GDPR 11/1/2017

Published: ISC2 Hellenic Chapter, 11/1/2017
Published in: Technology
1,135 views
1. The General Data Protection Regulation: An Overview of Challenges and Opportunities. Dr. Dimitrios Patsos, Chief Technology Officer, ADACOM S.A.
2. How we got here
   Technology
   • Increase in breaches
   • Cyber Security
   Politics
   • Safe Harbour diminished
   • EU reverses requirements
   EU Framework
   • Weakly enforced Directive 95/46/EC
   • Multiple constituents
3. The GDPR at a Glance
   • Data of EU citizens residing worldwide,
   • Replaces Directive 95/46/EC,
   • In full force: Friday, May 25th, 2018,
   • Fines up to 4% of worldwide turnover, or 20M € (whichever is bigger),
   • 173 recitals setting the context of the regulation and how it will be interpreted by the Data Protection Authorities,
   • 99 articles describing in detail the content of the regulation,
   • 98 of 99 articles are not directly related to technology,
   • 1 article (32) talking about technology.
4. Key Facts
   GDPR: Fines, Data Protection Officer, Breach Notification, Consent, Data Subject Rights, Privacy by Design, Wider Geographic Scope.
   • controller: determines the purposes and means of the processing of personal data
   • processor: processes personal data on behalf of the controller
   • data subject: person whose personal data is processed
5. Degrees of Change (bar chart, one bar per area, 0–10 scale). Areas: Material and Territorial scope; Changed concepts; Data Protection Principles; Lawfulness of processing and further processing; Legitimate interests; Consent; Children; Sensitive Data and lawful processing; Information notices; Subject access, rectification and portability; Rights to object; Right to erasure and right to restriction of processing; Profiling and automated decision-taking; Data Governance; Personal data breaches and notification; Codes of conduct and certifications; Transfers of personal data; Appointment of supervisory authorities; Competence, tasks and powers; Co-operation and consistency between supervisory authorities; European Data Protection Board; Remedies and liabilities; Administrative fines; Delegated acts, implementing acts and final provisions.
6. OK, but… What Data?
   • Personal Data: anything related to an identified or identifiable natural person ("data subject"), such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (Art. 4(1)),
   • Sensitive Personal Data: anything revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data (Rec. 10, 34, 35, 51; Art. 9(1)),
   • Data relating to criminal offences: data relating to criminal offences and convictions may only be processed by national authorities. National law may provide derogations, subject to suitable safeguards (Rec. 19, 50, 73, 80, 91, 97; Art. 10),
   • Anonymous data: the GDPR does not apply to data that have been anonymized in such a way that an individual cannot be identified from the original data (Rec. 26),
   • Pseudonymous data: pseudonymous data are still treated as personal data because they enable the identification of individuals (via the pseudonymization process). However, the risks are likely to be lower (Rec. 26, 28-29, 75, 78, 156; Art. 4(5), 6(4)(e), 25(1), 32(1)(a), 40(2)(d), 89(1)).
7. Lawful processing
   • Identify a legal basis before you can process personal data:
   • processing is necessary for compliance with a legal obligation,
   • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1)(c),(e)).
   • Lawfulness of processing conditions:
   • Consent of the data subject (Article 6(1)(a)),
   • Performance of a contract with the data subject, or steps taken to enter into a contract (Article 6(1)(b)),
   • Compliance with a legal obligation (Article 6(1)(c)),
   • Protection of the vital interests of a data subject or another person (Article 6(1)(d)),
   • Legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (Article 6(1)(f)).
8. Consent
   • Freely given, specific, informed and an unambiguous indication of the individual's wishes,
   • Clear affirmative action,
   • Silence, pre-ticked boxes or inactivity do not constitute consent (Articles 6-10, Recitals 38, 40-50, 59),
   • Must be verifiable,
   • Individuals have the right to withdraw consent at any time.
9. Data Subject Rights
   • The right to be informed,
   • The right of access,
   • The right to rectification,
   • The right to erasure (to be forgotten),
   • The right to restrict processing,
   • The right to data portability,
   • The right to object,
   • Rights in relation to automated decision making and profiling.
10. Privacy by Design
   • Demonstration of compliance
   • Implement appropriate technical and organizational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies,
   • Maintain relevant documentation on processing activities,
   • Where appropriate, appoint a data protection officer,
   • Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
   • Pseudonymisation,
   • Transparency,
   • Allowing individuals to monitor processing,
   • Creating and improving security features on an ongoing basis.
   • Use data protection impact assessments where appropriate,
   • Adhere to approved codes of conduct and/or certification schemes.
   • Article 5(2)
11. Documentation
   • Internal records of processing activities, such as:
   • Name and details of your organization (and where applicable, of other controllers, your representative and data protection officer),
   • Purposes of the processing,
   • Description of the categories of individuals and categories of personal data,
   • Categories of recipients of personal data,
   • Details of transfers to third countries, including documentation of the transfer mechanism safeguards in place,
   • Retention schedules,
   • Description of technical and organizational security measures.
