacy by Default

Privacy Impact

Assessment

Records of Processing Activities

Data Security of Processing

Breach Notification

Data Protection

Officer

2. Big Data vs. Security & Privacy

© 2016 Deloitte Belgium - European Privacy Academy 12

7

Big Data vs. Security & PrivacyPrivacy Challenges

13© 2015 Deloitte Belgium

Outsourcing/Transfers

Accuracy

Transparency

Big Data

User Rights

Privacyby

Design

Lawfulness

Creating entirely new challenges we have not encountered before:

• Data linkages: Powerful analytics solutions can link data sets to reveal someone’s lifestyle, consumer habits, social networks and more – even if no single data set reveals this personal information.

• Profiling: the use of identifiable data to profile individuals in order to analyze, predict and influence their behaviour.

Big Data vs. Security & PrivacyPrivacy Challenges

14© 2015 Deloitte Belgium

8

Big Data vs Security & PrivacySecurity Challenges

© 2015 Deloitte Belgium 15

Access to huge volumes Difficult to protect and monitor

Complex environments Lack of granular audit trails

Variety of data Difficulty to verify access

BIG DATA TRADITIONAL SECURITY

• Big Opportunities: Big Data is now often regarded as most critical enterprise asset, focusing attention on performance and collection of data, not security.

• Big Attackers: Big Data attracts a new class of hackers & attacks. Threat landscape has altered radically.

Big Data vs. Security & PrivacySecurity Challenges

16© 2015 Deloitte Belgium

9

Big Data vs. Security & PrivacyOpportunity example

17© 2015 Deloitte Belgium

Using Big Data to analyse, predict and prevent security incidents

Potential for new insights and enhanced detection and prevention systems through continual adjustment and

effectively learning “good” and “bad” behaviours

Big Data provides the opportunity to consolidate and analyse logs automatically from multiple sources rather

than in isolation

Big Data vs. Security & PrivacyChallenge example

18© 2015 Deloitte Belgium

Securing the organisation and customers’ information

Encryption and access controls based on data attributes rather than storage environment

Information classification and data ownership become more critical

10

3. Conclusive remarks

© 2016 Deloitte Belgium - European Privacy Academy 19

• The Big Data security challenges will require a more agile security governance model including:

• More attention to detail :A holistic privacy/security strategy

• A migration from point products to a more unified security architecture

• Open and scalable Big Data security tools and approach

• A strengthening of SOC’s (Security Operations Centre) data science skills

• A more extensive leverage on external threat intelligence

• A more pragmatic focus on (breach) incident as well as identity and access management

Conclusive remarks

From a classic data protection governance model to an agile one…

20© 2015 Deloitte Belgium

11

• In addition, a more agile governance model should address the main privacy challenges of Big Data:

• Invest in IT security governance, not only security products

• Manage the security/privacy paradox and use an integrated security/privacy approach (e.g. monitoring versus anonymization)

• Clearly define privacy (and security) responsibilities

• Ongoing monitoring and audits (eg privacy impact assessments)

• Focus on the obtaining consent of the data subject: opt-in, not opt-out

• Make sure that processing remains compatible with purpose of collection(eg “secondary use” issue)

• Engage in harmonization and standardization

• Transparency towards data subject regarding its (GDPR) rights

Conclusive remarksFrom a classic data protection governance model to an agile one…

21© 2015 Deloitte Belgium

Conclusive remarksA holistic risk based approach across the (big) data lifecycle

22© 2016 Deloitte Belgium - European Privacy Academy

Inconsistent methods

Distributed storage

Accidental loss

Inappropriate third-party controls

Partial deletion

Accidental deletion

Sp

eci

fic r

isks

Inappropriate classification

Inappropriate security controls

Data distributed across network

Unnecessary retention

Improper duplication

Theft or breach

Improper access/sharing

Unnecessary retention

Misuse

Collection Storage Use SharingRetention & Destruction

Da

ta li

fecy

cle

• Classify: Inconsistent/unclear data classification scheme to understand the type of data that exists throughout the organization

• Discover: Insufficient understanding of where data is stored and how it is used

• Control: Lack of user awareness of individual and organizational responsibilities surrounding data protection

• Access: Unauthorized access to data across the data lifecycle

• Audit: Insufficient capability to audit the usage of data or monitor the effectiveness of implemented controls

Ge

ne

ral r

isks

• Effective data protection looks across the data lifecycle to allow an enterprise to tailor policy in a way that keeps information safe, yet available to those authorized to access it.

• Without knowing the lifecycle of data flowing through your organisation, it is impossible to be sure that it is all managed appropriately.

• Creating a personal data inventory and/or personal data flow maps will allow to understand and analyze the scope of privacy in your organization.

12

Thank you for your attention Any questions ?

23© 2016 Deloitte Belgium - European Privacy Academy

Erik LuysterborgPartner, CIPPBE Cyber Risk Services LeaderEMEA Data Protection & Privacy Leader

eluysterborg@deloitte.comDirect: + 32 2 800 23 36Mobile: + 32 497 51 53 95

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

© 2016 For information, contact Deloitte Belgium

© 2016 Deloitte Belgium - European Privacy Academy 24