How QP Helps you Take Action

Data protection legislation, privacy by design, and third-party SDKs

Image

Privacy by Design (PbD), a concept that is at the heart of the international GDPR legislation enacted in Europe in 2018, as well as dozens of other state and country-specific legislation aimed at data protection, emphasizes the importance of building privacy into both your company’s business processes and its code. Based on principles of PbD, governments are increasingly holding companies accountable for full protection of user data, no matter where that data ends up.

QPrivacy's solution, as developed by Privacy Rating Ltd, covers substantial PbD and other regulatory requirements and concepts under privacy and data protection regulations worldwide, including Regulation (EU) 2016/679 (GDPR). The following are the broad PbD concepts and related principles addressed by QPrivacy, and descriptions of the activities QP uses to fulfill them, keeping your customers' data safe and your company fully compliant with the law, no matter where you do business or which third party SDKs you engage.

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    AVOIDANCE (Preventing third parties from collecting data)

  • Activity Details

    • The ability to 'filter' content in two manners:
      identification of strings' structure such as government issued ID fields and blocking their transmission; and
      managing specific parameters (i.e., key-values).
    • The client can define a POLICY and PREVENT specific predefined data from being collected by third parties (Data Avoidance) by blocking collection of content (attributes and identifiers) directly (strings) or through specific parameters.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all collection of data by a third party.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

1

AVOIDANCE

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    ACCESS LIMITATION (preventing third parties from accessing already collected data)

  • Activity Details

    • The ability to block access from defined destinations, e.g., URL blocking, or according to a third-party server ID.
    • The client can block access to data (user attributes and identifiers) by unknown or unauthorized third parties, and to block access to data (attributes and identifiers) by authorized third parties, who wish to access and transmit the data to unauthorized or unknown destinations.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block access to data to each third party.
    • The client can limit access to data by a new version of the third party SDK, by blocking or screening automated updates.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

2

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    DATA REUSE/REPURPOSING LIMITATIONS (preventing third parties from collecting data for further unintended or unauthorized use)

  • Activity Details

    • By obfuscating known parameters (data points), the client can prevent the collection of clear data by third parties, thereby preventing the third parties from repurposing the data for unauthorized purposes.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

3

DATA REUSE/REPURPOSING LIMITATIONS

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Processing [processing of the data by third parties]

  • Activity

    ACCESS LIMITATION (limiting third parties’ ability to process/use data)

  • Activity Details

    • The client can limit the processing of data (user attributes and identifiers) by authorized third parties, by preventing, obfuscating or encrypting data points.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all further collection of, and access to data by a third party, thereby limiting third parties' ability to continue processing the collected data.
    • By limiting access to data by a new version of the third party SDK, through the blocking or screening of automated updates, the client can prevent unauthorized processing of data.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

4

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Processing [processing of the data by third parties]

  • Activity

    DATA REUSE/REPURPOSING LIMITATIONS (limiting third parties’ unauthorized processing of clear data)

  • Activity Details

    • By obfuscating, hashing or encrypting data points, the client can prevent a third party from processing clear data, reusing or repurposing it.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

5

DATA REUSE/REPURPOSING LIMITATIONS

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)]

  • Activity

    DATA AVOIDANCE (minimizing the data that third parties collect and thereafter share with their sub-processors)

  • Activity Details

    • The ability to 'filter' content in two manners: (i) identification of strings' structure such as government issued ID fields and blocking their transmission; and (ii) managing specific parameters (i.e., key-values) .
    • Limiting clear data accessible by a third party, by defining a POLICY, also limits the third party's ability to share the data with other third parties (the third party's vendors, clients and partners).
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with Server-to- Server communication

    Mobile -- PARTIAL
    QP cannot intervene with Server-to-Server communication

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

6

DATA AVOIDANCE

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)

  • Activity

    ACCESS LIMITATION (minimizing the already collected data that third parties can access and thereafter share with their sub-processors)

  • Activity Details

    • The client can limit the processing of data (user attributes and identifiers) by authorized third parties, by preventing, obfuscating or encrypting data points.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all further collection of, and access to data by a third party, thereby limiting third parties' ability to continue processing the collected data.
    • By limiting access to data by a new version of the third party SDK, through the blocking or screening of automated updates, the client can prevent unauthorized processing of data.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

