Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to Privacy by Design - taking in account the state of the art
Similar to Privacy by Design - taking in account the state of the art (20)
Recently uploaded
Recently uploaded (20)
Privacy by Design - taking in account the state of the art
- 1. Privacy by Design Taking into account the state of the art Presentation date: 11.10.17 Presentation by: James Mulhern
- 2. A Confession Love • Rights it gives me as a citizen • Opportunity to develop trust • Prospect of deeper relationships with customers • Drive to strengthen Cyber resilience, modernise & transform Hate • Ambiguity, misunderstanding & FUD • Just seen a compliance • Elbow grease required • Challenge of addressing legacy
- 3. What Local Government is saying? …a real opportunity to identify where personal data is held …get full picture of what conditions are used for processing… …enable us to make sure robust contract clauses are in place and look for any gaps… Benefit from refreshing retention and deletion schedule… to ensure that data is not being kept longer than necessary …hoping to use as an opportunity to put good data quality and insight at the heart of driving service improvement, rather than just a compliance exercise.
- 5. Article 25 – Data Protection by design and default Article 32 – Security of Processing Taking into account the state of the art…
- 6. Privacy by Design 7 Foundational Principles 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality — Positive-Sum, not Zero-Sum 5. End-to-End Security — Full Lifecycle Protection 6. Visibility and Transparency — Keep it Open 7. Respect for User Privacy — Keep it User-Centric
- 7. What does it look like? Good • Analysing privacy impact • Defining privacy/security requirements upfront • Embedding privacy and security into existing processes • Privacy preserving setting enable by default • Being honest and open with users Bad • No analysis of privacy impact or risks • Addressing security as an afterthought • Copying real personal data into test systems • Standalone security and privacy processes • Onus on users to configure/ request privacy • Security through obscurity
- 8. Article 25: Data Protection by design and by default “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks…, the controller shall… implement appropriate technical and organisational measures… in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects
- 9. Article 32: Security of Processing “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,…
- 10. Goes further … Measures: •Pseudonymisation •Encryption Expectations: •Access Controls •Purpose limitation: extent/retention/access •Prevent misuse Data minimisation By Default personal data must not be accessible to all e.g. Social Networks Confidentiality, Integrity, Availability AND Resilience Ability to restore the availability and access in a timely manner Regularly testing, assessing effectiveness of measures Enforceable
- 11. Highlights: key risks & impacts Risks • Accidental or unlawful destruction • Loss • Alteration • Unauthorised disclosure • Unauthorised access Impacts • Discrimination • Identity theft or fraud • Financial loss • Reputational damage • Loss of professional secrecy • Reversal of pseudonymisation, • Economic or social disadvantage • Reveal Protected attributes • Loss of Control
- 12. Highlights: Scenarios Scenarios • Profiling - Evaluating analysing, tracking or predicting: • performance at work • economic situation • health • preferences or interests • Reliability or behaviour • Location or movements • Vulnerable persons • Children • Large amount of personal data • Large number of data subjects
- 13. Privacy Management System Determine Privacy Impact Assess Risks and Costs Implement measures Validate measures Manage Breaches Justify Evidence
- 14. Taking into account the state of the art Determine Privacy Impact Assess Risks and Costs Implement measures Validate measures Manage Breaches
- 15. Digital Strategy IT & DR Strategy Cyber Security Strategy Info Gov’ance Strategy Securing the organisation is Everyone’s responsibility Exploit the dependencies for everyone’s benefit Organisational Culture How? need to be joined up
- 16. Golden Opportunity • If you’re responsible for cyber security, get a firmer grip and reduce your overall ‘attack surface’ • If you work with data, you can Build stronger relationships with more accurate, meaningful data • If you responsible for transformation, you can use it to prioritise and address technical debt
- 17. Benefit More like to: • minimise risks & build trust • identify problems earlier • fix problems simply & cheaply • Increase privacy awareness • meet obligations Less likely to: • intrude • have negative impact • breach
- 18. So where does this leave us? 1. Privacy & Security should be job ZERO 2. Enforceable – administrative fines 3. Need a Privacy Management System 4. Privacy by Design can facilitate transformation & build trust 5. Think beyond May 2018 “Sound, well-formulated and properly enforced data protection safeguards help mitigate risks and inspire public trust and confidence in how their information is handled by businesses, third sector organisations, the state and public service.” ICO
Editor's Notes
- James Mulhern not-for-profit IT provider dedicated to helping public good organisation drive the digital revolution. work with Central and Local Government to transform their IT and best utilise the Cloud. Benefits of Privacy by design.
