The Organisation As A System
The Performance Organisers
Structured Coherent Design
Commissioning a Web Site
Part Two – Legals, a Changing Environment
The introduction slide deck video can be downloaded here
http://www.jitsoftware.co.uk
Commissioning a Web Site - Legals
About the Author:
• Allen Woods, recently retired.
• Ex British Army (1971 – 1995). Taught Arctic Warfare, Several Years On Operations, Funded Himself through College to Study IT
• Chartered Member of the British Computer Society for 20 years
• Member of the Chartered Status Interview Panel for BCS
• In 2010, Finalist of UK “Developer Of The Year” Competition for HSIS
• Primarily Employed in UK Defence Supply Chain and Logistics IT from 1995 until 2019
• Credits: MoD Health and Safety Information System, Various Internal to Defence P&G Portals, CATMIS, IQB Oversight to Defence Voyager Programme IM Transformation
• LinkedIn Profile
I am not a Lawyer…
But…
• Detailed and forensic review of licence terms of an £800m outsourcing contract
• The MoD Health and Safety Information System
• US Arms Export Control Act
• Internal MoD Security and Data/Information Management
• GDPR – I have read it – Several times – It’s a game changer for us Geeks
• GDPR is not the be all and end all…
• This will take about an hour…
Caveats
• Guide, not gospel
• Pathfinder
• Prove, validate and verify
• There are no “licensed” GDPR experts
• Brexit will change stuff
• When building a web site, you are extending your organisation boundary… But it’s YOUR boundary…
• Beware of geeks bearing gifts…
The Basic Problem(s)
• The bad guys don’t do compliance
• For much of the last 40 years IT has been largely unregulated
• The scale of computer-related crime is unsustainable
• IT, as a consequence, is being “gripped”
• Privacy in particular is causing significant concerns
• Across the world, government is asserting control
• Internet of Things (IoT) and Bring Your Own Device (BYOD)
• The need for cultural change…
Focus on Privacy
Privacy Regulation and Legislation – Where Does it Come From
• The Data Protection Act 1998 (and before)
• Council of Europe Treaty 108
• European Charter of Fundamental Rights
• The Lisbon Treaty
• General Data Protection Regulation (GDPR)
• UK Data Protection Act 2018
Each incorporating EU regulation into national legislation
Not forgetting the rest of the world….
A guide….
Legal Context – Scope of UK Information Commissioner’s Remit
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Freedom of Information Act 2000 (FOIA)
• Environmental Information Regulations 2004 (EIR)
• Investigatory Powers Act 2016
• Re-use of Public Sector Information Regulations 2015
• Security of Network and Information Systems Directive (NIS Directive)
• Electronic Identification, Authentication and Trust Services Regulation (eIDAS)
• Data Protection Act 2018 (DPA)
• General Data Protection Regulation (GDPR)
Post Brexit
• “Third Country”
• Adequacy agreement - eventually
• Standard Contract Clauses
• Binding Corporate Rules
• Territorial Scope and Material Presence
For the individual, there are new rights..
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
But the rights are not absolute
For the site owner, the lawful bases for processing personal data are:
• Consent – Opt In
• Contract – You must hold personal data for, say, a service fulfilment purpose
• Legal Obligation – Health and Safety etc
• Vital Interest – Threat to life
• Public Task – Directed by the authorities
• Legitimate Interest
• Special Category Data – especially sensitive data
• Criminal Offence Data – CRB checks if your organisation is obliged to carry them out
But:
• You must be able to justify data collection
• You must have the policy and auditable governance in place to prove the policy is being adhered to
• And not forgetting more mundane things like multiple languages…
[Diagram: web site stakeholders: Person; Client 1, Client 2, Client 3; Server room; Internet Service Provider; External Client; Technical and Legal Consultancy; People; Staff. Labels: Personal Data; Personal Information Identifiers (PII); Interaction “as a maturing conversation”; Stakeholders]
For the site owner, the most significant change is that people now have rights they can exercise whenever and wherever they like, and the site owner MUST respond to the exercise of those rights…
Some Basic Operating Principles:
• Liability – Joint, Vicarious and Fiduciary (at least)
• “Privacy by design” means what it says
• The concept of “Ownership” of data has been reversed.
• Those collecting personal data in particular are its custodians
• The minimum data for the minimum time consistent with lawful processing standards
• Validation and verification are key
• Data means “structured” and “unstructured” data
• Get it wrong and there are penalties
• GDPR and Privacy regulation provide a means to focus on your legal situation…
• Compliance is a quality assurance matter.
• Unless agreed and properly contracted, no data crosses your organisation boundary such that third parties “do stuff” with it.
You WILL need legal advice in due course…
Other considerations:
• Controller/Processor – whose code and data does what
• Data Protection Officer – Do you need one?
• The Information Commissioner – Policeman and Registration
• Brexit – Adequacy, transfer of data into the EU and vice versa
• Marketing and Cookies - PECR
• Policy and Governance
• Management of Location
• Understanding Ownership
• Risk Management
• Increasingly, data management is architectural in nature
But Privacy Is Not The Only Legal Concern
Primary Legislation
• Companies Act
• Health and Safety Regulations
• International Law
• EU Regulation and Directives
• Accessibility
• And more besides……
Standards and Compliance
• IFRS
• ISO 27001
• ISO 9000
• Cyber Essentials
• Professional standards
• Business Sector Standards
But there is no legally sanctioned accreditation scheme… Yet…
7P’s – A simple preparatory exercise..
Plan and Prepare Compliance Effort:
• Download, read and study the regulations
• Download and read this guide
• The “Nightmare Letter”
• The nightmare letter first exercise
• The nightmare letter second exercise
• The nightmare letter third exercise
• Review all three exercises
• Develop policy and governance
• Prepare web site requirements
• Then decide on external expertise. If you need it.
• Start compliance effort… Register, or take registration test.
Exercise Deliverables:
• Data Dictionary
• Document Librarian
• DPIA Audit Tool
• Records of Processing Activity
• Risk Register
• Asset Register
• Understanding of Location of “stuff”
• Positioning of Data Protection as an activity
• Understanding of data protection roles
• Training Needs Analysis
• And more…..
People who can help………
Tara Taubman-Bassarian
Paul Gillingwater
Dave Dickson
Daniel Suciu
Humperdinck Chapman
Rosario Murga Ruiz
Kris Long
Philipa Jane Farley
Graeme McGowan
Anthony Rocha
Rowenna Fielding
In the US
Jason Sarfati
Diana Candela
Oxebridge
Debbie Reynolds
Chris Roberts
On Expertise…… Caveat Emptor…..
Reading List
• The Legal Environment of Computing
• Transatlantic Data Protection In Practice
• Privacy Impact Assessment
• IT Governance
• Regulatory IT Policies
• Build a Better Privacy Policy
• Managing Cyber Security Risk
• Big Data Governance
• The Mythical Man Month
• The Art of Software Testing
Useful Organisations
• The Law Society
• The UK Information Commissioners Office
• The UK National Cyber Security Centre
• Irish Data Protection Commission
• CNIL
• The US National Institute of Standards in Technology
• The Open Web Application Security Project
• The British Computer Society
• The International Association of Privacy Professionals
• The British Standards Institute
• The Centre for Information Technology and Law
The Portal
It’s all about the Architecture…
Summary
The world of compliance for IT has changed and will continue to change (amongst other things, case law and the pace of technological change will drive a need to amend and update legislation).
7P’s. Compliance is not a simple matter.
This slide deck explains, as a starter for 10, some of the legal considerations that will need to be given when commissioning a web site.
The key principle is that the controller is responsible for the guardianship of personal data (and other data, come to that). You no longer “own” personal data…
While privacy is significant, it is not the only legislation you may need to consider.
You will need three kinds of expertise: Legal, Security and Technical, but depending on your circumstances there may be a need to involve other professional disciplines.
The next slide deck in the series: Developing Policy and Governance
http://www.jitsoftware.co.uk
Tel: +44 07780 568449
Email: allenwoods@jit-software.com
Skype: apw808
VIP Raipur Girls Call Raipur 0X0000000X Doorstep High-Profile Girl Service Ca...VIP Raipur Girls Call Raipur 0X0000000X Doorstep High-Profile Girl Service Ca...
VIP Raipur Girls Call Raipur 0X0000000X Doorstep High-Profile Girl Service Ca...
 

GDPR and EA Commissioning a web site part 2 - Legal Environment

6. The Basic Problem(s)
• The bad guys don’t do compliance
• For much of the last 40 years IT has been largely unregulated
• The scale of computer-related crime is unsustainable
• IT, as a consequence, is being “gripped”
• Privacy in particular is causing significant concerns
• Across the world, government is asserting control
• Internet of Things (IoT) and Bring Your Own Device (BYOD)
• The need for cultural change…

7. Focus on Privacy

8. Privacy Regulation and Legislation – Where Does it Come From?
• The Data Protection Act 1998 (and before)
• Council of Europe Convention 108
• European Charter of Fundamental Rights
• The Lisbon Treaty
• General Data Protection Regulation (GDPR)
• UK Data Protection Act 2018

9. Each incorporating EU regulation into national legislation

10. Not forgetting the rest of the world…. A guide….

11. Legal Context – Scope of the UK Information Commissioner’s Remit
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Freedom of Information Act 2000 (FOIA)
• Environmental Information Regulations 2004 (EIR)
• Investigatory Powers Act 2016
• Re-use of Public Sector Information Regulations 2015
• Security of Network and Information Systems Directive (NIS Directive)
• Electronic Identification, Authentication and Trust Services Regulation (eIDAS)
• Data Protection Act 2018 (DPA)
• General Data Protection Regulation (GDPR)

12. Post Brexit
• “Third Country”
• Adequacy agreement – eventually
• Standard Contractual Clauses
• Binding Corporate Rules
• Territorial Scope and Material Presence

13. For the individual, there are new rights..
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
But the rights are not absolute

14. For the site owner, the lawful bases for processing personal data are:
• Consent – opt in
• Contract – you must hold personal data for, say, a service fulfilment purpose
• Legal Obligation – health and safety etc.
• Vital Interest – threat to life
• Public Task – directed by the authorities
• Legitimate Interest
Two further categories are not lawful bases in themselves; each needs an additional condition on top of one of the six above:
• Special Category Data – especially sensitive data (health and biometric data and the like)
• Criminal Offence Data – DBS (formerly CRB) checks, if your organisation is obliged to carry them out
But:
• You must be able to justify data collection
• You must have the policy and auditable governance in place to prove policy is being adhered to
• And not forgetting more mundane things like multiple languages…
15. [Diagram, reused from the Part One introduction: the organisation boundary with the Person, Clients 1 to 3, the server room, the Internet Service Provider, an external client, technical and legal consultancy, and people/staff, with personal data and personally identifiable information (PII) flowing between them; interaction “as a maturing conversation”; stakeholders]

16. [Same diagram] For the site owner, the most significant change is that people now have rights they can exercise whenever and wherever they like, and the site owner MUST respond to the exercise of those rights…….
17. Some Basic Operating Principles:
• Liability – joint, vicarious and fiduciary (at least)
• “Privacy by design” means what it says
• The concept of “ownership” of data has been reversed
• Those collecting personal data in particular are its custodians, not its owners
• The minimum data for the minimum time consistent with lawful processing standards
• Validation and verification are key
• Data means “structured” and “unstructured” data
• Get it wrong and there are penalties
• GDPR and privacy regulation provide a means to focus on your legal situation…
• Compliance is a quality assurance matter
• Unless agreed and properly contracted, no data crosses your organisation boundary such that third parties “do stuff” with it
You WILL need legal advice in due course…..

18. Other considerations:
• Controller/Processor – whose code and data does what
• Data Protection Officer – do you need one?
• The Information Commissioner – policeman and registration
• Brexit – adequacy, transfer of data into the EU and vice versa
• Marketing and Cookies – PECR
• Policy and Governance
• Management of Location
• Understanding Ownership
• Risk Management
• Increasingly, data management is architectural in nature

19. But Privacy Is Not The Only Legal Concern

20. Primary Legislation
• Companies Act
• Health and Safety Regulations
• International Law
• EU Regulation and Directives
• Accessibility
• And more besides……

21. Standards and Compliance
• IFRS
• ISO 27001
• ISO 9000 (certification is against ISO 9001)
• Cyber Essentials
• Professional standards
• Business Sector Standards

22. But there is no legally sanctioned accreditation scheme….. Yet…..

23. 7P’s – A simple preparatory exercise..

24. Plan and Prepare Compliance Effort:
• Download, read and study the regulations
• Download and read this guide
• The “Nightmare Letter”
• The nightmare letter – first exercise
• The nightmare letter – second exercise
• The nightmare letter – third exercise
• Review all three exercises
• Develop policy and governance
• Prepare web site requirements
• Then decide on external expertise, if you need it
• Start compliance effort… Register, or take the registration test

25. Exercise Deliverables:
• Data Dictionary
• Document Librarian
• DPIA (Data Protection Impact Assessment) Audit Tool
• Records of Processing Activity
• Risk Register
• Asset Register
• Understanding of location of “stuff”
• Positioning of data protection as an activity
• Understanding of data protection roles
• Training Needs Analysis
• And more…..
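One way to make slide 14’s “you must be able to justify data collection” and slide 17’s “minimum data for the minimum time” auditable is to hold the Data Dictionary and the Records of Processing Activity from slide 25 as data and check one against the other. The block below is an added example written for this page; it is not code from the slide deck or its author. The Field, Processing and Holding structures, the audit rules, the retention periods and the sample e-commerce site data are all assumptions constructed for illustration; only the six lawful-basis names come from slide 14.

```python
"""Toy 'records of processing activity' check over a web site's data dictionary.

Added example, not code from the slide deck or its author. The structures
(Field, Processing, Holding) and the sample site data are constructed here
for illustration; the lawful-basis names follow the list on slide 14.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The six Article 6 lawful bases from slide 14, as machine-readable labels.
# Special category and criminal offence data are NOT bases: they need an
# additional condition on top of one of these, which audit() checks for.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interest", "public_task", "legitimate_interest",
}


@dataclass(frozen=True)
class Field:
    """One data dictionary entry: a personal-data item the site collects."""
    name: str
    special_category: bool = False   # e.g. health data
    criminal_offence: bool = False   # e.g. DBS (formerly CRB) check results


@dataclass(frozen=True)
class Processing:
    """One record of processing activity: why, on what basis, which fields, how long."""
    purpose: str
    lawful_basis: str
    fields: frozenset
    retention_days: int
    extra_condition: Optional[str] = None   # the additional condition for special/criminal data


@dataclass(frozen=True)
class Holding:
    """A stored record: which purpose it was collected for and when."""
    record_id: str
    purpose: str
    collected_on: date


def audit(dictionary, register, holdings, today):
    """Return a list of findings. An empty list means every collected field is
    justified by a purpose, every basis is valid, special/criminal data has its
    extra condition, and nothing is held past its purpose's retention."""
    findings = []
    by_name = {f.name: f for f in dictionary}
    by_purpose = {p.purpose: p for p in register}
    justified = set()

    for p in register:
        if p.lawful_basis not in LAWFUL_BASES:
            findings.append(f"{p.purpose}: '{p.lawful_basis}' is not one of the lawful bases")
        for name in p.fields:
            f = by_name.get(name)
            if f is None:
                findings.append(f"{p.purpose}: field '{name}' is not in the data dictionary")
                continue
            justified.add(name)
            if (f.special_category or f.criminal_offence) and not p.extra_condition:
                kind = "special category" if f.special_category else "criminal offence"
                findings.append(f"{p.purpose}: '{name}' is {kind} data with no additional condition")

    # Minimum data: anything collected that no purpose justifies has to go.
    for name in sorted(by_name.keys() - justified):
        findings.append(f"field '{name}' is collected but no processing purpose justifies it")

    # Minimum time: anything held past its purpose's retention is erased or re-justified.
    for h in holdings:
        p = by_purpose.get(h.purpose)
        if p is None:
            findings.append(f"{h.record_id}: held for unknown purpose '{h.purpose}'")
        elif today > h.collected_on + timedelta(days=p.retention_days):
            findings.append(f"{h.record_id}: held past the {p.retention_days}-day retention for {h.purpose}")
    return findings


def run_example():
    """Constructed sample for a small e-commerce site; not real data."""
    dictionary = [
        Field("email"), Field("postal_address"), Field("marketing_opt_in"),
        Field("health_condition", special_category=True),
        Field("dbs_result", criminal_offence=True),
        Field("tracking_id"),   # set by a third-party script; nobody can say what for
    ]
    register = [
        Processing("order_fulfilment", "contract", frozenset({"email", "postal_address"}), 2190),
        Processing("newsletter", "consent", frozenset({"email", "marketing_opt_in"}), 730),
        Processing("access_adjustments", "legitimate_interest", frozenset({"health_condition"}), 365),
        Processing("staff_vetting", "legal_obligation", frozenset({"dbs_result"}), 180,
                   extra_condition="check required by law for the role"),
        Processing("site_analytics", "business_need", frozenset({"email"}), 30),
    ]
    holdings = [
        Holding("order-1001", "order_fulfilment", date(2015, 1, 10)),
        Holding("sub-42", "newsletter", date(2024, 1, 1)),
    ]
    return audit(dictionary, register, holdings, today=date(2024, 6, 1))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Run stand-alone, the sample produces four findings: a special-category field with no additional condition, a purpose resting on something that is not a lawful basis, a field nobody can justify, and an order record held past its retention. Each finding is a question for the controller rather than an automatic fix, which is what makes the same check usable as the DPIA audit tool of slide 25: the register, not the code, is the thing a regulator will ask to see.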
26. People who can help………
Tara Taubman-Bassarian, Paul Gillingwater, Dave Dickson, Daniel Suciu, Humperdinck Chapman, Rosario Murga Ruiz, Kris Long, Philipa Jane Farley, Graeme McGowan, Anthony Rocha, Rowenna Fielding
In the US: Jason Sarfati, Diana Candela, Oxebridge, Debbie Reynolds, Chris Roberts

27. On Expertise…… Caveat Emptor…..

28. Reading List
• The Legal Environment of Computing
• Transatlantic Data Protection In Practice
• Privacy Impact Assessment
• IT Governance
• Regulatory IT Policies
• Build a Better Privacy Policy
• Managing Cyber Security Risk
• Big Data Governance
• The Mythical Man Month
• The Art of Software Testing

29. Useful Organisations
• The Law Society
• The UK Information Commissioner’s Office
• The UK National Cyber Security Centre
• Irish Data Protection Commission
• CNIL
• The US National Institute of Standards and Technology
• The Open Web Application Security Project (OWASP)
• The British Computer Society
• The International Association of Privacy Professionals
• The British Standards Institute
• The Centre for Information Technology and Law

30. The Portal – It’s all about the Architecture…..

31. Summary
• The world of compliance for IT has changed and will continue to change (amongst other things, case law and the pace of technological change will drive a need to amend and update legislation). 7P’s. Compliance is not a simple matter.
• This slide deck explains, as a starter for 10, some of the legal considerations that will need to be given when commissioning a web site.
• The key principle is that the controller is responsible for the guardianship of personal data (and other data, come to that). You no longer “own” personal data…
• While privacy is significant, it is not the only legislation you may need to consider.
• You will need three kinds of expertise: legal, security and technical. Depending on your circumstances there may be a need to involve other professional disciplines.
• The next slide deck in the series: Developing Policy and Governance

32. http://www.jitsoftware.co.uk
Tel: +44 07780 568449
Email: allenwoods@jit-software.com
Skype: apw808