This repository has been archived by the owner on Nov 14, 2023. It is now read-only.

Update GDPR-letter.md #1585

Open
wants to merge 2 commits into
base: master
31 changes: 14 additions & 17 deletions Outcomes/CISO/GDPR-letter.md
Expand Up @@ -6,15 +6,12 @@ title : GDPR and DPO AppSec implications

### Synopsis and takeaways


## Questions

**PII**
#### PII

- In the event of a data breach when the IP address is an Indicator of Compromise (IOC), and that IP address is not specifically tied to a user, is it still considered PII?
- If a third party provides a component of your product, do you need to anonymize/encrypt PII data? If so, how, and What are the approved methods?

**Supplier responsibility**
#### Supplier responsibility

Example Scenario: an organisation uses a free tier (or educational/charitable) version of Google Docs (or any other SaaS) for storing lists of customers/benefactors. In this scenario:
- Is Google considered a processor?
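Review bot: the new `####` headings (`#### PII`, `#### Supplier responsibility`) sit directly under `## Questions`, which skips the `###` level that `### Synopsis and takeaways` establishes a few lines above, so the outline jumps from h2 to h4; consider `### PII` and `### Supplier responsibility` (and the same for the remaining sections) so the nesting is consistent with the existing h3. While this region is being touched, the mid-sentence capital in "If so, how, and What are the approved methods?" could be lowercased, and it is worth noting that `### Synopsis and takeaways` still has no body.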
Expand All @@ -27,22 +24,22 @@ Example Scenario: an organisation uses a free tier (or educational/charitable) v
- Browser fingerprinting, URLs visited, etc., clearly fall under the definition of “personal data” (Article 4 - 1) and “profiling” (Article 4 - 4)
- If you are using a cloud provider and they state that the server side is encrypted, is that enough? End-to-end (client side also) vs. server side encryption?

**Definitions**
#### Definitions

- What types of company are required to have a DPO?
- How do we quantify what a breach actually is?

**Operational Questions**
#### Operational Questions

- Transfer of data (e.g., when accessing a free Wi-Fi, should a default routed VPN be used when accessing customer data)?
- Should security be mandatory on Wi-Fi networks?
- What type of evidence is required in the event of a data breach to prove due diligence (process vs. pentest reports)?
- Subjects rights
The right to be forgotten.
- The right to be forgotten.
- Are data backups in scope?
- What if the data backup is the source of the breach?

**Data Breach Notification**
#### Data Breach Notification

You must notify the ICO of a breach only where it is likely to result in a risk to the rights and freedoms of individuals – for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage.

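Review bot: changing `The right to be forgotten.` to `- The right to be forgotten.` places it at the same list level as `- Subjects rights`, so it now renders as a separate question rather than as the example under it; indent it one level (`  - The right to be forgotten.`) to keep the intended nesting. `Subjects rights` also wants an apostrophe (`Subjects' rights`). The heading changes themselves are fine, subject to the level question raised on the first hunk.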
Expand All @@ -54,21 +51,21 @@ You must notify the ICO of a breach only where it is likely to result in a risk
- Is this another PCI DSS scenario where the offending party must pay for expensive consultants to come in and tell the offender how to put things right?
- Can this be the penalty rather than a fine?

**ICO**
#### ICO

- Are external parties required to report (responsible disclosure) ICO notification following the discovery of a vulnerability that resulted in the extraction of personal data that potentially is being exploited by malicious parties?
- In the event of vulnerability discovery, how is the magnitude and sensitivity of personal data disclosure determined; what dictates disclosure to the ICO or regulator?
- Are there safeguards (security measures) at ICO level to protect confidentiality and sensitivity of incident notifications? How is such information protected in transit/motion and at rest/storage?
- Must the compliance documentation (risk assessment) be available to the ICO prior to any breach or only after an incident?
- How is commercially sensitive information made available? Can it be published to all? (ED, clarify)

**IP Address**
#### IP Address

- Is an IP Address on its own PII?
- Do you need consent to record an IP Address?
- What is “legitimate business context”?

As an IP address is not necessary unique to a person, at what point does it become PII? See the following scenarios:
As an IP address is not necessarily unique to a person, at what point does it become PII? See the following scenarios:

- IP address
- IP address from known Proxy / TOR / UPA, etc.
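Review bot: the `(ED, clarify)` editorial marker at the end of the ICO list survives this change and will ship in the rendered page; since the PR is already reworking this section, either resolve it (the question could be split into how commercially sensitive information in a notification is made available and to whom) or replace it with a tracked TODO. The `necessary` to `necessarily` fix on the IP address sentence is correct. Minor: `TOR` in the scenario list is conventionally written `Tor`.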
Expand All @@ -78,32 +75,32 @@ As an IP address is not necessary unique to a person, at what point does it beco
- IP address and browser type (footprint)
- IP address and MAC address

**Impact assessments**
#### Impact assessments

- Is an impact assessment a part of your actual cyber hygiene regime and overall cyber risk assessment?

- Once legislation is enacted, is an impact assessment (or any changes made to systems/infrastructure since the enactment) retrospective? Does it cover existing infrastructure, systems, and applications?

**Personal data**
#### Personal data

- What happens to personal data deletion requests, does this apply to backups and archiving?
- What about off-site archived data?
- What happens when archived personal data is restored following a denial of service attack?
- Is the data holder responsible for deleting from all locations?

**Consent**
#### Consent

- How long is consent valid?
- Do we need consent management in our application design or data models?

**Education**
#### Education

- Who should be responsible for GDPR education initiatives?
- Technical Leads
- Legal Leads
- Data Owners

**Pseudonymisation**
#### Pseudonymisation

Consider a situation where an organisation hashes personal data (e.g., email address).
- Is this still considered personal data even though it is not theoretically reversible?
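Review bot: the blank line between the two `Impact assessments` bullets splits them into two separate lists in rendered Markdown; drop it so they render as one list. Under `Education`, the three role bullets (`Technical Leads`, `Legal Leads`, `Data Owners`) are at the same level as the question, so they read as further questions rather than as candidate answers; indent them under it. In the `Pseudonymisation` scenario, "not theoretically reversible" overstates what a plain hash of an email address provides: an unsalted hash of a low-entropy identifier can be matched by hashing candidate addresses, so "not directly reversible", or stating that the hash is salted or keyed, would frame the question more accurately.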
Expand Down