
GDPR by Identity Methods


European Data Protection Legislation
What it Means for Us! The new rules have been estimated – by the EU, admittedly - to bring benefits of €2.3 billion per year.

Published in: Data & Analytics

  1. European Data Protection Legislation
     What it Means for You!
     By Richard McCann & Ian Collard with Steve Bailey & Jamie Capildeo
     IM-A5 Booklet_Layout 1 05/05/2016 12:23 Page 1
  2. European Data Protection Legislation
     What it Means for You!
     By Richard McCann & Ian Collard with Steve Bailey & Jamie Capildeo
     Published by ©2016 Identity Methods Limited. All rights reserved.
  3. Contents
     • Introduction 4
     • Background 12
     • A Quick Guide To The New Rules 15
     • Want To Know More? 17
     • Red Tape Reductions! 19
     • The 5 Key Points 20
     • Case Study 1 22
     • 8 Important Things To Remember 26
     • Case Study 2 28
     • Next Steps 31
     • Compliance 32
     • 9 Things You Should Do Right Now! 33
     • Conclusion 35
     • Appendix 38
  4. Introduction
     We’ve all heard and read news reports about how criminal hackers are breaking into firms such as TalkTalk and stealing thousands of names and bank details. Or breaking in to Sony and reading all their emails.
     Most people know that ‘Phishing’ is the attempt to acquire sensitive information such as usernames, passwords, and credit card details - and sometimes, indirectly, money - for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
     And many people have also heard of ‘Ransomware’, a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
  5. How big is this problem?
     It’s huge. And growing every day. Hackers have stolen information from millions of us already. Major companies have failed to keep our private data safe. What’s happening now is a big wake up call.
     The BBC recently uncovered a new type of phishing email that includes the recipient's home address and has been received by thousands of people. Journalists at BBC radio were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. One security expert warned clicking on the link would install malware.
     BBC reporter Shari Vahl was one of the first on the team to receive an email. "The email has good spelling and grammar and my exact home address... when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.
  6. "My tummy did a bit of a somersault when I read that, because I wondered who on earth I could owe £800 to and what was about to land on my doormat."
     She quickly realised it was a scam and did not click on the link. Then, only a couple of minutes later, another BBC journalist received one. And then another colleague read a similar version - but sent to his home email address this time.
     Ransomware
     The BBC decided to contact the companies that were listed in the emails as being owed money. A spokesman for British Millerain Co Ltd, a waxed cotton fabric manufacturer, told the programme that the firm "had more than 150 calls from people who don't owe us money". And a spokeswoman for Manchester shelving firm Greenoaks said: "My colleague took a call from an elderly gentleman and he was very distressed because his wife had had one of these emails."
     Dr Steven Murdoch, principal research fellow at the department of computer science at University College London, said: "Most likely it was a retailer or other internet site that had been hacked into and the database stolen, it then could have been sold or passed through several different people and then eventually it got to the person who sent out these emails."
  7. He added that the email bore the hallmark of previous phishing attempts from gangs in Eastern Europe and Russia. He said that clicking on the link would install malware such as Cryptolocker, which is a form of ransomware that will encrypt files on Windows-based computers and then demand a fee to unlock them.
     So this affects us all, not just big corporations?
     Although, of course, it’s the damaged big corporations that lose millions and make the big headlines, private individuals are also losing thousands. Most of us are now used to getting fake emails from hackers phishing for information. There’s often an attachment that, once you’ve clicked on it, gives the hacker access to your laptop and every keystroke. They’ve got your name, and they know where you live. They’ve got your bank details. They’ve got YOU. As soon as the cyber criminals are in, they’ve stolen your entire digital life.
     But it’s not always a bad attachment that signals trouble. It’s amazing how many people who are pretty careful about security in other areas don’t seem worried about their email. It’s worth considering what a big part of your life is revealed to someone reading your email…
  8. Just how easy is it to hack in to other computers?
     Some teenagers can break into an international corporation in minutes. Think of TalkTalk. The latest break in is the third time. It’s not a bad idea to think of a hack as a break in. You wouldn’t leave your doors unlocked, so why leave your computer or your website open for people to wander in and steal what they fancy? After all, if you break into a bank it’s hard and dangerous and you’ll probably get caught. But you can break into a network from your bedroom and the chances of getting caught are pretty remote, to be honest. You’re probably in a different country for a start.
     What can we do to protect ourselves?
     For a start, be vigilant. Stolen identities are so readily available to criminals on something we call the dark web that there are even ‘two for one offers’ and ‘money off all IDs sold until Friday’. It’s that competitive out there…
  9. In your private life…
     If you get a ‘phone call offering you a refund, be aware that someone may have bought your name, number and address, and they’re now trying to get your bank details too. So be careful to whom you reveal personal information. It’s like giving a burglar the keys to your home or business!
     Don’t click on attachments without being absolutely certain who they’re from. If in doubt give the person a call. It’s always better to be safe than sorry.