- Thought I’d start Simultaneously love hate relationship Data subject rights develop trust build better data and relationships Even before the UK Data Protection Bill hard work and hassle Addressing things festered Tangential Snake Oil solutions Sure I’m not alone
- Know – I’m not alone - Executive briefing programme feedback from Local Government But so much more … is possible GDPR provides an opportunity to be truly transformative ICO survey (March)– good work been done but still much more to do ¼ councils no DPO 1/3 no PIA no 15% no training Why are we here?
- This is how I like to picture GDPR GDPR is an evolution like the Data Protection Big, bolder, faster, harder, more intense. If compliant with DPA = upgrade: Strengthen policies, processes, functions and contracts in readiness If not bigger undertaking. Like to call a Privacy Management System GDPR’s 156 pages is big relative to DPA 20 pages 99 Articles, 134 recitals, 156 Pages Articles – sets out the obligations Recitals – sets out the reasons However Substantial proportion is direction to “Lead Supervisory Authority (LSA)” e.g. ICO 40% growth in number of staff at ICO. (200 more staff)
- Focus 8 words out of 100,000 that sometimes missed with the focus subject rights, consent and lawful processing Repeated across 2 similar articles building blocks of privacy by design What does that mean – Sinclair C5- Means you need to modernise – transform – keep up-to-date Modernise now law – so more than necessity, more than budget, more than it being a good idea or right thing to do.
- Not new – article 17 DPD - Around longer than some people in this room Premise: privacy assurance must be default mode of operation anticipates and prevent privacy cannot be assured solely by compliance Full functionality – have your cake – not privacy vs security
- In a council what does GOOD and BAD look like according to Privacy by Design. When you’re planning your new GIS roll out As part of your business as usual processes you analysis potential impact on privacy you set out security requirements Implement privacy preserving controls by default give people the opportunity to define their profile. What it doesn’t look like Is when you rush the roll out of a new HR system assume that users will changes their settings so that their personal details aren’t leaked copy the data to your test system and inadvertently email the whole workforce.
- Is about protecting data subjects rights – balance state of the art against costs and risks Taking into account the state of the art, the cost, nature, scope, context, purposes and risks Both at time of design and also when processing Implement appropriate technical & organisational measures Safeguard and protect rights of data subjects
- Is about securing systems and processes – again balancing state of the art against costs and risks Taking into account the state of the art, costs, nature, scope, context and purposes and risk You shall implement technical and organisational measures to ensure a level of security appropriate to the risk
- Than the DPD Explicitly sets out suitable
- The regulation tries to be helpful by setting out example risks and impacts to consider
- In the articles and recitals explicitly set out example risks and impacts to consider and some Scenarios where risk more likely across: Profiling, the vulnerable Children and Volume
- What’s needed is a privacy management system Assessed impact on privacy and risks – by carrying out a privacy impact assessment and a technical risk assessment Addressed cyber risks and tested them - Through effective, proportionate controls and pen tests Able detect breaches and respond to them? By employing relevant monitoring and a proven incident response process (aka cyber resilience). What’s proportionate? – what you can justify and evidence.
- But It’s a cycle Taking into account the state of the art Technology and vulnerability evolves Not always for the better – not sure if this an advancement or a vulnerability You’ve got to look beyond 25th May 2018
- Why have separate strategies? An IT strategy that doesn’t consider security isn’t and IT Strategy Cyber Security Strategy that doesn’t manage Information Governance Strategy How are you going to define your business needs for GDPR if you haven’t set out what you want to achieve Effective Data Protection and data management will lead to better relationships with your end users
- And if you do you have a golden opportunity In your council Attack surface Better Data Help you prioritise
- And you should benefit In your council services whether it be care, planning or revenue and benefits Less like to intrude and build trust Build confidence in your organisation Less likely to mess up
- What are the takeaways? Privacy and Security MUST be job ZERO Now privacy and security by default and design are a legal obligation Law as a catalyst for change? - that’s a debate - doesn’t hurt to highlight and makes decision making more binary A management system is needed to show your workings out … Technology and vulnerability don’t stand still so taking into account the state of the art you need to look beyond May 2018. And maybe if we think bigger we might all just love GDPR.
- If you want to carry on the conversation you can reach out to me on linkedin.