
GDPR and EA Commissioning a web site part 2 - Legal Environment


Second of 8 slide decks aimed at small to medium enterprises on factors to consider when commissioning a web site. This slide deck focuses on the changing legal environment brought about by legislation such as the EU GDPR.


  1. The Organisation As A System – The Performance Organisers – Structured Coherent Design. Commissioning a Web Site, Part Two – Legals, a Changing Environment. The introduction slide deck video can be downloaded here.
  2. http://www.jitsoftware.co.uk
  3. About the Author:
    • Allen Woods, recently retired.
    • Ex British Army (1971 – 1995): taught Arctic warfare, several years on operations, funded himself through college to study IT
    • Chartered Member of the British Computer Society for 20 years
    • Member of the Chartered Status Interview Panel for BCS
    • In 2010, finalist of the UK “Developer Of The Year” competition for HSIS
    • Primarily employed in UK Defence supply chain and logistics IT from 1995 until 2019
    • Credits: MoD Health and Safety Information System, various internal-to-Defence P&G portals, CATMIS, IQB oversight to the Defence Voyager Programme IM Transformation
    • LinkedIn profile
  4. I am not a lawyer….. But…..
    • Detailed and forensic review of the licence terms of an £800m outsourcing contract
    • The MoD Health and Safety Information System
    • US Arms Export Control Act
    • Internal MoD security and data/information management
    • GDPR – I have read it – several times – it’s a game changer for us geeks
    • GDPR is not the be all and end all……
    • This will take about an hour…….
  5. Caveats
    • Guide, not gospel
    • Pathfinder
    • Prove, validate and verify
    • There are no “licensed” GDPR experts
    • Brexit will change stuff
    • When building a web site, you are extending your organisation boundary.. but it’s YOUR boundary…
    • Beware of geeks bearing gifts…
  6. The Basic Problem(s)
    • The bad guys don’t do compliance
    • For much of the last 40 years IT has been largely unregulated
    • The scale of computer-related crime is unsustainable
    • IT, as a consequence, is being “gripped”
    • Privacy in particular is causing significant concerns
    • Across the world, government is asserting control
    • Internet of Things (IoT) and Bring Your Own Device (BYOD)
    • The need for cultural change…
  7. Focus on Privacy
  8. Privacy Regulation and Legislation – Where Does it Come From?
    • The Data Protection Act 1998 (and before)
    • Council of Europe Treaty 108
    • European Charter of Fundamental Rights
    • The Lisbon Treaty
    • General Data Protection Regulation (GDPR)
    • UK Data Protection Act 2018
  9. Each incorporating EU regulation into national legislation.
  10. Not forgetting the rest of the world…. A guide….
  11. Legal Context – Scope of the UK Information Commissioner’s Remit
    • Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
    • Freedom of Information Act 2000 (FOIA)
    • Environmental Information Regulations 2004 (EIR)
    • Investigatory Powers Act 2016
    • Re-use of Public Sector Information Regulations 2015
    • Security of Network and Information Systems Directive (NIS Directive)
    • Electronic Identification, Authentication and Trust Services Regulation (eIDAS)
    • Data Protection Act 2018 (DPA)
    • General Data Protection Regulation (GDPR)
  12. Post Brexit
    • “Third Country”
    • Adequacy agreement – eventually
    • Standard Contract Clauses
    • Binding Corporate Rules
    • Territorial Scope and Material Presence
  13. For the individual, there are new rights..
    • The right to be informed
    • The right of access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object
    • Rights in relation to automated decision making and profiling
    But the rights are not absolute.
  14. For the site owner, the lawful bases for processing personal data are:
    • Consent – opt in
    • Contract – you must hold personal data for, say, a service fulfilment purpose
    • Legal Obligation – health and safety etc.
    • Vital Interest – threat to life
    • Public Task – directed by the authorities
    • Legitimate Interest
    • Special Category Data – especially sensitive data
    • Criminal Offence Data – CRB checks if your organisation is obliged to carry them out
    But:
    • You must be able to justify data collection
    • You must have the policy and auditable governance in place to prove policy is being adhered to
    • And not forgetting more mundane things like multiple languages…
  15. [Diagram – Stakeholders: Person; Client 1, Client 2, Client 3; Server room; Internet Service Provider; External Client; Technical and Legal Consultancy; People / Staff; Personal Data; Personal Information Identifiers (PII); Interaction “as a maturing conversation”]
  16. [Same stakeholder diagram as the previous slide] For the site owner, the most significant change is that people now have rights they can exercise whenever and wherever they like, and the site owner MUST respond to the exercise of those rights…….