     If you’re paying someone money, a criminal with access to your emails can so easily jump in with an email, maybe pretending to be from your solicitor. Because he or she now has access to your emails, the criminal’s fake email will look just like the ones you’re used to getting from your real solicitor. And if your lawyer signs off ‘best wishes Tim’ then that’s exactly how the fake email will be signed by the criminal. This is how loads of people are duped daily into putting their life savings into criminals’ bank accounts when they get an email from what looks like, say, their bank, financial advisor or solicitor. The email will look real because they’ll even know how much you are due to pay. Of course they do – the criminal has just read the same email as you!
  10. If you have a business then…
      Remember that any unprotected, incautious employee can open up your network. There have been stories of solicitors getting duped into sending house completion monies to a bogus account, and of clients who receive authentic-looking emails from a solicitor telling them that they need to pay money for a house into a different account - too late they discover the email is a fake and the account is that of a criminal.
      Because of all this, Data Protection is hot news. Something that was once regarded as a ‘good thing to have’, ranking alongside health and safety and risk assessments in the brains of board directors, and as a topic the public anecdotally understood to mean not selling on their email address without permission, has now become a mainstream media topic.
      Whereas once journalists needed to research to discover names of companies affected by data breaches in order to give their stories relevancy to a mainstream readership, it’s now only too easy to come up with a list of global businesses that are household names affected by data breach. And in turn, the severity of those breaches has multiplied exponentially. What was initially a minor inconvenience for the PR department to defuse has now become a national or even international scandal capable of bringing a giant corporation to its knees.
  11. And as we shall see, plans to make directors personally accountable mean that personal penalties are more than an embarrassing interview or a tactical management reshuffle – personal financial ruin is a very real prospect. This is why the GDPR regulations around customer data provide an extra layer of concern for organisations to pay big attention to!
      The discussions between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’), the EU Data Protection Reform papers, the Data Protection Package, the Digital Single Market and the EU Agenda on Security, together with the public consultations, cover many scores of documents and hundreds of thousands of words. In this book we shall guide you through the parts of the legislation that you really need to know about. And we shall flag up the key steps enterprises need to implement in order to protect themselves and their stakeholders.
  12. Background
      Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.
      17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds [i]. In the digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data between countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.
      Everyone has the right to the protection of personal data.
  13. Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number. People are worried as never before, asking ‘what happens to this data?’ ‘Could it fall into the wrong hands?’ ‘What rights do we have regarding our personal information?’
      It’s all very well for individual governments of member states to legislate to protect their citizens, but conflicting data protection rules in different countries would disrupt international exchanges. Individuals may be unwilling to transfer personal data abroad if they are uncertain of the level of protection in other countries.
      EU surveys reveal – somewhat predictably – that more than 90% of Europeans want the same data protection rights across the EU – and regardless of where their data is processed. Two-thirds of Europeans [ii] (67%) are concerned about not having complete control over the information they provide online.
  14. As a result of public concerns, in January 2012 the European Commission proposed a comprehensive reform of data protection rules in the EU. The objective was to give citizens back control over their personal data, and to simplify the regulatory environment for business. Seven Europeans out of ten [iii] worry about the potential use that companies may make of the information disclosed.
      Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage our personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law. Therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU. Citizens have the right to complain and obtain redress if their data is misused anywhere within the EU. The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.
      On 15 December 2015, the three European institutions agreed an historic reform of data protection rules, establishing a modern and harmonised data protection framework across the EU.
  15. A Quick Guide to the New Data Protection Rules
      This clearly cannot be an exhaustive analysis, but essentially the Reform consists of two instruments:
      1. The General Data Protection Regulation – more rights for people to better control their personal data. And modernised and unified rules intended to allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
      Identity Methods also work closely to protect the police and criminal justice sector, and if this is an area of special interest to you then please contact us for more in depth assistance. But put briefly for the rest of us, there’s a second instrument to the reform…
  16. 2. The Data Protection Directive – this is for the police and criminal justice sector and is intended to ensure that the data of victims, witnesses, and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action. More harmonised laws are also intended to facilitate cross-border co-operation of police or prosecutors to combat crime and terrorism more effectively across Europe.
      Fines
      Fall foul of the new rules and penalties can be €1 million or up to 2% of the global annual turnover of a company. And there are rumours that this could be dramatically increased in the future. A figure of €100 million has been mentioned in some quarters!
