Slightly outdated introduction to GDPR that tries to move away from the headlines on fines and emphasises the global nature of the regulation, the numerous forms of lawful processing and the absolute need to manage privacy and be transparent. It goes on to show how using public cloud can help solve part of the problem.
2. Agenda
• An Introduction
• What it really means
• What you’ve got to do about it
• But first …
• Where are you now?
• What do you already know?
3. What is GDPR?
• General Data Protection Regulation
• Supersedes current EU Directive enacted in the DPA
• Law since May 2016
• Covers all data on living individuals
• Extends existing obligations
• Stricter requirements
• Substantial consequences
• Requires expert DPO
• Enforcement effective May 2018
Transparency
Compliance
Enforcement
4. Can it really be demystified?
[Bar chart: How does GDPR compare to the DPA? Number of Articles, Recitals and Pages for the DPA and GDPR, scale 0–180]
*Substantial proportion is for “Lead Supervisory Authority”
5. FUD
It will:
• Not apply to us because of Brexit …
• be a damp squib – “cookie law”
• cost you millions to implement and isn’t financially viable…
• End up being GDPR-lite …
It’s incompatible with:
• Cloud …
• Marketing …
• with business …
It doesn’t apply to:
• Using the Cloud
• Marketing
• Data processors
• Corporate Information
• Universities and public bodies
You need:
• explicit consent for everything …
• to encrypt all data …
You’re no longer permitted to:
• share or store data overseas
• Perform profiling
• Collect, store, process or share sensitive data or data on children
• Retain data for more than 12 months
Any breach will lead to a:
• fine of 20 million Euros or more…
• prison sentence ….
Compliance is unachievable?
6. Why it’s relevant post BREXIT
1. Regulation not a directive
2. The regulation is law now, the UK expected to be in EU for next few years
3. For the UK to trade with EU we need to comply
4. Information Commissioner & DCMS reiterated “GDPR will be implemented”
5. ~40K EU legal acts – likely to be adopted wholesale and then reformed subsequently
8. What’s driving GDPR
• Harmonising legislation
• Part of the European Digital Single Market:
– ePrivacy Directive
– NIS Directive
• Promoting free movement of personal data within EU
• Data Explosion
– Est. 5.7TB of data per person to be collected every year by 2020
• Enhancing and protecting the rights of EU Citizens
• Strong message to global business.
Headlines
• “Countries continue moving toward the EU standard for data protection”.
• “The GDPR has already begun to raise the legislative tide within the EU and abroad”.
• “Attempts to strengthen surveillance undermine data protection laws”.
Forrester’s Data Privacy Heatmap
10. How do we know it’s not working?
Courtesy of:
www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
11. GDPR Sanctions
• Supervisory powers to:
• Investigate
• Correct
• Authorise & advise
• Fines
• up to the higher of €20 million or 4% global turnover for major breaches
• up to the higher of €10 million or 2% global turnover for failing to comply
• Individual Right
• to claim compensation for distress (no need to prove harm or loss)
• to judicial remedy in home state
• No need to demonstrate material damage
• Possibility of class action
• Talk of prison sentences for CEOs for wilful, deliberate mass breaches
13. First the key players …
[Diagram of the key players:]
• Data subjects (and Parental Guardian)
• Controllers
• Co-Controllers
• Processor (process on behalf of the controller)
• Sub-processors
• ICO (LSA)
• European Data Protection Board
14. What is personal information now?
• Any information from which a living person can be identified, directly or indirectly
• a name, an identification number, location data, online identifier or factors specific to the individual.
• Online identifiers (IP address, cookies and so forth) are personal data if they can be linked back to the data subject without undue effort
• no distinction between personal data about private, public or work roles
• Processed wholly or in part by automated means, i.e. not incidental data
• Held in a filing system, i.e. structured
Enhanced requirements
• Sensitive personal information relates to protected attributes: race, beliefs, health, genetics etc.
• Profiling – automated decisions and predictions
15. Enhanced Subject rights
Wider rights of access and information
• Confirmation whether data being processed
• Information equivalent to that provided on collection
• Details of the source of information
Right to be forgotten
• Where no longer necessary
• Where consent withdrawn
• Where data unlawfully processed
Right for inaccuracies to be rectified without delay
Right to restrict processing
• Where accuracy contested or unlawful
Right to “data portability”
• Move data to another controller
Right to object to
• Processing based on “legitimate interest”
• Decision based upon profiling
• Decision based on explicit consent
16. Subject Requests
• Covering:
• Subject Access Requests
• R2BF
• Rectification
• Legitimate requests MUST now be processed within 1 month
• No longer allowed to charge for requests
• MUST be fully documented
• SHOULD be online
17. The new principles
Lawful
• processed lawfully, fairly and transparently.
Specific and Legitimate purpose
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Adequate, relevant and limited
• to what is necessary in relation to the purposes for which they are processed
Accurate and current
• every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Retained for no longer than necessary
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
Protected
• processed in a manner that ensures appropriate security to prevent unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.
Demonstrable Compliance
• the controller shall be responsible for, and be able to demonstrate, compliance with the principles.
18. What about principle 8 Data overseas?
• Still exists effectively:
• Applies to controllers and processors handling EU citizens’ data wherever they process the data.
• Non-EU controller must have a representative in EU.
• US/EU Privacy Shield and EU model clauses still relevant
19. What is lawful processing?
Unambiguous data subject consent
Performance of a contract with the data subject (only) – e.g. delivery address for receipt of goods
Legitimate interest of controller (or 3rd party) – e.g. preventing fraud, ensuring security
Compliance with legal obligation – i.e. where you are otherwise required to collect, store or retain data
Protect vital interests of data subject – e.g. protection of life, monitoring epidemics
Perform task in public interest or official authority – e.g. national security, scientific research
20. Transparency: Freely given, specific, informed
(unambiguous Consent)
Data subject can’t be disadvantaged
• fulfilment can’t be conditional on consent
No consent bundling
• Each “processing operation” requires distinct consents
No hiding it away
• clearly distinguishable as consent
• Based on affirmative action (not opt out)
• intelligible and readily accessible
Clear, concise and plain language explaining:
• What data
• Why it is being collected and processed
• Measures taken to protect data
• How long the data is retained
• With whom and how it will be shared and used by others
Consent can be withdrawn at any time
• data subject must be advised upfront how to do this
• as easy to withdraw as to give
Verifiable
• Clear records must be retained as evidence
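The consent requirements on this slide (distinct consent per processing operation, affirmative action only, withdrawal as easy as giving, verifiable records) and the later recommendation to refresh consent on a rolling 12-month basis translate into a small amount of application logic. The register below is an added illustration written for this page, not code from the deck or from any product; the 365-day validity window, the record fields and the subject ids are assumptions.

```python
"""Consent register: one record per data subject per processing purpose,
with an append-only evidence log, withdrawal, and a rolling validity check.
Added illustration, not code from the deck; the 365-day validity window,
the field names and the sample subject ids are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy value: the deck recommends refreshing consent on a rolling 12-month basis.
CONSENT_VALIDITY = timedelta(days=365)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # one record per "processing operation": no bundling
    notice_version: str          # the privacy notice wording the subject actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    def __init__(self) -> None:
        self._current: Dict[Tuple[str, str], ConsentRecord] = {}
        self.evidence: List[str] = []    # retained verbatim as the verifiable audit trail

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       affirmative: bool, at: datetime) -> ConsentRecord:
        # Pre-ticked boxes, silence or inactivity are not consent: only an
        # affirmative act by the subject may create a record.
        if not affirmative:
            raise ValueError("consent requires an affirmative action by the data subject")
        rec = ConsentRecord(subject_id, purpose, notice_version, at)
        self._current[(subject_id, purpose)] = rec
        self.evidence.append(f"{at.isoformat()} GIVEN {subject_id} {purpose} notice={notice_version}")
        return rec

    def withdraw_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        # Withdrawal is one call with no conditions: as easy to withdraw as to give.
        rec = self._current.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = at
        self.evidence.append(f"{at.isoformat()} WITHDRAWN {subject_id} {purpose}")
        return True

    def has_valid_consent(self, subject_id: str, purpose: str, now: datetime) -> bool:
        # Consent for one purpose says nothing about another purpose.
        rec = self._current.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        return now - rec.given_at <= CONSENT_VALIDITY

    def refresh_due(self, now: datetime) -> List[Tuple[str, str]]:
        # Live consents older than the validity window: these need re-asking, not silent renewal.
        return sorted(key for key, rec in self._current.items()
                      if rec.withdrawn_at is None and now - rec.given_at > CONSENT_VALIDITY)


def demo() -> dict:
    """Walk one constructed subject through give / check / expire / withdraw."""
    reg = ConsentRegister()
    given = datetime(2017, 1, 10, tzinfo=timezone.utc)
    reg.record_consent("s-1001", "newsletter", "privacy-notice-v3", affirmative=True, at=given)
    try:
        reg.record_consent("s-1002", "newsletter", "privacy-notice-v3", affirmative=False, at=given)
        rejects_pre_ticked = False
    except ValueError:
        rejects_pre_ticked = True
    mid_2017 = datetime(2017, 6, 1, tzinfo=timezone.utc)
    feb_2018 = datetime(2018, 2, 1, tzinfo=timezone.utc)
    results = {
        "rejects_pre_ticked": rejects_pre_ticked,
        "newsletter_valid_mid_2017": reg.has_valid_consent("s-1001", "newsletter", mid_2017),
        "profiling_valid_mid_2017": reg.has_valid_consent("s-1001", "profiling", mid_2017),
        "newsletter_valid_feb_2018": reg.has_valid_consent("s-1001", "newsletter", feb_2018),
        "refresh_due_feb_2018": reg.refresh_due(feb_2018),
    }
    reg.withdraw_consent("s-1001", "newsletter", datetime(2018, 2, 2, tzinfo=timezone.utc))
    results["after_withdrawal"] = reg.has_valid_consent("s-1001", "newsletter", mid_2017)
    results["evidence_entries"] = len(reg.evidence)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The register keys consent on (subject, purpose), so consent to the newsletter never implies consent to profiling, and the evidence list is kept separately from the current state so that a subject access request or an ICO enquiry can be answered from the log rather than from whatever the live record happens to say now.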
21. Data Collection: Information you need to provide
The subject is entitled to be informed of the following:
• Controller details – legal entity and contacts
• Purpose and legal basis
• Legitimate interests
• Other recipients
• Cross-border transfers
• Retention duration and reasons
• The Subject’s rights
• Automated decision making (profiling)
• Right to complain to ICO
• Whether it is a contractual or legal requirement to supply the data.
22. Even if you don’t collect the data directly
• You still need to notify the data subject (as before) promptly
• also detailing:
• Source of the data
• Categories of data
23. Breach Notification
• When you have a breach (i.e. accidental or unlawful destruction, loss, access, alteration or disclosure of personal data)
• You must:
• Report to ICO within 72 hours
• Notify affected people
• Document impact and remediation
24. Cyber resilience maturity
• Incidents are inevitable so it’s important that you respond effectively.
• Ask yourselves the following critical questions:
• Are you confident that you have identified all priority business data
assets and their location?
• Who are your adversaries and are you able to defend the
organisation from a motivated adversary?
• Do you have the tools and techniques to respond to a targeted
attack?
• Do you know what your adversary is really after?
• How do these attacks affect your business?
• Do you have the right alignment, structure, team members and
other resources to execute your cybersecurity mission?
25. Ensuring your processing is compliant
GRC Regime: Appropriate technical and organisational measures to demonstrate compliance
• Policies
• Audits and Reviews
• Monitoring
• DPO needs to be independent and unfettered
Privacy and Security by design
• Require systematic, proportionate Privacy Impact Assessments & Risk Assessments
• Sets privacy and security requirements
• GDPR makes specific reference to “pseudonymisation” and encryption
• Expectation of measures to ensure CIA
• Expectation of timely recovery
• Expectation of regular security testing
• Restricted only to the data and the individuals required (views & access control)
Record keeping (both controller & processor)
• Processing activities (purposes, recipients, transfers, retention periods, controls in place)
• By you and 3rd parties
• Available for ICO upon request
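The slide names pseudonymisation and restricting data to what is required as privacy-by-design measures. The sketch below, an added illustration written for this page rather than code from the deck, shows one common way to do both for an analytics extract: replace the direct identifier with a keyed hash so rows about the same person stay linkable, drop every field the purpose does not need, and hold the key and re-identification table apart from the dataset. The sample records, field names and the choice of HMAC-SHA256 are assumptions.

```python
"""Pseudonymisation plus data minimisation for an analytics extract.
Added illustration, not code from the deck; the sample records, field names
and key handling are assumptions."""
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample extract (no real people); note the inconsistent e-mail casing.
SAMPLE_RECORDS = [
    {"email": "Alice@example.org", "name": "Alice Example", "postcode": "AA1 1AA", "course": "Physics", "fees_paid": True},
    {"email": "bob@example.org", "name": "Bob Example", "postcode": "BB2 2BB", "course": "History", "fees_paid": False},
    {"email": "alice@example.org", "name": "Alice Example", "postcode": "AA1 1AA", "course": "Maths", "fees_paid": True},
]

DIRECT_IDENTIFIERS = ("email", "name", "postcode")
# Allowlist: the only fields this purpose needs. Everything else is dropped, not kept "in case".
ANALYTICS_FIELDS = ("course", "fees_paid")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of the normalised identifier. Stable for the same person under the
    same key, so records stay linkable for analysis. An unkeyed hash would let anyone
    holding a list of candidate addresses recompute and reverse it; the key prevents that."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return the minimised analytics rows and the re-identification table.
    The table and the key stay with the controller's custodian, never with the dataset."""
    analytics, lookup = [], {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        analytics.append({"pid": pid, **{f: rec[f] for f in ANALYTICS_FIELDS}})
        lookup[pid] = rec["email"].strip().lower()
    return analytics, lookup


def contains_direct_identifiers(rows: List[dict]) -> bool:
    """Check that no allowlisted row still carries a direct identifier."""
    return any(field in row for row in rows for field in DIRECT_IDENTIFIERS)


def reidentify(pid: str, lookup: Dict[str, str]) -> Optional[str]:
    """Only the key custodian can do this, e.g. to honour an access or erasure request."""
    return lookup.get(pid)


def demo(key: Optional[bytes] = None) -> dict:
    key = key or secrets.token_bytes(32)          # in practice: generated and held in a KMS/HSM
    rows, lookup = pseudonymise(SAMPLE_RECORDS, key)
    other_key = secrets.token_bytes(32)
    return {
        "rows": rows,
        "no_direct_identifiers": not contains_direct_identifiers(rows),
        "same_person_linkable": rows[0]["pid"] == rows[2]["pid"],
        "distinct_people_distinct": rows[0]["pid"] != rows[1]["pid"],
        "unlinkable_across_keys": pseudonym("alice@example.org", key)
                                  != pseudonym("alice@example.org", other_key),
        "reidentified": reidentify(rows[1]["pid"], lookup),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points the code makes concrete: pseudonymised data is still personal data, because the custodian can re-link it through the key and lookup table, so the access controls on those two artefacts are what the measure actually rests on; and a dataset pseudonymised under a different key cannot be joined to this one, which limits the damage if one extract is lost.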
26. Controllers and Processors
Both can be liable so greater regulation
Controller SHOULD
• Perform supplier due diligence
• Binding contracts setting out
• Nature of data
• Purpose of processing
• Obligations on each other
• Provide precise instructions
• Monitor processor on ongoing basis
Processors MUST
• Follow provided processing
instructions
• but notify if instructions are unlawful
• Impose confidentiality and ensure
security
• Request consent to subcontract
• Assist with requests and consultations
• Provide evidence of compliance
27. What’s involved in becoming compliant?
• Time is of the essence – you have 18 months.
• If you’re truly compliant with the DPA then it’s an upgrade: Strengthen policies, processes, functions and contracts in readiness
• If you don’t and you’re starting from scratch and don’t manage your data then it’s a much bigger undertaking.
• You should manage it as a project (or programme if appropriate).
30. Practices to adopt
• Adopt a risk based approach prioritising:
• most obvious,
• most sensitive,
• most substantial personal data
• Align data processing closely to your business processes
• Incorporate Privacy Impact Assessment and Security Requirements to all significant initiatives.
• Refresh consent on a rolling 12 months basis.
31. What’s critical to success?
• Getting board level commitment
• Empowering Data Owners to be responsible
• Plan for ongoing compliance not just May 2018
• Review carefully whether there is a justifiable business need
• Employing a strategy of Reduce, Consolidate, Record and Protect
• Building a register of Data sources, linked to business processes and owners
• Engage a 3rd party to assist and validate
32. Issues to be wary of
• Getting caught in the weeds
• Focussing on edge cases
• Shadow IT
• Data retention because it “might be useful one day”.
• Data inaccuracy
33. Using a Cloud Service you should
1. Know the location of where the service is processing and or storing data.
2. Consider additional steps to protect data from loss, alteration, or unauthorised processing.
3. Set out a data processing agreement and monitor
4. Don’t allow the service to use personal data for other purposes.
5. Ensure that you can erase the data when you stop using the service.
34. Further guidance on the Cloud?
ENISA Cloud security guide for SMEs
• Advises on risks and procurement
• Poses security questions for prospective providers
ISO 27018
• A code of practice that focuses on protection of personal data in the cloud; builds on ISO27002
The CISPE Code of Conduct
• Emerging framework
• Prohibits the reuse of customers’ data
• Ensures processing and storage exclusively in the EU
35. Where’s Public Cloud now?
• Employ a “Shared Responsibility Model”
• Both Amazon and Microsoft adopted the Model Clauses and
are registered with Privacy Shield
• Both AWS and Azure have EU regions
• Azure already has a UK region and the AWS UK region launch is imminent.
• Both have comprehensive material in their compliance portals
• Both emphasize SOC2/3 regimes
• Both comply with ISO27018
36. What does the future hold …
• ICO income from registration will dry up
• Gov’t will look for ICO to be self funding from enforcement
• Supply chains will look to limit their liability
• Cloud Providers will be more interested in your data and making you attest
• Likely certification schemes and badges will be developed
• ICO likely to target gross offenders when it comes to breaches
• Bodies of good practice will be adopted e.g. ISO27018, CISPE.cloud
• SOC2 and SOC3 will continue to be pushed by US firms
• Likely there will be some “ambulance chaser” industry
• Prospect of custodial sentences either through the regulation itself or associated regulation
37. Useful resources
Available now
• ICO’s GDPR Overview
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
• ICO’s Preparing for GDPR:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
• Lots of material online from vendors, legal firms, suppliers.
What’s coming soon
• Article 29 Working Party https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Art29
• First regulatory guidance expected before end of 2016 addressing :
• the role of the Data Protection Officer,
• the new right to data portability
• Also developing guidance for publication in February 2017:
• regarding the concept of risk under the GDPR
• and carrying out Data Privacy Impact Assessments
• And working on guidance regarding certifications under the GDPR
• ICO https://ico.org.uk
• Revised guidance on Big Data expected by the end of 2016
• Also guidance on consent and profiling expected by the end of January 2017.
Editor’s notes
Builds up on the Data protection Act and is bigger, stronger and more significant.
Transparency, Compliance and Enforcement are at its heart
It really sets out the obligation to have an effective Privacy management system that is auditable
Enforcement comes into force May 2018.
There are derogations on the requirement for the DPO but they may be a 3rd party but they must report to the board.
GDPR is big
34 articles, 72 recitals 20 pages
99 Articles, 134 recitals, 156 Pages
Articles – sets out the obligations
Recitals – sets out the reasons
However Substantial proportion is direction to “Lead Supervisory Authority (LSA)” e.g. ICO
There is an amount of fear, uncertainty and doubt that has crept up associated with the regulation
Often the FUD is based on something – typically an exaggeration or misinterpretation of the regulation
There isn’t really a play book to follow
No precedent – nearest approximation: Bundesdatenschutzgesetz (BDSG)
never happen and won’t apply to us because of Brexit …
be a damp squib – just like the “cookie law”
cost you millions to implement and isn’t financially viable…
be GDPR-lite …
However it is not an exaggeration to say it is large and it is complex
Let’s be clear, this is binary: you have to comply; if you don’t, you are breaking the law.
Regulations are law; Directives are open to national interpretation and implementation.
Whilst we are members of the EU it is law. It could only be repealed after we have formally left.
The regulation is designed to protect EU citizens’ rights.
(Elizabeth Denham) Info Commissioner
(National Association of DP and FOI Officers Conference keynote 21st Nov)
E.g. Irish Republic
It would seem extremely unlikely for it to be repealed immediately.
It would be an extremely risky strategy to bet against it and do nothing – unless you’ve got a one-way ticket to Rio… You are setting yourself up to fail.
So because the Regulation builds upon the DP directive it’s helpful to remind ourselves of that – the 8 principles are:
Lawful
Limited
Not excessive
Accurate
Retained no longer than necessary
In line with rights
Secure
Not transferred outside EU/EEA
Focus is on the data and registration
Which often means – Obfuscation and opaqueness and detachment: very broad data protection registrations, privacy policies hidden away, opt out tick boxes, deterrents to reluctant subject access requests and there’s a focus on not “storing” data outside the EU.
Where everything is a bit ambiguous
All feeling a bit of an optional tick box exercise, that’s best avoided.
A sense of ‘best endeavours’ that doesn’t put the data subject at its heart.
Where the reason for data protection is forgotten
And all feeling a bit optional
Harmonising legislation in the EU
Part of a wider series of initiatives under the European Digital Single Market:
ePrivacy Directive
NIS Directive
Expect 5.7TB of data per person to be collected every year by 2020
Enhancing and protecting the rights of EU Citizens
Strong message to global business
Enforcement Notices going back to 2014
Focussed on unsolicited emails and self reported breaches by health orgs
Less than 50% have led to fine or prosecution
Largest fine 400K Talktalk breach
Fines require material harm or financial loss to have occurred
Just look at the news every day …
So let’s get the big scary headline out of the way first – enforcement has far bigger teeth.
Whether something is tier 1 or tier 2 depends on the specific articles breached
Major breaches e.g. failure to meet principles, lawful processing etc..
Minor breaches e.g. late notification of breach etc.. Administrative breach – i.e. no incident is necessary.
On the upside you no longer need to register with ICO annually.
You could say it’s a bit like Usain Bolt
Bigger (teeth),
Bolder,
Faster
And perhaps more intense than what came before…
Now when looking at the regulation I’m going to focus on the core and hopefully most relevant aspects and not stuff that I suspect
Isn’t just about the obligations of Controllers but processors
Also a concept of co-controllers
The regulation makes the definition clearer
In particular about online identifiers
Processing means pretty much anything
In theory the regulation doesn’t apply to:
incidental information (i.e information that’s not used or processed)
Data not held in a structured format
However - Caution!
The purpose of data is to be useful
The obligation for data to be portable – requires it to be structured.
Sensitive personal information relates to protected attributes: health, race etc…
Has greater restrictions and obligations e.g. protection and explicit consent.
It is possible that some of the data you collect is sensitive
There are special considerations relating to children
You need to ensure that your systems and services support Data subjects enhanced rights.
There are some derogations with R2BF but they’re unlikely to apply to jobs.ac
Broadly similar to the 8 previous principles
Just more specific and less open to interpretation
Transparency
Justifiable business need “purpose limitation”
Data minimisation
Errors must be corrected without delay
“Storage limitation”
Integrity and Confidentiality
“Accountability”
Principle 6 “in line with right of the data subject” incorporated across ALL the principles but particular Lawful
There will be no flags of convenience where data can be processed
If you are an EU entity and you process overseas you still have to comply
If you are non EU entity and you offer goods or services to EU citizens or you monitor their behaviour _within_ the EU you still have to comply
Explicit consent isn’t the only way of achieving lawful processing; there are 6 pathways
It’s still likely to be the most common, most applicable to you and straightforward
Legitimate interests MUST not undermine rights of the data subject, needs to be proven and can’t be employed by public bodies
Legal obligation can be more than statutory law; it can be common law – e.g. financial regulations
Also includes precedent (i.e. common law)
Public interest must be set out by law
It’s important to note that other pathways do provide a derogation from wider obligations to inform and protect etc..
No more inadvertent consent
Time to upgrade your consent functions
Easy come, Easy go
Under 16 requires parental authorisation
Explicit consent required for sensitive and special categories of personal data
N.B if the purpose changes you need to do it again.
Implementing an ISO27001/2 ISMS
Implementing least privilege and data minimisation
Pseudonymisation and Encryption
Pen testing
Lots of record keeping to satisfy subject requests and ICO
e.g. Criminal Justice and Immigration Act 2008 makes unlawfully obtaining personal data punishable by up to two years in prison.