Dr. Ferenc Leitold and Dr. Attila Kiss will talk about the assessment of users’ IT security awareness in light of the GDPR at #BSidesBUD2018. Here is the abstract of their presentation:
After a two-year implementation period, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) will be directly applicable in all Member States as of 25 May 2018. This new law aims to put individuals back in control of their personal data by strengthening the rights of data subjects and introducing a set of new obligations for all bodies that process personal data, including companies, NGOs and even most of the governmental sector.
However, when we look at the latest challenges, we find that our own users are the weakest link of our IT systems and the main source of threats to IT security. An integrated IT security toolset must therefore also include means of analysing and managing user behaviour and IT awareness, such as monitoring services, risk assessment tools, and activities and training that support security awareness. Applying these services and methods can improve security, but it also requires the collection, storage, analysis and, in general, the processing of users' personal data, so they have to be implemented in our systems in line with the requirements of the GDPR.
The presentation will show examples of the above-mentioned tools and applications available on the market, and will discuss their weak spots and the challenges of using them from a legal perspective. The speakers will focus on the following questions:
- Are users' IT awareness assessment tools still legally applicable after May 2018? What are the relevant new rules and basic principles of the GDPR?
- Do data controllers have legitimate goals or interests that justify the use of behavioural or awareness analytics tools?
- Is anonymization or pseudonymization of the collected data a viable way to preserve the functionality of users' awareness assessment tools?
- How should you prepare your company for the lawful processing of the collected data under the GDPR?