TRANSCRIPT
6 July 2017
Data protection by design and by default under the GDPR
Presented by: Adrian Ross LLB (Hons), MBA
GDPR Consultant, IT Governance Ltd
Copyright IT Governance Ltd 2017 – v1.0
© IT Governance Ltd 2017
Introduction
• Adrian Ross
• GDPR consultant
– Infrastructure services
– Business process re-engineering
– Business intelligence
– Business architecture
– Intellectual property
– Legal compliance
– Data protection and information security
– Enterprise risk management
IT Governance Ltd: GRC one-stop shop
All verticals, all sectors, all organisational sizes
Agenda
• Introduction to the GDPR
• Data breaches in the UK
• Accountability
• Privacy by design
• Data protection by design and default
• Privacy compliance frameworks
• PIMS
• Lessons for DPOs
Material and territorial scope
Natural person = a living individual
• Natural persons have rights associated with:
– The protection of personal data
– The protection of the processing of personal data
– The unrestricted movement of personal data within the EU
• Material scope (Article 2):
– Personal data that is processed wholly or partly by automated means
– Personal data that forms part of a filing system, or is intended to
• Territorial scope (Article 3):
– The Regulation applies to controllers and processors established in the EU, irrespective of where the processing itself takes place
– It also applies to controllers and processors not established in the EU where they offer goods or services to, or monitor the behaviour of, data subjects in the EU
Entry into force and application
Key dates
• 8 April 2016: the Council of the European Union adopted the Regulation
• 14 April 2016: the European Parliament adopted the Regulation
• 4 May 2016: the official text was published in the Official Journal of the EU in all the official languages
• 24 May 2016: the Regulation entered into force; it applies from 25 May 2018
• http://ec.europa.eu/justice/data-protection/reform/index_en.htm
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Remedies and liabilities
Natural persons have rights
– Data subjects shall have recourse to a judicial remedy (Article 79):
º in the courts of the Member State where the controller or processor has an establishment, or
º in the courts of the Member State where the data subject habitually resides
– Any person who has suffered material or non-material damage shall have the right to receive compensation from the controller or processor (Article 82)
– A controller involved in processing is liable for the damage caused by processing that infringes the Regulation; a processor is liable only where it has not complied with the obligations the Regulation places specifically on processors, or has acted outside or contrary to the controller's lawful instructions (Article 82(2))
Penalties
Administrative fines (Article 83)
– In each case, fines will be effective, proportionate and dissuasive
– The fine will take into account the technical and organisational measures the controller or processor had implemented under Articles 25 and 32 (Article 83(2)(d))
– Up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the controller and processor obligations, including data protection by design and by default (Article 25), security of processing (Article 32) and breach notification (Articles 33 and 34)
– Up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the basic principles for processing, data subjects' rights and international transfers
Data breaches under GDPR
Data breaches under the GDPR
Definition
A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4(12))
Controller obligations
• Notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach (Article 33(1))
• The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and the contact point (the DPO) for more information (Article 33(3)); information that is not yet available may be provided in phases (Article 33(4))
• No requirement to notify the supervisory authority where the breach is unlikely to result in a risk to the rights and freedoms of natural persons
• Where notification is made later than 72 hours, it must be accompanied by the reasons for the delay
• Every breach, whether notified or not, must be documented so that the supervisory authority can verify compliance (Article 33(5))
Processor obligations
• Notify the controller without undue delay after becoming aware of a breach (Article 33(2))
• All breaches have to be reported to the controller (no exemptions): the 'unlikely to result in a risk' threshold is applied by the controller, not the processor
• The European Data Protection Board (EDPB) is expected to issue clarification with regard to 'undue delay'
Data breaches under the GDPR
Communication to data subjects (Article 34)
Obligation: the data controller must communicate a personal data breach to the affected data subjects
• Communicate with data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms
• The communication must describe the nature of the breach in clear, plain language, and carry at least the contact point, likely consequences and measures taken that the supervisory authority notification contains
• The supervisory authority may require the controller to communicate with data subjects if it has not already done so
Exemptions (Article 34(3))
• Appropriate technical and organisational protection measures were applied to the affected data, in particular measures such as encryption that render the data unintelligible to anyone not authorised to access it
• Subsequent measures taken by the controller ensure that the high risk to data subjects is no longer likely to materialise
• Communication with individual data subjects would involve disproportionate effort, in which case a public communication or similar equally effective measure must be used instead
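The Article 33 and 34 decisions above are the ones an incident commander has to make under time pressure, so it helps to have them written down as a triage routine that computes the 72-hour deadline from the moment of awareness, applies the 'unlikely risk' and 'high risk' thresholds, walks the Article 34(3) exemptions in order, and lists which Article 33(3) content is still missing. The block below is an added example for this transcript, not code from the webinar or from IT Governance Ltd; the three risk levels, the field names and the sample incident are assumptions.

```python
"""Breach-notification triage under Articles 33 and 34 of the GDPR, as an
incident-response helper. Added illustration, not code from the webinar or
IT Governance Ltd; risk levels, field names and the sample incident are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SA_DEADLINE = timedelta(hours=72)          # Article 33(1): "not later than 72 hours"

# Assumed outcome of the risk assessment for the breach:
#   "unlikely" = unlikely to result in a risk (no supervisory authority notification)
#   "risk"     = some risk (notify the supervisory authority)
#   "high"     = high risk (also communicate to the data subjects)
RISK_LEVELS = ("unlikely", "risk", "high")


@dataclass
class Breach:
    aware_at: datetime            # when the controller became aware; the 72-hour clock starts here
    nature: str
    data_categories: List[str]
    approx_subjects: int
    approx_records: int
    risk: str
    likely_consequences: str = ""
    measures_taken: str = ""
    dpo_contact: str = ""
    # Article 34(3) exemption facts established during the investigation
    data_unintelligible: bool = False                  # e.g. encrypted and the key was not compromised (34(3)(a))
    high_risk_mitigated: bool = False                  # subsequent measures remove the high risk (34(3)(b))
    individual_contact_disproportionate: bool = False  # public communication instead (34(3)(c))

    def __post_init__(self):
        if self.risk not in RISK_LEVELS:
            raise ValueError("risk must be one of %r" % (RISK_LEVELS,))
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware; the deadline is computed in UTC")


def sa_notification(breach: Breach, now: datetime) -> Dict[str, object]:
    """Article 33(1): notify the supervisory authority unless the breach is unlikely to
    result in a risk. Returns the deadline and whether reasons for delay must be given."""
    if breach.risk == "unlikely":
        return {"notify": False, "deadline": None, "reasons_for_delay": False}
    deadline = breach.aware_at + SA_DEADLINE
    return {"notify": True, "deadline": deadline, "reasons_for_delay": now > deadline}


def processor_must_notify_controller(breach: Breach) -> bool:
    """Article 33(2): a processor reports every breach to the controller without undue
    delay; the risk threshold is the controller's decision, so there is no exemption."""
    return True


def subject_communication(breach: Breach) -> str:
    """Article 34: communicate to data subjects when the breach is likely to result in a
    high risk, unless a 34(3) exemption applies (checked in the order the Article lists)."""
    if breach.risk != "high":
        return "not required"
    if breach.data_unintelligible:
        return "exempt: data unintelligible (34(3)(a))"
    if breach.high_risk_mitigated:
        return "exempt: high risk no longer likely (34(3)(b))"
    if breach.individual_contact_disproportionate:
        return "public communication instead (34(3)(c))"
    return "required without undue delay"


def missing_notification_content(breach: Breach) -> List[str]:
    """Article 33(3) minimum content. Missing items may follow in phases (33(4)), but
    the notification itself must not wait for them."""
    required = {
        "nature": breach.nature,
        "data_categories": breach.data_categories,
        "approx_subjects": breach.approx_subjects,
        "approx_records": breach.approx_records,
        "dpo_contact": breach.dpo_contact,
        "likely_consequences": breach.likely_consequences,
        "measures_taken": breach.measures_taken,
    }
    return [k for k, v in required.items() if not v]


def triage(breach: Breach, now: datetime) -> Dict[str, object]:
    """One-call summary for the incident ticket."""
    return {
        "supervisory_authority": sa_notification(breach, now),
        "data_subjects": subject_communication(breach),
        "content_gaps": missing_notification_content(breach),
        "processor_to_controller": processor_must_notify_controller(breach),
    }


# Constructed sample incident (not a real case): a laptop holding an unencrypted
# customer export is stolen and the theft is discovered on a Friday evening.
EXAMPLE = Breach(
    aware_at=datetime(2018, 6, 1, 18, 30, tzinfo=timezone.utc),
    nature="laptop with unencrypted customer export stolen from a vehicle",
    data_categories=["name", "email", "postal_address"],
    approx_subjects=12000,
    approx_records=12000,
    risk="high",
    dpo_contact="dpo@example.test",
)
ON_TIME = EXAMPLE.aware_at + timedelta(hours=70)   # still inside the 72-hour window
LATE = EXAMPLE.aware_at + timedelta(hours=80)      # reasons for delay now required

if __name__ == "__main__":
    for key, value in triage(EXAMPLE, ON_TIME).items():
        print("%-24s %s" % (key, value))
```

Two design points matter in practice. The clock is anchored on `aware_at`, which must be timezone-aware, because a 72-hour deadline across a weekend is exactly where local-time arithmetic goes wrong. And the encryption exemption is modelled as a fact established by the investigation (key not compromised), not as a property of the system design, since a stolen encrypted laptop whose passphrase was on a sticky note does not qualify.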
Data breaches in the UK
• January to March 2016: 448 new cases
• Data breaches by sector:
– Health (184)
– Local government (43)
– Education (36)
– General business (36)
– Finance, insurance and credit (25)
– Legal (25)
– Charitable and voluntary (23)
– Justice (18)
– Land or property services (17)
– Other (41)
Source: UK Information Commissioner’s Office
Key facts about cyber breaches
Which organisations suffered data breaches in 2015?
• 69% of large organisations
• 38% of small organisations
What was the median number of breaches per company?
• Large organisations: 14
• Small organisations: 4
What was the average cost of the worst single breach?
• Large organisations: £1.46m to £3.14m
• Small organisations: £75k to £311k
What will happen this year?
• 59% of respondents expect more breaches this year than last
Source: PwC and BIS, 2015 Information Security Breaches Survey (ISBS)
60% of breached small organisations close down within six months (National Cyber Security Alliance)
What sort of breaches occur?
Large organisations:
• External attack: 69%
• Malware or viruses: 84%
• Denial of service: 37%
• Network penetration (detected): 37%
– If you don’t think you’ve been breached, you’re not looking hard enough
• Know they’ve suffered IP theft: 19%
• Staff-related security breaches: 75%
• Breaches caused by inadvertent human error: 50%
Source: PwC and BIS, 2015 ISBS Survey
Key facts about cyber breaches
Charts (not reproduced in this transcript): number of data breaches detected in 2015/16; median number of breaches per company
Costs associated with the most disruptive breaches
• Large organisations: mean £50k, highest £3m
• Small organisations: mean £5k, highest £100k
Source: Ipsos MORI, 2016 Cyber Security Breaches Survey
Types of breach occurrence
Chart (not reproduced in this transcript); source: Ipsos MORI, 2016 Cyber Security Breaches Survey
Accountability under GDPR
The principle of accountability and what it means
Article 5 – principles relating to the processing of personal data
Personal data shall be (Article 5(1)):
– processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
– collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes ('purpose limitation')
– adequate, relevant and limited to what is necessary for the purposes ('data minimisation')
– accurate and, where necessary, kept up to date ('accuracy')
– kept in a form which permits identification of data subjects for no longer than is necessary ('storage limitation')
– processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality')
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').” (Article 5(2))
ICO on accountability
• “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
• “The GDPR mandates organisations to put into place comprehensive but proportionate governance measures.”
• “It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.”
Source: ICO speech to the ICAEW, 17 January 2017
Data protection by design and by default
Privacy by design
• International data protection and privacy commissioners:
– encouraged the adoption of the principles of Privacy by Design in 2010 (resolution of the 32nd International Conference, Jerusalem)
– fostering the adoption of the seven Foundational Principles into legislation
• The U.S. Federal Trade Commission recognised Privacy by Design in 2012
• Incorporated by the European Commission into the GDPR in 2016 (Article 25)
The seven Foundational Principles
Source: International Data Protection and Privacy Commissioners, 2010; https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf
1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User Centric
A trilogy of applications
• Information technology
• Accountable business practices
• Physical design and networked infrastructure
Privacy by design application areas
1. CCTV/surveillance cameras in mass transit systems
2. Biometrics used in casinos and gaming facilities
3. Smart meters and the smart grid
4. Mobile devices and communications
5. Near-field communications (NFC)
6. RFIDs and sensor technologies
7. Redesigning IP geolocation data
8. Remote home health care
9. Big data and data analytics
Who is it relevant to?
• Business executives
• Data protection officers
• Risk managers
• Legal experts
• Designers
• Analysts
• Software engineers
• Computer scientists
• Application developers
ICO: part of the overall systems approach?
• Data protection by design and by default
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24(1))
• “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures…designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Article 25(1))
• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.” (Article 25(2))
Data protection by design and by default
Article 25: Data protection by design and by default
• The controller shall implement appropriate technical and organisational measures, both when deciding the means of processing and during the processing itself
• By default, only the personal data necessary for each specific purpose is processed
• The obligation applies to the following:
– the amount of data collected
– the extent of the processing
– the period of storage
– the accessibility of the data
• By default, personal data is not made accessible to an indefinite number of natural persons without the individual’s intervention
• Pseudonymisation and data minimisation are the techniques Article 25(1) names as examples of data protection by design; pseudonymised data is still personal data, so the key or lookup table that re-identifies it has to be held separately and protected
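Each of the four Article 25(2) dimensions (amount collected, extent of processing, period of storage, accessibility) can be enforced in code rather than left to policy, and pseudonymisation is only worth the name if re-identification needs a secret that the analytics dataset does not hold. The following block is an added example for this transcript, not code from the webinar or from IT Governance Ltd. It assumes three purposes with a per-purpose field allow-list, per-purpose retention periods, an HMAC-SHA256 keyed pseudonym, and a profile object that is private unless the data subject publishes it; the purposes, field names, retention periods, key and sample record are all constructed for the illustration.

```python
"""Data protection by default, as code: a purpose-bound field allow-list, keyed
pseudonymisation, bounded retention and private-by-default visibility.
Added illustration; not code from the webinar or IT Governance Ltd. The purposes,
field names, retention periods, key and sample record are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Set

# Assumed purposes and the minimum fields each needs (Article 25(2): only the personal
# data necessary for each specific purpose is processed). A field not listed for a
# purpose never reaches that purpose's dataset.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"name", "postal_address"},
    "fraud_analytics": {"pseudonym", "order_total", "country"},
    "newsletter": {"email"},
}

# Assumed retention limit per purpose ("the period of their storage").
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=180),
    "fraud_analytics": timedelta(days=365),
    "newsletter": timedelta(days=730),
}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The 'additional information' that re-identifies
    the subject (Article 4(5)) is the key, held apart from the analytics dataset. A
    plain SHA-256 of an email address would not qualify: anyone can recompute it from
    a guessed address, so it is a reversible identifier, not a pseudonym."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict[str, object], purpose: str, key: bytes) -> Dict[str, object]:
    """Project a full customer record down to what one purpose needs, replacing the
    direct identifier with a pseudonym where the purpose calls for one."""
    allowed = PURPOSE_FIELDS[purpose]  # KeyError for an undeclared purpose is intended
    out = {k: v for k, v in record.items() if k in allowed}
    if "pseudonym" in allowed:
        out["pseudonym"] = pseudonymise(str(record["email"]), key)
    return out


def retention_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """True once the purpose's retention period has elapsed; the caller then deletes."""
    return now >= collected_at + RETENTION[purpose]


@dataclass
class Profile:
    """A user profile that is private by default (Article 25(2), last sentence): only
    the data subject's own action makes it visible to anyone else."""
    owner: str
    fields: Dict[str, object]
    visibility: str = "private"

    def publish(self, actor: str) -> None:
        if actor != self.owner:
            raise PermissionError("only the data subject can make the profile public")
        self.visibility = "public"

    def visible_to(self, viewer: str) -> bool:
        return viewer == self.owner or self.visibility == "public"


# Constructed sample input: one customer record collected on the day the GDPR applies.
SAMPLE_KEY = bytes(range(32))  # assumption: a real key comes from a KMS, never from source
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.test",
    "postal_address": "1 Test Street, Testville",
    "order_total": 42.0,
    "country": "GB",
    "card_last4": "1111",  # needed by no purpose above, so it is never copied anywhere
}
COLLECTED_AT = datetime(2018, 5, 25, tzinfo=timezone.utc)


def demo(days_elapsed: int = 200) -> Dict[str, object]:
    """Apply all four controls to the sample record and report what each produced."""
    now = COLLECTED_AT + timedelta(days=days_elapsed)
    analytics = minimise(SAMPLE_RECORD, "fraud_analytics", SAMPLE_KEY)
    profile = Profile(owner="a.example@example.test", fields={"name": "A. Example"})
    return {
        "analytics_fields": sorted(analytics),
        "fulfilment_fields": sorted(minimise(SAMPLE_RECORD, "order_fulfilment", SAMPLE_KEY)),
        "fulfilment_expired": retention_expired(COLLECTED_AT, "order_fulfilment", now),
        "newsletter_expired": retention_expired(COLLECTED_AT, "newsletter", now),
        "stranger_can_view_profile": profile.visible_to("someone.else@example.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

The allow-list is deliberately per purpose rather than per field: the same email address is necessary for the newsletter and must not appear in the fraud dataset at all, which is the "each specific purpose" wording of Article 25(2). Retention is likewise keyed on purpose, so a record can legitimately be deleted from one store while it still has to exist in another.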
Data protection impact assessment (DPIA)
Data protection impact assessment (DPIA)
Article 35: Data protection impact assessment
• A DPIA assesses the likelihood and severity of the risks that a processing operation poses to the rights and freedoms of data subjects. For the security engineer the central component is the likelihood and impact (i.e. the risk) of a compromise to the confidentiality, integrity and/or availability (‘information security’) of the personal data (‘asset’), but the assessment also has to cover risks that are not security failures, such as excessive or unlawful processing
• A DPIA should therefore be a subset of an organisation’s risk management framework:
– Draw on existing expertise and understanding
– Integrate conclusions into existing risk treatment plans
– Demonstrate data protection by design and by default
– DPIAs should already be part of risk management as normal
Article 35: Data protection impact assessment
• Where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a DPIA before the processing starts (Article 35(1))
• The controller shall seek the advice of the DPO, where one is designated, when carrying out a DPIA (Article 35(2))
• A DPIA shall in particular be required where (Article 35(3)):
º “Automated processing, including profiling, informs decisions that produce legal effects that concern, or similarly significantly affect, natural persons”
º “The processing is on a large scale of special categories of data or personal data related to criminal convictions”
º “A publicly accessible area is systematically monitored on a large scale”
• A single DPIA may address a set of similar processing operations that present similar high risks
Data protection impact assessment (DPIA)
• A DPIA is not a one-off exercise
• Conducted for all new systems and processes:
– Functionality may change along the way
– Risks should be re-evaluated accordingly
• Should also be conducted on legacy systems:
– Update the risk register
– Update the project plans
• The approach adopted goes towards breach mitigation
• Risk assessment should be part of staff training
• The application of DPIAs demonstrates accountability
Privacy compliance framework
What is a privacy compliance framework?
A privacy compliance framework links:
• The governance framework
• The PIMS
• The privacy principles
so that the organisation can ensure it delivers privacy by design and by default
PIMS – demonstrating compliance
Recital 78: “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”
Recital 108: “In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default.”
PIMS – demonstrating compliance
Article 25(2): “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Article 39(1)(b): It is a task of the DPO to “monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data”
Article 47(2)(d): The competent supervisory authority shall approve binding corporate rules provided that they specify the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, and data protection by design and by default
Lessons for DPOs
• You can have the most GDPR-compliant documentation (PIMS) in the world and still, without an effective ISMS, be massively breached – occasioning reputation damage, data subject actions and significant administrative penalties
• Accountability and genuine top management engagement are essential
• DPOs must have effective, independent oversight and be able to proactively engage with cyber security teams
• DPOs must be able to articulate privacy by design and by default to delivery functions
• A business risk-based ISMS, customised to incorporate data protection impact assessments (DPIAs) and data protection by design and by default is an essential component of the privacy compliance framework
Lessons for organisations
• Current UK breach statistics rely on an administrative reporting requirement in the public sector
• Reporting in the private sector is voluntary
• Breach reporting becomes mandatory from next May (25 May 2018)
• Logically, the number of breaches reported will increase
• This will follow the pattern experienced in the U.S.
• There will therefore be increased enforcement
• Enforcement will look at whether data protection by design and by default has been applied
• Increased fines for not demonstrating accountability
• It takes time for the benefits to be realised
• Existing projects need to be reviewed
• Otherwise there is a big risk that organisations will fail the requirement
Cyber security assurance
• GDPR requirement: data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation.” (Article 24(1))
– Where proportionate to the processing, this must include appropriate data protection policies (Article 24(2))
– Organisations may use adherence to approved codes of conduct or approved certification mechanisms “as an element by which to demonstrate compliance with their obligations” (Article 24(3))
– The ICO and BSI are both developing new GDPR-focused standards
• An ISO 27001 ISMS is a recognised way to implement and evidence the “appropriate technical and organisational measures” that Articles 24, 25 and 32 require; ISO 27001 certification is not in itself a GDPR certification under Article 42, but it is the kind of documented, audited management-system evidence the accountability principle calls for
• It provides assurance to the board that data security is being managed in line with the Regulation
• It manages all information assets and all information security risks in the organisation, not only those that affect personal data
Self-help materials
A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
Compliance gap assessment tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
Training
One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
GDPR compliance programme support
• Gap analysis
Unless you have a team in place, external experienced support can be a valuable and independent means of assessing the exact standing of your current legal situation, security practices and operating procedures in relation to the DPA or the GDPR.
• Data flow audit
Data mapping involves plotting out all of your data flows, which means drawing up an extensive inventory of the data to understand where it flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Implementing a personal information management system (PIMS)
Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing a compliant ISMS with ISO 27001
ISO 27001 is an effective foundation for complying with the GDPR. It can be daunting; external help can also establish an ISO 27001-compliant information security management system quickly and without the hassle, no matter where your authority is located.
• Cyber health check
A cyber health check combined with remote vulnerability assessments can be useful in assessing your cyber risk exposure.
www.itgovernance.co.uk/dpa-compliance-consultancy
0845 070 1750
www.itgovernance.co.uk