20120418 Castlebridge Associates Data Protection and the Cloud, Darragh O'Brien

Published in: Technology, Business
1. DATA PROTECTION & THE CLOUD
Current State and Probable Future

2. INFORMATION & DATA QUALITY / INFORMATION GOVERNANCE / DATA PROTECTION
Information & Data Quality: In today's interconnected Information Age it is more important than ever for organisations to properly manage the quality of their Information Assets.
Information Governance: In today's Information Age "Everyone is Enterprise", making good Information Governance more important than ever. That often requires challenging changes to be made as people change their thinking about who is responsible and accountable for Information.
Data Protection: Smart organisations realise that compliance with Data Protection rules is a key element in a trusted Information-Fuelled business, and it's about more than just securing the data!
In each area: • Strategy & Consulting • Project Management • Training & Mentoring

3. SERVICES
• Training: Information Quality, Data Protection, Data Governance
• Consulting, Coaching / Mentoring: Information Quality, Data Protection, Data Governance
• Project Management: Quality Assured
• Credentials: Certified Trainers; External QA Audits; Irish State Approved Training Provider; Quality Assured Syllabus; Qualified & Experienced; IQCP Certified; Certified PMs
• Many industries: Govt, Edu, Utilities, Fin. Svcs, Non-Profit, Telco

4. CONTACT
Web: www.castlebridge.ie
Twitter: @cbridgeinfo
Email: enquiries@castlebridge.ie
Contact Daragh directly: Twitter @daraghobrien, Email daragh@castlebridge.ie

5. AGENDA
• Some Context: Data Protection in the Media (Trends)
• Current Situation
• Selected highlights from the Regulation
• Implications for Cloud

6. THE QUESTION
Is the probability of your data protection problems featuring in the media getting bigger?

7. THE SHORT ANSWER

8. THE LONG ANSWER

9. WHAT WE DID
1. Assume Google search hits as a surrogate for media focus on the issue
2. Select website domains of print-media newspapers in Ireland
3. Select one international print newspaper with a website
4. Conduct Google searches within the domains of the sites
5. Analyse findings to determine trends (if any)
6. Analyse findings for relevance over time (first 10 results)

10. COMPARING 2010 AND 2011
Growth in hits for "Data Protection" or "Privacy" averages 117% between 2010 and 2011.

11. COMPARING 2010 AND 2011
Some newspapers have significantly higher search hit rates than others during that period, but the increase in relevant hits is consistent.

12. SEARCH RESULTS (JANUARY ONLY) 2010-2012
Comparison of search results for January 2010 to January 2012 shows a consistent upward trend in relevant returns.

13. IS THIS A NEW PHENOMENON?
Analysis of search results since 2004 shows a consistent and accelerating upward trend in search results each year. Upward inflection point in 2007/2008. Irish Times results growing faster.

14. DOWNLOAD
For more analysis on this topic, download the whitepaper from our website (no registration required, but please leave a comment on the site!)
http://www.castlebridge.ie/blog/daragh-o-brien/2012/february/data-protection-growing-area-media-interest

15. THE CURRENT SITUATION FOR CLOUD/DATA PROTECTION

16. Watch the video tutorial: http://bit.ly/Jkl5Pa

17. THE PROPOSED REGULATION

18. KEY DEVELOPMENTS
• New Rights
• New Duties
• New Penalties
• New Definitions
• New Roles & Concepts

19. RIGHTS
All rights that exist under Directive 95/46/EC continue to exist.
Right to be Forgotten: expands on the existing rights of correction, erasure and blocking. Requires deletion of any related links and any shared/distributed copies. Not an absolute right; it will need to be balanced against other rights/responsibilities.
Right to Data Portability: where data is in a structured and commonly used format, the Data Subject is entitled to a copy of the data for further use (even with another service provider).
The Regulation is very "Data Subject" centric: more rights, more expansive rights. But the basics remain the same.

20. DUTIES
Organisations will need to focus on internal governance and training to ensure compliance, and put in place metrics to evidence this.
"The Controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation"
• Documentation of processing
• Data security
• Data Protection Impact Assessments
• Meeting requirements of Prior Authorisation or Prior Consultation
• Implement mechanisms to ensure the verification of the effectiveness of these measures

21. DOCUMENTATION
The requirement to register with the DPC is replaced with a requirement to maintain internal documentation about your processing.
"Each Controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility"
• Name and contact details of the Controller/Processor/Representative
• Name and contact details of the Data Protection Officer
• Purposes of processing
• Description of the categories of data subjects and categories of personal data being processed
• Details of how controls are being verified
The Commission may define formats for process documentation.

22. DATA PROTECTION OFFICER
Creates a formal role in the management function; independence guaranteed under the Regulation; not limited to employers with 250+ staff.
"The Controller and the processor shall designate a Data Protection Officer in any case where..."
• processing is carried out by a public authority or body, OR
• processing is carried out by an enterprise with 250+ employees, OR
• the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects
• The office holder must have expert knowledge of Data Protection law and practices and other professional qualities
• Must be "appropriately" resourced by the organisation
The 250-employee threshold has been criticised; the other categories may still require a DPO to be appointed.