7

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)]

  • Activity

    DATA REUSE/REPURPOSING LIMITATION (minimizing unauthorized processing of data by sub-processors)

  • Activity Details

    • Limiting clear data accessible by a third party, by defining a POLICY, also limits the third party's other parties (vendors, clients and partners) ability to access and use the data for unauthorized purposes.
    • By obfuscating third party cookies & identifiers, the client can prevent repurposing of the data through sharing the data with other parties.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

  • Notes

    Example: vendors (sub-processors) situated in unauthorized territories (e.g., for support purposes). By obfuscating third party cookies & identifiers, the client can prevent repurposing of the data through sharing the data with other parties.

8

DATA REUSE/REPURPOSING LIMITATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    SUPERVISION -- PERIODICAL/ON-GOING/REAL-TIME

  • Activity Details

    • Always-On, Real-Time special ability to policy Enforcement and Alerts
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

9

SUPERVISION -- PERIODICAL/ON-GOING/REAL-TIME

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    AUDIT TRAIL

  • Activity Details

    • Periodical audit reports provide the client an ability to review and control the functioning of the pre-defined policies.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

10

AUDIT TRAIL

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    EVENT MONITORING

  • Activity Details

    • Audit trail detailed records by Event and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

11

EVENT MONITORING

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability

  • Activity

    RETRIEVABLE EVENT LOG FILES

  • Activity Details

    • Ability to demonstrate policy enforcement. Evidence of collection and Sharing per third party tool per parameter and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

12

RETRIEVABLE EVENT LOG FILES

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability (Demonstration of Compliance)

  • Activity

    RETRIEVABLE ACCESS LOG FILES

  • Activity Details

    • Ability to demonstrate unauthorized access. Evidence of collection and Sharing of data breach violations.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

13

RETRIEVABLE ACCESS LOG FILES

  • Concept

    Concept:

  • Principle

  • Activity

  • Activity Details

  • QP Coverage

  • Regulatory/Business Importance

Empty

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability (Demonstration of Compliance)

  • Activity

    OTHER RECORDS AND DOCUMENTATION

  • Activity Details

    • Audit trail detailed records by Event and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

14

OTHER RECORDS AND DOCUMENTATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    INCIDENT MANAGEMENT

  • Activity Details

    • Alert, evidence and detailed reports regarding data breach and transfer to an unauthorized destination in total and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

15

INCIDENT MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    DATA SEGREGATION

  • Activity Details

    • Segregation by using different encryption allows data use on a need to know basis.
  • QP Coverage

    Web -- PARTIAL - not including data Silo

    Mobile -- PARTIAL - not including data Silo

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

16

DATA SEGREGATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    REDUCTION OF RISKS ASSOCIATED WITH DATA BREACHES

  • Activity Details

    • Risk reduction of Data Breaches on third parteis’s systems through data control, content collection and access avoidance, limits data collection, access, repurposing and sharing of the data.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

17

REDUCTION OF RISKS ASSOCIATED WITH DATA BREACHES

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    REMOTE CONTROL OVER DATA ACCESS

  • Activity Details

    • Ability to avoid risks by blocking access to unauthorized or unknown URLs including the prevention of phishing attempts in web and redirect in mobile.
  • QP Coverage

    Web -- PARTIAL - not including defacement

    Mobile -- PARTIAL - not including defacement

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

18

REMOTE CONTROL OVER DATA ACCESS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    SEGREGATION OF CLIENTS’ DATA

  • Activity Details

    • Ability to partial segregation using 3 different Encryption layers.
  • QP Coverage

    Web -- PARTIAL - not including

    Mobile -- PARTIAL - not including Re-route Re-route

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

19

SEGREGATION OF CLIENTS’ DATA

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Transfer

  • Activity

    SUPPLEMENTAL SAFEGUARDS

  • Activity Details

    • Encrypt data transfer by maintaining the private key in an adequate territory.
    • Ability to demonstrate that clear data is not accessible in unauthorized territories.
  • QP Coverage

    Web -- FULL for on-device communication (data in transit and data at rest).

