The Privacy Battlefield What does the GDPR Require?


1 The Privacy Battlefield: What does the GDPR Require?
17:00 CET / 9:00am PT / 12:00pm ET
Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole

2 Agenda
Mike Small, KuppingerCole
GDPR Background
GDPR Some Details
GDPR Action Plan
Summary

3 GDPR BACKGROUND
From May 2018, when the upcoming EU GDPR (General Data Protection Regulation) comes into force, the requirements for managing personal data will change. What is the background to this?

4 The Route to GDPR
European Convention on Human Rights
1980 OECD Privacy Principles
1994 EU Privacy Directive 95/46/EC
GDPR

5 GDPR Opportunities and Benefits
Levels the playing field
Get a grip on your customer data
Clarification of consent
Build a trusted, sustainable relationship with your customers

6 GDPR SOME DETAILS
Although the regulation has been published, the details of what this really means are still being clarified.

7 GDPR: EU General Data Protection Regulation
Adopted by EU Parliament in May 2016
Will apply to all EU Member States from May 2018
Regulation: the same for all states
Data Protection

8 GDPR Data Protection Principles (Summary)
1. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
2. Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.
3. Adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; it must be accurate and kept up to date.
4. Kept in a form which permits identification of data subjects for no longer than is necessary.
5. Processed under the responsibility and liability of the controller, who shall ensure and demonstrate compliance with the provisions of this Regulation.

9 GDPR Personal Data: Key differences from current legislation (UK)
Personal Data (currently 1998 DPA): data which relate to a living individual who can be identified: from those data; or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
GDPR: any information relating to an identified or identifiable natural person. Specific references to: identification number; location data; online identifier; one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

10 GDPR Sensitive Personal Data: Key differences from current legislation (UK)
Sensitive Data (currently 1998 DPA): the racial or ethnic origin of the data subject; his political opinions; his religious beliefs or other beliefs of a similar nature; whether he is a member of a trade union; his physical or mental health or condition; his sexual life; the commission or alleged commission by him of any offence; or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
GDPR: prohibits the processing of personal data revealing: race or ethnic origin; political opinions; religion or beliefs; trade-union membership; the processing of genetic data; or data concerning health or sex life; or criminal convictions or related security.

11 Lawful Processing
The data subject has given consent to the processing for specific purposes;
Necessary for the performance of a contract;
Necessary for compliance with a legal obligation;
Necessary in order to protect the vital interests of the data subject;
Necessary for a task carried out in the public interest or official authority;
Necessary for the legitimate interests pursued by a controller, except where overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
Processing necessary for historical, statistical or scientific research.
KuppingerCole 5/5/

12 Data Processing Impact Assessments
Where processing operations present specific risks, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data:
For analysing or predicting the person's economic situation, location, health, personal preferences, reliability or behaviour, based on automated processing that produces legal effects concerning the individual or significantly affects the individual;
Information on sex life, health, race and ethnic origin, or for the provision of health care, epidemiological research, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Monitoring publicly accessible areas, especially video surveillance, on a large scale;
Personal data in large-scale filing systems on children, genetic data or biometric data.

13 GDPR Applicability: Key differences from current legislation
Applies to both controllers and processors
Applies to any controller and processor not located in the EU where the data relates to EU residents

14 GDPR Data Processors: Key differences from current legislation
Statutory obligation to protect personal data
Statutory obligation to communicate data breaches
Extensive requirements for data processing / outsourcing agreements

15 Data Protection Officer
The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body; or
b) the processing is carried out by an enterprise employing 250 persons or more; or
c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
The controller or processor shall designate the data protection officer on the basis of professional qualities and expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 37.

16 GDPR Non-compliance: Key differences from current legislation
Two levels of fines:
Up to the larger of 2% of annual worldwide turnover or 10 Million Euro for internal matters, contracts etc.
Up to the larger of 4% of annual worldwide turnover or 20 Million Euro for breaches of principles, consent, subject rights and data transfers.
Mitigating factors can be considered when levying fines.

17 GDPR ACTION PLAN
From May 2018, when the upcoming EU GDPR (General Data Protection Regulation) comes into force, the requirements for managing personal data will change. Are you ready to meet this challenge?

18 GDPR Key Actions #1
Discovery: Discover and document all the PII you hold. Check that it is necessary and minimal. Check it is correct and up to date.
Consent: Models for consent and control. Processes for freely given, informed, unambiguous, clear statements of affirmative action. Per purpose, and may be revoked at any point in time. Proof of age and family consent.
Control: Access control at data field level; control of aggregation. Subject access requests. Right to be forgotten and return of data. Proof that data is only used for consented purposes.
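To make the consent and control items above concrete, here is an added example that is not part of the presentation or of any KuppingerCole material: a small per-purpose consent ledger in which consent is an append-only record of affirmative actions, revocation is itself an event, each purpose has a field-level allow-list (the "minimum necessary" check), and every read is written to an access log that doubles as the proof that data was only used for consented purposes. Purpose names, field names, the subject record and the consent-form evidence string are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentEvent:
    """One affirmative action by a data subject for one purpose (grant or revoke)."""
    subject_id: str
    purpose: str
    granted: bool
    at: datetime
    evidence: str   # what the subject was shown, e.g. a consent-form version id


# Field-level allow-list per purpose (constructed for this example). A purpose never
# sees fields it was not declared for, even when consent for it exists.
PURPOSE_FIELDS: Dict[str, List[str]] = {
    "order_fulfilment": ["name", "postal_address", "email"],
    "marketing": ["email"],
    "analytics": ["country"],
}


@dataclass
class ConsentLedger:
    """Append-only consent record plus an access log that serves as the proof
    that personal data was only read for consented purposes."""
    events: List[ConsentEvent] = field(default_factory=list)
    access_log: List[dict] = field(default_factory=list)

    def grant(self, subject_id: str, purpose: str, evidence: str,
              at: Optional[datetime] = None) -> None:
        self.events.append(ConsentEvent(subject_id, purpose, True, at or now(), evidence))

    def revoke(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> None:
        # Revocation is recorded, not applied by deleting history, so the trail stays auditable.
        self.events.append(ConsentEvent(subject_id, purpose, False, at or now(), "revoked by subject"))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides (later entry wins on ties)."""
        latest: Optional[ConsentEvent] = None
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.at >= latest.at:
                    latest = ev
        return latest is not None and latest.granted

    def release(self, subject_id: str, record: Dict[str, str], purpose: str) -> Dict[str, str]:
        """Gate every read through consent and the purpose's field allow-list, and log the decision."""
        allowed = purpose in PURPOSE_FIELDS and self.has_consent(subject_id, purpose)
        fields = PURPOSE_FIELDS[purpose] if allowed else []
        released = {k: record[k] for k in fields if k in record}
        self.access_log.append({
            "subject_id": subject_id, "purpose": purpose, "allowed": allowed,
            "fields": sorted(released), "at": now().isoformat(),
        })
        if not allowed:
            raise PermissionError(f"no valid consent for purpose {purpose!r}")
        return released

    def purposes_used(self, subject_id: str) -> List[str]:
        """Evidence for a subject access request: which purposes actually read this subject's data."""
        return sorted({e["purpose"] for e in self.access_log
                       if e["subject_id"] == subject_id and e["allowed"]})


def demo() -> dict:
    """Grant, use, attempt an unconsented purpose, revoke, then show the proof (constructed data)."""
    ledger = ConsentLedger()
    record = {"name": "A. Example", "postal_address": "1 Sample St",
              "email": "a@example.test", "country": "DE"}
    ledger.grant("subj-1", "marketing", evidence="consent-form v3")
    first = ledger.release("subj-1", record, "marketing")   # only the email field leaves
    try:
        ledger.release("subj-1", record, "analytics")        # never consented: refused and logged
        analytics_denied = False
    except PermissionError:
        analytics_denied = True
    ledger.revoke("subj-1", "marketing")
    try:
        ledger.release("subj-1", record, "marketing")        # consent withdrawn: refused and logged
        after_revoke_denied = False
    except PermissionError:
        after_revoke_denied = True
    return {
        "first": first,
        "analytics_denied": analytics_denied,
        "after_revoke_denied": after_revoke_denied,
        "purposes_used": ledger.purposes_used("subj-1"),
        "log_entries": len(ledger.access_log),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that both the consent history and the access log are append-only: a revocation does not erase the earlier grant, and a refused read is logged alongside the permitted ones, which is what lets the controller later demonstrate, rather than merely assert, that each purpose only ever received the fields it was consented and declared for.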

19 GDPR Key Actions #2
Cloud: Assure compliance when data is held in cloud services. Control over PII in the cloud. Certification of Cloud Service Providers.
Data Protection: Data Protection Officers are required. DPIAs (Data Protection Impact Assessments) under certain circumstances. Privacy by default and by design.
Data Breach: Make sure you have the right procedures to detect, report and investigate a breach. Communicate to data subjects in clear and plain language.

20 GDPR SUMMARY
GDPR will challenge organizations doing business with EU residents if they do not properly prepare.

21 Summary
Requirements and Actions: Discovery, Consent, Control, Cloud, Breach
Proper Planning will Prevent Pain and Payment.

22 The Future of Information Security Today.
KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand, vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.
KuppingerCole 5/5/2017
KuppingerCole Ltd. Headquarters
Sonnenberger Str, Wiesbaden, Germany
Tel +49 (211) Fax +49 (211)