Kawser Hamid Lead Policy Officer at the Information Commissioner's Office talks about the challenges of Cloud Computing and complying with Data Protection Act
A recording of the Northwest Regional meeting of the Institute of Information Security Professionals in Manchester on 23rd May 2013. Copyright of this presentation is held by the author, Kawser Hamid.
Kawser Hamid: ICO and Data Protection in the Cloud
1. Data Protection in the Cloud
Kawser Hamid
Lead Policy Officer
Information Commissioner’s Office
2. What I will talk about
• How does the Data Protection Act apply to the cloud?
• What are the key issues which need to be addressed?
• What are the potential solutions?
• Key points from our cloud guidance
• How might future changes in data protection law change things?
3. Data Protection Act - background
• Replaced the Data Protection Act 1984
• Framework for the use of personal data
• Technologically neutral
• Implements the 1995 EU Directive on Data Protection (95/46/EC)
4. How does the Data Protection Act apply to the cloud?
Q: What is the DPA about?
A: The DPA applies to the processing of personal data.
What does this mean?
5. Key concepts: data
Data is information within:
• A relevant filing system (or with that intention), i.e. a highly structured and readily accessible paper filing system
• Any type of information held by a body subject to the Freedom of Information Act
• An accessible record, i.e. health, education, housing and social services records
• Equipment operating automatically in response to instructions (or with that intention), i.e. computerised format
6. Key concepts: personal data
The DPA defines personal data as:
“data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
7. Other key concepts
• Processing – basically anything you can do to personal data, e.g. hold, disclose, amend or delete
• Data Subject – an individual who is the subject of personal data
• Data Controller – a person or body which decides what happens to the personal data it processes
• Data Processor – a person or body (other than an employee of the data controller) who processes personal data on behalf of the data controller
• The DPA eight principles
8. The eight principles
The DPA is based on eight principles of good personal data handling. The data must be:
1. Fairly and lawfully processed (and an appropriate Schedule 2 and 3 condition for processing)
2. Processed for limited purposes and not further processed in a manner which is incompatible with those purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual’s rights
7. Secure
8. Not transferred to countries outside of the European Economic Area unless adequate protection is provided
9. Seventh principle
The seventh principle states that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
10. Seventh principle
Deciding on what is “appropriate”:
• Nature of the information
• Harm which may result
Types of measures:
• Management and organisational
• Staff
• Physical security
• Computer security
If using a data processor, the data controller must:
• Make sure that they choose a processor who can offer an adequate level of security
• Have a written contract in place with the processor
• Check that the processor is complying with the security elements of the contract
11. Eighth principle
The eighth principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
12. Eighth principle
How to ensure adequacy:
• General factors to consider
• Non-EEA countries already considered adequate
• European Commission model contract clauses
• Binding Corporate Rules
13. So how does this apply to the cloud?
• Information in the cloud is data because it’s computerised.
• Much of the information bodies will use in the cloud is about living identifiable people and says something about them – therefore it is personal data.
• The people themselves will be data subjects.
• Something is going to happen to the personal data – therefore it is being processed.
• A cloud service purchaser will be the data controller because it will make the decisions about how the personal data is used.
• A cloud service provider will be the data processor because it is acting upon the instructions of the data controller.
• The cloud service provider will have to provide adequate security (7th principle).
• Cloud service providers may transfer personal data outside the EEA (8th principle).
14. What are the key issues which need to be addressed?
• Large cloud service providers are dictating the terms and conditions.
• A cloud service provider may have its servers anywhere around the world.
• Many cloud service providers use chains of subcontractors.
• How does a data controller ensure information governance?
• Many of the large cloud service providers are US companies and are subject to the USA PATRIOT Act.
15. What are the potential solutions?
Cloud service providers proactively addressing data protection issues:
• Flexibility over terms and conditions
Consumer power:
• Cloud service purchasers have to demand appropriate data protection standards.
ICO action:
• Be clear about what we think
• Empower cloud service purchasers to make the right choices
16. ICO guidance
New cloud sections on our website:
For organisations – “Guidance on the use of cloud computing”
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/cloud_computing.aspx
For the public – Guidance on cloud storage
http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cloud_computing.aspx
17. Guidance on the use of cloud computing – key points
Select which data to move to the cloud
Select the right cloud provider:
• What type of provider
• Transfers outside the EEA
• Security
• Monitoring performance
• Contracts
18. How might future changes in data protection law change things?
New (draft) Data Protection Regulation:
• Article 17 – Right to be forgotten.
• Article 18 – Right to data portability.
• Article 30 – The European Commission may specify the technical and organisational measures required in a particular sector.
• Article 31 – Breach notification.
• Article 33 – Mandatory data protection impact assessments for processing that represents specific risks to the rights and freedoms of data subjects.
• Article 34 – Prior authorisation and consultation for international transfers.
• Article 77 – Places liability on data processors as well as data controllers.
• RFS – temp test
• PA – not in RFS / unstructured – is data
• Accessible R – historic access rights – DPA can't give less
• Most relevant to cloud: cloud is clearly computerised, therefore will always be data
Basically any information that identifies a living individual and tells you something about them – e.g. health information.
