Rising to the Challenge of E.U. Data Protection Regulations
Steven F. Fox, IRS
About me … • InfoSec Polymath • Experienced with the InfoSec implications of privacy law, but I am not a lawyer. • Contact me at sfox@securelexicon.com
Agenda • Approaches to Privacy. • Overview of the General Data Protection Regulation. • What it means to companies and consumers. • Resources.
This session does not represent the views of the Internal Revenue Service.
Privacy - The state or condition of being free from being observed or disturbed by other people.
“Privacy is a fundamental value. How a society responds to new technological innovation that challenges privacy – that is the trick.” - J. Trevor Hughes
“You are slaves to commerce.”
Privacy as a Human Right
Market-driven Privacy
Technology Challenges to Privacy
Big Data
Mobile Applications
Ambient Computing
EU General Data Protection Regulation • Replaces the EU Data Protection Directive 95/46/EC. • Response to technological trends affecting privacy and data protection. • Aims to enhance consumer confidence.
Processing of Personal Data of Individuals in the EU (the Regulation protects data subjects located in the EU, not only EU citizens, and applies to controllers and processors outside the EU that offer them goods or services or monitor their behaviour)
GDPR Timeline
Source: iapp.org
Some Companies Impacted by the GDPR
• General Electric
• The Coca-Cola Company
• Philip Morris
• McDonald’s
• Abbott Laboratories
• DuPont
• News Corp
• Ford Motor Company
• Honeywell
• Kraft Foods
Consumer Perspective • Right to be forgotten (erasure). • Right to restriction of processing. • Consent for data collection and usage. • Privacy by Design.
Business Perspective • One continent, one law. • Reduced variability in Member State Laws. • Baseline rules for all companies. • Governance and enforcement requirements.
Consent and Control • Companies must understand when consent is needed. • Design systems that enable data transparency. • Design portable data sets.
Accountability • Data transfer agreements and Binding Corporate Rules for transfers outside the EU. • Design systems that enable data transparency. • Data portability. • Portfolio model for Privacy Risk Assessments.
Breach Management • Statutory requirements for technical and procedural breach management. • Notification to the supervisory authority (Data Protection Authority) within 72 hours of becoming aware of a personal data breach; affected individuals must also be informed when the breach is likely to put them at high risk. • Sanctions of up to 2% or 4% of annual global turnover (or €10 million / €20 million, whichever is higher), depending on the provision violated.
Privacy by Design • The “Holy Grail” for privacy and data protection. • Companies define the purpose and context of data collection up front and limit collection to what that purpose needs (data minimisation). • Consumers know what data is collected and why.
Resources • Embrace Privacy by Design principles. ▫ https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf ▫ https://www.owasp.org/index.php/OWASP_Top_10_Privacy_Risks_Project
• NISTIR 8062 – Privacy Engineering and Risk Management in Federal Systems • IAPP.ORG