
Page 1

6 July 2017

Data protection by design and by default under the GDPR

Presented by: Adrian Ross LLB (Hons), MBA

GDPR Consultant, IT Governance Ltd

Page 2

Copyright IT Governance Ltd 2017 – v1.0

Introduction

• Adrian Ross
• GDPR consultant
  – Infrastructure services
  – Business process re-engineering
  – Business intelligence
  – Business architecture
  – Intellectual property
  – Legal compliance
  – Data protection and information security
  – Enterprise risk management

Page 3

IT Governance Ltd: GRC one-stop shop

All verticals, all sectors, all organisational sizes

Page 4

Agenda

• Introduction to the GDPR
• Data breaches in the UK
• Accountability
• Privacy by design
• Data protection by design and default
• Privacy compliance frameworks
• PIMS
• Lessons for DPOs

Page 5

Material and territorial scope

Natural person = a living individual

• Natural persons have rights associated with:
  – The protection of personal data.
  – The protection of the processing of personal data.
  – The unrestricted movement of personal data within the EU.

• In material scope:
  – Personal data that is processed wholly or partly by automated means.
  – Personal data that is part of a filing system, or intended to be.
  – The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place.

The GDPR also applies to controllers and processors not in the EU

Page 6

Entry into force and application

KEY DATES
• On 8 April 2016, the European Council adopted the Regulation.
• On 14 April 2016, the European Parliament adopted the Regulation.
• On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages.
• The Regulation entered into force on 24 May 2016, and will apply from 25 May 2018.
• http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

“This Regulation shall be binding in its entirety and directly applicable in all Member States.”

Page 7

Remedies and liabilities

Natural persons have rights

– Data subjects shall have recourse to judicial remedy where:
  º In the courts of the Member State where the controller or processor has an establishment.
  º In the courts of the Member State where the data subject habitually resides.

– Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor.

– The controller involved in processing shall be liable for damage caused by processing.

Page 8

Penalties

Administrative fines

– In each case, fines will be effective, proportionate and dissuasive.
– Fines administered will take into account the technical and organisational measures implemented.
– €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
– €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.

Page 9

Data breaches under GDPR

Page 10

Data breaches under the GDPR

Definition

A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controller obligations

• Notify supervisory authority no later than 72 hours after discovery
• Must describe the nature of the breach
• No requirement to notify if no risk to rights and freedoms of natural persons
• Failure to report within 72 hours requires explanation

Processor obligations

• Notify the data controller of a breach without delay
• All data breaches have to be reported (no exemptions)
• European Data Protection Board (EDPB) to issue clarification with regard to ‘undue delay’

Page 11

Data breaches under the GDPR

Obligation for data controller to communicate a personal data breach to data subjects

• Communicate with data subjects without undue delay if the breach represents a high risk to data subjects' rights
• Communication must be in clear, plain language
• Supervisory authority may compel communication with data subject

Exemptions

• Appropriate technical and organisational measures were taken
• A high risk to the data subjects will not materialise
• Communication with data subjects would involve disproportionate effort

Page 12

Data breaches in the UK

• January to March 2016 − 448 new cases
• Data breaches by sector
  – Health (184)
  – Local government (43)
  – Education (36)
  – General business (36)
  – Finance, insurance and credit (25)
  – Legal (25)
  – Charitable and voluntary (23)
  – Justice (18)
  – Land or property services (17)
  – Other (41)

Source: UK Information Commissioner’s Office

Page 13

Key facts about cyber breaches

Which organisations suffered data breaches in 2015?
• 69% of large organisations
• 38% of small organisations

What was the median number of breaches per company?
• Large organisations: 14
• Small organisations: 4

What was the average cost of the worst single breach?
• Large organisations: £1.46m – £3.14m
• Small organisations: £75k – £311k

What will happen this year?
• 59% of respondents expect more breaches this year than last

PwC and BIS: 2015 ISBS Survey

60% of breached small organisations close down within six months – National Cyber Security Alliance

Page 14

What sort of breaches occur?

Large organisations:
• External attack – 69%
• Malware or viruses – 84%
• Denial of service – 37%
• Network penetration (detected) – 37%
  – If you don’t think you’ve been breached, you’re not looking hard enough
• Know they’ve suffered IP theft – 19%
• Staff-related security breaches – 75%
• Breaches caused by inadvertent human error – 50%

PwC and BIS: 2015 ISBS Survey

Page 15

Key facts about cyber breaches

Number of data breaches detected in 2015/16

Median number of breaches per company

Costs associated with the most disruptive breaches
• Large organisations – Mean: £50k; Highest: £3m
• Small organisations – Mean: £5k; Highest: £100k

IPSOS Mori: 2016 Cyber Security Breaches Survey

Page 16

Types of breach occurrence

IPSOS Mori: 2016 Cyber Security Breaches Survey

Page 17

Accountability under GDPR

Page 18

The principle of accountability and what it means

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').”

Article 5 – principles relating to the processing of personal data

Personal data shall be:

Page 19

ICO on accountability

• “The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”

• “The GDPR mandates organisations to put into place comprehensive but proportionate governance measures.”

• “It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.”

• Speech to ICAEW 17 January 2017

Page 20

Data protection by design and by default

Page 21

Privacy by design

• International data protection and privacy commissioners
  – Encourage the adoption of the principles of Privacy by Design in 2010
  – Fostering the adoption of the seven Foundational Principles into legislation
  – U.S. Federal Trade Commission recognises Privacy by Design in 2012
  – Incorporated by the European Commission into the GDPR in 2016

Page 22

The seven Foundational Principles

International Data Protection and Privacy Commissioners, 2010
https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf

1. Proactive not Reactive; Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality – Positive-Sum, not Zero-Sum
5. End-to-End Security – Full Lifecycle Protection
6. Visibility and Transparency – Keep it Open
7. Respect for User Privacy – Keep it User Centric

Page 23

A trilogy of applications

• Information technology
• Accountable business practices
• Physical design and networked infrastructure

Page 24

Privacy by design application areas

1. CCTV/surveillance cameras in mass transit systems

2. Biometrics used in casinos and gaming facilities

3. Smart meters and the smart grid

4. Mobile devices and communications

5. Near-field communications (NFC)

6. RFIDs and sensor technologies

7. Redesigning IP geolocation data

8. Remote home health care

9. Big data and data analytics

Page 25

Who is it relevant to?

• Business executives
• Data protection officers
• Risk managers
• Legal experts
• Designers
• Analysts
• Software engineers
• Computer scientists
• Application developers

Page 26

ICO: part of the overall systems approach?

• Data protection by design and by default

• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24-1)

• “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures…designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” (Article 25-1)

• “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.” (Article 25-2)

Page 27

Data protection by design and by default

Article 25: Data protection by design and by default
• The controller shall implement appropriate technical and organisational measures
• Only data necessary for each specific purpose is processed
• The obligation applies to the following:
  – the amount of data collected
  – the extent of the processing
  – the period of storage
  – the accessibility to that data
• Personal data is not made accessible to an indefinite number of natural persons without the individual’s intervention
• Pseudonymisation and minimisation are recognised techniques in data protection by design
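The Article 25 points above (purpose-bound minimisation, limited storage period, restricted accessibility, pseudonymisation) can be expressed as defaults that code enforces rather than as policy text alone. The block below is an added example written for this page; it is not code from the deck or from IT Governance Ltd. Everything in it is constructed for illustration: the purpose register and its field lists and retention periods, the pseudonymisation key, and the sample customer record. Pseudonymisation uses a keyed HMAC so that the pseudonym cannot be reversed without the separately held key, which is the property a plain hash of an easily enumerated customer id would not give.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Purpose register: for each processing purpose, the fields it actually needs
# and how long the derived records may be kept. Constructed example values,
# not a real organisation's register.
PURPOSE_REGISTER = {
    "order_fulfilment": {"fields": ("name", "postal_address"), "retention_days": 180},
    "sales_analytics": {"fields": ("postcode_area", "order_total"), "retention_days": 365},
}

# Pseudonymisation key. It is the "additional information" that re-links a
# pseudonym to a person, so in a real system it lives in a secrets store,
# separate from the records. Constructed demo value.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# A constructed customer record as a source system might hold it.
SAMPLE_CUSTOMER = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "email": "a.example@example.test",
    "postal_address": "1 Sample Street",
    "postcode": "SW1A 1AA",
    "date_of_birth": "1980-01-01",
    "order_total": 42.50,
}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym: stable for the same identifier, but not
    reversible without the key. An unkeyed hash would be little better than
    the identifier itself, since customer ids are easy to enumerate and re-hash."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def derive_fields(customer: dict) -> dict:
    """Raw fields plus generalised ones the register may select from.
    postcode_area keeps only the outward code, a minimisation step."""
    available = dict(customer)
    available["postcode_area"] = customer["postcode"].strip().upper().split()[0]
    return available


@dataclass
class ProcessedRecord:
    purpose: str
    subject_ref: str      # pseudonym, never the raw customer id
    data: dict            # only the fields the purpose needs
    retain_until: date    # storage period fixed at creation
    visibility: str = "restricted"  # default: not open to an indefinite audience


def process_for_purpose(customer: dict, purpose: str, today: date) -> ProcessedRecord:
    """Apply the Article 25(2) defaults: refuse unregistered purposes, keep only
    the registered fields, pseudonymise the subject, set a retention date."""
    if purpose not in PURPOSE_REGISTER:
        raise ValueError(f"no registered purpose {purpose!r}; nothing is processed")
    spec = PURPOSE_REGISTER[purpose]
    available = derive_fields(customer)
    return ProcessedRecord(
        purpose=purpose,
        subject_ref=pseudonymise(customer["customer_id"]),
        data={name: available[name] for name in spec["fields"]},
        retain_until=today + timedelta(days=spec["retention_days"]),
    )


def is_expired(record: ProcessedRecord, today: date) -> bool:
    """True once the storage period has passed; the caller then deletes the record."""
    return today > record.retain_until


def widen_visibility(record: ProcessedRecord, new_visibility: str,
                     subject_intervened: bool = False) -> ProcessedRecord:
    """Visibility can only become 'public' through the data subject's own
    action; the system never widens it on its own initiative."""
    if new_visibility == "public" and not subject_intervened:
        raise PermissionError("public visibility requires the data subject's intervention")
    record.visibility = new_visibility
    return record


def run_demo(today: date = date(2017, 7, 6)) -> dict:
    """Build one record per registered purpose from the sample customer."""
    return {p: process_for_purpose(SAMPLE_CUSTOMER, p, today) for p in PURPOSE_REGISTER}


if __name__ == "__main__":
    for purpose, record in run_demo().items():
        print(purpose, record)
```

The register is the control point: a purpose that is not registered cannot be processed at all, and adding a field to a purpose is a deliberate change that a DPIA can review. Note that email and date of birth from the source record never reach either output, which is the "amount of data collected" obligation made concrete.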

Page 28

Data protection impact assessment (DPIA)

Page 29

Data protection impact assessment (DPIA)

Article 35: Data protection impact assessment
• A DPIA assesses the likelihood and impact (i.e. the risk) of a compromise to the confidentiality, integrity and/or availability (‘information security’) of personal data (‘asset’)
• A DPIA should therefore be a subset of an organisation’s risk management framework:
  – Draw on existing expertise and understanding
  – Integrate conclusions into existing risk treatment plans
  – Demonstrate data protection by design and by default
  – DPIA should already be part of risk management as normal

Page 30

Data protection impact assessment (DPIA)

Article 35: Data protection impact assessment
• The controller shall seek the advice of the DPO when carrying out a DPIA where a process is using new technologies and, taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons.
• A DPIA may particularly be required where:
  º “Automated processing, including profiling, informs decisions that produce legal effects that concern, or similarly significantly affect, natural persons”
  º “The processing is on a large scale of special categories of data or personal data related to criminal convictions”
  º “A publicly accessible area is systematically monitored on a large scale”
• A single DPIA may address sets of similar processing operations that present similar high risks

Page 31

Data protection impact assessment (DPIA)

• DPIA is not a one-off exercise
• Conducted for all new systems and processes
  – Functionality may change along the way
  – Risks should be re-evaluated accordingly
• Should be conducted on legacy systems
  – Update the risk register
  – Update the project plans
• The approach adopted goes towards breach mitigation
• Risk assessment should be part of staff training
• The application of DPIAs demonstrates accountability

Page 32

Privacy compliance framework

Page 33

What is a privacy compliance framework?

A privacy compliance framework links:
• The governance framework
• The PIMS
• The privacy principles

so the organisation can ensure it delivers privacy by design and by default

Page 34

PIMS – demonstrating compliance

Recital 78: “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.”

Recital 108: “In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default.”

Page 35

PIMS – demonstrating compliance

Article 25: “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

Article 29: It is a task of the DPO to “monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data”

Article 47: The competent supervisory authority shall approve binding corporate rules provided that they apply the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, and data protection by design and by default

Page 36

Lessons for DPOs

• You can have the most GDPR-compliant documentation (PIMS) in the world and still, without an effective ISMS, be massively breached – occasioning reputation damage, data subject actions and significant administrative penalties

• Accountability and genuine top management engagement is essential

• DPOs must have effective, independent oversight and be able to proactively engage with cyber security teams

• DPOs must be able to articulate privacy by design and by default to delivery functions

• A business risk-based ISMS, customised to incorporate data protection impact assessments (DPIAs) and data protection by design and by default is an essential component of the privacy compliance framework

Page 37

Lessons for organisations

• Current UK statistics rely on an administrative requirement in the public sector.
• Voluntary requirement in the private sector.
• Mandatory breach reporting from next May.
• Logically, an increase in the number of breaches reported.
• This will follow the pattern experienced in the U.S.
• There will therefore be increased enforcement.
• Where has data protection by design and default been applied?
• Increased fines for not demonstrating accountability.
• It takes time for the benefits to be realised.
• Existing projects need to be reviewed.
• Otherwise there is a big risk that organisations will fail the requirement.

Page 38

Cyber security assurance

• GDPR requirement – data controllers must implement “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation.”
  – Must include appropriate data protection policies
  – Organisations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations”
  – ICO and BSI are both developing new GDPR-focused standards
• ISO 27001 already meets the “appropriate technical and organisational measures” requirement
• It provides assurance to the board that data security is being managed in accordance with the regulation
• It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats

Page 39

Self help materials

A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide

Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide

Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit

Compliance gap assessment tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool

Page 40

Training

One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course

Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course

One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop

Page 41

GDPR compliance programme support

• Gap analysis
  Unless you have a team in place, external experienced support can be a valuable and independent means of assessing the exact standing of your current legal situation, security practices and operating procedures in relation to the DPA or the GDPR.

• Data flow audit
  Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.

• Implementing a personal information management system (PIMS)
  Establishing a PIMS as part of your overall business management system will ensure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.

• Implementing a compliant ISMS with ISO 27001
  ISO 27001 is an effective foundation for complying with the GDPR. It can be daunting, but external help can establish an ISO 27001-compliant information security management system quickly and without the hassle, no matter where your authority is located.

• Cyber health check
  A cyber health check combined with remote vulnerability assessments can be useful in assessing your cyber risk exposure.

www.itgovernance.co.uk/dpa-compliance-consultancy