5 things you should know about Data Protection
David Foster
Head of Data Privacy Protection
January 2018
Opening Sing-along
My personal data are mine
To abuse them is a crime
You cannot share
You must take care
Or risk a hefty fine
David Foster 2018
1. My personal data are mine
• Personal data belong to the individual
• They are not yours to use as you see fit, not even if they are public!
• Fair processing
  • Legitimate Basis (hint: consent is a problem)
  • Specific Purpose
• Privacy notices should declare what, how and why data are processed
  • One is unlikely to be enough!
  • One notice for each independent service.
• Data Protection Impact Assessments (DPIA) may be needed.
2. To abuse them is a crime
• The scope of personal data is wide
  • Attributes, Photos, Electronic Identifiers …
• The scope of processing is broad
  • Analysing, Copying, Viewing …
• This is complex to communicate inside an organisation
  • Internal training
  • Internal policies
  • Accountability
• It may help to consolidate processes and infrastructure
  • Approved storage systems
  • Managed internal transfers
• Be wary of automated decision making and profiling
3. You cannot share
• Without safeguards, because privacy travels with the data
  • Responsibility rests with the controller
  • Contracts, codes of conduct, binding corporate rules
  • Records of transfers
  • Extra-territorial reach
• This may be a difficult culture change within organisations used to freely sharing personal data
• Complexity may increase with ePrivacy
4. You must take care
• You need to look after other people's data
  • Appropriate organisational and technical measures
  • Risks with unnecessary data retention
  • ISO27001 for data security and handling is a good starting point
• Individuals have rights to their data you are processing (even if not absolute rights)
  • There must be clear mechanisms to exercise the 8 basic rights, which should be in the privacy notice
• Privacy by default and by design
  • Anonymise or pseudonymise
5. Or risk a hefty fine
• It's all about managing risk
  • "Compliance", per se, does not exist
• Fines can be large depending on the infraction
  • Violations of principles carry the larger fine
• Mitigation of risk of large fines
  • A demonstrable attempt at implementing the legislative requirements
  • Internal Training, Policies, Accountability, Management Commitment
  • Having a DPO and accepting their advice
Finally …
Key Obligations of an Organization
• A29 Advice
  • "employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
  • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
  • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
  • employees should receive effective information about the monitoring that takes place; and
  • any international transfer of employee data should take place only where an adequate level of protection is ensured."
Employers Must:
• A29 Advice
  • "ensure that data is processed for specified and legitimate purposes that are proportionate and necessary;
  • take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose;
  • apply the principles of proportionality and subsidiarity regardless of the applicable legal ground;
  • be transparent with employees about the use and purposes of monitoring technologies;
  • enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data;
  • keep the data accurate, and not retain them any longer than necessary; and
  • take all necessary measures to protect the data against unauthorised access and
  • ensure that staff are sufficiently aware of data protection obligations."
Typical Reactions
• Fiction: "This is just administration so doesn't concern me"
  • Fact: This is part of the professional responsibilities
• Fiction: "OK, I will do it and then I can forget about it"
  • Fact: This is an ongoing and continual process
• Fiction: "Just tell me what to do so I don't have to think about it"
  • Fact: Privacy considerations have to become part of the culture, as simple prescriptions for all possible situations are not possible.
Monitoring
• Principles
  • Employees must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing. (Necessary but not in itself sufficient)
  • Data collected that includes personal data should be for a specific legitimate purpose.
  • Monitoring data should be anonymised by default.
• A29 Advice on limitations to monitoring
  • "geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited),
  • data-oriented (e.g. personal electronic files and communication should not be monitored), and
  • time-related (e.g. sampling instead of continuous monitoring)."
• Blocking is better than monitoring
• Questions
  • Are you handling this appropriately?
  • Are you "over-collecting" data with the risk of "further processing"?
  • How will you separate personal and work-related data?
  • Do you have a clear IT monitoring policy with appropriate safeguards?
Storage
• Principles
  • Ensure that data are not accidentally processed.
  • Ensure that deleted data stays deleted.
• A29
  • "It should be ensured that employees can designate certain private spaces to which the employer may not gain access unless under exceptional circumstances."
• Some Questions
  • Are all services where personal data are stored "fit for purpose"?
  • Can you demonstrate adequate technical measures? (ISO27001)
  • What are your policies for different classes of data on automatic deletion?
End-user devices
• Principles
  • Do not process non-work related personal data on devices allowed for private use, or in a private context (home).
• A29
  • "Select the most privacy protecting defaults"
  • Provide (acceptable use) policies. "This allows employees to adapt their behaviour to prevent being monitored when they legitimately use IT work facilities for private use"
• Some Questions
  • Do you have sufficient measures to allow for truly private use of facilities? (Laptops, Network, Storage etc.)
  • Are you offering enough advice on the use of IT facilities?
Typical and generic problems
• Collecting too much data - violates data minimisation
  • Because you have a single "Web form"
• Using unsecured transfer mechanisms - violates appropriate technical measures
  • Email
• Processing data without controls - violates appropriate organisational measures
  • Excel spreadsheets, Laptops etc.
• Personal Data kept because it "might be useful" - violates retention periods.
  • Archives
• Data stored on other services (internal and external) without privacy protecting agreements - violates appropriate safeguards.
  • Almost every storage system or platform
Finally, 5 things to do
1. Know where you are processing
  • Data mapping
2. Know what you are doing
  • Privacy notices
3. Know why you are doing it
  • Internal review of processing operations
4. Know that how you are doing it is correct
  • Technical measures and controls
5. Know when you should stop doing it
  • Retention periods
Good Luck!
Facebook has put together: "the largest cross functional team" comprising "senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies".
"Dozens of people at Facebook Ireland are working full time on this effort," it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017.
Source: https://techcrunch.com/2018/01/20/wtf-is-gdpr/

CERN 5 Things you should know about Data Protection