23. DATA SECURITY
Security continues to be an important issue. Breach notification required within 24 hours. Impact on processors regardless of contract.
"Article 30 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC, extending that obligation to processors, irrespective of the contract with the controller"
• Requirements include MANDATORY breach notification
• Apply to processors and controllers equally
• "Belt and braces" on contractual provisions re: security
Security and privacy are becoming a source of competitive advantage.

24. CROSS BORDER DATA TRANSFER
It will not matter where your Cloud service is based. If you are based in the EU, selling into the EU, or monitoring the behaviour of people in the EU, EU law will apply.
The Regulation applies to:
• processing of personal data by organisations based in the EU
• processing of personal data by organisations based outside the EU that are offering goods or services to data subjects in the EU, or monitoring their behaviour
• cases where the national law of a Member State applies under public international law
Sets EU principles as a benchmark for other nations. Puts the focus on protection of the Data Subject.

25. CROSS BORDER DATA TRANSFER
The principles of cross-border transfer are largely unchanged. Binding Corporate Rules simplified; some new elements proposed.
Transfer overseas is permitted:
• to "safe countries" (adequacy decision)
• with appropriate safeguards in CONTRACT (Standard Contractual Clauses)
• under Binding Corporate Rules (BCR; the process is simplified)
Similar to existing frameworks. Key focus is on SAFEGUARDS and enforceability. Still not without complexity for Cloud services. Countries can now be declared UNSAFE.

26. TWEAKED DEFINITION OF "DATA SUBJECT"
The definition of Data Subject will be changing to include additional categories and types of data.
"an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person"
The definition is expanded beyond 95/46/EC to include a wider range of data, including location data and online identifiers (including usernames and IP addresses... we assume...). Doesn't quite match the Article 29 Working Party definition; some scope for change.

27. PRIVACY BY DESIGN
Privacy by Design basically requires fundamental quality principles to be applied to Data Protection to PREVENT problems.
"Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
• Requirement is to build quality in
• Requirement is to ensure quality is managed
• Recommended practice for all data; mandatory for SENSITIVE data

28. PROCESSORS BECOMING CONTROLLERS
Exceeding your contracted duties will strip processors of any de facto protections they might have availed of as processors acting under orders.
If you are a processor who acts outside the terms of your engagement with a Data Controller, you will be treated as a Data Controller:
• Full penalties apply to you
• Important to have DOCUMENTED contracts outlining the nature of the processing being performed
• Important to have change control

29. ONE-STOP SHOP
Potentially will simplify things for EU companies. The mechanism for how this will work still has to be clarified.
EU27 Data Protection Authorities will engage in greater co-operation and collaboration.
• Important to know where your "base" is, as that is the DPA you will deal with
• Customers in other EU countries will deal with you via their national DPA, who will liaise with the Irish DPC
• Precise mechanism still to be confirmed

30. PENALTIES
The penalties and enforcement mechanisms are greatly strengthened in the Regulation. Plenty of opportunity to make legal history.
Up to €2 million or 5% of global turnover
• EU member states may implement further administrative sanctions
• Potential to be sued in court by a Data Subject
• Don't forget brand damage
Mechanisms for the application of penalties are still to be fully defined and fleshed out. Expect to see mechanisms between "slap on the wrist" and "sell the house".

31. IMPLICATIONS FOR CLOUD?

32. M.A.G.G.O.T
M – Meaning, Measurement, Money
A – Accountability & Accessibility
G – Governance
G – Global Scope & Effect
O – Oversight & Operations
T – Transparency

33. TIME SCALES FOR REGULATION?
• Expected to be enacted and implemented 2013 (ish)
• Enforceable 2 years later
• 24 to 36 months to make changes in your organisation, your operating model, and with your partners

34. The Early Bird gets the Worm... ...or the M.A.G.G.O.T

35. DARAGH'S PUBLICATIONS
The Data Strategy and Governance Toolkit (2011): Taking an "Information Quality" perspective, and building on his 2008 publication, this book explores the drivers for Information Quality and Data Governance in modern organisations, regardless of size, as well as exploring the role of Governance and Information Quality in areas such as Cloud Computing and Regulatory Compliance. O'Brien also takes readers through tools and methodologies for communicating the value of information quality, data governance, and related disciplines, such as:
• Defining a Value Delivery System
• Strategy Maps
• Story Telling
Defining and Executing an Effective Data Quality Strategy (2008): Managing Information and Data Quality requires organisations to take a strategic approach in order to ensure success. This report summarises a number of best-practice methodologies for Information/Data Quality Management, key drivers for managing and improving the quality of information, and useful approaches for mapping and communicating the strategic importance of high-quality information and data in your organisation.
Both published by Ark Group, available on Amazon. Buy: http://bit.ly/HWKdXD