Sensitive personal data, i.e.:
• Racial or ethnic origin
• Political opinions
• Religious opinions (or similar in nature)
• Membership of a trade union
• Physical or mental condition
• Sexual life
• Commission (or alleged commission) of an offence
• Any proceedings for any offence committed (or alleged to have been committed), the disposal of such proceedings or the sentence of any court in such proceedings
DC – legal liability. Third parties exclude the data subject and the data processor.
Most are self-explanatory, but principle 1 requires a little more explaining, and some are particularly relevant to cloud computing: principles 7 and 8.
“regard to the state of technological development and the cost of implementing any measures”
Appropriate to: nature of information, and harm which may result. Not one size fits all – more sensitive / greater harm = better security, and vice versa.
Measures:
• Organisational – e.g. appoint a person / department with specific responsibility, and have a policy
• Staff – aware of policies and trained on DPA restrictions on use of PD
• Physical – locks / alarms / CCTV / disposal – shredding
• Computer – passwords / encryption
Privacy by design – PETs: data minimisation, pseudonyms, blind signatures, trusted third parties, encryption, privacy impact assessments.
Transfer: not transit through – arrival at.
Adequacy:
• General – nature of info / how data used / laws and practices of country (enforceable?)
• Non-EEA OK – includes Argentina / Canada / USA – companies OK under Safe Harbor scheme – sign up to principles and accountable to Federal Trade Commission or other oversight
• Model clauses – if you use the clauses you don't need to make your own adequacy assessment / cannot change parts of the clauses
• BCR – applies to transfers within multinational companies / must be approved by a European DP regulator, e.g. ICO
Legal claims necessary: legal proceedings, legal advice, defence of legal rights.
DC/DP – DC legally responsible, not DP.
Main ones:
• Large cloud service providers are dictating the terms – incompatible with the standard DPA DC/DP model.
• A cloud service provider may have its servers anywhere around the world, therefore knowing exactly where personal data is being processed will be an issue in terms of the 8th principle.
• Subcontractors – don't know who is actually doing the real processing of data – SaaS, PaaS, IaaS – Dropbox / Facebook / Netflix – 8th principle.
• Information governance – ensure security – DC must take reasonable steps – but what are they? Who can see the data? Who has access to the data? What happens if the cloud fails – resilience? In the cloud you have no direct control!
• PATRIOT Act – DP will hand over stuff to US authorities without DC approval – DC client legal concerns. (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.)
Provider action:
• Transparency about the location of processing and by whom (8th).
• Security audit (7th) – independent third party to conduct a detailed security audit of the service and be able to provide a copy of this assessment to prospective cloud customers.
Customer power – market solution, in their commercial interests: if we don't take up their services they lose business, which may force a change in their stance.
ICO action:
• Be clear – PATRIOT Act: provider is DC for disclosure; purchaser – no action simply for choosing; not likely to take action against provider because it had to comply; sensitive PD.
• Empowering purchaser – cloud standards: providers signing up to an independently recognised standard; standard data protection contract clauses; Privacy Level Agreement by Cloud Security Alliance; European Commission – Euro-wide certification / standard T&C.
Other useful stuff, e.g. Article 29 Opinion on cloud computing; QMUL Cloud Legal Project; CPNI's information security briefing on cloud computing.
Public:
1. Think carefully about who can access your files
2. Choose your passwords carefully
3. Check the storage provider's terms and conditions and privacy notice
Select which data to move to the cloud
Person with DP / privacy responsibilities needs to consider:
• Not all needs to go in the cloud – may decide low sensitivity PD can go in, high sensitivity stays on local servers
• May decide that all PD is going in but certain categories require higher security
• Need to review all PD in DC possession and decide which should go in the cloud / what level of security, and keep a record of decisions
• Need to assess privacy implications – cloud use can create metadata which may be personal data – consider using a PIA
Selecting cloud provider
Once selection made, DPO needs to liaise with procurement staff to select an appropriate cloud provider:
• What type of cloud service / provider – different types of cloud, e.g. IaaS, PaaS, SaaS – some may specialise further – decide which is right
• Transfers outside the EEA – does the cloud provider have servers outside the EEA? If so, how can P8 be complied with? Does the provider have a policy on PATRIOT Act or similar requests?
• Security – what guarantees is the provider giving in relation to PD? Confidentiality – will the provider be able to access the PD? Integrity – what happens if the provider's systems go down, is PD recoverable / how quickly? Is data deleted completely when required? Availability – can the provider cope with fluctuations in demand / can users access when they need it? Is PD encrypted?
• Monitoring performance – how can you see if the provider is living up to their guarantees (P7 – reasonable steps)? Must be a continuing process throughout time with the provider. Is it possible for the DC to do an inspection? If not, is a third party auditor used, and if so how detailed will the report given to the DC be? Is a standard being applied?
• Contract – P7 requires that a written contract is in place with your provider: are the terms and conditions fixed by the provider or is there room to negotiate? Does the contract compel the provider to deliver your needs?
The European Commission has recently released its proposal for a new general Data Protection Regulation. Can't say too much about this because it's still a proposal.
Article 30 Security of processing (3): “The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.”
Art 77(1): “Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.”
Represents a big change – if it stays as is in the Regulation.