Accountability under the GDPR: What does it mean for Boards & Senior Management?

Size: px

Start display at page:

Download "Accountability under the GDPR: What does it mean for Boards & Senior Management?"

Gilbert Fletcher
5 years ago
Views:

1 Accountability under the GDPR: What does it mean for Boards & Senior Management? Alan Calder Founder & Executive Chairman IT Governance Ltd 19 January

Introduction Alan Calder Founder IT Governance

to Data Security and ISO 27001/ISO 27002, 6 th

2 Introduction Alan Calder Founder IT Governance Ltd The single source for everything to do with IT governance, cyber risk management and IT compliance IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6 th Edition (Open University textbook)

3 IT Governance Ltd: GRC One-stop shop All verticals, all sectors, all organisational sizes

4 Agenda Introduction Material scope Territorial scope Remedies, liabilities and penalties Entry into force Related legislation The principle of accountability and what it means The application of the principle of accountability The requirement to conduct data privacy audits and impact assessments The task of developing policies and procedures that comply with the Regulation The need to raise GDPR awareness and provide employees with training The board s responsibility to appoint a dedicated data privacy team or DPO 4

5 The nature of European law Two main types of legislation: Directives º Require individual implementation in each Member State º Implemented by the creation of national laws approved by the parliaments of each Member State º European Directive 95/46/EC is a Directive º UK Data Protection Act 1998 Regulations º Immediately applicable in each Member State º Require no local implementing legislation º EU GDPR is a Regulation

6 Articles 1 3: Who, and where? Natural person = a living individual Natural persons have rights associated with: The protection of personal data The protection of the processing personal data The unrestricted movement of personal data within the EU In material scope: Personal data that is processed wholly or partly by automated means; Personal data that is part of a filing system, or intended to be. The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. It applies to controllers not in the EU

7 Remedies, liabilities and penalties Natural Persons have rights Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. Controller involved in processing shall be liable for damage caused by processing. Administrative fines Imposition of administrative fines will in each case be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year

8 Article 33: Personal Data Breaches The definition of a Personal Data Breach in GDPR: A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Obligation for data processor to notify data controller Notification without undue delay after becoming aware No exemptions All data breaches have to be reported Obligation for data controller to notify the supervisory authority Notification without undue delay and not later than 72 hours Unnecessary in certain circumstances Description of the nature of the breach No requirement to notify if unlikely to result in a high risk to the rights and freedoms of natural persons Failure to report within 72 hours must be explained

9 Article 99: Entry into force and application This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES On 8 April 2016 the Council adopted the Regulation. On 14 April 2016 the Regulation was adopted by the European Parliament. On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. The Regulation entered into force on 24 May 2016, and applies from 25 May ICO AND UK GOVERNMENT CONFIRM THAT GDPR WILL APPLY IN THE UK IRRESPECTIVE OF BREXIT Final Text of the Directive: REV-1/en/pdf

10 Rights of Data Subjects The controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Article 11-1) The controller shall facilitate the exercise of data subject rights (Article 11-2) Rights to º Consent º Access º Rectification º Erasure º Restriction º Objection the right to data portability; the right to withdraw consent at any time; the right to lodge a complaint with a supervisory authority; The right to be informed of the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject.

11 The principle of Accountability and what it means Article 5: Principles relating to processing of personal data The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability'). 1 Processed lawfully, fairly and in a transparent manner 2 Collected for specified, explicit and legitimate purposes 3 Adequate, relevant and limited to what is necessary 4 Accurate and, where necessary, kept up to date 5 Retained only for as long as necessary 6 Processed in an appropriate manner to maintain security Accountability

12 ICO on Accountability The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation. The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. It means a change to the culture of an organisation. That isn t an easy thing to do, and it s certainly true that accountability cannot be bolted on: it needs to be a part of the company s overall systems approach to how it manages and processes personal data. Speech to ICAEW 17 January 2017

13 Part of the overall systems approach? Data Protection by Design and by Default Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. (Article 24-1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. (Article 25-1) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons (Article 25-2)

14 Sixth Principle Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

15 Interpretation Sixth Principle The measures must: Ensure a level of security appropriate to the nature of the data and the harm that might result from a breach of security Take account of state of technological developments and costs in doing so The data controller must take reasonable steps to ensure the reliability of any employees who have access to the personal data Organisations need to: Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach Be clear about who in your organisation is responsible for ensuring information security Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff and Be ready to respond to any breach of security swiftly and effectively

Application of the principle of accountability Governance: Board accountability Corporate risk register Nominated responsible director Clear roles and responsibilities Data Protection Officer Privacy

16 Application of the principle of accountability Governance: Board accountability Corporate risk register Nominated responsible director Clear roles and responsibilities Data Protection Officer Privacy Compliance Framework PIMS/ISMS Cyber incident response Cyber Essentials a minimum security standard Certification and data seals (Article 42) ISO Data Protection by Design and by Default Data Flow Audits Data Protection Impact Assessments (DPIA) º Mandatory for many organizations º Legal requirements around how performed and data collected

17 Cyber Essentials Cyber Essentials Plus Five basic controls that any organization should implement to mitigate the risk from common internetborne threats. Self Assessment Questionnaire Attestation of Compliance External vulnerability scan Independent Certification CREST-accredited 23

18 Data Flow Audit Identify: Data Items Data Formats Transfer methods Locations Chapter 9 of The Object Primer 3rd Edition: Agile Model Driven Development with UML 2

19 DPIA (per EU DPIA Template) 1. Pre-assessment and criteria determining the need to conduct a DPIA 2. Initiation 3. Identification, characterisation and description of systems/applications processing personal data 4. Identification of relevant risks (threats, vulnerabilities) 5. Data protection risk assessment (likelihood and impact) 6. Identification and recommendation of controls and residual risks 7. Documentation and drafting of the DPIA Report 8. Review and maintenance. NB: Risk assessment methodology matches ISO guidance

20 Privacy Compliance Framework A personal information management system provides a framework for maintaining and improving compliance with data protection requirements and good practice.

