
Antti Iso-Markku - General Data Protection Regulation - Why Should I as a MSP Care?


Antti Iso-Markku, Legal Counsel of Fondia, discusses the upcoming GDPR regulations and why you as an MSP should care to take action to protect your customers.

Published in: Technology

  1. 16.11.2017 Miradore User Seminar / Antti Iso-Markku, Fondia Oyj: General Data Protection Regulation – Why Should I as a MSP Care?
  2. EU’s General Data Protection Regulation (GDPR)
     • The result of a long legislative process
     • Entered into force on 24 May 2016, applicable as of 25 May 2018
     • Is directly applicable law, meaning it does not depend on national implementation
     • A legislative process regarding updating the Personal Data Act and special legislation is in progress in Finland
       • Working group memorandum published 21 June 2017
       • Government’s proposition for a data protection act
     • In a parallel track, the EU is preparing a regulation on ePrivacy, which is currently under discussion in the legislative bodies and is hoped to apply at the same time as the GDPR
  3. So Why Should I as a MSP Care? In a nutshell:
     • Basically all companies of the digital age have personal data of their customers and business partners in their data systems, whether they are aware of it or not – the regulation applies as it is in such cases
     • In your case, you are the processor of your customers’ and their end-users’ personal data
     • The regulation regarding processing of personal data will become more stringent with the GDPR
     • Processing of personal data will demand a more systematic and active approach than before
     • The supervisory authority has the right to demand that an organisation correct its behaviour or stop the processing of data completely, if the processing is not in accordance with the laws and regulations
     • If the activity is not corrected or the breach is otherwise serious enough, the authority may order an administrative fine, which exists in two different sizes:
       • 10 million € or 2 % of the worldwide turnover in the preceding financial year
       • 20 million € or 4 % of the worldwide turnover in the preceding financial year
     • In addition, in the world of increasing privacy awareness, companies are threatened by reputational risks
  5. "There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked." – John Chambers, CEO of Cisco (image: © The Preiser Project @ Flickr, CC BY 2.0)
  6. Personal data, controller and processor
     • "Personal data means any information relating to an identified or identifiable natural person that can be associated with the person; an identifiable natural person is one who can be identified, directly or indirectly, through an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"
     • "Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
     • "Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"
  7. Fundamental Principles of Data Protection
     1. Lawfulness, fairness and transparency of processing
     2. Purpose limitation
     3. Data minimisation
     4. Data accuracy
     5. Limitation of storage of data
     6. Integrity and confidentiality of data
     7. Accountability of the controller/processor
  8. "Of course we take care of data privacy …" / "Here is our data processing review report, based on which the privacy policy and impact assessment have been made." (image: © ad.mak @ Flickr, CC BY 3.0)
  9. Privacy by Design and Default
     • Privacy by Design: privacy is taken into account during the entire lifespan of the processing, and in particular already when planning the collecting and processing of data
       • Organisational actions such as training of personnel, instructions and regulations, confidentiality, certificates, inspections and audits, data processing reports, charting of information flows
       • Technical actions such as general-level information security, data encryption and anonymisation / pseudonymisation, technical safeguards, inspection and control systems, remote access and user rights control, physical premises control
     • Privacy by Default: primarily the right to process concerns only data relevant for the purpose of processing; asking for this and that is not allowed only on the grounds that the information might be useful in the future
       • Restricts the quantity, scope, storage time and availability of the collected data
  10. Rights of the Data Subject
     • Data subject means a natural person whose personal data is processed
       1. Right to transparent information regarding the processing (privacy policy)
       2. Right of access to information
       3. Right to rectify information and right to be forgotten
       4. Right to restriction of processing
       5. Right to data portability
       6. Right to object
       7. Right not to be subject to a decision based on automated processing
     • With some exceptions related to pseudonymised/anonymised data, which the controller can no longer attribute to a specific person
  11. Risk-Based Examination
     • What kind of processing of personal data may cause a considerable risk for the data subject?
     • Considerable risk is assessed by:
       • Probability
       • Seriousness
       • For example identity theft, economic loss, discrimination, reputational risk, disclosure of sensitive information, lack of trust in relation to the controller
     • GDPR differentiates the actions required from the controller into different levels based on the risk:
       • High risk: impact assessment, discussions with the authority, informing the data subject of a personal data breach
       • Basic level: informing the authorities of a data breach, prior planning and accountability, fulfilling the rights of the data subject
       • Low risk level: fewer requirements regarding the processing of anonymised personal data
  12. (image slide: © GotCredit @ Flickr, CC BY 2.0)
  13. Data Protection Officer
     • Data Protection Officer (DPO) shall be designated if:
       • The body is public by virtue of its nature
       • The core activities of the body consist of large-scale systematic monitoring of personal data
       • The core activities of the body consist of processing of sensitive personal data and criminal convictions
     • May be voluntarily chosen also in other organisations; may be shared between several organisations
     • DPO’s suitability requirements are sufficient knowledge and understanding of data protection matters and risks; DPO’s duty is to independently assist in and inform the organisation of the planning and implementation of data security measures and policies
  14. Your new DPO? --> You wish! (image: © Jlhopgoog @ Flickr, CC BY-ND 2.0)
  15. Outsourcing the Processing and Transfer of Data
     • Always based on a written agreement, the minimum content of which is defined in the regulation
     • Subcontracting is not possible without the controller’s permission; the processor is liable for the subcontractor’s actions as for its own
     • The EU draws up model clauses through which a sufficient level of personal data protection can be guaranteed when transferring data outside the EU/EEA
       • Alternatively, the processor may join the Privacy Shield system and in that way prove a sufficient level of data security
       • Clause in the privacy policy indicating the transfer of data and the sufficient level of data security
     • The processor shall refrain from data processing that violates the regulation and notify the controller of the fact
  16. Data Security Infringements and Data Breaches
     • Notification of a data breach or other misappropriation of data shall be made to the supervisory authority within 72 hours of having become aware of the breach
       • What data was compromised, what risks the compromised data poses, what measures have been taken to rectify the situation
     • The notification may be refrained from or made later only in exceptional circumstances
     • In cases of particularly high risk, the data subjects themselves, whose data has fallen into the wrong hands, shall also be notified
     • This means that when a data breach/loss of data has happened and the organisation does not have a clear policy or process for such situations, it is already in deep trouble
  17. "Security is always excessive until it’s not enough." – Robbie Sinclair, Head of Security, NSW Australia (image: © Tim Samoff @ Flickr, CC BY-ND 2.0)
  18. The Most Important Changes for MSPs
     • Accountability: document, document and document
     • Provide the customers (Data Controllers) with the tools and support necessary to respond to the queries made by the end-users (Data Subjects)
     • Ensure there are written data processing agreements (DPAs) between you and the customer before they start to use the service
     • Assess the risk in your data processing and design appropriate safeguards
     • Train your personnel about GDPR and privacy issues
  19. Next Steps – How to Ensure a Sufficient Level of Data Security When the Regulation Arrives
     • Understand that this, in all probability, concerns your entire organisation
     • It’s not yet too late, if you begin to take measures NOW
     • Map the current situation
     • Make data protection and security a part of the process from the beginning
     • Consider the need for a data protection officer and/or assign the responsibility internally
     • One step at a time, this is a marathon and not a sprint!
     • Seek outside help if you cannot make heads or tails out of it on your own
  20. 16.11.2017 Miradore User Seminar / Antti Iso-Markku, Fondia Oyj. Thank you! Antti Iso-Markku, Legal Counsel, 020 7205 438