  17. Want to Know More about the General Data Protection Regulation?
      We’re glad you’re still with us and still interested! OK here goes…
      For Individuals
      The new rules address personal data concerns by strengthening people’s existing rights and empowering individuals with more control over their personal data. Most notably, these include:
      1. Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.
      2. A right to data portability: it will be easier to transfer your personal data between service providers.
      3. A clarified "right to be forgotten": when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
      4. The right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
  18. For Businesses
      1. One continent, one law: the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.
      2. One-stop-shop: businesses will only have to deal with one single supervisory authority.
      3. European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU. So a data centre in, say, India, won’t be an excuse!
      4. Risk-based approach: the rules will avoid a burdensome one-size-fits-all obligation and tailor them to the respective risks.
      5. Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (Data Protection by Design). Privacy-friendly techniques such as pseudonymisation (replacing personally identifiable material with artificial identifiers) will be encouraged, to reap the benefits of big data innovation while protecting privacy.
  19. Red Tape Reductions!
      The lawmakers reckon that enterprises will benefit from four reductions in red tape:
      1. No more notifications: notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.
      2. Every penny counts: where requests to access data are manifestly unfounded or excessive, enterprises will be able to charge a fee for providing access.
      3. Data Protection Officers: enterprises are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
      4. Impact Assessments: enterprises will have no obligation to carry out an impact assessment unless there is a high risk.
  20. The 5 Key Points
      1. A "right to be forgotten": when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.
      2. Easier access to one's data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.
      3. The right to know when one's data has been hacked: companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk and communicate to the data subject all high risk breaches as soon as possible so that users can take appropriate measures.
  21. 4. Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
      5. Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.
      Won’t the New Rules Cost Businesses Lots of Cash?
      Not necessarily. Properly planned, you could actually save money. One planned advantage behind the single, pan-European law for data protection is that companies will simply deal with one law, not the current 28. The new rules have been estimated – by the EU, admittedly - to bring benefits of €2.3 billion per year.
  22. Case Study 1:
      A chain of shops has its head office in France and franchised shops in many other EU countries. Each shop collects data relating to clients and transfers it to the head office in France for further processing.
      At present: French data protection laws would apply to the processing done by head office, but individual shops would still have to report to their national data protection authority, to confirm they were processing data in accordance with national laws in the country where they were located. This means the company’s head office would have to consult local lawyers for all its branches to ensure compliance with the law. The total costs arising from reporting requirements in all countries could easily exceed €12,000.
      With the Data Protection Reform: the data protection law across all EU countries will be the same – one European Union – one law. This will eliminate the need to consult with local lawyers to ensure local compliance for the franchised shops. The result is direct cost savings and legal certainty.
  23. It’s been said that the Reform could actually encourage innovation and the use of Big Data. How?
      ‘Data protection by design and by default’ will become an essential principle. It will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data. According to some estimates, the value of European citizens’ personal data could grow to nearly €1 trillion annually by 2020. Used in conjunction with data protection impact assessments, businesses will have effective tools to create technological and organisational solutions.
      The Regulation promotes techniques such as:
      • Anonymisation - removing personally identifiable information where it is not needed.
      • Pseudonymisation - replacing personally identifiable material with artificial identifiers.
      • Encryption - encoding messages so only those authorised can read them, to protect personal data.
      These techniques will encourage the use of "big data" analytics, which can be done using anonymised or pseudonymised data.
  24. While it’s a data protection principle that when personal data is collected for one or more purposes it should not be further processed in a way that is incompatible with the original purposes, this does not prohibit processing for a different purpose or restrict 'raw data' for use in analytics. A key factor in deciding whether a new purpose is incompatible with the original purpose is whether it is fair. Fairness will consider factors such as the effects on the privacy of individuals (e.g. specific and targeted decisions about identified persons) and whether an individual has a reasonable expectation that their personal data will be used in the new way.
      So raw data from, say, driverless cars can still be used to analyse where the most accidents take place and how future accidents could be avoided. It can also be used to analyse traffic flows in order to reduce traffic jams.
  25. Businesses need to think whether their data can be anonymised for future processing, allowing raw data to be retained for big data, while protecting the rights of individuals.