    Mobile -- FULL for on-device communication (data in transit and data at rest).

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

20

SUPPLEMENTAL SAFEGUARDS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    ISMS AREA - VENDOR MANAGEMENT

  • Activity Details

    • Third Party (vendors) Risk prevention and risk management - Management of risk associated with unauthorized Access and Data leakage to privileged vendors and non-privileged factors.
  • QP Coverage

    Web -- FULL for third parties in digital channels

    Mobile -- FULL for third parties in digital channels

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

21

ISMS AREA - VENDOR MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    STATE OF THE ART (BEST AVAILABLE) TOMS

  • Activity Details

    • Appropriate technical and organizational measures (TOMs) to prevent unauthorized data leakage and Access. Best Available, in terms of vendors management, requires that the client will not rely solely on contracts with vendors and occasional vendor audits, but instead engage vendor management pro-actively and use PbD tools such as QPrivacy to manage and control data sharing with vendors on an on-going and real time basis.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

22

STATE OF THE ART (BEST AVAILABLE) TOMS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    ISMS AREA - INCIDENT MANAGEMENT

  • Activity Details

    • Assistance with incident management - data (records, logs, reports) for forensics + KILL SWITCH for mitigation.
  • QP Coverage

    Web -- FULL for on-device communication (data in transit and data at rest).

    Mobile -- FULL for third parties in digital channels

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

23

ISMS AREA - INCIDENT MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    User-centric

  • Activity

    DATA SUBJECT RIGHTS (DSR)

  • Activity Details

    • DSAR (especially CCPA) - ability to provide the individual with information about the data collected by third parties (historically, and not just a current snapshot that anyone can draw from the F12 browser function).
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

24

DATA SUBJECT RIGHTS (DSR)

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    User-centric

  • Activity

    CHOICE (CONSENT)

  • Activity Details

    • Consent Management Platform (CMP) by destination, parameter and Content.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

25

CHOICE (CONSENT)

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    AVOIDANCE (Preventing third parties from collecting data)

  • Activity Details

    • The ability to 'filter' content in two manners:
      identification of strings' structure such as government issued ID fields and blocking their transmission; and
      managing specific parameters (i.e., key-values).
    • The client can define a POLICY and PREVENT specific predefined data from being collected by third parties (Data Avoidance) by blocking collection of content (attributes and identifiers) directly (strings) or through specific parameters.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all collection of data by a third party.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

1

AVOIDANCE

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    ACCESS LIMITATION (preventing third parties from accessing already collected data)

  • Activity Details

    • The ability to block access from defined destinations, e.g., URL blocking, or according to a third-party server ID.
    • The client can block access to data (user attributes and identifiers) by unknown or unauthorized third parties, and to block access to data (attributes and identifiers) by authorized third parties, who wish to access and transmit the data to unauthorized or unknown destinations.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block access to data to each third party.
    • The client can limit access to data by a new version of the third party SDK, by blocking or screening automated updates.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

2

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Collection [communications with the third parties]

  • Activity

    DATA REUSE/REPURPOSING LIMITATIONS (preventing third parties from collecting data for further unintended or unauthorized use)

  • Activity Details

    • By obfuscating known parameters (data points), the client can prevent the collection of clear data by third parties, thereby preventing the third parties from repurposing the data for unauthorized purposes.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

3

DATA REUSE/REPURPOSING LIMITATIONS

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Processing [processing of the data by third parties]

  • Activity

    ACCESS LIMITATION (limiting third parties’ ability to process/use data)

  • Activity Details

    • The client can limit the processing of data (user attributes and identifiers) by authorized third parties, by preventing, obfuscating or encrypting data points.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all further collection of, and access to data by a third party, thereby limiting third parties' ability to continue processing the collected data.
    • By limiting access to data by a new version of the third party SDK, through the blocking or screening of automated updates, the client can prevent unauthorized processing of data.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

4

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Processing [processing of the data by third parties]

  • Activity

    DATA REUSE/REPURPOSING LIMITATIONS (limiting third parties’ unauthorized processing of clear data)

  • Activity Details

    • By obfuscating, hashing or encrypting data points, the client can prevent a third party from processing clear data, reusing or repurposing it.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

