
Gdpr demystified - making sense of the regulation


Slightly out dated introduction to GDPR, that tries to move away from the headlines on fines and emphasises the global nature of the regulation, the numerous forms of lawful processing and the absolute need to manage privacy and be transparent. Goes on to show how using public cloud can help solve part of the problem.

  1. GDPR Demystified: Making sense of the regulation. James Mulhern
  2. Agenda
     • An Introduction
     • What it really means
     • What you’ve got to do about it
     • But first …
     • Where are you now?
     • What do you already know?
  3. What is GDPR?
     • General Data Protection Regulation
     • Supersedes the current EU Directive enacted in the DPA
     • Law since May 2016
     • Covers all data on living individuals
     • Extends existing obligations
     • Stricter requirements
     • Substantial consequences
     • Requires an expert DPO
     • Enforcement effective May 2018
     Transparency, Compliance, Enforcement
  4. Can it really be demystified?
     [Chart: How does GDPR compare to the DPA? Articles, Recitals and Pages, DPA vs GDPR]
     *Substantial proportion is for “Lead Supervisory Authority”
  5. FUD
     It will:
     • not apply to us because of Brexit …
     • be a damp squib – “cookie law”
     • cost you millions to implement and isn’t financially viable …
     • end up being GDPR-lite …
     It’s incompatible with:
     • Cloud …
     • Marketing …
     • business …
     It doesn’t apply to:
     • Using the Cloud
     • Marketing
     • Data processors
     • Corporate Information
     • Universities and public bodies
     You need:
     • explicit consent for everything …
     • to encrypt all data …
     You’re no longer permitted to:
     • share or store data overseas
     • perform profiling
     • collect, store, process or share sensitive data or data on children
     • retain data for more than 12 months
     Any breach will lead to a:
     • fine of 20 million Euros or more …
     • prison sentence …
     Compliance is unachievable?
  6. Why it’s relevant post-Brexit
     1. Regulation, not a directive
     2. The regulation is law now, and the UK is expected to be in the EU for the next few years
     3. For the UK to trade with the EU we need to comply
     4. The Information Commissioner & DCMS reiterated “GDPR will be implemented”
     5. ~40K EU legal acts – likely to be adopted wholesale and then reformed subsequently
  7. 8 DPA Principles for Data Controllers
  8. What’s driving GDPR
     • Harmonising legislation
     • Part of the European Digital Single Market:
       – ePrivacy Directive
       – NIS Directive
     • Promoting free movement of personal data within the EU
     • Data explosion – est. 5.7TB of data per person to be collected every year by 2020
     • Enhancing and protecting the rights of EU Citizens
     • Strong message to global business
     Headlines
     • “Countries continue moving toward the EU standard for data protection”.
     • “The GDPR has already begun to raise the legislative tide within the EU and abroad”.
     • “Attempts to strengthen surveillance undermine data protection laws”.
     [Figure: Forrester’s Data Privacy Heatmap]
  9. Enforcement is not working
     [Chart: Enforcements]
  10. How do we know it’s not working? Courtesy of:
  11. GDPR Sanctions
     • Supervisory powers to:
       • Investigate
       • Correct
       • Authorise & advise
     • Fines
       • up to the higher of €20 million or 4% of global turnover for major breaches
       • up to the higher of €10 million or 2% of global turnover for failing to comply
     • Individual rights
       • to claim compensation for distress (no need to prove harm or loss)
       • to judicial remedy in home state
       • No need to demonstrate material damage
       • Possibility of class action
     • Talk of prison sentences for CEOs for wilful, deliberate mass breaches
  12. So
  13. First the key players …
     [Diagram of the key players:]
     • Data subjects
     • Controllers
     • Co-Controllers
     • Processor and Sub-processors – “process on behalf of”
     • ICO (LSA)
     • European Data Protection Board
     • Parental Guardian
  14. What is personal information now?
     • Any information from which a living person can be identified, directly or indirectly:
       • a name, an identification number, location data, online identifier or factors specific to the individual.
     • Online identifiers (IP address, cookies and so forth) are personal data if they can be linked back to the data subject without undue effort
     • No distinction between personal data about private, public or work roles
     • Processed wholly or in part by automated means, i.e. not incidental data
     • Held in a filing system, i.e. structured
     Enhanced requirements
     • Sensitive personal information relates to protected attributes: race, beliefs, health, genetics etc.
     • Profiling – automated decisions and predictions
  15. Enhanced subject rights
     Wider rights of access and information
     • Confirmation whether data is being processed
     • Information equivalent to that provided on collection
     • Details of the source of the information
     Right to be forgotten
     • Where no longer necessary
     • Where consent is withdrawn
     • Where data is unlawfully processed
     Right for inaccuracies to be rectified without delay
     Right to restrict processing
     • Where accuracy is contested or processing is unlawful
     Right to “data portability”
     • Move data to another controller
     Right to object to
     • Processing based on “legitimate interest”
     • Decisions based upon profiling
     • Decisions based on explicit consent
  16. Subject Requests
     • Covering:
       • Subject Access Requests
       • R2BF (right to be forgotten)
       • Rectification
     • Legitimate requests MUST now be processed within 1 month
     • No longer allowed to charge for requests
     • MUST be fully documented
     • SHOULD be online
  17. The new principles
     Lawful
     • processed lawfully, fairly and transparently.
     Specific and legitimate purpose
     • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
     Adequate, relevant and limited
     • to what is necessary in relation to the purposes for which they are processed
     Accurate and current
     • every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
     Retained for no longer than necessary
     • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
     Protected
     • processed in a manner that ensures appropriate security to prevent unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
     Demonstrable compliance
     • the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
  18. What about principle 8, data overseas?
     • Still exists effectively:
       • Applies to controllers and processors handling EU citizens’ data wherever they process the data.
       • A non-EU controller must have a representative in the EU.
       • US/EU Privacy Shield and EU model clauses are still relevant
  19. What is lawful processing?
     • Unambiguous Data Subject consent
     • Performance of a contract with the data subject (only), e.g. delivery address for receipt of goods
     • Legitimate interest of the controller (or 3rd party), e.g. preventing fraud, ensuring security
     • Compliance with a legal obligation, i.e. where you are otherwise required to collect, store or retain data
     • Protecting the vital interests of the data subject, e.g. protection of life – monitoring epidemics
     • Performing a task in the public interest or under official authority, e.g. national security, scientific research
  20. Transparency: freely given, specific, informed (unambiguous consent)
     Data subject can’t be disadvantaged
     • fulfilment can’t be conditional on consent
     No consent bundling
     • Each “processing operation” requires distinct consent
     No hiding it away
     • clearly distinguishable as consent
     • based on affirmative action (not opt-out)
     • intelligible and readily accessible
     Clear, concise and plain language explaining:
     • What data
     • Why it is being collected and processed
     • Measures taken to protect the data
     • How long the data is retained
     • With whom and how it will be shared and used by others
     Consent can be withdrawn at any time
     • the data subject must be advised upfront how to do this
     • as easy to withdraw as to give
     Verifiable
     • Clear records must be retained as evidence
  21. Data Collection: information you need to provide
     The subject is entitled to be informed of the following:
     • Controller details – legal entity and contacts
     • Purpose and legal basis
     • Legitimate interests
     • Other recipients
     • Cross-border transfers
     • Retention duration and reasons
     • The subject’s rights
     • Automated decision making (profiling)
     • Right to complain to the ICO
     • Whether it is a contractual or legal requirement to supply the data.
  22. Even if you don’t collect the data directly
     • You still need to notify the data subject (as before) promptly
     • also detailing:
       • Source of the data
       • Categories of data
  23. Breach Notification
     • When you have a breach (i.e. accidental or unlawful destruction, loss, access, alteration or disclosure of personal data)
     • You must:
       • Report to the ICO within 72 hours
       • Notify affected people
       • Document impact and remediation
  24. Cyber resilience maturity
     • Incidents are inevitable, so it’s important that you respond effectively.
     • Ask yourselves the following critical questions:
       • Are you confident that you have identified all priority business data assets and their location?
       • Who are your adversaries, and are you able to defend the organisation from a motivated adversary?
       • Do you have the tools and techniques to respond to a targeted attack?
       • Do you know what your adversary is really after?
       • How do these attacks affect your business?
       • Do you have the right alignment, structure, team members and other resources to execute your cybersecurity mission?
  25. Ensuring your processing is compliant
     GRC regime: appropriate technical and organisational measures to demonstrate compliance
     • Policies
     • Audits and reviews
     • Monitoring
     • DPO needs to be independent and unfettered
     Privacy and security by design
     • Requires systematic, proportionate Privacy Impact Assessments & Risk Assessments
     • Sets privacy and security requirements
     • GDPR makes specific reference to “pseudonymisation” and encryption
     • Expectation of measures to ensure CIA
     • Expectation of timely recovery
     • Expectation of regular security testing
     • Restricted only to the data and the individuals required (views & access control)
     Record keeping (both controller & processor)
     • Processing activities (purposes, recipients, transfers, retention periods, controls in place)
     • By you and 3rd parties
     • Available to the ICO upon request
  26. Controllers and Processors
     Both can be liable, so greater regulation
     Controllers SHOULD
     • Perform supplier due diligence
     • Have binding contracts setting out:
       • Nature of data
       • Purpose of processing
       • Obligations on each other
     • Provide precise instructions
     • Monitor the processor on an ongoing basis
     Processors MUST
     • Follow provided processing instructions
       • but notify if instructions are unlawful
     • Impose confidentiality and ensure security
     • Request consent to subcontract
     • Assist with requests and consultations
     • Provide evidence of compliance
  27. What’s involved in becoming compliant?
     • Time is of the essence – you have 18 months.
     • If you’re truly compliant with the DPA then it’s an upgrade: strengthen policies, processes, functions and contracts in readiness.
     • If you aren’t, and you’re starting from scratch and don’t manage your data, then it’s a much bigger undertaking.
     • You should manage it as a project (or programme if appropriate).
  28. Breaking it down: Discovery, Gap Analysis, Define, Implement, Assess
  29. Practices to adopt
     • Adopt a risk-based approach prioritising:
       • most obvious,
       • most sensitive,
       • most substantial personal data
     • Align data processing closely to your business processes
     • Incorporate Privacy Impact Assessment and security requirements into all significant initiatives.
     • Refresh consent on a rolling 12-month basis.
  30. What’s critical to success?
     • Getting board-level commitment
     • Empowering data owners to be responsible
     • Plan for ongoing compliance, not just May 2018
     • Review carefully whether there is a justifiable business need
     • Employing a strategy of Reduce, Consolidate, Record and Protect
     • Building a register of data sources, linked to business processes and owners
     • Engage a 3rd party to assist and validate
  31. Issues to be wary of
     • Getting caught in the weeds
     • Focussing on edge cases
     • Shadow IT
     • Data retention because it “might be useful one day”
     • Data inaccuracy
  32. Using a Cloud Service you should:
     1. Know where the service is processing and/or storing data.
     2. Consider additional steps to protect data from loss, alteration, or unauthorised processing.
     3. Set out a data processing agreement and monitor it.
     4. Not allow the service to use personal data for other purposes.
     5. Ensure that you can erase the data when you stop using the service.
  33. Further guidance on the Cloud?
     ENISA Cloud security guide for SMEs
     • Advises on risks and procurement
     • Poses security questions for prospective providers
     ISO 27018
     • A code of practice that focuses on protection of personal data in the cloud; builds on ISO27002
     The CISPE Code of Conduct
     • Emerging framework
     • Prohibits the reuse of customers’ data
     • Ensures processing and storage exclusively in the EU
  34. Where’s Public Cloud now?
     • Employ a “Shared Responsibility Model”
     • Both Amazon and Microsoft have adopted the Model Clauses and are registered with Privacy Shield
     • Both AWS and Azure have EU regions
     • Azure already has a UK region and the AWS UK region launch is imminent.
     • Both have comprehensive material in their compliance portals
     • Both emphasize SOC2/3 regimes
     • Both comply with ISO27018
  35. What does the future hold …
     • ICO income from registration will dry up
     • Gov’t will look for the ICO to be self-funding from enforcement
     • Supply chains will look to limit their liability
     • Cloud providers will be more interested in your data and making you attest
     • Likely certification schemes and badges will be developed
     • ICO likely to target gross offenders when it comes to breaches
     • Bodies of good practice will be adopted, e.g. ISO27018
     • SOC2 and SOC3 will continue to be pushed by US firms
     • Likely there will be some “ambulance chaser” industry
     • Prospect of custodial sentences, either through the regulation itself or associated regulation
  36. Useful resources
     Available now
     • ICO’s GDPR Overview
     • ICO’s Preparing for GDPR
     • Lots of material online from vendors, legal firms, suppliers.
     What’s coming soon
     • Article 29 Working Party
       • First regulatory guidance expected before end of 2016 addressing:
         • the role of the Data Protection Officer,
         • the new right to data portability
       • Also developing guidance for publication in February 2017:
         • regarding the concept of risk under the GDPR
         • and carrying out Data Privacy Impact Assessments
       • And working on guidance regarding certifications under the GDPR
     • ICO
       • Revised guidance on Big Data expected by the end of 2016
       • Also guidance on consent and profiling expected by the end of January 2017.
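The consent rules on slides 20 and 29 (distinct consent per processing operation, affirmative action only, withdrawal as easy as giving, verifiable records, a rolling 12-month refresh) and the note that a changed purpose needs fresh consent, as an added Python example that is not from the deck. The 365-day window, the under-16 check as a record field, and all record fields and sample values are assumptions constructed here.

```python
"""Consent ledger: one record per (subject, processing operation), checked per purpose.
Constructed illustration of the deck's consent rules; not the presenter's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

REFRESH_PERIOD = timedelta(days=365)  # slide 29: refresh consent on a rolling 12-month basis (assumed window)
PARENTAL_AGE = 16                     # notes: under 16 requires parental authorisation


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                   # one record per distinct processing operation (no bundling)
    given_at: datetime
    affirmative: bool              # True only for an explicit opt-in act, never a pre-ticked box
    subject_age: int
    parental_authorised: bool = False
    evidence: str = ""             # wording shown and form version; kept as the verifiable record
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Opt-outs and pre-ticked boxes are not consent: refuse to store them at all.
        if not rec.affirmative:
            raise ValueError("consent must be an affirmative action, not an opt-out")
        # A child under 16 needs a parent or guardian to authorise the processing.
        if rec.subject_age < PARENTAL_AGE and not rec.parental_authorised:
            raise ValueError("parental authorisation required for a subject under 16")
        # Without evidence of what was agreed the consent cannot be demonstrated later.
        if not rec.evidence:
            raise ValueError("a verifiable record of what was agreed is required")
        self._records.append(rec)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        # Withdrawal is a single call with no extra hurdles; returns how many records it closed.
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                count += 1
        return count

    def is_permitted(self, subject_id: str, purpose: str, now: datetime) -> bool:
        # Checked per purpose: consent for one operation says nothing about another,
        # so a new or changed purpose simply finds no record and needs fresh consent.
        for rec in self._records:
            if rec.subject_id != subject_id or rec.purpose != purpose:
                continue
            if rec.withdrawn_at is not None and rec.withdrawn_at <= now:
                continue
            if now - rec.given_at > REFRESH_PERIOD:
                continue  # older than the rolling refresh window: treat as lapsed
            return True
        return False

    def evidence_for(self, subject_id: str) -> List[str]:
        # The trail handed to the ICO or to the data subject on request.
        return [f"{r.purpose}: given {r.given_at.date()}, "
                f"withdrawn {r.withdrawn_at.date() if r.withdrawn_at else 'no'}, "
                f"evidence={r.evidence!r}"
                for r in self._records if r.subject_id == subject_id]
```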

Editor notes

  • Builds on the Data Protection Act and is bigger, stronger and more significant.

    Transparency, Compliance and Enforcement are at its heart

    It really sets out the obligation to have an effective privacy management system that is auditable
    Enforcement comes into force May 2018.

    There are derogations on the requirement for the DPO; they may be a 3rd party but they must report to the board.
  • GDPR is big

    DPA: 34 articles, 72 recitals, 20 pages
    GDPR: 99 articles, 134 recitals, 156 pages

    Articles – set out the obligations
    Recitals – set out the reasons

    However, a substantial proportion is direction to the “Lead Supervisory Authority (LSA)”, e.g. the ICO

  • There is an amount of fear, uncertainty and doubt that has crept up around the regulation
    Often the FUD is based on something – typically an exaggeration or misinterpretation of the regulation

    There isn’t really a playbook to follow
    No precedent – nearest approximation: Bundesdatenschutzgesetz (BDSG)

    never happen and won’t apply to us because of Brexit …
    be a damp squib – just like the “cookie law”
    cost you millions to implement and isn’t financially viable…
    be GDPR-lite …

    However, it is not an exaggeration to say it is large and it is complex
  • Let’s be clear: this is binary – you have to comply; if you don’t, you are breaking the law.

    Regulations are law; Directives are open to national interpretation and implementation.
    Whilst we are members of the EU it is law. It could only be repealed after we have formally left.
    The regulation is designed to protect EU citizens’ rights.

    (Elizabeth Denham) Information Commissioner
    (National Association of DP and FOI Officers Conference keynote, 21st Nov)
    e.g. Irish Republic
    It would seem extremely unlikely for it to be repealed immediately.

    It would be an extremely risky strategy to bet against it and do nothing – unless you’ve got a one-way ticket to Rio … You are setting yourself up to fail.
  • So because the Regulation builds upon the DP Directive it’s helpful to remind ourselves of that – the 8 principles are:

    Not excessive
    Retained no longer than necessary
    In line with rights
    Not transferred outside EU/EEA

    Focus is on the data and registration

    Which often means obfuscation, opaqueness and detachment: very broad data protection registrations, privacy policies hidden away, opt-out tick boxes, deterrents to reluctant subject access requests, and a focus on not “storing” data outside the EU.

    Where everything is a bit ambiguous
    All feeling a bit of an optional tick-box exercise, that’s best avoided.
    A sense of ‘best endeavours’ that doesn’t put the data subject at its heart.


    Where the reason for data protection is forgotten

    And all feeling a bit optional
  • Harmonising legislation in the EU
    Part of a wider series of initiatives under the European Digital Single Market:
    ePrivacy Directive
    NIS Directive
    Expect 5.7TB of data per person to be collected every year by 2020
    Enhancing and protecting the rights of EU Citizens
    Strong message to global business
  • Enforcement Notices going back to 2014
    Focused on unsolicited emails and self-reported breaches by health orgs
    Less than 50% have led to a fine or prosecution
    Largest fine: 400K, TalkTalk breach
    Fines require material harm or financial loss to have occurred
  • Just look at the news every day …
  • So let’s get the big scary headline out of the way first – enforcement has far bigger teeth.
    Whether something is tier 1 or tier 2 depends on the specific articles breached
    Major breaches, e.g. failure to meet principles, lawful processing etc.
    Minor breaches, e.g. late notification of a breach etc. Administrative breach – i.e. no incident is necessary.

    On the upside, you no longer need to register with the ICO annually.
  • You could say it’s a bit like Usain Bolt
    Bigger (teeth),
    And perhaps more intense than what came before…

    Now when looking at the regulation I’m going to focus on the core and hopefully most relevant aspects and not stuff that I suspect
  • It isn’t just about the obligations of Controllers but of Processors too
    Also a concept of co-controllers
  • The regulation makes the definition clearer
    In particular about online identifiers

    Processing means pretty much anything

    In theory the regulation doesn’t apply to:
    incidental information (i.e. information that’s not used or processed)
    Data not held in a structured format

    However – Caution!
    The purpose of data is to be useful
    The obligation for data to be portable requires it to be structured.

    Sensitive personal information relates to protected attributes: health, race etc.
    Has greater restrictions and obligations, e.g. protection and explicit consent.
    It is possible that some of the data you collect is sensitive
    There are special considerations relating to children

  • You need to ensure that your systems and services support data subjects’ enhanced rights.
    There are some derogations with R2BF but they’re unlikely to apply to
  • Broadly similar to the 8 previous principles
    Just more specific and less open to interpretation

    Justifiable business need – “purpose limitation”
    Data minimisation
    Errors must be corrected without delay
    “Storage limitation”
    Integrity and confidentiality

    Principle 6, “in line with the rights of the data subject”, is incorporated across ALL the principles, but particularly Lawful
  • There will be no flags of convenience where data can be processed

    If you are an EU entity and you process overseas you still have to comply
    If you are a non-EU entity and you offer goods or services to EU citizens or you monitor their behaviour _within_ the EU you still have to comply
  • Explicit consent isn’t the only way of achieving lawful processing; there are 6 pathways
    It’s still likely to be the most common, most applicable to you and straightforward

    Legitimate interests MUST not undermine the rights of the data subject, need to be proven and can’t be employed by public bodies
    Legal obligation can be more than statutory law; it can be common law – e.g. financial regulations
    Also includes precedent (i.e. common law)
    Public interest must be set out by law

    It’s important to note that the other pathways do provide a derogation from wider obligations to inform and protect etc.
  • No more inadvertent consent
    Time to upgrade your consent functions
    Easy come, Easy go

    Under 16 requires parental authorisation

    Explicit consent required for sensitive and special categories of personal data
  • N.B. if the purpose changes you need to do it again.
  • Implementing an ISO27001/2 ISMS
    Implementing least privilege and data minimisation
    Pseudonymisation and Encryption
    Pen testing
    Lots of record keeping to satisfy subject requests and ICO
  • e.g. Criminal Justice and Immigration Act 2008 makes unlawfully obtaining personal data punishable by up to two years in prison.