      Companies are free to base processing on a contract, on a law or - in the absence of other bases - on a "balancing of interests". These 'formal requirements', such as consent, are set out in the rules to provide the necessary control by individuals over their personal data and to provide legal certainty for everyone. The new EU rules will provide flexibility on how to meet those requirements.
  26. 8 Important Things To Remember
      1. Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors, the Regulation provides for increased responsibility and accountability for those processing personal data.
      2. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
      3. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
      4. People can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.
      5. People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This is likely to increase competition among services.
  27. 6. A ‘right to be forgotten’ means people will be able to delete their data if there are no legitimate grounds for retaining it.
      7. EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
      8. A new Directive will apply general data protection principles and rules for police and judicial co-operation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.
      OK, I get it… But how will the new rules work in practice?
  28. Case Study 2:
      A multinational company with several establishments in EU Member States has an online navigation and mapping system across Europe. This system collects images of all private and public buildings, and may also take pictures of individuals.
      At present: the data protection safeguards upon data controllers vary substantially from one Member State to another. In one Member State, the deployment of this service led to a major public and political outcry, and some aspects of it were considered to be unlawful. The company then offered additional guarantees and safeguards to the individuals residing in that Member State after negotiation with the competent DPA; however, the company refused to commit to offer the same additional guarantees to individuals in other Member States.
      Currently: data controllers operating across borders need to spend time and money (for legal advice, and to prepare the required forms or documents) to comply with different, and sometimes contradictory, obligations.
  29. With the new rules: the new rules will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law should they wish to offer their services in the EU.
      When will the new laws apply?
      Following political agreement reached in trilogue, the final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter. So that means early 2018. The Commission will work together with the Member States and the Data Protection Authorities – the future European Data Protection Board - to ensure a uniform application of the new rules.
  30. Case Study: a UK company wants to expand its activities into Germany.
      With the current rules: its data processing activities will be subject to a separate set of rules in Germany and the company will have to deal with a new regulator. The costs of obtaining legal advice and adjusting business models in order to enter this new market may be prohibitive. For example, some Member States charge notification fees for processing data.
      With the new rules: the new data protection rules will scrap all notification obligations and the costs associated with these. The aim of the data protection regulation is to remove obstacles to cross-border trade.
  31. Next Steps
      The Commission will work closely with Member State Data Protection Authorities to ensure a uniform application of the new rules. During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations. Data Protection Authorities will work more closely together in the future, especially through the one-stop shop mechanism to solve cross-border data protection cases.
  32. Compliance
      No EU business can ignore this. We’ve been given two years to get ready, starting in January 2016. The clock is ticking. It’s not going away and ‘compliance with UK legislation’ will not be a defence. Independent national data protection authorities will be strengthened so they can better enforce the EU rules and they will be empowered to fine companies that violate EU data protection rules.
      Penalties for non-compliance
      Don’t forget that penalties can be €1 million or up to 2% of the global annual turnover of a company. There are rumours that this could soon be dramatically increased. A figure of €100 million has been mentioned in some quarters. And one source close to the legislature has already mentioned plans to make the fine at least 4% and €20m, rising, for the big offenders, to an eye-watering €30m and 5% of turnover!
  33. 9 Things You Should Do Right Now!
      1. Culture… does your accountability policy meet the new standards?
      2. Establish… a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimise data processing and retention of data, and building in safeguards.
      3. Check… are your staff trained to understand their new obligations? Conduct auditable privacy impact assessments; review any risky processing activities and the steps taken to address specific concerns.
      4. Prepare & practise… for data security breaches by putting clear policies and procedures in place so you can react quickly.
      5. Embed… privacy into any new processing or product at the design stage. This is also likely to demonstrate your compliance as well as giving you competitive advantage.
      6. Analyse… the type of data processing you do. Are your interests not over-ridden by the data subject? Can you prove consent?
  34. 7. Check… is your information, such as privacy notices, in clear and plain language, transparent and easily accessible, as will be required by law?
      8. Consider… if you are a supplier, whether your new obligations are built into your policies, procedures and agreements.
      9. Understand… the rights of data subjects, because it will be for you to prove by demonstration if you claim grounds to over-ride their interests. Plus you will be prepared to challenge individuals who may have ‘unrealistic expectations’!
Conclusion