5

DATA REUSE/REPURPOSING LIMITATIONS

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)]

  • Activity

    DATA AVOIDANCE (minimizing the data that third parties collect and thereafter share with their sub-processors)

  • Activity Details

    • The ability to 'filter' content in two manners: (i) identification of strings' structure such as government issued ID fields and blocking their transmission; and (ii) managing specific parameters (i.e., key-values) .
    • Limiting clear data accessible by a third party, by defining a POLICY, also limits the third party's ability to share the data with other third parties (the third party's vendors, clients and partners).
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with Server-to- Server communication

    Mobile -- PARTIAL
    QP cannot intervene with Server-to-Server communication

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

6

DATA AVOIDANCE

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)

  • Activity

    ACCESS LIMITATION (minimizing the already collected data that third parties can access and thereafter share with their sub-processors)

  • Activity Details

    • The client can limit the processing of data (user attributes and identifiers) by authorized third parties, by preventing, obfuscating or encrypting data points.
    • In Incident and other relevant situations, the client can use a KILL SWITCH to completely block all further collection of, and access to data by a third party, thereby limiting third parties' ability to continue processing the collected data.
    • By limiting access to data by a new version of the third party SDK, through the blocking or screening of automated updates, the client can prevent unauthorized processing of data.
  • QP Coverage

    Web -- PARTIAL
    QP cannot intervene with user device run-time processing

    Mobile -- PARTIAL
    QP cannot intervene with user device run-time processing

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

7

ACCESS LIMITATION

  • Concept

    Data Minimization

    Concept: Data Minimization

  • Principle

    Sharing [by the third parties with their sub-processors (“fourth parties”)]

  • Activity

    DATA REUSE/REPURPOSING LIMITATION (minimizing unauthorized processing of data by sub-processors)

  • Activity Details

    • Limiting clear data accessible by a third party, by defining a POLICY, also limits the third party's other parties (vendors, clients and partners) ability to access and use the data for unauthorized purposes.
    • By obfuscating third party cookies & identifiers, the client can prevent repurposing of the data through sharing the data with other parties.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

  • Notes

    Example: vendors (sub-processors) situated in unauthorized territories (e.g., for support purposes). By obfuscating third party cookies & identifiers, the client can prevent repurposing of the data through sharing the data with other parties.

8

DATA REUSE/REPURPOSING LIMITATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    SUPERVISION -- PERIODICAL/ON-GOING/REAL-TIME

  • Activity Details

    • Always-On, Real-Time special ability to policy Enforcement and Alerts
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

9

SUPERVISION -- PERIODICAL/ON-GOING/REAL-TIME

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    AUDIT TRAIL

  • Activity Details

    • Periodical audit reports provide the client an ability to review and control the functioning of the pre-defined policies.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

10

AUDIT TRAIL

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Control

  • Activity

    EVENT MONITORING

  • Activity Details

    • Audit trail detailed records by Event and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

11

EVENT MONITORING

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability

  • Activity

    RETRIEVABLE EVENT LOG FILES

  • Activity Details

    • Ability to demonstrate policy enforcement. Evidence of collection and Sharing per third party tool per parameter and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

12

RETRIEVABLE EVENT LOG FILES

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability (Demonstration of Compliance)

  • Activity

    RETRIEVABLE ACCESS LOG FILES

  • Activity Details

    • Ability to demonstrate unauthorized access. Evidence of collection and Sharing of data breach violations.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

13

RETRIEVABLE ACCESS LOG FILES

  • Concept

    Concept:

  • Principle

  • Activity

  • Activity Details

  • QP Coverage

  • Regulatory/Business Importance

Empty

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Accountability (Demonstration of Compliance)

  • Activity

    OTHER RECORDS AND DOCUMENTATION

  • Activity Details

    • Audit trail detailed records by Event and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

14

OTHER RECORDS AND DOCUMENTATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    INCIDENT MANAGEMENT

  • Activity Details

    • Alert, evidence and detailed reports regarding data breach and transfer to an unauthorized destination in total and per end-user.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

15

INCIDENT MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    DATA SEGREGATION