  17. Some Basic Operating Principles:
    • Liability – joint, vicarious and fiduciary (at least)
    • “Privacy by design” means what it says
    • The concept of “ownership” of data has been reversed
    • Those collecting personal data in particular are its custodians
    • The minimum data for the minimum time consistent with lawful processing standards
    • Validation and verification are key
    • Data means “structured” and “unstructured” data
    • Get it wrong and there are penalties
    • GDPR and privacy regulation provide a means to focus on your legal situation…
    • Compliance is a quality assurance matter
    • Unless agreed and properly contracted, no data crosses your organisation boundary such that third parties “do stuff” with it
    You WILL need legal advice in due course…..
  18. Other considerations:
    • Controller/Processor – whose code and data does what
    • Data Protection Officer – do you need one?
    • The Information Commissioner – policeman and registration
    • Brexit – adequacy, transfer of data into the EU and vice versa
    • Marketing and cookies – PECR
    • Policy and governance
    • Management of location
    • Understanding ownership
    • Risk management
    • Increasingly, data management is architectural in nature
  19. But Privacy Is Not The Only Legal Concern
  20. Primary Legislation
    • Companies Act
    • Health and Safety Regulations
    • International law
    • EU Regulation and Directives
    • Accessibility
    • And more besides……
  21. Standards and Compliance
    • IFRS
    • ISO 27001
    • ISO 9000
    • Cyber Essentials
    • Professional standards
    • Business sector standards
  22. But there is no legally sanctioned accreditation scheme….. Yet…..
  23. 7P’s – A simple preparatory exercise..
  24. Plan and Prepare Compliance Effort:
    • Download, read and study the regulations
    • Download and read this guide
    • The “Nightmare Letter”
    • The nightmare letter, first exercise
    • The nightmare letter, second exercise
    • The nightmare letter, third exercise
    • Review all three exercises
    • Develop policy and governance
    • Prepare web site requirements
    • Then decide on external expertise, if you need it
    • Start compliance effort… Register, or take the registration test
  25. Exercise Deliverables:
    • Data Dictionary
    • Document Librarian
    • DPIA Audit Tool
    • Records of Processing Activity
    • Risk Register
    • Asset Register
    • Understanding of the location of “stuff”
    • Positioning of data protection as an activity
    • Understanding of data protection roles
    • Training Needs Analysis
    • And more…..
  26. People who can help………
    • Tara Taubman-Bassarian
    • Paul Gillingwater
    • Dave Dickson
    • Daniel Suciu
    • Humperdinck Chapman
    • Rosario Murga Ruiz
    • Kris Long
    • Philipa Jane Farley
    • Graeme McGowan
    • Anthony Rocha
    • Rowenna Fielding
    • In the US: Jason Sarfati, Diana Candela, Oxebridge, Debbie Reynolds, Chris Roberts
  27. On Expertise…… Caveat Emptor…..
  28. Reading List
    • The Legal Environment of Computing
    • Transatlantic Data Protection In Practice
    • Privacy Impact Assessment
    • IT Governance
    • Regulatory IT Policies
    • Build a Better Privacy Policy
    • Managing Cyber Security Risk
    • Big Data Governance
    • The Mythical Man Month
    • The Art of Software Testing
  29. Useful Organisations
    • The Law Society
    • The UK Information Commissioner’s Office
    • The UK National Cyber Security Centre
    • Irish Data Protection Commission
    • CNIL
    • The US National Institute of Standards and Technology
    • The Open Web Application Security Project
    • The British Computer Society
    • The International Association of Privacy Professionals
    • The British Standards Institute
    • The Centre for Information Technology and Law
  30. The Portal – It’s all about the Architecture…..
  31. Summary
    The world of compliance for IT has changed and will continue to change (amongst other things, case law and the pace of technological change will drive a need to amend and update legislation). 7P’s: compliance is not a simple matter.
    This slide deck explains, as a starter for 10, some of the legal considerations that will need to be given when commissioning a web site. The key principle is that the controller is responsible for the guardianship of personal data (and other data, come to that). You no longer “own” personal data…
    While privacy is significant, it is not the only legislation you may need to consider.
    You will need three kinds of expertise: legal, security and technical. Depending on your circumstances there may be a need to involve other professional disciplines.
    The next slide deck in the series: Developing Policy and Governance.
  32. http://www.jitsoftware.co.uk Tel: +44 07780 568449 Email: allenwoods@jit-software.com Skype: apw808