If you’re unsure – and who isn’t? – then get help as soon as possible. Then make a plan… President Abraham Lincoln explained the value of planning when he said: “Give me six hours to chop down a tree, and I’ll spend the first four hours sharpening my axe.”

Things to Remember…

• The requirement for companies and organisations to notify the national supervisory authority of serious data breaches within 24 hours will likely spur companies to hasten their security auditing processes and force them to deploy new risk analysis and management tools.
• Remember too, that data processors will be held responsible for data protection, so under the new regulation any company or individual that processes data - including third parties such as cloud providers - will also be held responsible for its protection.
• Some cloud service providers, especially those based outside the EU, may not believe that the regulation applies to them. It does.
• So if you or anyone else touches or has access to your data, wherever they are based, you are all responsible in the case of a data breach!
• You will need to be extra vigilant when it comes to securing the data of others, and if you’re a data owner you must thoroughly vet your partners.
• If you fail… get ready for US-style class-action compensation claims.
• Which household name will be the first to suffer catastrophic financial and reputational damage?
• Don’t wait for users to contact you – it’s now going to be your responsibility to inform users of their rights. In addition, users should not have to opt-out of their data being used; they must opt-in to your systems. This is more stringent than the current directive, and companies that fall foul of these measures will face larger fines.
It’s not all bad news…

Remember that you will only be required to meet individuals’ “reasonable expectations” of data privacy. And elsewhere, the regulations stipulate that tokenised, encrypted or pseudonymised data does meet these expectations. So an organisation that encrypts or tokenises data before uploading to the cloud meets the new standard. If you keep your own encryption keys, any data loss is much less likely and, if it does happen, you can show the regulators that you took steps to “meet individuals’ reasonable expectations of data privacy”.
Decisions, decisions…

When an aeroplane comes in to land, the co-pilot counts down the approach.

8 miles, 10,000 feet.
6 miles, 6,000 feet.
4 miles, 2,000 feet.

Finally, the co-pilot says ‘2 miles to run. 1,000 feet. DECIDE.’ And at this point the pilot must respond ‘LAND’ or ‘GO AROUND’. The pilot can’t say ‘Err, bear with me, let me think about it and I’ll try to get back to you.’

Preparing for the new data protection legislation is like that right now. It’s coming in to land and the time has come to decide. Make a start… or ‘go around’. You’re in charge. It’s your call.
Richard McCann MBA PhD
Richard is a writer, journalist, lecturer and broadcaster.

Ian Collard, Managing Director, Identity Methods Ltd
Ian is a well-known government, banking and police digital security consultant and IdAM (Identity & Access Management) professional. Ian’s broad knowledge extends through enterprise, cloud, industrial control and other CNI (Critical National Infrastructure) cyber-security areas. Formerly security practice leader at Siemens, Ian has led successful consultancy, sales and implementations within various government departments and leading financial services companies; his cross-vertical knowledge is considerable.
Identity Methods Limited
Tower Point, 44 North Road, Brighton, East Sussex, BN1 1YR
+44 (0)1273 448080