DATA PROTECTION MAGAZINE
Max Schrems
Q&A with the lawyer and privacy activist
SPRING 2019 issue 3
Contents
06. Privacy is dead, long live trust
09. GDPR: The story so far
13. Era of mass fragmentation
16. Breaches, breaches everywhere
20. Max Schrems on the future of data privacy
22. Data protection and Brexit: where things stand as the clock ticks
25. Building an effective data protection risk management programme
29. As GDPR starts to bite, risk management has never been more important
35. Highway Patrol - the drive for data collection
37. The three lines of defence in data protection
39. Leading by example: how the GDPR is inspiring worldwide change
43. GDPR Compliance Requirements for Enterprises and Public Administrations
45. Criteria for selecting a compliance management platform (CMP)
53. Pain and suspicion as catalysts for innovation
Published by Data Protection World Forum
INTRODUCTION
In our first issue, we quoted European Data Protection Supervisor, Giovanni Buttarelli, who said he expected the first GDPR fines to arrive “by the end of [2018]”. True to Mr Buttarelli’s prediction, in October Knuddels was among the first companies to fall foul of the new data law standards when the German chat app received a regulator fine of €20,000 for a customer data breach. At the other end of the spectrum, a nightmarish seven months for the tech giants culminated in a record-breaking fine for Google, while Facebook awaits the judgement of ten separate regulator investigations into data handling transgressions.

Beyond changes in action, this new era in data protection law is momentous because it is effecting changes in attitudes to data privacy on an unprecedented scale and at unprecedented speed. The Irish Data Protection Commission’s report of a huge leap in data breach notifications to regulators since the implementation of the GDPR should come as no surprise. The trend describes a rising consumer awareness that is finally being mirrored by attitudes in the C-suite, as business leaders and politicians from the US to China acknowledge the example set by the EU’s GDPR.

In this issue, we break down the impact the GDPR is having at home and abroad, and consider its role as an influencer of policy in regimes around the world. We speak to privacy activist Max Schrems, whose epic battles in the courts have made the Austrian lawyer the face of consumer data rights. AI and machine learning also fall under the microscope, as we consider a future whose functionality looks set to depend increasingly on monitoring the metrics of our daily lives.
Privacy is dead, long live trust
Long before the GDPR, before Facebook and Cambridge Analytica, and before anyone realised just how much of their personal data was being collected and consumed by both private companies and governments across the globe, it was being said that privacy is in fact dead.
Written by Richard Merrygold, Data Protection Officer, iSTORM Solutions
That premise is now truer than it has ever been. It is estimated that we now spend five years and four months of our lives on social media. That’s more time than we spend eating, drinking and socialising combined!* This time is spent on sites and services that are deemed ‘free’. No subscriptions, no monthly fees, no annual cheques (for those of you who remember paying by cheque). However, nothing in this world is free. The real cost of this interaction with the digital world is personal data: your information, your likes, opinions, beliefs and innermost thoughts, essentially your right to privacy. As a society, we have chosen to trade our right to privacy in exchange for access to services that connect us with the world and make our lives easier, more convenient and more efficient. This trade-off has created a new commodity, and that commodity is trust. Trust is one of the most powerful human feelings; it underpins everything that we do, who we share with, who we love, where we live, eat, sleep, even what car we drive or what route we walk to work. Once our trust has been broken it is incredibly difficult to repair.

*Source: Social Media Today
It is now widely accepted that our personal data is a currency that we exchange for access to the services that we feel make our lives better. We trust the banks to keep our money safe and invest it wisely, and in the same breath we trust the businesses we buy from and the societal services we use to respect our data and our choices. All companies today rely on trust. There are very few services on offer that don’t require you to collect some form of personal data about your customers. How much information is required varies greatly depending on the service on offer. The more sensitive and personalised the offering, the more in-depth the information required will be, and the greater the level of trust you will need.

Of course it is easy to preach about what businesses should be doing and what consumers expect, but more important is how to do it. The fundamental leading principle of the GDPR tells you all you need to know: Accountability. Saying that you care or that you “take privacy extremely seriously” is not enough. Words are empty if they are not backed up. Actions speak louder than words, something I have learnt the hard way. You need to be able to demonstrate to your customers, your regulators and the world at large that you have taken the appropriate steps to protect your customers’ privacy and thereby maintain their trust.

The future of data protection, for me, belongs to those who are open, honest and accountable to their customers. Respect your customers’ wishes, respect the data they have provided you with, be open, honest and transparent about how you use their data and why, and in turn they will reward you with their trust and a long and fruitful relationship. Privacy is dead. Long live trust.
GDPR: The story so far
The GDPR arrived on May 25th 2018 to clean up data security, bringing higher standards of data processing and threatening non-compliant organisations with fines of up to €20 million or 4% of annual turnover.
Written by Steve White Co-Editor, Data Protection Magazine
These penalties were a marked upgrade on the Data Protection Act 1998’s ceiling fine of £500,000, but heavyweight legislation was always going to be needed to restore order in what has become a data-driven economy characterised by unnecessary hoarding and non-consensual movement of user details. Long before the new laws went live, it was clear that compliance would be neither a sprint nor a marathon, but an ongoing journey. This is because winning with the GDPR depends on nurturing stronger data privacy through continual checks, reviews and improvements to satisfy the demands of the risk-based approach. The GDPR is a blueprint for cultural change, not a guidebook on how to conduct a one-time audit.

The risk-based approach means implementation of the GDPR is unique to each organisation. The lack of a one-size-fits-all solution did nothing to ease general confusion in the run-up to May 25th last year, but it also sent a very clear message that encouraged businesses to do all they could to embrace the GDPR’s three supporting principles of transparency, control and accountability, as explained by the ICO’s deputy commissioner, Steve Wood, at Data Protection World Forum in November. By listening, learning and reaching out to the GDPR’s requirements, companies could mitigate regulator penalties and reputational damage, while differentiating themselves as responsible data handlers in a world where consumers are increasingly switched on to data privacy. At least, that was the dream. But how did the new laws play out in reality?
The user experience
On May 25th 2018, five months on from Christmas, users took to social media to celebrate GDPR day and to share what had appeared in their inboxes overnight. News feeds full of ironic memes and gifs put #GDPR on a par with a lump of coal for all the real interest taken by the average millennial, but the derision belied the importance of emails that bore the nuts and bolts of what will protect us in the digital age. Companies were now asking for our permission to process our data, telling us how our data would be used and letting us know that we could now download all the information organisations hold on us, and ask for that data to be deleted if we so wished. Websites appeared with shorter data privacy notices designed to put an end to reams of T&Cs written in legalese and to promote transparency, control and accountability; this was privacy awareness on an unprecedented scale. PwC’s Stewart Room would describe how outreach through the months of May and June 2018 was greater than all the outreach conducted throughout the whole of IT history combined. With the requirement for explicit opt-in to receive company communications, marketing campaigns would never be the same again, and many firms reported “a decrease of about 25 to 40 percent of their addressable market”, said senior Forrester analyst Enza Iannopollo. The effect was heightened because many data privacy emails simply went unopened, reining in the long-standing cavalier marketing practice of freely profiling users, processing data and firing out advertising material from the hip.
Shaming of the big brands There has been no shortage of sparks flying up as organisations have grappled for traction with the new data laws, and the big brands have been burned in 2018.
Facebook
The popular social network kicked off a torrid year in data protection standards when news broke of its shadowy relationship with Cambridge Analytica. The UK-based data analytics firm had worked with Donald Trump’s election team in the run-up to the 2016 presidential election, and had harvested millions of Facebook profiles of US voters to create targeted advert campaigns with a view to influencing voters’ decisions. “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on,” the Observer was told by Christopher Wylie, who worked with a Cambridge University academic to obtain the data. In October, the Information Commissioner’s Office eventually fined Facebook £500,000, the maximum amount possible under the Data Protection Act 1998, after deeming that the personal information of at least 1 million UK users had been used without authorisation, and that those users had been put at risk as a result. As the reputational damage sent Facebook’s share price into a nosedive, the ICO warned that Mark Zuckerberg’s firm could have faced fines of up to £1.2bn had the scandal played out on the GDPR’s watch. More alarmingly, the episode blew the lid off how data can be manipulated to undermine the most cherished institution of the free world – democracy itself. Facebook sealed its calamitous 2018 this autumn by revealing that a glitch in its “view as” feature had enabled hackers to access the accounts of up to 50 billion users. With investigations ongoing, the Irish Data Protection Commission could levy further multimillion-dollar fines against the beleaguered social network.
In September, news broke that credit rating agency, Equifax, would be fined the maximum £500,000 under the Data Protection Act for its mismanagement of the data of up to 15 million British users. The penalties addressed a 2017 cyber-attack which saw the personal details of around 146 million people exposed, though most of the victims lived in the US. Beyond the “multiple failures” in Equifax’s systems that had led to personal information being kept longer than necessary, through a GDPR lens the case stands out because Equifax dedicated themselves to covering up the intrusion. Originally, the firm said that the number of British victims numbered 400,000, only for that figure to be pushed up to 700,000 and then 14.5 million, leading the ICO to conclude that appropriate steps to address the breach had not been taken. Information Commissioner, Elizabeth Denham commented: “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce. This is compounded when the company is a global firm whose business relies on personal data.”
The data protection world was rocked at the end of November when the Marriott hotel chain disclosed that it had been the victim of the biggest hacking scandal in corporate history, with the details of up to 500 million customers compromised. The breach took place between 2014 and 2018 on the multinational’s Starwood database, in an intrusion which saw unauthorised parties access data including payment details, residential addresses, email addresses, phone numbers, passport numbers and travel information. As Marriott scrambles to assess and deal with the damage from the breach, concern has peaked over how well-equipped the industry is to responsibly handle the private data of its guests and employees in the 21st century. John Burns, president of Hospitality Technology Consulting, told Bloomberg: “People trust us to allow them to sleep safely and securely. There’s a longstanding tradition of an innkeeper, that we fulfil that commitment to them. Has it extended naturally, with the same diligence, to the digital environment? Not always.”
British Airways
The famous UK carrier recently told customers that data from around 380,000 booking transactions had been acquired by a criminal element, with credit card details, expiry dates and CVV codes also being accessed. If the BA data breach doesn’t match the magnitude of the intrusions suffered by the likes of Facebook and Equifax, it stands out for the GDPR-era response of BA executives: the company took just one day to reveal that it had been the victim of a cyber-attack that had taken place between 21st August and 5th September. The company’s shares took an immediate hit, but its prompt notification of the hack’s victims will be a mitigating factor under the GDPR, which stipulates that firms must inform potential victims of intrusions within 72 hours of the hacking event being discovered.
Quora is one of the most recent major brands to fall victim to a data breach, with an intrusion announced on November 30th which saw the private information of up to 100 million account holders leak into the public domain. Among the details compromised were IP addresses, user IDs, account settings, public actions, blog quotes and comments, and user names. It was a high-level breach because of the sensitivity of the information accessed: users’ names, encrypted passwords and data from platforms such as Facebook and Twitter meant hackers suddenly had access to multiple layers of millions of digital profiles.
What’s in store in 2019?
Experts expect data privacy laws to take a tighter hold through 2019, with data breaches more likely to be exposed to the full force of GDPR-era penalties, as Rohan Massey, European head of privacy and cybersecurity at Ropes & Gray, explains: “Companies and data protection lawyers spent the latter half of 2018 waiting in vain for the first blockbuster GDPR enforcement action. They are unlikely to be disappointed in 2019, as regulators conclude their ongoing investigations and the incidents caught by the previous law fade into the rear-view mirror.

“Whilst it’s likely that there will be multiple seven-figure fines, we wouldn’t be surprised to see a EUR 10 million penalty issued — most probably by the Irish, French or UK authorities, although there are 25 other regulators that will also be keen to show their teeth.”

“2019 is set to be the most important year in international data transfer compliance since the Safe Harbor agreement was struck down in 2015. This is because the ECJ is expected to rule on the validity of the European Commission’s standard contractual clauses, which many businesses use to transfer personal data outside the EU,” Massey continues. “Given that the SCCs (standard contractual clauses) are being challenged on the same grounds used to invalidate Safe Harbor — that US law does not protect European citizens’ data against the NSA’s (National Security Agency) mass surveillance programmes — we think it likely that the ECJ will also strike down the SCCs in their current form.”

“The proposed ePrivacy Regulation is unlikely to be agreed before the EU parliamentary elections in May, meaning that the text won’t be finalised until 2020 — and may not take effect until 2022,” he adds. “The level of disagreement between Member States and the intense business lobbying over the text doesn’t augur well for a speedy resolution. That said, the interplay between the GDPR and the existing Directive on critical areas such as cookie consent makes the likely delay in getting the Regulation agreed somewhat less detrimental.”

Dr Klaus Gheri, VP and GM of Network Security at Barracuda Networks, feels automation will play a key role in legal compliance over the next 12 months. “Migration to the cloud has become a megatrend. This has led to new requirements in terms of securing services and the required infrastructure. In particular, star-shaped WAN topologies with central Internet access must be redesigned with regard to their compatibility with increasing use of cloud services - keyword SD-WAN.

“IoT and Industry 4.0 also open up new areas of attack. Companies should increasingly think about device recognition in the network in order to segment out smart devices accordingly.

“Even if it is a truism, email remains the primary gateway for malware. Users can now protect themselves much better against this with intelligent email security products. There is still a lot of catching up to do here.

“Therefore, all necessary security technologies should always be preceded by a well-founded education of the employees. Companies must develop a comprehensive security awareness programme that addresses the most important security issues. The solutions will continue to evolve towards automation in 2019.”

Perhaps most significant is the legacy the GDPR is leaving on a global level, and the role the laws are playing in waking world communities up to the extreme relevance of data privacy. This was encapsulated in Tim Cook’s address at a conference of European privacy commissioners in Brussels last year. The Apple boss called for new digital privacy laws in the US, and argued that data privacy is a fundamental human right, before describing how the collection of large swathes of personal data is harming society. Chiming with this outlook, Chris Baker, SVP and GM EMEA at Box, says that 2019 will see the world trying to live up to the legislative example set by Europe, as similar regulations are created in jurisdictions worldwide. “Organisations must ensure they are compliant with regional data privacy regulations, and more GDPR-like policies will start to have an impact.

“This can present a headache when it comes to data management, especially if you’re operating internationally. However, customers will have trust in a business when they are given more control over how their data is used and processed. And customers can rest assured knowing that no matter where they are in the world, businesses must meet the highest bar possible when it comes to data security.

“Starting with the USA, in 2019 we will see larger corporations opt in to GDPR to support global business practices. At the same time, local data regulators will lift large sections of the EU legislative framework and implement these rules in their own countries. 2018 was the year of GDPR in Europe, and 2019 will be the year of GDPR globally.”
SPOTLIGHT SPEAKER
Max Schrems, noyb
Introducing data privacy pioneer and noyb.eu founder, Max Schrems. In 2011, Austrian law student Max Schrems requested his personal data from Facebook as part of college research, and was shocked by the results. Facebook had a record of his entire user history, from pages he had ‘liked’ to private messages he had sent. Even personal communications regarding a friend’s health, which Schrems had deleted, were still held on the social network’s servers. Schrems made 22 complaints to the Irish Data Protection Commission, in which he claimed that Facebook was breaking European data protection laws, in fundamental violation of user privacy. A prolonged battle with Facebook took him all the way to the European Court of Justice, where in 2015 a landmark legal victory triggered an international crisis and saw the end of Safe Harbour, a data-transfer agreement used by thousands of organisations. Today, Schrems continues to fight for global privacy rights through noyb.eu (None of Your Business), a privacy lobbying group dedicated to ensuring regulators enforce the laws that are there to protect us. The goal is to uphold data privacy, which Schrems considers “the most unenforced right” in Europe.
European Data Protection Summit
European Data Protection Summit London and Data Protection World Forum Singapore offer exclusive engaging content, education and networking opportunities. The events are perfect for business professionals who want to develop their understanding of data privacy, meet and discuss with industry peers, and get answers from the experts at this pivotal time in data protection history.
Delegates at European Data Protection Summit London will be able to hear Max Schrems deliver his keynote, “Data transfers after Brexit in the light of the UK surveillance laws.” Coming to 133 Houndsditch on 3rd June, the event will see leading global authorities bring clarity to the critical issues in data protection and cyber security. The summit will include keynote talks and live debate among security professionals and senior business leaders, providing information, updates and security solutions to a delegate base that is set to include over 800 Data Protection Officers (DPOs).
Data Protection World Forum Singapore
On 11th and 12th June, Max Schrems will deliver his keynote, “Global Data Flows and Conflict of Laws”, to audiences at Data Protection World Forum Singapore. As national governments take inspiration from the EU’s General Data Protection Regulation, DPWF Singapore promises to look into what ASEAN (Association of Southeast Asian Nations) member states and multinational corporations (MNCs) need to do to harmonise with global privacy standards. Bringing together over 1,000 delegates, this two-day event includes workshops, breakout sessions and a Keynote Conference theatre, where global experts in privacy and data protection will air their views.
The perfect place to develop your data protection knowledge. Visit Data Protection World Forum for more information.
Era of mass fragmentation
Data has become the fuel for business success because it drives insight. Steve Norman, Head of Data Protection for Iomart, explains why comprehensive management of your secondary data is the key to unlocking its value. Here’s a question for you. Do you know how much data your organisation has and where it’s stored? This might seem like a simple enough query but for many, it’s complicated to answer. This is because we’re operating in an era of mass data fragmentation.
As the volume of data we collect and use continues to grow, only about 20% of it is production data – the information we use to keep our organisations up and running every day. The rest of it is what we call secondary data – your backups, your archives, and the data you use for test and development or business analytics. That’s a whopping 80% of your data and it’s not just sitting in one place – it’s spread across silos throughout your IT systems, on different software and hardware, across different data centres and in different clouds.
This is not just a major headache for your IT team. At a time when compliance and new privacy standards like the General Data Protection Regulation (GDPR) are front of mind for all of us, it’s a real security risk. While this secondary data is largely non mission-critical, it still forms a very important part of your obligations when it comes to data protection. If you can’t see and manage the data you’ve got properly, how can you be compliant? The reality of this was highlighted in research published in November 2018 which questioned more than 900 senior IT decision-makers about their secondary data. The survey (conducted by Vanson Bourne on behalf of our data management partner Cohesity) revealed four levels of data fragmentation:

Level One: fragmentation across silos: backups and recovery in one silo; file and object servers in another; archiving in another; test and dev data somewhere else; and search and analytics data in another silo.
Level Two: storage of the above data on a range of different systems, such as tape/media servers, etc.
Level Three: storage across data centres and in cloud services in different locations.
Level Four: fragmentation from redundant copies of the same data that are stored ‘just in case’ for e-discovery.

[Figure: Mass Data Fragmentation Across Locations. Primary and secondary data (backup & recovery, file & object servers, archiving/LTR, test & development, search/analytics) spread across data centre and cloud, with the four levels marked: 1 fragmentation across silos, 2 fragmentation within silos, 3 fragmentation across locations, 4 fragmentation from redundant copies. Courtesy of Cohesity Secondary Data Market Report.]
According to the respondents, as well as being hugely inefficient and incredibly complex, failure to grasp this problem was also causing major financial pain, with some IT teams wasting as much as four months of the year on secondary data management because they don’t have the right tools in place. The reality is summed up in the main conclusions of the report:
Mass data fragmentation is real: secondary data is fragmented and is, or will become, nearly impossible to manage long term. Key findings from the respondents:
• Use 6 or more solutions for managing their secondary data operations (10% use 11 or more)
• Have between 4 and 15 copies of the same data (10% have 11 or more copies)
• Store data in between 2 and 5 different public clouds
• Spend between 30% and 100% of their time managing the complexities of secondary data
• Weeks (4 months) of extra effort per year due to the proper tools not being in place
Almost three quarters of those who responded said that secondary data is becoming so fragmented that it will become impossible to manage in the future. This, they believe, will put their organisation at a competitive disadvantage, eat up their IT budget and put even more pressure on already stretched IT teams. This, the survey said, was ultimately putting IT experts in constant fear of a compliance breach because of their organisation’s fragmented data.

It’s worth remembering that every time you make a copy of a dataset and move it to a new location, you are reducing visibility and increasing risk. Do you even know how many copies have been made of your data and where they reside?

While historically secondary storage and data management have been handled by the IT team without the rest of the business paying much attention – one writer describes it as “the ugly stepchild of the data industry” – the growing pressure to innovate has turned it into a high priority for every CIO. This previously ‘dark data’ is now in the spotlight. By getting on top of the issue of mass data fragmentation, organisations can ensure GDPR compliance, make informed decisions about what data to keep and what to discard, use it to make better business decisions and monitor it for potential threats.

The GDPR places a set of legal and technical requirements on organisations that process personally identifiable data. The clauses on data protection and management apply to the storage systems and vendors being used. There is a balance of responsibility of which each organisation must be aware, so consistency in your approach is a huge positive when meeting your compliance requirements. By consolidating that 80% of data that’s lying across your secondary storage systems you will:
• gain the visibility and security your organisation requires
• make your data easily searchable for e-discovery and compliance
• make it more useful for business analytics purposes
This issue is too important to overlook. Just making storage more efficient or reducing the number of copies of your data isn’t enough. The most successful companies are choosing secondary data solutions to help them become more innovative while reducing competitive exposure and enterprise IT staff burdens. Your organisation can achieve this too. Data is a business’s most important asset so start taking steps to harness it by consolidating and unifying all of your secondary data and applications. First, overcome mass data fragmentation with a single, software-defined solution that runs on-premises, in the cloud, and at the edge. Second, gain competitive advantage by improving IT agility with less management complexity, easy data mobility, and data reuse. By combining proper management with greater visibility, analysis and protection of your data, you will be taking actions that will benefit your organisation.
Written by Steve Norman, Head of Data Protection, iomart
Steve Norman is Head of Data Protection for iomart, a provider of managed data protection, data storage and managed cloud solutions from ISO accredited UK, European and global data centres. He provides high-level strategic advice to help iomart’s customers improve their business compliance, performance and profitability. For more information visit www.iomart.com.
SPOTLIGHT SPEAKER
Tamara Ballard, Channel 4’s data protection and legal expert
Channel 4’s data protection and legal expert, Tamara Ballard, will be among the speakers at European Data Protection Summit.
Coming to London on 3rd June, this exclusive event will bring 800 DPOs, security professionals and senior business figures together for a day of guidance and advice at a crucial time in global data protection and consumer privacy. We are delighted to welcome Tamara at European Data Protection Summit, where she will be delivering her keynote: “Embed a culture of privacy that enables compliance”.
Tamara’s keynote will sit within a packed agenda of talks delivered by fellow industry experts, including: • • • • •
Max Schrems, Founder at NOYB Sheila FitzPatrick, President & Founder at Fitzpatrick Associates Tamara Ballard, Data Protection Lawyer at Channel 4 Edward Hanson-Assan, Associate DPO at Knight Frank Steve Wright, Group DPO, Bank of England
Data privacy pioneers in the media industry Channel 4 has risen to become a data privacy champion among media groups in era of the GDPR, with the popular broadcaster standing out for its commitment to aligning privacy with modern standards and consumer expectations. Since 2016, Tamara’s provision of legal advice and analysis on data protection, privacy, regulatory and security matters has placed Channel 4’s business reputation on a firm foundation. European Data Protection Summit London Delegates at European Data Protection Summit London will be able to hear Tamara go into detail on the compliant behaviours that are needed to galvanise personnel and uphold data protection standards throughout the workplace.
Against a backdrop of increasing data breaches impacting on a global scale, European Data Protection Summit comes at a critical time in data protection and user privacy. The need for ideas, debate, advice and technological solutions has never been greater. The summit will host a dinner following the conference event, where attendees will be able to enjoy a drinks reception, three-course meal, further networking and entertainment. To register for European Data Protection Summit, visit summit.dataprotectionworldforum.com.
17
Breaches, breaches everywhere
With 2018 having drawn to a close with ever increasing momentum on daily breach notifications, 2019 shows no sign of organisations of all sizes, industry classifications, public or private being immune from the increasing implications of the impact of data breaches. And this can only continue to build as executive officers still show scant regard for the importance of data protection.
Written by Ian West, Executive Vice President & COO, GDPR Associates
But even the few organisations appearing to be serious about data protection aren’t immune from the implications. With over 90% of data breaches happening within organisations perpetrated by the poorly informed or badly trained, the wilfully malicious, or by those using shared or compromised access credentials (hackers don’t often do the hard work of drilling through impenetrable firewalls that Hollywood movies would have you believe; they just steal the details from the weakest link in the chain – the employee using their email address and pass1234 or their dog’s name, which is proudly paraded all over social media, as their password), the likelihood of this continuing apace is very real. Incompetence comes in many forms and is not just the sole domain of the incompetent. So, no matter what you do, there is only one certainty – you will have a data breach. A report prior to Christmas 2018 stated that the UK regulator, the Information Commissioner’s Office, had received over 8,000 data breach notifications in the six months from the 25th of May to the start of December 2018 – an increase from approximately 1,000 breaches in the previous calendar year. Added to this, the Danish regulator has reported being swamped with data breach notifications. With the Irish and French regulators focusing on picking huge legal fights with the likes of Facebook and Google, 2019 looks set to be a most interesting year. Last year highlighted some incredibly poor data protection behaviour and raised many different business and breach scenarios, with Equifax starting the significant breach implications by trying to suppress a 146 million subject notification.
Heathrow Airport were fined for simply losing an insecure memory stick, and Facebook were perpetually in the news for a never-ending catalogue of breaches. These involved accessing security vulnerabilities, but also unethical and arguably criminal data sharing programmes which included the forced commercial closure of one of their partners Cambridge Analytica because of data sharing and manipulation activities. In addition to this we saw man-in-the-middle data processors breaches embarrass British Airways; Morrisons fell foul of a disgruntled employee who shared 100,000 employees’ data, and despite winning the legal case against the employee, the supermarket chain still appears to be staring down the barrel of huge potential fines in a centralised employee class action lawsuit.
Dixons Carphone Warehouse lost 10.3 million UK customer records and 5.9 million payment card details, leaving almost every UK household open to increased phishing attacks. Many call centre businesses were falling foul of recording calls for training purposes and also recording credit card details, with much of this detail being processed in offshore centres. As 2018 drew to a close, Marriott International announced a 500 million customer data breach affecting users on the database of the group’s global Starwood division. If these weren’t enough, the regulators started to levy fines on businesses with no EU presence whatsoever (but which were processing the data of EU citizens in other geographies). But the final item that appeared to be lost amidst the Christmas party season was the stiffening of the Privacy and Electronic Communications Regulations to make officers (executive or non-executive) personally culpable, up to a maximum individual fine of £500,000 per instance, when breaches are caused by the action or inaction of an officer, where they have consented to or connived in the breach, or if that breach is attributable to their negligence. So, it’s safe to say that the data breach world is starting to get very interesting. You can ignore data protection if you choose. Executives can consent to this behaviour, they can connive in creating a breach or they can just neglect it and ignore that it is happening. But the regulator is after you and your organisation. Cambridge Analytica proved there is nowhere to hide and the regulators will raid your offices on a Sunday evening to remove all electronic storage devices and every piece of printed documentation.
Just when you thought the worst may be over, a group of security analysts have just found 1.6 billion email addresses and passwords in a Dark Web paste bin. This will affect around 25% of the world’s online population and could easily be the largest data breach ever. There are only a few places this volume of records could have come from, either one of the big email service providers or one of the domestic providers in China or India, but as the vast majority of details in the latest hack are in English, the likelihood is that this breach is from one of the major Western ISPs. Watch this space for more details, because if you are reading this and your native language is English then there is a very high likelihood that it will affect you personally. Breaches, Breaches Everywhere! It’s only going to get worse, a lot worse, before it starts to get better!
Lawyer and privacy activist, Max Schrems
on the future of data privacy
Max Schrems has become the face of modern consumer privacy and data protection rights, since his landmark legal victory against Facebook.
The battle began back in 2011, when Schrems asked to see all the data the social network held on him. He discovered that Facebook had his entire history still on file – including a host of personal messages that Schrems had himself deleted. He made 22 complaints to the Irish Data Protection Commission, claiming that his user privacy rights had been violated. It was the start of a course of action that would end up in the European Court of Justice, where the young lawyer would win a crucial victory.
Max Schrems has since founded noyb.eu (None of Your Business), a privacy lobbying group that aims to make sure regulators exercise the laws that are there to protect consumers. We spoke to Max recently to learn more about the crucial nature of privacy in a world that’s increasingly reliant on personal data.
How concerned should we be about the ways big tech firms such as Facebook currently handle our data?
Max Schrems (MS): The reality is they have a lot of information and thereby a lot of power over us and we have a huge trust issue. In the areas we know what companies are doing we already see fundamental breaches of privacy laws. If you take that and apply it to the future, where much more will be possible with the existing information, we have to make sure that these powers stay within reasonable limits.
What can organisations around the world learn from your fight against Facebook, in terms of compliance with data privacy laws such as the GDPR?
MS: I think more organisations use data for a normal and reasonable purpose. We ourselves at noyb use data of our members to bill them or to respond to requests. This is a whole different world from organisations whose main purpose is to exploit information for a financial gain. Assuming that most organisations see data processing as a necessary tool for another purpose, they have a rather limited conflict of interest when it comes to compliance with the law compared to Facebook. On the other hand, most organisations may themselves use tech giants and may want to think twice about how much of their information they entrust to such platforms.
Should the USA adopt a GDPR-style regulation nationwide?
MS: I think in the long run we should ensure that we have common standards globally – or at least in as many countries as possible, as we otherwise risk problems in international data transfers. This could lead to a ‘balkanized’ internet. Many countries around the world now adapt an “EU style” data protection law. At the same time the tech world is dominated by the US. It will therefore make a lot of economic sense for the US to follow a global model.
What are your hopes for noyb through 2019 and over the next few years?
MS: We have just started and our main aim is to ensure that GDPR is not just ignored. We managed to get the first € 50m fine against Google by the CNIL, but this can only be a beginning. A crucial issue is, if we will be able to scale from a small NGO with a couple of lawyers to a sustainable organization that can continuously bring major cases and generate some enforcement pressure.
What are the challenges that organisations face as consumers become more data-privacy aware?
MS: When GDPR came in we saw a huge rise in complaints and legal actions. Many of them are still very much grass root movements, but the more this becomes professionalised, the more we may see class actions and serious fines. It usually only takes one user that is unhappy about a GDPR violation to trigger a substantial investigation and penalty. The likeliness of this has dramatically increased.
Data Protection World Forum Singapore
Max Schrems will be among guest speakers at Data Protection World Forum Singapore in partnership with Straits Interactive, coming to Singapore Management University on 11th and 12th July 2019. As national governments take inspiration from the EU’s General Data Protection Regulation, Data Protection World Forum Singapore promises to look into what ASEAN (Association of Southeast Asian Nations) member states and multinational corporations (MNCs) need to do to harmonise with global privacy standards.
Bringing together over 1,000 delegates, this two-day event includes workshops, breakout sessions and a Keynote Conference theatre, where global experts in privacy and data protection will air their views. Topics to be discussed include:
• Global regulatory landscape
• Best practice for collaboration between data protection, legal and cyber security teams
• Cyber Crime and the threat landscape
• New technologies, international trade and impact of data protection laws on ASEAN
• Breach notifications and incident response strategies, and many more
To register, visit summit.dataprotectionworldforum.com.
Data protection and Brexit: where things stand as the clock ticks
With just days before the UK is due to leave the EU, uncertainty still dominates, and businesses are far from having the clarity they need to be able to plan ahead to remain compliant with data protection regulation. As the political wrangling continues, what are the implications of the different outcomes in terms of data protection?
One thing was dominant in the news after the Prime Minister’s (PM) speech on Wednesday 20 March: government is stepping up no-deal contingency plans to respond to the dramatic short delay Brussels agreed to. If the House of Commons rejects the Withdrawal Agreement for a third time, the leaving date will only be pushed to 12 April to allow the UK to decide whether or not to request a longer extension period, and, most of all, hold European elections.
LET’S LOOK AT THE OPTIONS.
The first scenario is if Brexit is delayed or does not happen, the UK remains a full member of the EU. This means business as usual with regards to data protection matters. However, the Prime Minister has been clear that she wants to put the EU deal back to Parliament. Should the Withdrawal Agreement be adopted by the House of Commons during the envisaged transition period (i.e. until at least 31st December 2020), the relationship with the EU would remain identical for data protection matters. This should leave enough time to prepare for the future relationship between the UK and the EU.
POST TRANSITION SCENARIO
In both scenarios outlined above, it is worth focusing on what the situation would be after an extension of Article 50 or a transition period. Considering the positions expressed during the negotiations, the UK is likely to become a ‘third country’ under the GDPR after Brexit. That means in the absence of an EU adequacy decision (similar to that which exists for Switzerland or even the Privacy Shield for the USA) which permits data to be transferred freely to such countries without any onerous procedures, specific measures will have to be followed by businesses. However, the EU has indicated that the transition period will present the opportunity to grant adequacy to the UK. Transfers between the UK and the EEA would be able to continue as usual, providing that some cosmetic changes are made to data protection documentation such as records of processing activities, binding corporate rules, privacy notices, and DPIAs.
ONE-STOP-SHOP RULE
However, it is very unlikely UK organisations will be able to continue to rely on the ‘One-Stop-Shop’ rule, meaning they will need to deal with both the Information Commissioner’s Office (ICO) in the UK and the relevant EU Supervisory Authorities. If you have offices in more than one European country, you should consider moving some of your key decision-making activities to your most important office in the EU for data protection matters. This will enable you to continue benefiting from the One-Stop-Shop rule with the local Supervisory Authority as your Lead Supervisory Authority for your activities in the different EEA states. In addition, if you are a UK organisation receiving personal data from countries currently covered by an EU adequacy decision, it is important to be aware that more and more adequate countries are currently taking steps to allow data transfers to the UK. However, you should still check potential additional requirements with the sender of the data. Additionally, if your organisation sends personal data to a business in the US which is certified under the EU-US Privacy Shield, it is essential for the US-based organisation to update their privacy notice to expressly state that their commitments to comply with the Privacy Shield apply to transfers of personal data from the UK before proceeding with the transfer.
NO-DEAL GUIDANCE
It is important to bear in mind that these considerations only apply to an orderly Brexit. At the present time, a ‘no-deal’ exit has re-emerged as a real possibility and if that happens then the UK will become a third country, which means standard contractual clauses are the most viable option for sharing personal data. The ICO has set out a number of steps businesses should take to prepare for a no-deal scenario, including continuing to comply with GDPR rules and following ICO guidance, reviewing data flows into the UK from the EEA and considering the GDPR safeguards which will need to be put in place, and reviewing data flows from the UK so that the new basis for these transfers under UK transfer rules can be documented.
Businesses which operate across Europe should assess how the UK’s exit from the EU will affect the data protection regimes that apply to them, review the data protection governance and internal documentation held to identify any details that will need updating, and ensure key people in the business are aware of these issues. With things still very unclear, businesses need to follow developments closely and refer to the latest advice on the ICO’s website.
Written by Ivana Bartoletti, Head of Privacy and Data Protection, and Samuel Plantie, Senior Data Protection Consultant, Gemserv
SPEAKER SPOTLIGHT
Ivana Bartoletti, Head of Data Privacy and Protection at Gemserv
Ivana Bartoletti will be speaking at European Data Protection Summit in central London on June 3rd 2019. As Head of Data Privacy and Protection at Gemserv, Ivana’s wealth of experience was accrued through senior posts across public and private sectors, including roles in the NHS, Barclays and Sky. A privacy and data protection professional, Ivana is passionate about digital ethics and data governance, and mobilises her expertise through keynote talks at leading industry events in the UK and overseas. She helps businesses to harness the data they hold, and focuses on privacy by design programmes, especially in relation to Artificial Intelligence (AI) and blockchain technology. In May 2018, Ivana launched the Women Leading in AI network, along with Dr Allison Gardner and Reema Patel, a lobby group of women from different backgrounds that aims to mobilise the tech industry and politics to set clear governance around AI so that the technology is bound by human values to support all citizens. A report published in 2018 by the Women Leading in AI network garnered mass interest from tech leaders, international institutions and the media. A regular contributor to current media platforms, Ivana comments on privacy, data ethics and innovation for British and international publications, including the Victoria Derbyshire programme, BBC Radio 4, BBC World and the Guardian. She is a former advisor to the Romano Prodi government in Italy. Ivana speaks at conferences around the world including, recently, at UNESCO and the OECD. A co-editor of the Fintech Circle AI book, Ivana is also writing her own publication, expected to be released next year.
Addressing the inherent bias in AI Delegates at European Data Protection Summit London will be able to hear Ivana discuss the role of big data in today’s data privacy landscape, in her keynote: “Privacy in the age of big data and algorithms.” The BBC recently reported on the government’s acknowledgement of the “real risk of bias when relying on predictive policing programmes powered by algorithms”. Big data and algorithms challenge the traditional vision of privacy. Firstly, because big data is pervasive, persistent and can be constantly re-purposed. Secondly, because big data somehow represents the polar opposite of the concept underpinning privacy, which is about collecting as little as possible (data minimisation). Lastly, because deanonymisation techniques are increasingly sophisticated. Furthermore, we have to deal with the issue of bias and unfairness in algorithms which is worrying so many around the world. Ivana will explore the concept of privacy and ethics by design in AI, algorithmic impact assessments, barriers to explanation, and the concept of transparency in AI. She will discuss governance and ethics boards to help organisations that deploy AI to reduce risks around privacy and bias harms. Westminster has now announced that an independent review of algorithms used in justice and financial systems is to take place. Bringing AI into the debate, Ivana will shed light on the bias that can occur in algorithms when AI lacks crucial diversity and inclusivity. To register, visit summit.dataprotectionworldforum.com.
Building an effective Data Protection Risk Management Programme Written by Rowenna Fielding, Senior Data Protection Lead, Protecture
Human beings are generally rubbish at risk management. Our instincts evolved to perceive and react to physical risk as individuals or small groups – which is why we have the ‘fight or flight response’. Sabre-toothed tiger coming round the corner? Ice storm on the horizon? You know what to do. However, when it comes to abstractions like complex, long-term risks with multiple contributing factors, our instincts are of no use at all; we must rely on our higher analytical functions, and work through a process to arrive at a useful answer.
While the degree of ‘acceptable’ vs ‘unacceptable’ risk will vary from person to person, or organisation to organisation, the basic processes of risk management are unlikely to differ, no matter who is doing it.
Risk Management for Data Protection
According to the GDPR, data protection risk means primarily, ‘the potential impact to the rights and freedoms of the data subject arising from the processing of their personal data’. That impact may not necessarily be negative. For example, providing tools and processes to enable data subjects to exercise their rights is an example of processing which has a positive impact. In addition, a negative impact may not necessarily be unwarranted – paying taxes might not be welcome (it certainly has a detrimental effect on the bank balance), but the processing of personal data in order to gather taxes is clearly warranted, as that’s how collective social infrastructure is paid for. It may be more helpful to think of data protection risk in terms of ‘threats to the data subjects’ rights and freedoms’ to avoid confusion with organisational risk. For clarity, I shall be using the term ‘threat’ in this way for the remainder of this article.
What you need:
• Understanding of data protection principles and rights
• Clear, simple lines of accountability and governance
• Time and resources ringfenced for monitoring, assessing, reviewing and deciding on how to manage data protection threats
• Authority to implement decisions
• Clearly-defined corporate values
• Systems that support effective data management
• Policies and procedures which do not overlap or contradict each other
• Well-organised records
What you do not need:
• Complex algebraic models
• Psychic powers
• Expensive software
• 100% certainty that all threats have been eliminated
What to be wary of:
• Using information security or financial risk management models
• Forgetting about the data subject
• Cognitive and cultural biases which may affect your threat analysis
Step 1: What are we even doing here?
Make sure that everyone involved in the programme understands that the purpose of managing data protection risk is to guard against unwarranted negative impact to data subjects as a result of the processing of their personal data – i.e. reduce data protection threats. This may be a new concept for your organisation, especially if you have relied solely on information security risk models in the past, which are chiefly concerned with the impact which a security hiccup might have on the organisation.
Step 2: Why are we doing this?
The obvious answer might be ‘because it’s the law’ – but data protection law has been in place for decades. If ‘complying with the law’ were really such an important goal, there wouldn’t have been nearly as much panic in the run-up to the GDPR enforcement date when organisations suddenly realised they had 20 years’ worth of catching up to do. Evidently, the law isn’t a compelling enough motivator for managing data protection threats. Most organisations will usually mean ‘stay out of trouble’ when they cite the law as a reason for being good at data protection. Trouble may come in the form of regulatory action, bad publicity or even litigation; all of which are likely to be costly, time-consuming and disruptive.
That motivator leads to another set of questions though. When aiming to stay out of trouble, do you mean a) don’t get caught doing it wrong, or b) avoid doing it incorrectly? The former is probably a cheaper and more convenient approach, but it’s a gamble. If effort is focused on cosmetic fixes, concealing problems or denying responsibility then that effort is not being exerted to prevent actual problems from arising. Sooner or later, the illusion will crumble, and at that point, things could get rather awkward. ‘B’ is therefore much safer ground. If your organisation’s primary reason for managing data protection threats is to uphold data subjects’ rights and freedoms, then you win a halo. This is the lowest-risk approach for data protection – but it may come with a hefty dose of operational or financial impact. Doing things right is hard. In reality, most organisations will be balancing data subject rights and freedoms with business viability, walking a tightrope between the two and hoping that nothing comes along to disrupt the equilibrium. Your DP threat management team need to be realistic and honest about your approach when these two considerations come into conflict. Are integrity, compassion, and ethical behaviour part of your organisational values? If so, your data protection decisions should be leaning towards protecting individual rights and freedoms, even when that comes at a cost to the organisation. If you’re not willing to take this approach, then your organisation’s stated values could probably do with a rethink.
Step 3: How do we do this?
There is no ‘right’ way to manage any kind of risk, no golden suite of templates or instructions that will provide a risk-proof armour for your organisation. Starting to build a management programme by creating spreadsheets, or buying a software tool, however, is probably the least effective approach. At this stage, governance is more important than detail – escalation points and decision-making authority being the most critical aspects.
Every identified threat needs an owner; someone who will be accountable for ensuring that the implications are understood, the management approach is agreed, and that the mitigation (if any) is implemented. However, the owner won’t necessarily be the person who has final say over how the threat is managed – that’s going to depend on the ‘nature, scope and context’ of the threat itself. For example, the IT Manager might be the owner of the risk that the login interface for a new customer help portal does not meet accessibility requirements. That’s a data protection threat, because you’re choosing to process people’s personal data in a way that undermines their right to equal access, and their freedom from disability discrimination.
• Decide who in the organisation has the ultimate, final say on DP threat decisions.
• Decide which decisions can be made by whom (similar to delegated authority for financial accountability).
• Identify and document the escalation paths for when decisions need to be made reactively and in a short time frame.
• Decide who is going to be responsible for monitoring, recording and tracking responses to data protection threats.
Step 4: Threat identification
Start gathering intel on data protection threats. If you are diligently keeping your Record of Processing Activity up to date, carrying out Legitimate Interests Assessments where you’re using that basis, conducting Data Protection Impact Assessments (DP threat modelling by another name), tracking security incident reports and data subject complaints, then you should already have a rich source of information to mine for your assessment. If not, then the various reports and announcements of enforcement action taken by regulators against other organisations will give you a good idea of what to look for. Document your intel.
Step 5: Manage the threats
Decide how to treat the threats according to how significant they are to data subjects’ rights and freedoms, and the resources available. Do you cease the processing, change the processing, change the data, change the infrastructure? Do you simply need to be more transparent? This is where your decision-making apparatus becomes important. Document the actions taken.
Step 6: Business as usual
One-time threat identification and treatment is of limited value and the results will quickly become obsolete. Organisations change and evolve, systems are replaced, processes are refined, and each change brings with it a need to re-evaluate data protection threats. Only by building data protection threat assessment into project and change management procedures, by auditing departmental processes against data protection by design and by default principles, by learning and applying lessons from past assessments and incidents, can you reach a comfortable degree of assurance.
In conclusion:
• Managing data protection risk requires a different perspective from that used for information security or financial risk models, because the focus is on the impact on the individual, not the organisation.
• Someone needs to be accountable for making decisions where the interests of data subjects and those of the organisation are in conflict.
• Information is not a substitute for action. Piles of risk data or risk management software are only useful if they are used as a source of actionable business intelligence.
• Data protection threats are more easily managed when identified early on.
• Managing data protection threats proactively reduces organisational risk of regulatory enforcement, bad publicity, litigation and disruption.
• Function is more important than form – use what works for your organisation, even if that looks different from what others are doing.
STREAM Integrated Risk Manager
Fast, flexible, scalable and easy-to-use GRC software for cyber and privacy risk management
Contact us for a FREE 30-day STREAM Trial https://acuityrm.com/
Acuity Risk Management
@AcuityRM
As GDPR starts to bite, risk management has never been more important

In September 2018, the UK Information Commissioner’s Office (ICO) fined the UK arm of the credit reference agency Equifax £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber-attack in 2017.

The ICO investigation revealed multiple failures at the agency which led to personal information being retained for longer than necessary and left vulnerable to unauthorised access. The failings occurred before the GDPR came into force in May 2018, so the investigation was carried out under the Data Protection Act 1998 and the fine was the highest possible under that legislation. Had the failings occurred after the GDPR became law, the fine could have been much higher.

Fines under GDPR will be imposed in accordance with the risk profile of the operation and the extent to which the risks were appropriately addressed. Over the next few years, GDPR will start to bite, and organisations that suffer a serious privacy breach and cannot demonstrate a diligent risk-based approach to their handling of personal data will find themselves subject to very serious penalties. On the other hand, organisations may face reduced fines, or avoid fines altogether, by addressing the risks to their operations, even if those measures fail to prevent a breach.

GDPR: A risk-based regulation

GDPR requires a risk-based approach to compliance, with organisations required to consider the risks of varying likelihood and severity to the rights and freedoms of natural persons. This is a different emphasis from the management of risks to the business, which typically focuses on financial, reputational and other impacts on the organisation rather than on individuals. Appropriate risk-based technical and organisational measures must be implemented to:
• demonstrate processing in accordance with the regulation (Article 24)
• design processing to implement the data protection principles and integrate the necessary safeguards (Article 25)
• ensure a level of security appropriate to the risk (Article 32).

These are ongoing requirements, meaning that organisations must monitor, review and update their processing to continue to comply with the regulation.

Processing of high-risk data

For the processing of high-risk data, such as data of a highly personal nature, data concerning vulnerable data subjects and large-scale processing, additional obligations apply:
• data protection impact assessments (DPIAs) may be required, providing a systematic description of the processing and (amongst other requirements) describing how risks to the rights and freedoms of data subjects are managed (Article 35)
• prior consultation with the relevant data protection authority may be required unless the controller implements appropriate measures to mitigate the risk (Article 36)
• notification of a data breach to the individuals affected may be required unless, again, appropriate measures (such as encryption) have been implemented (Article 34).

While high-risk data attracts additional scrutiny, organisations should remember that the requirement for a risk-based approach applies to the processing of all personal data, not just high-risk processing.

Risks to privacy

Risks to privacy align with the data protection principles: lawfulness and fairness; transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity, confidentiality and availability; and accountability.

For the security-related risks, organisations should consider the need for pseudonymisation and encryption of personal data. Other risk-based measures must be taken to ensure the ongoing:
• confidentiality, integrity, availability and resilience of processing systems and services
• ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident
• compliance with the data protection principles.

These should be backed up by processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures. Various guidance is available to assist with privacy risk management, including:
• BS ISO/IEC 27002:2013, Code of practice for information security controls
• BS ISO/IEC 29151:2017, Code of practice for personally identifiable information protection
• Measures for the Privacy Risk Treatment, Commission Nationale de l’Informatique et des Libertés (CNIL, the French data protection authority).

It is important that these processes are ongoing and are reviewed, tested and updated regularly. They are not one-time activities that can be completed once and forgotten about.

Practicalities of a risk-based approach

A risk-based approach requires risks to be identified and assessed, and then appropriate technical and organisational measures to be implemented effectively and maintained.

The problem is that things change: the processing of personal data changes to exploit new opportunities, which changes the risk profile and the required mitigations. If a breach occurs, organisations may need to show that, at the time of the breach, reasonable risk-based measures were in place and operating effectively; this requires evidence and history to be retained. The following are recommended minimum requirements for a risk-based approach to compliance with GDPR:
• an asset register of personal data with mappings to supporting assets
• a risk register with assessments of privacy and security risks to the rights and freedoms of individuals
• mappings of technical and organisational measures to risks, with test results to show that they are operating effectively
• ongoing visibility and monitoring of risk status and the effectiveness of mitigations
• evidence, history and accountability to show a continuing risk-based approach.

Except in very simple, low-risk situations it is unlikely to be practical or efficient to manage these processes with a manual, spreadsheet-based approach. Instead, Governance, Risk Management and Compliance (GRC) software platforms, such as Acuity’s STREAM Integrated Risk Manager, should be considered to operationalise risk-based compliance with GDPR.

The requirements for a continuing risk-based approach run through GDPR, and organisations should put appropriate risk management processes in place to protect the rights and freedoms of individuals. It is impossible to guarantee 100% privacy or security, but among organisations that suffer a serious data breach, those that can demonstrate a diligent risk-based approach are likely to receive lower fines than would otherwise have been the case, or even avoid them altogether.

Written by Simon Marvell, Partner, Acuity Risk Management
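The article above recommends pseudonymisation as a security measure and notes that notifying individuals of a breach may not be required where appropriate measures have rendered the data unintelligible. The following is an added example, not code from the article or from Acuity Risk Management, showing why an unkeyed hash of a direct identifier is a weak pseudonym (anyone holding a list of candidate identifiers can recompute it) and how a keyed pseudonym (HMAC-SHA256, with the key held apart from the dataset as the “additional information” of Article 4(5)) defeats the same guessing attack while still letting the controller re-identify lawfully. The customer records, attacker word list and keys are constructed for the example.

```python
"""Pseudonymisation of direct identifiers: unkeyed hash versus keyed HMAC.

Added example; not code from the article or from Acuity Risk Management.
All records, word lists and keys below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Callable, Dict, List

# Constructed sample export: a direct identifier plus an attribute we still want to analyse.
CUSTOMERS: List[Dict[str, str]] = [
    {"email": "alice@example.org", "plan": "gold"},
    {"email": "bob@example.org", "plan": "free"},
    {"email": "carol@example.org", "plan": "gold"},
]

# Constructed guess list an attacker might hold (e.g. a previously leaked mailing list).
ATTACKER_WORDLIST = ["alice@example.org", "bob@example.org", "dave@example.org"]

# Constructed keys. In production the controller's key lives in a KMS/HSM, separate
# from the pseudonymised dataset; an attacker who obtains the dataset does not have it.
CONTROLLER_KEY = bytes.fromhex("00" * 31 + "01")
ATTACKER_GUESSED_KEY = bytes.fromhex("00" * 31 + "02")


def normalise(email: str) -> bytes:
    """Canonicalise so that case/whitespace variants of one address map to one pseudonym."""
    return email.strip().lower().encode("utf-8")


def naive_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Deterministic and public: anyone can recompute it from a guess."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key a guess cannot be checked."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], fn: Callable[[str], str]) -> List[Dict[str, str]]:
    """Replace the direct identifier with a pseudonym; keep the attributes needed for processing."""
    return [{"subject_id": fn(r["email"]), "plan": r["plan"]} for r in records]


def reidentification_table(records: List[Dict[str, str]], key: bytes) -> Dict[str, str]:
    """The 'additional information' (Art. 4(5)): pseudonym -> identity, held by the controller apart from the data."""
    return {keyed_pseudonym(r["email"], key): r["email"] for r in records}


def guess_attack(dataset: List[Dict[str, str]], wordlist: List[str],
                 attacker_fn: Callable[[str], str]) -> Dict[str, str]:
    """Dictionary attack: recompute a pseudonym for every guess and match it against the dataset."""
    lookup = {attacker_fn(w): w for w in wordlist}
    return {row["subject_id"]: lookup[row["subject_id"]]
            for row in dataset if row["subject_id"] in lookup}


def compare() -> Dict[str, int]:
    """Run the same guessing attack against both schemes; return how many subjects were re-identified."""
    naive_ds = pseudonymise(CUSTOMERS, naive_pseudonym)
    keyed_ds = pseudonymise(CUSTOMERS, lambda e: keyed_pseudonym(e, CONTROLLER_KEY))

    naive_hits = guess_attack(naive_ds, ATTACKER_WORDLIST, naive_pseudonym)
    # The attacker knows the scheme but not the key; the best they can do is try a wrong key.
    keyed_hits = guess_attack(keyed_ds, ATTACKER_WORDLIST,
                              lambda e: keyed_pseudonym(e, ATTACKER_GUESSED_KEY))
    return {"naive": len(naive_hits), "keyed": len(keyed_hits)}


if __name__ == "__main__":
    print(compare())  # {'naive': 2, 'keyed': 0}
    # The controller, holding the key, can still reverse the pseudonym when lawfully required.
    table = reidentification_table(CUSTOMERS, CONTROLLER_KEY)
    print(table[keyed_pseudonym("Alice@Example.org", CONTROLLER_KEY)])  # alice@example.org
```

Keyed pseudonyms remain personal data for the controller, who holds the key; the gain is that a copy of the dataset on its own no longer lets a third party re-identify people by guessing. Key management (separation from the data, access control, rotation) is therefore the Article 32 control to test and keep evidence for.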
A SINGLE PLATFORM TO MANAGE PRIVACY RISKS AND COMPLIANCE
OneTrust is the global leader for GDPR and Privacy Management Software, used by over 2,000 organisations to manage privacy risks and compliance with a comprehensive platform for Privacy Programme Management and Marketing Compliance.

PRIVACY PROGRAMME MANAGEMENT TOOLS
• Assessment Automation: streamline privacy assessments (PIA/DPIA) and generate regulator-ready reporting (GDPR Articles 5, 24, 25, 35 & 36)
• Data Inventory & Mapping: create a comprehensive data inventory and map for processing activities and assets (GDPR Articles 6, 30 & 32)
• Vendor Risk Management: review and remediate vendor risks with detailed privacy and security templates (GDPR Articles 24, 28, 29 & 46)
• Incident & Breach Management: assess incidents to inform breach notification decisions and provide reporting (GDPR Articles 33 & 34)

MARKETING & WEB COMPLIANCE TOOLS
• Data Subject Rights Management: facilitate, document and resolve data subject requests via a secure messaging portal (GDPR Articles 12-22)
• Website Compliance Scanning: conduct a privacy scan of websites to identify and categorise tracking technologies (ePrivacy)
• Cookie Consent Management: manage user consent and preferences with adaptable settings for various consent standards (GDPR Articles 4(11), 7, 21 & ePrivacy)
• Universal Consent & Preference Management: generate, store and sync consent records to demonstrate accountability (GDPR Articles 4(11), 6-9)

WHY OVER 2,000 ORGANISATIONS CHOOSE ONETRUST
• Most comprehensive technology: 200-member R&D team driving product innovation, with 20 patents awarded
• World-class privacy research: over 100 certified privacy professionals in-house, with continuous privacy research
• Expert global services: multi-lingual, 50-person consulting team and a large global partner network
• Large active user community: thousands of members sharing best practices in 55 global PrivacyConnect workshops
2,000 customers | 600 employees | 6 global locations | 50 languages
Spotlight speakers
Sheila FitzPatrick, global data & GDPR expert

As president and founder of FitzPatrick & Associates, Sheila FitzPatrick is a specialist in global data privacy and sovereignty laws, and a GDPR expert. She has worked with the US government, the Council of the European Union and country-specific data protection agencies in Europe, Asia/Pacific and the Americas, operating with National Works Councils, European Works Councils and law enforcement agencies. As the liaison between management and the Works Councils, Sheila has written over 150 model contracts and bargaining agreements in over 60 countries, and has achieved Binding Corporate Rules (BCRs) approvals for six multinational companies.

European Data Protection Summit London
Sheila FitzPatrick will deliver a keynote talk, “What regulators are likely to focus on in an audit”, at the European Data Protection Summit London. Taking place on June 3rd, the European Data Protection Summit will bring leading authorities on data security together to deliver advice and guidance on the issues that matter in data protection. The event will include keynote talks and panel discussions from security professionals and senior business leaders, providing information, updates and security solutions to a delegate base that is set to include over 800 Data Protection Officers (DPOs).

Data Protection World Forum Singapore
On 11th and 12th June, Sheila will also speak to audiences at Data Protection World Forum Singapore. As national governments take inspiration from the EU’s General Data Protection Regulation, DPWF Singapore promises to look into what ASEAN (Association of Southeast Asian Nations) member states and multinational corporations (MNCs) need to do to harmonise with global privacy standards. Bringing together over 1,000 attendees, this two-day event includes workshops, breakout sessions and a keynote conference theatre.

Fine-tune your understanding of the core data protection issues
Both events present the perfect opportunity for executives and industry professionals to meet, share ideas, and listen to those who are driving data privacy forward in the digital era. Visit Data Protection World Forum for more information on attending.
Highway Patrol: the drive for data collection

This year, after a period of car ownership dictated by the need to get multiple children, two large dogs and many, many bicycles into a single vehicle, we finally got rid of the monster, polluting diesel. Off to the scrap heap courtesy of one careless owner.

New cars come with lots of frills these days. Even before you have the key in your hand it is possible to check the progress of your purchase through whichever digital tool the manufacturer shares with you. Though how valuable this user experience is when your vehicle goes from ‘awaiting build slot’ to ‘on the ship’ in less than 30 minutes is debatable.

Given that my primary aim for owning any car that isn’t an Aston Martin DB9 is to get from A to B in good time and relative comfort, I didn’t pay a great deal of attention to how long it was taking the other half to ‘set up’ the vehicle once it arrived all shiny in our driveway. It involved the constant borrowing of my phone, key matching and a couple of evenings sitting in the garage with the manual (that should have been a red flag). That is, until I was charging it at a service station 40 miles from home and he cancelled the session from the comfort of our living room. I should just say that he was being nosy and pressed the wrong button on the app, and knew it wasn’t going to end well when he realised he couldn’t turn it back on again remotely.

Electric cars mean no traipsing to the petrol station to fill up, but they do mean interacting with an emerging (and decidedly patchy) charging infrastructure. Who knew there were so many different providers, each coming with their own app and requests to access every file on your phone? Standing in the pouring rain, with the fast-charge cable in your hand and a simple desire to plug in and head for a coffee, paying attention to complex consent questions isn’t a priority. In his book ‘Privacy’s Blueprint’, Woodrow Hartzog quotes Marx and calls this a form of “mandatory volunteerism” or “disingenuous communications that seek to create the impression that one is volunteering when that really isn’t the case”. In other words, when under pressure to get to the service we want, we agree to privacy-invasive practices because we simply don’t have the time (or the patience) to work out whether there is an alternative.

For fleet managers there is an added headache. Vehicles now collect a plethora of personal data, including call data, contact lists, home addresses and location information. Anesh Chauhan, founder of Vehicle Data Clear (VDC), told Fleet News in November 2018: “Vehicles are commonly transferred, sold or disposed of without proper consideration given to the data they may hold.” All of a sudden, linking your mobile phone to that holiday rental doesn’t seem quite such a good idea, particularly if you don’t know how to make sure it is all deleted when you take it back to the airport.

Come to think of it, who is charged with deleting that information, and is there a ‘we take no responsibility’ clause that will have been slipped into the terms and conditions that no one has the time to read? Industry sources that represent fleet owners say that users should clear the data themselves at the time of collection, going so far as to say it would be a leap to expect fleets to take responsibility for erasing all the data. But if not them, who?

Tech leaders with their eye on the innovation prize say that users know what is being collected and how it is used, adding that most people don’t care anyway. But that absolutely isn’t true. Tim May, in his manifesto of the cypherpunk worldview, the Cyphernomicon, talks about the ‘clueless 95%’. Taking this out of the revolutionary context espoused by that community, the phrase is an apt way of describing how the majority of individuals sleepwalk into giving up personal data in every aspect of their daily lives.

Organisations that offer technology, whether for social or essential services, cannot sidestep their duties when it comes to data protection obligations. Within the GDPR, the obligations to implement privacy by design and by default (Article 25, “data protection by design and by default”) tell organisations very clearly that thoughtlessness will land them in just as much trouble as data loss due to external or internal bad actors.

Clearly, the earlier story of the car charging controlled from afar illustrates that the app in question was created with little emphasis on privacy engineering ethics. Subsequent investigation has shown that the only criteria needed to take ownership of the car in the app were to state that you were the keeper of the vehicle and to supply the VIN (which is visible through the windscreen). If someone beats you to it, you have to go through a long process with the manufacturer to get their consent to change things, which will include them emailing the previous primary user. It is then up to you to reset your vehicle’s infotainment centre to factory settings and start all over again. Remember, this is an app which can locate your vehicle at all times, control the heating settings, start and stop charging, see call history, and so on. For the majority of people this is brilliant, enjoyable technology. Imagine, however, how vulnerable this makes a victim of domestic violence, coercive control or stalking.

Somehow, these scenarios seem to have bypassed the car designers in their pursuit of motoring excellence. With data collection now forming a large and integral part of every vehicle, it is time the manufacturers took a more serious approach to the risks they are creating.

Written by Hellen Beveridge, Privacy Lead at Data Oversight
The three lines of defence in data protection

Egil Bergenlind, CEO of DPOrganizer and a former data protection officer, has spent years navigating the rapidly changing context of privacy compliance. In building a solution for efficient privacy management, he finds it useful to consider the following thought: “What is good for customers, what is lawful, and what is ethical is not always the same thing.”

Most businesses rely on the use of personal data. In many cases, data is a key ingredient in a business’s offering. It is an important aspect of staying both relevant with customers and competitive in the market. However, the future is not only data driven. You also need to be conscious about not overstepping certain boundaries: boundaries set by your customers’ expectations, boundaries set by law, and boundaries set by ethics. Finding the right balance can be tricky, but it is vital that you do. The risk of not doing so is lost business, brand damage and fines. Obviously, you can’t stop processing data. The risk of doing that is even worse: irrelevance.

Introducing the easy (ECE) privacy test

When doing the test, we will need to involve our business/customer understanding, the law, and our gut feeling. I call it the Easy (ECE: Expectations, Compliance, Ethics) Privacy test. As a business, you should make customers your main priority. Understanding and managing their expectations is everything, so we start with the customer before moving on to other considerations.

The test asks three questions, and only if you pass all three lines of defence should the new data processing being evaluated get a “go” decision.

1. Would the processing be in line with your customers’ expectations?

Only you can answer this. Your experience and expertise regarding your business and customers (your brains) have the answer. Your customers will differ from everyone else’s customers. Expectations vary. If you pass the first line of defence, move to the second one.

2. Would the processing be lawful?

You don’t get to decide what is lawful, so you need to understand the law. This is where you read and interpret relevant regulations: you need your books. And perhaps a lawyer or two. Passed the second line? Great, third question.

3. Would you be comfortable having someone in your family be subject to the processing?

The customer is not always right. The legislator doesn’t always get it right. But you should do your best to do what is right. Ethical standards are based on the values of the societies we live in. What is ethical differs for different people in different cultures, and it changes over time. So what is ethical data processing is not something you will necessarily find in the law, or hear from your customers. So get personal. After all, ethics and the processing of personal data is a very personal thing. Use your gut feeling.

Any business claiming to take privacy seriously should consider what’s good for their customers, what’s lawful and what’s right. Don’t process data unless you’ve considered all relevant aspects, and enable people to understand what you do. Inform and engage through helpful information so people can form an opinion. Empower people to be in control of their own privacy.

Written by Egil Bergenlind, CEO, DPOrganizer

Egil Bergenlind is the CEO of DPOrganizer, a company that offers privacy management software designed specifically for privacy professionals. DPOrganizer was founded in 2015 by Egil, a former Data Protection Officer himself, and is headquartered in Stockholm, Sweden. Read more at www.dporganizer.com
Leading by example: how the GDPR is inspiring worldwide change

Advances in EU data law have tightened the way organisations handle the data of the bloc’s residents, but new legislation such as the GDPR is opening the eyes of leaders worldwide to the real value of data security in the digital era.

Written by Steve White, Co-Editor, Data Protection Magazine

Google is finding out the hard way, following a £44m (€50m) fine from the French regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” the tech giant said.

Beyond fines, the statement shows that companies must align with evolving consumer needs, and this is what the GDPR is really all about. If the stick has driven compliance in the short term, then the long-term carrot of ethical data handling and safer societies is what is capturing the imagination of government and business executives on a global level. Below we take a look at how regimes around the world are adapting the GDPR’s philosophy into existing working cultures.

South East Asia

As the EU’s largest commercial partner in ASEAN (Association of Southeast Asian Nations), Singapore accounts for just under a third of EU-ASEAN trade in goods and services. Singapore’s Personal Data Protection Act (PDPA) borrows many of the GDPR’s principles, with consent playing a similarly central role. Malaysia and neighbouring countries are picking up on the protection that regulation can offer citizens, understanding how new legal frameworks can help local and national businesses to build operations that are credible on a global security level.

Malaysia’s communications and multimedia minister, Gobind Singh Deo, has now deemed data protection and interoperability a matter of urgency for ASEAN organisations following the signing of a regional e-commerce agreement. The accord will help galvanise trust and confidence among ASEAN consumers in e-commerce, and allow ASEAN businesses to grow at regional and international levels, according to Singapore’s Trade and Industry Minister, Chan Chun Sing.

Mr Singh Deo recently announced the 2019-2023 Strategic Plan for the Malaysian ministry’s departments and agencies, a scheme that comprises six initiatives designed to enhance reliable, affordable and accessible telecommunications infrastructure. He has described how the Personal Data Protection Department will embark on “an initiative to prepare the Public Sector Personal Data Protection Best Practices Draft,” as part of a review of the Personal Data Protection Act 2010.

Hong Kong has entered the regulatory limelight less ceremoniously, following the Cathay Pacific data breach, which saw the personal details of around 9.4m travellers exposed. Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong, admitted the intrusion may have constituted “a contravention of a requirement under the law,” and the breach has stimulated calls from industry insiders to refresh the city’s 22-year-old Personal Data (Privacy) Ordinance (PDPO), last updated in 2012. Charles Mok, Hong Kong’s legislative councillor for information technology, emphasised the need for the city’s ageing data protection laws to be brought in line with European standards: “Hong Kong’s law lacks not only teeth, but updated definitions, obligations for data processing firms, and rights for individuals. Our data protection law must evolve. The present PDPO is at least a decade away from the ongoing regulation regime in the EU.” Echoing these sentiments, Wong said: “The European Union has a new regulation…and we also see some major data leaks in Hong Kong. I think it is time.” Since the Cathay Pacific data breach, Mok and Wong are just two influential voices to champion a revision of the PDPO while highlighting the need for accountability, not least to try to stop organisations from taking seven months to admit a data breach problem exists.

Brazil

In July 2018, Brazil’s Federal Senate approved the Lei Geral de Proteção de Dados (LGPD), which promises to deliver an agency to enforce the nation’s data protection rules. The LGPD has similar definitions on key issues to the GDPR, in areas such as personal data, and establishes restrictions on the processing of sensitive data. LGPD’s article 5 defines ‘sensitive data’ as any data pertaining to racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organisation, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person. The law applies broadly to data processing taking place in Brazil, and aims to protect personal data whether obtained electronically or physically, and whether by the private or the public sector.

User consent is another familiar core principle, with LGPD’s article 7 limiting the situations in which personal data processing is allowed. Where consent is the basis for processing, it must be given by the data subject in writing or by another means that demonstrates the data subject’s wishes. New rights are also provided regarding data access, correction, deletion and portability. Besides civil liability, non-compliance with the LGPD can attract further penalties such as warnings, fines, and suspension or cessation of data processing. Again, annual revenue would be used to calculate any fines issued, which in turn would be capped at fifty million Brazilian reais (R$50m), the equivalent of around US$13m.

USA

Addressing the International Conference of Data Protection and Privacy Commissioners in Brussels in October last year, Apple boss Tim Cook condemned his country’s data-hoarding climate, which has allowed the likes of Alphabet-owned Google and Facebook to thrive. “This is surveillance…these stockpiles of data serve only to make rich the companies that collect them. We at Apple are in full support of a comprehensive federal privacy law in the [US],” he said. Cisco’s chief legal and compliance officer, Mark Chandler, picked up the thread in January, highlighting the GDPR’s promotion of freedom, control and accountability. “With a few differences, [it] should be brought in in the US as well,” he said. On the whole, big tech in the States hasn’t been as keen, with many preferring self-regulation and a begrudging push for weaker federal rules.

California is marching ahead in terms of state regulation, through the California Consumer Privacy Act (CCPA), which was passed in less than a week last summer. Built on principles that value data privacy as a fundamental right, the law calls upon organisations to know what data is collected and how it is used; retain the data in a readable format; maintain good access to data so that it can be easily used, moved and updated; be able to erase data when necessary; and notify regulatory bodies and potential victims of data breaches in a timely manner.

There is a year to go until the CCPA comes into force, but organisations are readying themselves for its arrival. Meanwhile, a lobbying battle in Washington DC has been reignited, with groups such as the Association of National Advertisers (ANA) and the Interactive Advertising Bureau both demanding clarity on certain elements of the legislation while stressing that the new laws may disrupt business continuity. Dan Jaffe, head of the ANA’s Government Relations office in Washington, said that in its current state the CCPA could steer some brands’ bonus schemes into dangerous waters, as it could prove difficult to issue equal incentives to those who choose to consent, or refuse to consent, to data sharing. Companies would have to formulate “massive data pools” dedicated to honouring consumer personal information requests, which could at the same time become a big attraction to hacking, Jaffe said.

The CCPA will at least guarantee a busy 2019 in data protection for the USA. As GDPR conducts its global shake-down, companies stateside will be compelled to take California’s new regulations seriously, and to comply within the prescribed 12-month window. Other states are following suit. In early January, Massachusetts amended its data breach notification law, with the changes taking effect in April 2019. Under the new amendments, companies suffering data breaches involving social security numbers will have to provide free credit monitoring to victims for 18 months, and the state’s regulator will have to post information about breaches on its website. Washington State is also proposing its own version of the CCPA.

South Africa

Building upon the Electronic Communications and Transactions Act 2002 (ECTA) and the Consumer Protection Act (CPA), South Africa’s Protection of Personal Information (POPI) Act was signed into law in 2013, but most of its provisions have not yet been brought into force. GDPR and POPI are similar in flavour, and firms in South Africa that have been preparing for the latter will be well positioned to align with the obligations of the former, give or take a few tweaks. South Africa has a major trade partner in the EU, which means POPI will have to fall in line with GDPR. This may be achieved through parliamentary amendments, or through variances in regulatory interpretation.

With the POPI Act predicted to come into force in the first half of 2019, organisations in South Africa are being encouraged to bring a global view into their compliance journeys, so that laws including the GDPR and the ePrivacy Regulation are fully respected.

Ghana

The west African nation has been an active presence in Brussels this year, engaging in global discussions on technology and digital trends. Resonating with the Ghanaian government’s National Transformation Agenda, Ghana is among the first four African nations to have ratified the Malabo Convention on cyber security and data protection, a key treaty for data security. Ghana’s deputy minister of communications, Mr Vincent Sowah, described Ghana’s Data Protection Act 2012 as pivotal in terms of striking a balance between economic productivity and supporting individuals’ rights. As Ghana heralds “A New Chapter Enforcing Accountability and Empowering Data Subjects,” Mr Sowah emphasised his government’s recognition of the advantages of a digital economy and of the revolutionary powers for transformation such an environment could engender, particularly in the financial services sector. He also highlighted the importance of protecting personal data, and how this must be achieved through transparency, fairness and accuracy. “Across Africa, Ghana is seen as a trail blazer in this effort and one of only four countries in Africa that has passed the law,” Mr Sowah said, before underlining the role digitisation plays in enabling innovation in artificial intelligence, machine learning and IoT development.

The Executive Director of the Data Protection Commission in Ghana, Ms Patricia Adusei-Poku, followed up by saying that data controllers who breach the Data Protection Law would be liable to prosecution, and that those found guilty would be named and shamed in national dailies for their irresponsible conduct. Ms Adusei-Poku added that data controllers who were not registered with the Commission left themselves open to prosecution and subsequent financial penalties. Working in collaboration with the World Bank, the Commission is implementing new computer systems, set to go live in April, which should facilitate registration processes and help organisations on their journeys to legislative compliance in Ghana. Since its inception, the Commission has trained around 60 data controller practitioners and has implemented education campaigns to raise data privacy awareness among consumers.
GDPR Compliance Requirements for Enterprises and Public Administrations – Challenges in the use of cloud services
The new General Data Protection Regulation (GDPR) is a game changer and applies to any organisation or public administration that processes personal data. This means that the former distinction between public and non-public bodies has been removed, so that the GDPR applies to all companies processing personal data of EU residents, regardless of whether the processing takes place in the EU or not. Since the public sector is increasingly moving to cloud services for resource consolidation, to significantly reduce the cost and effort of IT infrastructure and end-user support, the same requirements have to be fulfilled as in the private sector. Reaching compliance with the GDPR creates new risks and at the same time hinders cloud adoption in the public sector, which has less experience in this area. Generally speaking, complying with the regulation includes implementing, among others, the right to be forgotten (“erasure”), the right to obtain all personal information (which data are collected, where and since when), as well as the obligation to notify data breaches, backed by high fines. The implementation of GDPR compliance enforces privacy by design and by default, meaning that the principle of minimising the amount of personal data collected applies to each phase of the overall service life cycle. Thus, it is a technical challenge to fulfil those requirements. With regard to cloud services, the GDPR places many task burdens on cloud service providers (CSPs) and cloud customers by changing the principles of privacy and data protection. Data controllers and data processors are accountable for implementing the appropriate level of protection for the personal data they process. So, both CSP and cloud customer share the responsibility for data processing in terms of the liability of data processor and data controller.
Thus, the CSP is responsible for implementing the technical measures for compliance, while the cloud customer needs to perform due diligence, for example in terms of defining their own data protection and compliance requirements. This responsibility also applies to the analysis and assessment of the risks by performing a data protection impact assessment (DPIA) (Art. 35 GDPR). The increased risk-based approach stipulates that the controller must ensure that all effective measures are taken.
GDPR places a lot of tasks on cloud service providers and cloud customers when changing the principles of privacy.
Written by: Linda Strick, Director Cloud Security Alliance EMEA
Beside the risk-based approach, the principles of accountability and transparency are the GDPR key factors which change the way personal data is handled. For example, when collecting data from data subjects on behalf of a data processor, accountability obliges the data controller to be transparent so that regulatory compliance is achieved. Thus, the principle of transparency requires a clear understanding of how personal data is handled. The GDPR envisages a Code of Conduct (Art. 40 GDPR) and certifications (Art. 42 GDPR) as tools for demonstrating compliance. The Code of Conduct’s mechanism of adherence through self-assessment provides CSPs with a tool that evaluates the risks and checks the implemented measures to mitigate them. As such, the CSP can achieve compliance for all levels of protection of personal data offered. The statement of adherence specifies that all technical, physical and organisational measures are in place to protect personal data. With this statement of adherence, cloud customers have an instrument at hand which enables them to evaluate and compare the level of protection for personal data offered by CSPs. Certification, issued by qualified auditors on the basis of a third-party audit, is another mechanism of adherence. More details on the CSA CoC for GDPR compliance can be found at: gdpr.cloudsecurityalliance.org
CRITERIA FOR SELECTING A CONSENT MANAGEMENT PLATFORM (CMP)
Criteria for selecting the right Website Consent Management Platform
A simple situation that becomes complex under the GDPR is visiting a website. If a website has integrated tags (cookies, pixels, fingerprints and similar technologies), it needs the prior consent of the website visitor if its purpose is something like tracking, retargeting or profiling, as the data collected by tags is considered personal data under the GDPR. Obtaining and documenting that consent of website visitors requires a technical solution. This can be done in-house, but as it is a whole product of its own, requiring a lot of maintenance and monitoring of jurisdictions, and entails high liability risks, it does make sense to outsource consent management to a specialised provider.
As CMPs for website technologies are a recent development, below are some objective criteria, resulting from legal and technical implications, that should be considered when selecting a CMP.
Voluntariness
The user should initially be given both the option of accepting and rejecting. A cookie wall that leaves the user with no other option but to agree does not comply with the requirements of a freely-given consent.
Documentation and storage
Resulting from the obligation to document and prove the consent, server-side and not client-side storage of consents is important. If possible, the consent data should be stored on servers in the EU. The CMP should also be able to offer on-premise hosting of consent data.
Respect consent-first
It should be possible to choose to load technologies requiring consent only after an opt-in. After an opt-out, technologies should not be loaded anymore, not even the opt-out itself. Sending the user to an external third-party provider website for an opt-out does not constitute an easy withdrawal.
Flexibility
It is very important to be able to control and change the rules for loading tags. In some cases, a company might want to implement ‘soft’ settings – e.g., to load certain technologies such as pure web analysis tags without consent. However, if the verdict of a data authority is to prohibit that, a quick switch to a zero-cookie load setting must be possible.
Granularity
Consent has to be concrete and therefore granular, so on the website there must be consent to specific technologies. Resulting from that and the principle of data minimisation, consent should only be obtained for technologies that are actually in use on a website.
Compatibility
The CMP software should be developed agnostically, so that it is compatible with any tag management and website system.
Subconsents, consent-sharing and piggybacking cases
The CMP should also cover subconsents and consent-sharing, e.g. for affiliated companies within a group, as well as detect piggybacking cases, such as a tag on the website which automatically transfers data to other piggybacked tags that are not on the website themselves, e.g., affiliate tags, which are partially reloaded.
Integration in Privacy Policy
As the controller has to comply with the information obligation, it is useful to be able to integrate the legally relevant texts of the web technologies (automatically) into a general privacy policy, e.g., through an iFrame.
Other third-party technologies
The requirement of consent is not only applicable to tags, but also to other web technologies such as plug-ins and integrated content (e.g., embedded YouTube videos and Google fonts). The obligation for consent might result from factors such as whether they entail a data transfer to a third country, such as the US.
Design and UI/UX
Complete customisation of the frontend is a key feature of the CMP, as it must be ensured that website visitors do not feel irritated and annoyed by cookie messages - which would destroy any CI and UI/UX efforts.
Privacy by design
To prevent the CMP from becoming the next ‘data octopus’, client data should be stored separately during the processing. This can be achieved by not tracking and linking user agent data, meaning that if the identical user gives consent on one website, the CMP should by default not be able to map that consent to consent on another website, as this would be profiling pursuant to the GDPR, which itself requires consent.
Business purpose of the CMP provider
The sole business purpose of the provider should be to obtain consent, so that the use of the CMP can be based on Article 6 (1) c GDPR. If a provider pursues further business purposes, it might be assumed that consent data will be used for those business purposes. Therefore, either a proprietary development with a separate neutral company, or an external provider with privacy-by-design, is recommended.
IAB Transparency and Consent Framework
The IAB Transparency and Consent Framework is the first industry standard proposing a format for how consent can be transferred programmatically. The selected CMP should support the IAB standard, as in the future personalised advertising will only be controlled with a ConsentID in the bid request.
About Usercentrics
Usercentrics is the leading independent Consent Management Platform for obtaining, managing, documenting and transferring the consent of users across platforms. The solution is IAB-certified, fully customizable and easy to implement. The German company is headquartered in Munich and processes several million consents per second.
WRITTEN BY LISA GRADOW
Lisa Gradow is Co-Founder of Usercentrics. Prior to that, the data protection and information security expert implemented GDPR and ISO 27001:2013 at Scalable Capital, one of Europe’s largest digital investment managers.
Preference Management Software One customer many preferences How do you know?
Go to consenteye.com
BigID, Inc., the leader in data privacy and protection, has unveiled new data access intelligence capabilities that enhance BigID’s Data Intelligence Platform by allowing security and risk management professionals to pinpoint systems and employees with access to personal information.
As a result, organisations can leverage the BigID platform to better comply with regulations with strong data access management requirements, such as the EU’s General Data Protection Regulation (GDPR), the New York Department of Financial Services Cybersecurity Regulation and Sarbanes-Oxley, by knowing what personal data is over-exposed while gaining enhanced privacy-related insight into data usage. Today’s data-driven organisations increasingly leverage cloud services, such as Amazon Web Services (AWS), Microsoft Azure, Google Drive and Box, in addition to existing on-premise data stores to store and process personal and private data. By adding data access insights to its data privacy platform, BigID expands the data protection and intelligence it provides security professionals. BigID’s Data Privacy and Protection Platform uses advanced machine learning technology to provide organisations a first-of-its-kind ability to find and map all personal information across the enterprise to help automate privacy functions for the GDPR and California Consumer Privacy Act. The new data access intelligence capabilities give organisations a unified platform to find and de-risk their customer and employee data. “BigID’s Data Intelligence Platform was created to provide a first-of-its-kind identity-centric view of data necessary to meet emerging privacy regulations like GDPR and California Consumer Privacy Act,” said Nimrod Vax, Co-Founder and Chief Product Officer, BigID. “BigID is the industry’s first solution to find any personal information, across any data, and automatically classify it by type and critically for privacy by person. With the new access intelligence enhancements, BigID provides security and risk professionals new insight into what and whose data they collect and process, as well as what employees and systems have access to that data,” he added.
About BigID
Based in New York and Tel Aviv, BigID uses advanced machine learning and identity intelligence to help enterprises better protect their customer and employee data at petabyte scale. Using BigID, enterprises can better safeguard and assure the privacy of their most sensitive data, reducing breach risk and enabling compliance with emerging data protection regulations like the EU’s General Data Protection Regulation and California Consumer Privacy Act. BigID has raised $46M in funding since its founding in 2016 and has been recognized for its privacy innovation as the 2018 RSA Conference Innovation Sandbox winner, a CB Insights 2018 Cyber Defender, Network Products Guide 2018 IT World Awards “Hot Company of the Year” winner, a 2019 InformationWeek Vendor to Watch, and a 2019 Business Insider enterprise vendor “to bet your career on.” Visit us at http://bigid.com/demo to schedule a demo.
PAUL CONATY
Lead Consultant and Solutions Architect at CWSI
Data Protection and the mobile era
At any time, the introduction of GDPR would have forced massive change on how companies approached the challenge of managing data. But coming (as it did) at a time when Enterprise Mobility was emerging as the key focus for many businesses, the impact of GDPR on this particular sector has been especially acute, and it has forced companies to grapple with issues which they had never had to consider before.
Of course, the responsibilities that GDPR imposes on an organisation don’t change because it is pursuing a programme of Enterprise Mobility. But the practical implications of the GDPR regime for such programmes are massive; indeed, those aspects of Enterprise Mobility which are so attractive to businesses in the first place, including the portability and ubiquity of mobile devices, add massively to the challenge of meeting the new GDPR regulations.
In our experience, the key elements of GDPR from an Enterprise Mobility perspective are:
• Privacy by Design
• Explicit Consent
• Subject Access Rights
• Data Breach Notification
Each of these elements imposes onerous responsibilities on the relevant organisation. Privacy by Design, for example, requires companies to understand what data is on a corporate mobile device by conducting a data flow mapping exercise to identify what data resides on, is transmitted to or from, or is collected by the mobile device of an employee (their own device or a company device). The same principle will increasingly require third party vendors to offer clients privacy designs as part of core contracts going forward. Data breach notification, as another example, requires companies to have procedures in place to be able to notify the relevant supervisory authority within 72 hours of the data controller becoming aware of the breach.
Much of the debate over the past year or so has focussed on the costs required to comply with GDPR. But there are benefits for businesses too; we’ve already seen examples of client companies identifying significant data weaknesses through the work they were required to do to comply with GDPR, and addressing these weaknesses now has undoubtedly saved them from serious financial and reputational loss at some point in the future. We have seen other companies realise the level of sensitive information – including financial information and sensitive competitor information – which departing employees had easy access to via their mobile devices and which would otherwise have walked out of the business with them.
Pain and suspicion as catalysts for innovation
Reading the news about data and privacy in the first two months of the year suggests that companies are responding in a very human way to the pressure from privacy regulations. When we are faced with a new threat or painful experience, we become suspicious of the possible causes of those threats and start looking for new ways to avoid them, so we can go back to the way things were before. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are eliciting a similar reaction from companies. Let’s first explore a couple of examples of this human phenomenon. Take health, for example. When we discover a new health threat (e.g., cholesterol), we become suspicious of its possible causes (i.e., different foods and fats), and we invest significant resources to find innovative medications that would let us go back to how we used to live before (i.e., eat all that fatty junk we love so much). Similarly, when law enforcement first adopted laser speed guns and cameras for catching speeding drivers, we learned to be suspicious of curves in the road, or other obstacles that may hide a speed trap. The desire to avoid a speeding ticket led to the innovation of radar detectors and license plate covers; all that so we can speed without the consequences. We are now going through a similar path in response to privacy regulations. GDPR and CCPA require a new level of transparency that poses a threat to how companies used to handle personal information. Both regulations bring greater weight and compliance challenges to an old privacy transparency principle, commonly referred to as Data Subject Access Requests (DSAR). Beyond the DSAR requirements, the GDPR adds a dose of painful transparency with breach notification requirements. In California, which already has a breach notification regulation in place, the CCPA requires an additional level of transparency on how companies share personal information with third parties.
This form of transparency is painful for companies as it forces them to open up on areas they would have preferred not to: the inappropriate handling of information and the widespread practice of sharing personal information with vendors and partners. Our current predicament with GDPR and CCPA leads companies to reach for innovation in search of solutions that will allow personal information to flow with limited consequences.
GDPR and CCPA require a new level of transparency that poses a threat to how companies used to handle personal information. Both regulations bring on greater weight and compliance challenges to an old privacy transparency principle.
Written by: Sagi Leizerov, Ph.D., SVP of Enterprise Privacy Solutions, Dataguise
We should remember that privacy regulations put us on a similar path in the past. In 2003, California passed the first breach notification regulation in the US, to be soon followed by 47 other states. Reputable companies found themselves on the front pages of newspapers, having to take responsibility for poor information handling practices. The pain and embarrassment of breach notification had to be contained, so innovation quickly followed with a solution – Data Leakage Prevention (DLP) technology. DLP is far from a panacea for breaches, but it is the common solution companies adopted so they can feel comfortable enough to continue to operate quickly and efficiently with data as before. There is a race going on these days to develop a winning technological approach to the granular control that the GDPR and CCPA require. What solution will take the lead in addressing these operational pain points, as DLP did for the breach notification regulations of the early 2000s? For now, it is too early to tell, but it’s definitely worth keeping track of this critical issue.
Internal Audit, Risk, Business & Technology Consulting
FACE THE FUTURE WITH CONFIDENCE Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders face the future with confidence. Through our network of more than 75 offices in over 20 countries, Protiviti and our independently owned Member Firms provide our clients with consulting solutions in finance, technology, operations, data analytics, governance, risk and internal audit. We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
protiviti.co.uk
© Protiviti Limited 2019. PRO-0419
Are privacy regulations truly effective in improving corporate privacy practices?
Written by Sagi Leizerov, SVP, Enterprise Privacy Solutions
More privacy regulations are coming—that much is clear. In the U.S., we hear the States do not want to sit idly by while the federal government procrastinates on passing a comprehensive regulation. Meanwhile, large companies are lobbying Congress for an omnibus regulation that will preempt the patchwork of state regulations. The recent outcry to break up the big tech companies will likely lead to more lobbying by these deep-pocketed companies to pass a regulation that pacifies politicians and consumers. Internationally, we see different countries taking steps to enact new or update existing regulations that are more in line with Europe’s GDPR. However, are omnibus privacy regulations like the GDPR, PIPEDA in Canada, or recently POPI in South Africa, to name a few, truly effective at improving the privacy practices of companies? The problem with such regulations is that they are so high-level and address so many topics that they don’t yield true compliance, but rather a more superficial response. Look at the GDPR. Yes, companies have updated their notices, and we certainly have to consent more often to cookies every time we visit a website, but do companies that claim to comply with the GDPR really have better control over the petabytes of personal information they process? Do they know under what notice the personal information of different individuals was collected? What obligations apply to different data subjects? When those companies receive a data subject access request, do they really look across their systems for the data? Do they know which of their many processors have access to GDPR-impacted data? The list of questions about effective compliance is long, and the answer to the questions is often ‘no’. Enforcement does not seem to encourage a real change in how companies treat data.
We see headlines about big online companies being fined, but most companies tend to think that enforcement is for the edge cases of leading global brands, rather than the marketplace as a whole. Even when regulators do enforce some aspects of these laws, they don’t go for the real data details, because more often than not, they either don’t understand the details or don’t have the capacity to dig deep—or they don’t believe they could expect any major change even if they were to dig deep. As a European regulator told me recently when I asked why his agency does not call out companies about not even
knowing where all their personal information is: “We don’t want to discourage them.” Regulations can be made more effective in changing companies’ attitudes and behaviour by adding implementation specifications to make regulations “stick.” Here are a few ideas on how the right degree of specificity can make a difference in privacy regulations…
Make it about the data—all of it
Regulations tend to focus on the individuals and the actions companies will need to take once the regulation comes into force. That leaves a lot of legacy personal information taking a lower priority in any compliance preparatory work. To be effective, regulations should require companies to take steps to find all the personal information that may exist or be processed (or hidden) across their enterprise—to know who it refers to, why and when it was collected, how relevant and accurate it is, where copies are kept, and whether it is protected appropriately. The regulations should also be clear about what companies should do with personal information that cannot be validated to that extent.
Make it real with sector-specific requirements
Effectiveness in privacy management can vary greatly between industries. A regulation that calls for the development of industry-specific implementation requirements can be helpful for both the implementing companies and for the regulators that need to enforce those regulations fairly.
Take a cue from the SoX model
Section 404 of the Sarbanes-Oxley Act set high-level requirements for the handling of financial systems of publicly traded companies. To operationalize these requirements in a manner that meets these regulatory requirements with consistency, the market—with encouragement from the regulators—adopted a detailed framework of controls: Control Objectives for Information and related Technology (COBIT).
This control framework allowed organizations to design and implement effective controls for their accounting and financial systems and their auditors to test the effectiveness of the controls and attest to it. Why can’t we have a privacy COBIT to follow? A detailed privacy controls framework, one that is regulation-agnostic but addresses the implementation of common privacy principles, can bring about the effective regulations we need. Let’s not repeat past mistakes. There is a real gap between omnibus privacy regulations and the data reality most companies face. Without acknowledging this gap and addressing it with a new approach for regulations development and enforcement, the progress we will see in driving real change in how companies manage personal information will be slow to come.
Leveraging GDPR Compliance Initiatives to Comply with the CCPA (California Consumer Privacy Act) and LGPD (Brazilian General Data Protection Law)
On 1 January 2020 the California Consumer Privacy Act (CCPA) will enter into application. A few weeks later, the new Brazilian Data Protection Law (LGPD) will start to apply. Both new laws will provide for extensive consumer rights, including a right of access, data portability and deletion. And even though the application date is still some time away, many impacted organizations have already started their preparations to comply with the law. This is yet another big law to comply with, so shortly after the EU General Data Protection Regulation (GDPR) has entered into application. This may seem daunting to many, but it doesn’t need to be. If you have put in place the right accountability mechanisms, or even a more comprehensive privacy program infrastructure, to maintain compliance with the GDPR, it may be relatively easy to leverage your work to deal with CCPA and LGPD compliance. In this short paper, we will show how an accountability approach to privacy management can produce compliance outcomes for the GDPR, the CCPA, the LGPD and a multitude of other laws with similar compliance obligations.
Scope of GDPR vs. CCPA
It is worth noting that the GDPR, CCPA and LGPD are not fully comparable. First of all, the GDPR and LGPD are omnibus laws, applicable in the full territory of 31 countries (the 28 EU Member States and the 3 countries of the European Economic Area: Norway, Iceland and Liechtenstein) and of Brazil respectively, whereas the CCPA applies solely in the State of California and mainly deals with consumer rights. Topics like data transfers, data security and data breaches are not covered by this law.
General Data Protection Regulation (GDPR)
• Applies in the EU and the EEA and to organisations offering goods and services to persons in the EU
• Omnibus legislation covering most aspects of data protection law
• Fundamental right > no nationality requirement for rights to apply
• In force since 25 May 2018 – accompanying laws in 19 EU Member States in place
California Consumer Privacy Act (CCPA)
• Applies in the State of California and to organisations doing business there
• Legislation focuses on data subject rights
• Rights only extended to California residents
• Will apply as of 1 January 2020; changes to the body of law still possible
LGPD Brazilian General Data Protection Law
• Applies in Brazil and to organisations offering goods and services to persons in Brazil
• Omnibus legislation covering most aspects of data protection law
• Will apply as of 15 February 2020
• No supervisory authority in place yet
Using the Nymity Privacy Management Accountability Framework™
An accountability approach to compliance means organizations implement and embed relevant policies, procedures and other measures throughout the organization, and assign responsibility for these activities to be completed. Ideally, the activities are also reviewed on a regular (for example annual) basis. Such reviews lead to documentation, such as minutes of meetings, memos preparing decisions, the actual policies and procedures, and log files, which can serve as evidence to demonstrate compliance to regulators and other stakeholders. Through years of research and hundreds of on-the-ground workshops with organizations and Regulators around the globe, Nymity has developed the Nymity Privacy Management Accountability Framework™ (“Framework”): a menu of 139 privacy management activities, or technical and organizational measures. It is a practical Framework to help organizations operationalize privacy management and can be used to implement, maintain and demonstrate compliance with a privacy program and a multitude of laws. Thousands of organizations around the world use the Nymity Framework to structure, plan and report on privacy compliance and specifically, GDPR compliance. When preparing organizations for the GDPR, Nymity mapped the text of the Regulation to the Framework and identified 39 Articles of the GDPR that require evidence of a technical or organizational measure in order to demonstrate compliance. Those 39 Articles mapped to fifty-five privacy management activities (technical and organizational measures) that, if implemented, may produce documentation to demonstrate compliance with the requirements. The other 60 provisions of the GDPR do not require evidence of a technical or organizational measure from organizations to demonstrate compliance, but deal with definitions, the role of the DPAs and the Commission, and other non-operational legal requirements.
Mapping the Framework to the CCPA and LGPD
For the CCPA, Nymity has made a similar mapping. Out of the 23 provisions of the CCPA, we have identified nine provisions that require evidence of a technical or organizational measure in order to demonstrate compliance, linked to 9 privacy management activities. The fact that there are fewer mandatory activities than for the GDPR is caused by the different scope of the two laws. For the LGPD, Nymity has identified 42 privacy management activities, linked to 24 provisions of the law.
© 2019 Nymity Inc.
www.dataprotectionworldforum.com @DataProtectWF