EUDAT Conference Porto 2018

2. 5 things you should know about Data Protection
2
David Foster
Head of Data Privacy Protection
January 2018

3. Opening Sing-along
My personal data are mine
To abuse them is a crime
You cannot share
You must take care
Or risk a hefty fine
3
David Foster 2018

4. 1. My Personal data are mine
• Personal data belong to the individual
• They are not yours to use as you see fit, not even if they
are public!
• Fair processing
• Legitimate Basis (hint: consent is a problem)
• Specific Purpose
• Privacy notices should declare what, how and why data are
processed
• One is unlikely to be enough!
• One notice for each independent service.
• Data Protection Impact Assessments (DPIA) may be needed.
4

5. 2. To abuse them is a crime
• The scope of personal data is wide
• Attributes, Photos, Electronic Identifiers ….
• The scope of processing is broad
• Analysing, Copying, Viewing ….
• This is complex to communicate inside an organisation
• Internal training
• Internal policies
• Accountability
• It may help to consolidate processes and infrastructure
• Approved storage systems
• Managed internal transfers
• Be wary of automated decision making and profiling
5

6. 3. You cannot share
• Without safeguards because privacy travels with
the data
• Responsibility rests with the controller
• Contracts, codes of conduct, binding corporate
rules
• Records of transfers
• Extra-territorial reach
• This may be a difficult culture change within
organisations used to freely sharing personal data
• Complexity may increase with ePrivacy
6

7. 4. You must take care
• You need to look after other peoples data
• Appropriate organisational and technical measures
• Risks with unnecessary data retention
• ISO27001 for data security and handling is a good
starting point
• Individuals have rights to their data you are
processing (even if not absolute rights)
• Must be clear mechanisms to exercise the 8 basic
rights, which should be in the privacy notice
• Privacy by default and by design
• Anonymise or pseudonymise
7

8. 5. Or risk a hefty fine
• Its all about managing risk
• “Compliance”, per-se, does not exist
• Fines can be large depending on the infraction
• Violation of principles carry the larger fine
• Mitigation of risk of large fines
• A demonstrable attempt at implementing the
legislative requirements
• Internal Training, Policies, Accountability,
Management Commitment
• Having a DPO and accepting their advice
8

9. Finally …
9

10. Key Obligations of an Organization
• A29 Advice
• “employers should always bear in mind the fundamental data
protection principles, irrespective of the technology used;
• consent is highly unlikely to be a legal basis for data
processing at work, unless employees can refuse without
adverse consequence;
• the contents of electronic communications made from
business premises enjoy the same fundamental rights
protections as analogue communications;
• employees should receive effective information about the
monitoring that takes place; and
• any international transfer of employee data should take place
only where an adequate level of protection is ensured.”
10

11. Employers Must:
• A29 Advice
• “ensure that data is processed for specified and legitimate purposes that are
proportionate and necessary;
• take into account the principle of purpose limitation, while making sure that the data
are adequate, relevant and not excessive for the legitimate purpose;
• apply the principles of proportionality and subsidiarity regardless of the applicable
legal ground;
• be transparent with employees about the use and purposes of monitoring
technologies;
• enable the exercise of data subject rights, including the rights of access and, as
appropriate, the rectification, erasure or blocking of personal data;
• keep the data accurate, and not retain them any longer than necessary; and
• take all necessary measures to protect the data against unauthorised access and
• ensure that staff are sufficiently aware of data protection obligations.”
11

12. Typical Reactions
• Fiction: “This is just administration so doesn’t
concern me”
• Fact: This is part of the professional
responsibilities
• Fiction: “OK, I will do it and then I can forget about it”
• Fact: This is an ongoing and continual process
• Fiction: “Just tell me what to do so I don’t have to
think about it”
• Fact: Privacy considerations have to become part
of the culture as simple prescriptions for all
possible situations are not possible.
12

13. Monitoring
• Principles
• Employees must be informed of the existence of any monitoring, the purposes for which
personal data are to be processed and any other information necessary to guarantee fair
processing. (Necessary but not in itself sufficient)
• Data collected that includes personal data should be for a specific legitimate purpose.
• Monitoring data should be anonymised by default.
• A29 Advice on limitations to monitoring
• “geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as
religious places and for example sanitary zones and break rooms should be prohibited),
• data-oriented (e.g. personal electronic files and communication should not be monitored),
and
• time-related (e.g. sampling instead of continuous monitoring).”
• Blocking is better than monitoring
• Questions
• Are you handling this appropriately?
• Are you “over-collecting” data with the risk of “further processing”?
• How will you separate personal and work-related data?
• Do you have a clear IT monitoring policy with appropriate safeguards?
13

14. Storage
• Principles
• Ensure that data are not accidentally processed.
• Ensure that deleted data stays deleted
• A29
• “It should be ensured that employees can designate certain
private spaces to which the employer may not gain access
unless under exceptional circumstances.”
• Some Questions
• Are all services where personal data are stored “fit for purpose”?
• Can you demonstrate adequate technical measures? (ISO27001)
• What are you policies for different classes of data on automatic
deletion?
14

15. End-user devices
• Principles
• Do not process non-work related personal data on devices
allowed for private use, or in a private context (home).
• A29
• “Select the most privacy protecting defaults”
• Provide (acceptable use) policies. “This allows employees
to adapt their behaviour to prevent being monitored when
they legitimately use IT work facilities for private use”
• Some Questions
• Do you have sufficient measures to allow for truly private
use of facilities? (Laptops, Network, Storage etc)
• Are you offering enough advice on the use of IT facilities?
15

16. Typical and generic problems
• Collecting too much data - violates data minimisation
• Because you have a single “Web form”
• Using unsecured transfer mechanisms - violates appropriate technical
measures
• Email
• Processing data without controls - violates appropriate organisational
measures
• Excel spreadsheets, Laptops etc.
• Personal Data kept because it “might be useful” - violates retention
periods.
• Archives
• Data stored on other services (internal and external) without privacy
protecting agreements - violates appropriate safeguards.
• Almost every storage system or platform
16

17. Finally, 5 things to do
1. Know where you are processing
• Data mapping
2. Know what you are doing
• Privacy notices
3. Know why you are doing it
• Internal review of processing operations
4. Know how you are doing is correct
• Technical measures and controls
5. Know when you should stop doing it
• Retention periods
17

18. Good Luck!
18
Facebooks has put together: “the largest cross functional team”
comprising “senior executives from all product teams, designers
and user experience/testing executives, policy executives, legal
executives and executives from each of the Facebook family of
companies”.
“Dozens of people at Facebook Ireland are working full time on this
effort,” it said, noting too that the data protection team at its
European HQ (in Dublin, Ireland) would be growing by 250% in
2017.
Source: https://techcrunch.com/2018/01/20/wtf-is-gdpr/