Developing policies and procedures that comply with the Regulation implement appropriate technical and organisational measures Notification procedures Data protection policy Training and awareness

21 Developing policies and procedures that comply with the Regulation implement appropriate technical and organisational measures Notification procedures Data protection policy Training and awareness programme Audit and compliance policy Information management policy Document and record control policy Public trust charter Information security policy Compliance standards Data collection procedures fair/lawful/adequate Data quality procedures Subject access procedures Risk management strategy Data processor standards and agreements Internal audit procedures Due diligence and third parties audit procedures Data use procedures System/dataspecific procedures Third-party exchange agreements Data retention and archive procedures Data disposal procedures Complaints procedures Information notices procedures Enforcement notices procedures Security policies and procedures

22 Raise GDPR awareness and provide employees with training implement appropriate technical and organisational measures Train staff in functional roles and lines of business General GDPR awareness Specific GDPR responsibilities Include GDPR in all information/cyber security and assurance activities Include information security awareness training in all roles that touch PII

23 Appoint a dedicated data privacy team or DPO implement appropriate technical and organisational measures Requires current and ongoing specialist knowledge Board, management and staff need continual access to such knowledge Data Protection has to have a functional owner cf HR, H&S

Do you need a data protection officer? Roles & Responsibilities Who is responsible for information security? Who is responsible for meeting legal, regulatory & GDPR obligations?

24 Do you need a data protection officer? Roles & Responsibilities Who is responsible for information security? Who is responsible for meeting legal, regulatory & GDPR obligations? Who is responsible for oversight of legal, regulatory & GDPR obligations? Who is responsible for contracts with data processors? Who is responsible for identifying and managing privacy risks?

25 Data protection officers Article 37: Designation of the data protection officer Mandatory DPO appointed in three situations: Where the processing is carried out by a public body; Where core activities require regular and systematic monitoring of personal data on a large scale; Where core activities involve large-scale processing of sensitive personal data. Good practice appointment in all other circumstances NB: Holidays, illness, succession Module IV

26 Section 4: Data protection officers Article 37: Designation of the data protection officer Group undertakings can appoint a single DPO Where controller or processor is a public authority a single DPO may be appointed for several such authorities depending on structure and size DPO can represent categories of controllers and processors DPO designated on the basis of professional qualities and knowledge of data protection law, but not legally qualified May fulfill the role as part of a service contract Controller or processor must publish DPO and notify supervisory authority

27 Section 4: Data protection officers The realities of the role of the data protection officer Legal knowledge of data protection Regulation is not enough Must also have information security knowledge and skills An understanding of how to deliver C, I and A within a management framework A good understanding of risk management and risk assessments Familiarity with and adherence to codes of conduct for industry sector A good understanding of compliance standards and data marks Able to carry out and interpret internal audits information security standard Understand and be able to articulate privacy by design to delivery functions Able to coordinate and advise on data breaches and notification Able to make a cyber security incident response process work. Leads co-operation with supervisory authority

28 Section 4: Data protection officers Where does the role sit within the organisation Outside delivery functions of IT or Business The role is about delivering compliance You cant have compliance under the direction of the delivery team The DPO should sit within a Risk, Compliance or Governance function. Independent of the business with direct access to the Board An effective DPO should ensure that Data Protection is on Board Agenda Begin with EU GDPR Foundation Course

29 ICO Final Words Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice. That s the carrot for getting it right. And there s a pretty big stick too. I mentioned earlier that the GDPR will increase regulatory powers. For the most serious violations of the law, my office will have the power to fine companies up to twenty million Euros or four per cent of a company s total annual worldwide turnover for the preceding year. In an ideal world we wouldn t need to use those sticks, but policy makers are clear that breaches of personal privacy are a serious matter. Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it s not a power we re afraid to use. And our enforcement powers aren t just for typical data breaches, like laptops left on trains or information left open to a cyber attack. The GDPR gives regulators the power to enforce in the context of accountability data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can t show that good data protection is a cornerstone of their practices, they re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation. Speech to ICAEW 17 January 2017

30 IT Governance: GDPR self-help 1-Day accredited Foundation course (classroom, online, distance learning 4-Day accredited Practitioner course (classroom, online, distance learning) Pocket guide Implementation Manual Documentation toolkit

31 IT Governance: GDPR Consultancy Gap analysis Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the DPA or the GDPR. Data flow audit Data mapping involves plotting out all of the organisations data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR. Information Commissioner notification support (a legal requirement for DPA compliance) Organisations that process personal data must complete a notification with the Information Commissioner under the DPA. Implementing a personal information management system (PIMS) Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance. Implementing an ISMS compliant with ISO We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO consultancy services, that will help you implement an ISO compliant ISMS quickly and without the hassle, no matter where your business is located. Cyber health check The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.

32 Questions?