   • Article 25, Recital 78
12. Privacy Impact Assessment
   When?
   • Using new technologies, and processing is likely to result in a high risk, such as:
   • systematic and extensive processing activities, including profiling and decisions that have legal effects (or similarly significant effects) on individuals,
   • large-scale processing of special categories of data or of personal data relating to criminal convictions or offences,
   • a considerable amount of personal data at regional, national or supranational level that affects a large number of individuals and involves a high risk to rights and freedoms.
   What?
   • A description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the controller,
   • An assessment of the necessity and proportionality of the processing in relation to the purpose,
   • An assessment of the risks to individuals,
   • The measures in place to address risk, including security, and to demonstrate that you comply,
   • A PIA can address more than one project.
   • Articles 35, 36, 83 and Recitals 84, 89-96
13. Privacy Impact Assessment - How
   Questions to answer: What are my data? Where are my data? How are my data being used? How are my data protected?
   Supporting elements (from the slide diagram): guidelines, policies, procedures, awareness, integrity, quality, compliance.
14. Data Protection Officer
   • Tasks
   • Inform and advise the organization and its employees about their obligations to comply with the GDPR and other data protection laws,
   • Monitor compliance with the GDPR and other data protection laws, advise on data protection impact assessments, train staff and conduct internal audits,
   • Point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
   • Position & Skill Set
   • The DPO reports to the highest management level, i.e. board level,
   • The DPO operates independently and is not dismissed or penalized for performing their tasks,
   • Adequate resources are provided to enable DPOs to meet their GDPR obligations,
   • Can be an internal employee or an external contractor,
   • Should have professional experience and knowledge of data protection law.
   • (Articles 37-39, 83 and Recital 97)
15. Breach notification
   • Data Breach >> Loss of Data (a breach is broader than data loss)
   • Data breach == an event leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data
   • What Should I Report, Where and How Fast?
   • A breach where it is likely to result in a risk to the rights and freedoms of individuals,
   • Notify the relevant supervisory authority and those concerned directly*,
   • Within 72 hours from becoming aware of it,
   • Failing to notify results in fines.
   • Exclusions?
   • Encrypted Data
   • Articles 33, 34, 83 and Recitals 85, 87, 88
16. Technology
   • Article 32 (Security of processing) specifies:
   • (a) the pseudonymization and encryption of personal data;
   • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
   • (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
   • (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
17. The Cloud
   • Controllers and processors must know the location where the personal data are stored or otherwise processed,
   • Limits the ability of entities covered by the GDPR to transfer data to recipients outside the EEA,
   • In cascaded cloud environments the transfer of personal data must comply with the data transfer rules of the GDPR,
   • Controllers & processors (incl. sub-processors) should take adequate security measures to protect the personal data, and the controller must supervise the implementation of security measures by the processor by conducting regular audits.
18. A Draft Action Plan
   Timeline: Q1/17 (Today) to Q1/18 (Deadline), covering Q1/17, Q2/17, Q3/17, Q4/17, Q1/18.
   Steps: Data Inventory; Data Flow Mapping; PIA & Consent Mechanism; Data Subject Rights; Assess Readiness; Identify DPO; Build a Plan; Data Breach Plan; Training and Awareness; Calculate Residual Risk.
19. A Draft Methodology
   Data Collection
   • Lawfulness
   • Consent
   • Relevance
   • Types of Data
   Data Processing
   • Specific Data
   • Specific Purpose
   • Change Notification
   Data Security
   • Process
   • Technology
   • Awareness
   Data Management
   • Access
   • Rules
   • Subject Rights
20. Main Challenges
   • Reconciliation of multiple mandates (Lawful Processing),
   • Collaboration with stakeholders (Data Subject Rights),
   • Accountability,
   • Usage of cloud providers, BYOD, consumerization,
   • Codes of Conduct, Certifications, Seals and BCRs,
   • SMEs and start-ups,
   • Time restrictions & tight budgets.
21. Opportunities
   • Skill shortage (Data Protection Officer),
   • The rise of encryption and data security technologies,
   • Synergies & collaborations,
   • Additional budgets,
   • New and innovative solutions,
   • Market awareness.
22. Summary
   • A demanding, ambitious but fair legislation aiming at the protection of EU citizens' personal data worldwide,
   • Applies without further consultation,
   • Heavy fines involved,
   • Wide manoeuvre room; the Article 29 Working Party is trying to provide further explanations and resolve conflicts (e.g. EU-US Privacy Shield),
   • Multiple challenges and multiple opportunities,
   • The clock is ticking!
23. Questions?
24. Greece, Athens: 25 Kreontos St., 104 42 Athens, +30 210 5193740. Israel, Tel Aviv: 16th Ha' Melecha St., 48091 Rosh Ha'Ayin, +972 74 7019424. United Kingdom, London: 16 Great Queen St., WC2B 5AH Covent Garden, +44 203 126 4590. Thanks for watching!