  • Activity Details

    • Segregation by using different encryption allows data use on a need to know basis.
  • QP Coverage

    Web -- PARTIAL - not including data Silo

    Mobile -- PARTIAL - not including data Silo

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

16

DATA SEGREGATION

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    REDUCTION OF RISKS ASSOCIATED WITH DATA BREACHES

  • Activity Details

    • Risk reduction of Data Breaches on third parteis’s systems through data control, content collection and access avoidance, limits data collection, access, repurposing and sharing of the data.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

17

REDUCTION OF RISKS ASSOCIATED WITH DATA BREACHES

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    REMOTE CONTROL OVER DATA ACCESS

  • Activity Details

    • Ability to avoid risks by blocking access to unauthorized or unknown URLs including the prevention of phishing attempts in web and redirect in mobile.
  • QP Coverage

    Web -- PARTIAL - not including defacement

    Mobile -- PARTIAL - not including defacement

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

18

REMOTE CONTROL OVER DATA ACCESS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Breach Management and Mitigation

  • Activity

    SEGREGATION OF CLIENTS’ DATA

  • Activity Details

    • Ability to partial segregation using 3 different Encryption layers.
  • QP Coverage

    Web -- PARTIAL - not including

    Mobile -- PARTIAL - not including Re-route Re-route

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

19

SEGREGATION OF CLIENTS’ DATA

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Data Transfer

  • Activity

    SUPPLEMENTAL SAFEGUARDS

  • Activity Details

    • Encrypt data transfer by maintaining the private key in an adequate territory.
    • Ability to demonstrate that clear data is not accessible in unauthorized territories.
  • QP Coverage

    Web -- FULL for on-device communication (data in transit and data at rest).

    Mobile -- FULL for on-device communication (data in transit and data at rest).

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

20

SUPPLEMENTAL SAFEGUARDS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    ISMS AREA - VENDOR MANAGEMENT

  • Activity Details

    • Third Party (vendors) Risk prevention and risk management - Management of risk associated with unauthorized Access and Data leakage to privileged vendors and non-privileged factors.
  • QP Coverage

    Web -- FULL for third parties in digital channels

    Mobile -- FULL for third parties in digital channels

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

21

ISMS AREA - VENDOR MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    STATE OF THE ART (BEST AVAILABLE) TOMS

  • Activity Details

    • Appropriate technical and organizational measures (TOMs) to prevent unauthorized data leakage and Access. Best Available, in terms of vendors management, requires that the client will not rely solely on contracts with vendors and occasional vendor audits, but instead engage vendor management pro-actively and use PbD tools such as QPrivacy to manage and control data sharing with vendors on an on-going and real time basis.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

22

STATE OF THE ART (BEST AVAILABLE) TOMS

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    Secure Data Cycle

  • Activity

    ISMS AREA - INCIDENT MANAGEMENT

  • Activity Details

    • Assistance with incident management - data (records, logs, reports) for forensics + KILL SWITCH for mitigation.
  • QP Coverage

    Web -- FULL for on-device communication (data in transit and data at rest).

    Mobile -- FULL for third parties in digital channels

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

23

ISMS AREA - INCIDENT MANAGEMENT

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    User-centric

  • Activity

    DATA SUBJECT RIGHTS (DSR)

  • Activity Details

    • DSAR (especially CCPA) - ability to provide the individual with information about the data collected by third parties (historically, and not just a current snapshot that anyone can draw from the F12 browser function).
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- HIGH

    Mobile Apps -- HIGH

24

DATA SUBJECT RIGHTS (DSR)

  • Concept

    Audit, Control and Report

    Concept: Audit, Control and Report

  • Principle

    User-centric

  • Activity

    CHOICE (CONSENT)

  • Activity Details

    • Consent Management Platform (CMP) by destination, parameter and Content.
  • QP Coverage

    Web -- FULL

    Mobile -- FULL

  • Regulatory/Business Importance

    Websites -- MEDIUM

    Mobile Apps -- MEDIUM

25

CHOICE (CONSENT)

GET THE WHITEPAPER

Access our full report.

    YOUR RULES SHOULD RULE.

    Take back data privacy control today.

    Request Demo

    Background