European Data Protection Legislation What it Means for You! By Richard McCann & Ian Collard with Steve Bailey & Jamie Capildeo

Upload: eduard-lazar

Post on 13-Apr-2017

Page 1: GDPR by Identity Methods

IM-A5 Booklet_Layout 1 05/05/2016 12:23 Page 1

Published by FridaysMediaGroup.com ©2016 Identity Methods Limited. All rights reserved.

Contents

• Introduction 4
• Background 12
• A Quick Guide To The New Rules 15
• Want To Know More? 17
• Red Tape Reductions! 19
• The 5 Key Points 20
• Case Study 1 22
• 8 Important Things To Remember 26
• Case Study 2 28
• Next Steps 31
• Compliance 32
• 9 Things You Should Do Right Now! 33
• Conclusion 35
• Appendix 38

European Data Protection Legislation 3

Introduction

We’ve all heard and read news reports about how criminal hackers are breaking into firms such as TalkTalk and stealing thousands of names and bank details. Or breaking into Sony and reading all their emails.

Most people know that ‘Phishing’ is the attempt to acquire sensitive information such as usernames, passwords, and credit card details - and sometimes, indirectly, money - for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

And many people have also heard of ‘Ransomware’, a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.

How big is this problem?

It’s huge. And growing every day. Hackers have stolen information from millions of us already. Major companies have failed to keep our private data safe. What’s happening now is a big wake-up call.

The BBC recently uncovered a new type of phishing email that includes the recipient's home address and has been received by thousands of people.

Journalists at BBC radio were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms.

The firms involved have been inundated with phone calls from worried members of the public.

One security expert warned clicking on the link would install malware.

BBC reporter Shari Vahl was one of the first on the team to receive an email.

"The email has good spelling and grammar and my exact home address... when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.

"My tummy did a bit of a somersault when I read that, because I wondered who on earth I could owe £800 to and what was about to land on my doormat."

She quickly realised it was a scam and did not click on the link. Then, only a couple of minutes later, another BBC journalist received one. And then another colleague read a similar version - but sent to his home email address this time.

Ransomware

The BBC decided to contact the companies that were listed in the emails as being owed money.

A spokesman for British Millerain Co Ltd, a waxed cotton fabric manufacturer, told the programme that the firm "had more than 150 calls from people who don't owe us money".

And a spokeswoman for Manchester shelving firm Greenoaks said: "My colleague took a call from an elderly gentleman and he was very distressed because his wife had had one of these emails."

Dr Steven Murdoch, principal research fellow at the department of computer science at University College London, said: "Most likely it was a retailer or other internet site that had been hacked into and the database stolen, it then could have been sold or passed through several different people and then eventually it got to the person who sent out these emails."

He added that the email bore the hallmark of previous phishing attempts from gangs in Eastern Europe and Russia.

He said that clicking on the link would install malware such as Cryptolocker, which is a form of ransomware that will encrypt files on Windows-based computers and then demand a fee to unlock them.

So this affects us all, not just big corporations?

Although, of course, it’s the damaged big corporations that lose millions and make the big headlines, private individuals are also losing thousands.

Most of us are now used to getting fake emails from hackers phishing for information. There’s often an attachment that, once you’ve clicked on it, gives the hacker access to your laptop and every keystroke.

They’ve got your name, and they know where you live. They’ve got your bank details. They’ve got YOU.

As soon as the cyber criminals are in, they’ve stolen your entire digital life.

But it’s not always a bad attachment that signals trouble. It’s amazing how many people who are pretty careful about security in other areas don’t seem worried about their email. It’s worth considering what a big part of your life is revealed to someone reading your email…

Just how easy is it to hack into other computers?

Some teenagers can break into an international corporation in minutes. Think of TalkTalk. The latest break-in is the third time.

It’s not a bad idea to think of a hack as a break-in. You wouldn’t leave your doors unlocked, so why leave your computer or your website open for people to wander in and steal what they fancy?

After all, if you break into a bank it’s hard and dangerous and you’ll probably get caught. But you can break into a network from your bedroom and the chances of getting caught are pretty remote, to be honest. You’re probably in a different country for a start.

What can we do to protect ourselves?

For a start, be vigilant. Stolen identities are so readily available to criminals on something we call the dark web that there are even ‘two for one offers’ and ‘money off all IDs sold until Friday’. It’s that competitive out there…

In your private life…

If you get a phone call offering you a refund, be aware that someone may have bought your name, number and address, and they’re now trying to get your bank details too.

So be careful to whom you reveal personal information. It’s like giving a burglar the keys to your home or business!

Don’t click on attachments without being absolutely certain who they’re from. If in doubt, give the person a call. It’s always better to be safe than sorry.

If you’re paying someone money, a criminal with access to your emails can so easily jump in with an email, maybe pretending to be from your solicitor.

Because he or she now has access to your emails, the criminal’s fake email will look just like the ones you’re used to getting from your real solicitor.

And if your lawyer signs off ‘best wishes, Tim’ then that’s exactly how the fake email will be signed by the criminal.

This is how loads of people are duped daily into putting their life savings into criminals’ bank accounts when they get an email from what looks like, say, their bank, financial advisor or solicitor.

The email will look real because they’ll even know how much you are due to pay. Of course they do – the criminal has just read the same email as you!

If you have a business then…

Remember that any unprotected, incautious employee can open up your network.

There have been stories of solicitors getting duped into sending house completion monies to a bogus account, and of clients who receive authentic-looking emails from a solicitor telling them that they need to pay money for a house into a different account - too late they discover the email is a fake and the account is that of a criminal.

Because of all this, Data Protection is hot news.

Something that was once regarded as a ‘good thing to have’, ranking alongside health and safety and risk assessments in the brains of board directors, and as a topic the public anecdotally understood to mean not selling on their email address without permission, has now become a mainstream media topic.

Whereas once journalists needed to research to discover the names of companies affected by data breaches in order to give their stories relevance to a mainstream readership, it’s now only too easy to come up with a list of global businesses that are household names affected by data breach.

And in turn, the severity of those breaches has multiplied exponentially. What was initially a minor inconvenience for the PR department to defuse has now become a national or even international scandal capable of bringing a giant corporation to its knees.

And as we shall see, plans to make directors personally accountable mean that personal penalties are more than an embarrassing interview or a tactical management reshuffle – personal financial ruin is a very real prospect.

This is why the GDPR regulations around customer data provide an extra layer of concern that organisations need to pay serious attention to!

The discussions between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’), the EU Data Protection Reform papers, the Data Protection Package, the Digital Single Market and the EU Agenda on Security, together with the public consultations, cover many scores of documents and hundreds of thousands of words.

In this book we shall guide you through the parts of the legislation that you really need to know about.

And we shall flag up the key steps enterprises need to implement in order to protect themselves and their stakeholders.

Background

Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address.

The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.

17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds [i].

In the digital age, the collection and storage of personal information are essential. Data is used by all businesses – from insurance firms and banks to social media sites and search engines. In a globalised world, the transfer of data between countries has become an important factor in daily life. There are no borders online and cloud computing means data may be sent from Berlin to be processed in Boston and stored in Bangalore.

Everyone has the right to the protection of personal data.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number.

People are worried as never before, asking ‘What happens to this data?’, ‘Could it fall into the wrong hands?’, ‘What rights do we have regarding our personal information?’

It’s all very well for individual governments of member states to legislate to protect their citizens, but conflicting data protection rules in different countries would disrupt international exchanges.

Individuals may be unwilling to transfer personal data abroad if they are uncertain of the level of protection in other countries.

EU surveys reveal – somewhat predictably – that more than 90% of Europeans want the same data protection rights across the EU – and regardless of where their data is processed.

Two-thirds of Europeans [ii] (67%) are concerned about not having complete control over the information they provide online.

As a result of public concerns, in January 2012 the European Commission proposed a comprehensive reform of data protection rules in the EU. The objective was to give citizens back control over their personal data, and to simplify the regulatory environment for business.

Seven Europeans out of ten [iii] worry about the potential use that companies may make of the information disclosed.

Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose.

Furthermore, persons or organisations which collect and manage our personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU. Citizens have the right to complain and obtain redress if their data is misused anywhere within the EU.

The EU's Data Protection Directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

On 15 December 2015, the three European institutions agreed an historic reform of data protection rules, establishing a modern and harmonised data protection framework across the EU.

A Quick Guide to the New Data Protection Rules

This clearly cannot be an exhaustive analysis, but essentially the Reform consists of two instruments:

1. The General Data Protection Regulation – more rights for people to better control their personal data. And modernised and unified rules intended to allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.

Identity Methods also work closely to protect the police and criminal justice sector, and if this is an area of special interest to you then please contact us for more in-depth assistance. But put briefly for the rest of us, there’s a second instrument to the reform…

2. The Data Protection Directive – this is for the police and criminal justice sector and is intended to ensure that the data of victims, witnesses, and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action. More harmonised laws are also intended to facilitate cross-border co-operation of police or prosecutors to combat crime and terrorism more effectively across Europe.

Fines

Fall foul of the new rules and penalties can be €1 million or up to 2% of the global annual turnover of a company.

And there are rumours that this could be dramatically increased in the future. A figure of €100 million has been mentioned in some quarters!

Want to Know More about the General Data Protection Regulation?

We’re glad you’re still with us and still interested! OK, here goes…

For Individuals

The new rules address personal data concerns by strengthening people’s existing rights and empowering individuals with more control over their personal data. Most notably, these include:

1. Easier access to your own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way.

2. A right to data portability: it will be easier to transfer your personal data between service providers.

3. A clarified "right to be forgotten": when you no longer want your data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.

4. The right to know when your data has been hacked: for example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.

For Businesses

1. One continent, one law: the regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.

2. One-stop shop: businesses will only have to deal with one single supervisory authority.

3. European rules on European soil: companies based outside of Europe will have to apply the same rules when offering services in the EU. So a data centre in, say, India, won’t be an excuse!

4. Risk-based approach: the rules will avoid a burdensome one-size-fits-all obligation and tailor them to the respective risks.

5. Rules fit for innovation: the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development (Data Protection by Design).

Privacy-friendly techniques such as pseudonymisation (replacing personally identifiable material with artificial identifiers) will be encouraged, to reap the benefits of big data innovation while protecting privacy.

Red Tape Reductions!

The lawmakers reckon that enterprises will benefit from four reductions in red tape:

1. No more notifications: notifications to supervisory authorities are a formality that represents a cost for business of €130 million every year. The reform will scrap these entirely.

2. Every penny counts: where requests to access data are manifestly unfounded or excessive, enterprises will be able to charge a fee for providing access.

3. Data Protection Officers: enterprises are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.

4. Impact Assessments: enterprises will have no obligation to carry out an impact assessment unless there is a high risk.

The 5 Key Points

1. A "right to be forgotten": when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This is about protecting the privacy of individuals, not about erasing past events or restricting freedom of the press.

2. Easier access to one's data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way. A right to data portability will make it easier for individuals to transmit personal data between service providers.

3. The right to know when one's data has been hacked: companies and organisations must notify the national supervisory authority of data breaches which put individuals at risk, and communicate to the data subject all high-risk breaches as soon as possible so that users can take appropriate measures.

4. Data protection by design and by default: ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules. Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.

5. Stronger enforcement of the rules: data protection authorities will be able to fine companies who do not comply with EU rules up to 4% of their global annual turnover.

Won’t the New Rules Cost Businesses Lots of Cash?

Not necessarily. Properly planned, you could actually save money.

One planned advantage behind the single, pan-European law for data protection is that companies will simply deal with one law, not the current 28.

The new rules have been estimated – by the EU, admittedly – to bring benefits of €2.3 billion per year.

Case Study 1: A chain of shops has its head office in France and franchised shops in many other EU countries. Each shop collects data relating to clients and transfers it to the head office in France for further processing.

At present:

French data protection laws would apply to the processing done by head office, but individual shops would still have to report to their national data protection authority, to confirm they were processing data in accordance with national laws in the country where they were located.

This means the company’s head office would have to consult local lawyers for all its branches to ensure compliance with the law.

The total costs arising from reporting requirements in all countries could easily exceed €12,000.

With the Data Protection Reform:

The data protection law across all EU countries will be the same – one European Union – one law.

This will eliminate the need to consult with local lawyers to ensure local compliance for the franchised shops.

The result is direct cost savings and legal certainty.

It’s been said that the Reform could actually encourage innovation and the use of Big Data. How?

‘Data protection by design and by default’ will become an essential principle. It will incentivise businesses to innovate and develop new ideas, methods, and technologies for security and protection of personal data.

According to some estimates, the value of European citizens’ personal data could grow to nearly €1 trillion annually by 2020.

Used in conjunction with data protection impact assessments, businesses will have effective tools to create technological and organisational solutions.

The Regulation promotes techniques such as:

• Anonymisation - removing personally identifiable information where it is not needed.
• Pseudonymisation - replacing personally identifiable material with artificial identifiers.
• Encryption - encoding messages so only those authorised can read them, to protect personal data.

These techniques will encourage the use of "big data" analytics, which can be done using anonymised or pseudonymised data.
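To make the difference between anonymisation and pseudonymisation concrete (the pseudonymisation mentioned under "Rules fit for innovation" and the techniques listed just above), here is an added Python example written for this edition; it is not code from the booklet or from Identity Methods. It pseudonymises a constructed customer table with a keyed HMAC so that per-subject analytics still work without names or emails, anonymises the same table by stripping identifiers and coarsening the rest, and checks the result with a simple k-anonymity test; every record, key and field name is constructed for illustration.

```python
"""Pseudonymisation vs anonymisation on a constructed customer dataset.

Pseudonymised data keeps a consistent artificial identifier per person, so
records can still be joined and counted, but it remains personal data under
GDPR because whoever holds the key can link it back. Anonymised data drops
the link entirely; whether it is truly anonymous depends on whether the
remaining fields still single people out, which k_anonymous checks.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records: fictional people, fictional purchases.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "M1 1AA",
     "birth_year": 1984, "purchase_total": 120.50},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "M1 1AB",
     "birth_year": 1979, "purchase_total": 80.00},
    {"name": "Alice Example", "email": "Alice@Example.org", "postcode": "M1 1AA",
     "birth_year": 1984, "purchase_total": 45.25},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "M2 3CD",
     "birth_year": 1975, "purchase_total": 30.00},
]

# Fields that directly identify a person and never leave the raw store.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(record, key):
    """Replace direct identifiers with a keyed artificial identifier.

    HMAC-SHA256 under a secret key gives the same person the same pseudonym
    every time (so analytics can group by subject) while nobody without the
    key can compute or reverse it. The key must be stored apart from the
    data, e.g. in a KMS/HSM; the pseudonymised table is still personal data.
    """
    subject = record["email"].strip().lower().encode()   # normalise first
    pseudonym = hmac.new(key, subject, hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym
    return out


def anonymise(record):
    """Strip direct identifiers and coarsen the quasi-identifiers.

    No field survives that could be joined back to the raw record, so this is
    irreversible, even for us. Postcode keeps only its area, birth year only
    its decade, and spend is rounded to the nearest 10.
    """
    return {
        "postcode_area": record["postcode"].split()[0],   # 'M1 1AA' -> 'M1'
        "age_band": (record["birth_year"] // 10) * 10,     # 1984 -> 1980
        "purchase_total": round(record["purchase_total"], -1),
    }


def k_anonymous(records, quasi_identifiers, k):
    """True if every combination of quasi-identifier values occurs >= k times.

    A dataset that fails this still singles people out, so 'anonymised' would
    be the wrong word for it; coarsen further or drop a field and re-check.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return all(count >= k for count in groups.values())


def spend_per_subject(pseudonymised):
    """Analytics that still works on pseudonymised data: total spend per subject."""
    totals = Counter()
    for r in pseudonymised:
        totals[r["subject_id"]] += r["purchase_total"]
    return dict(totals)


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # in production: fetched from a KMS
    pseud = [pseudonymise(r, key) for r in RAW_RECORDS]
    anon = [anonymise(r) for r in RAW_RECORDS]
    print("spend per pseudonym:", spend_per_subject(pseud))
    print("2-anonymous on (postcode_area, age_band)?",
          k_anonymous(anon, ("postcode_area", "age_band"), 2))
    print("2-anonymous on (age_band,)?", k_anonymous(anon, ("age_band",), 2))
```

Releasing both postcode area and decade from this table is not 2-anonymous (Bob and Carol are each unique), while releasing the decade alone is; that re-check is the part of "anonymisation" that stripping names does not do on its own.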

While it’s a data protection principle that when personal data is collected for one or more purposes it should not be further processed in a way that is incompatible with the original purposes, this does not prohibit processing for a different purpose or restrict 'raw data' for use in analytics.

A key factor in deciding whether a new purpose is incompatible with the original purpose is whether it is fair.

Fairness will consider factors such as the effects on the privacy of individuals (e.g. specific and targeted decisions about identified persons) and whether an individual has a reasonable expectation that their personal data will be used in the new way.

So raw data from, say, driverless cars can still be used to analyse where the most accidents take place and how future accidents could be avoided. It can also be used to analyse traffic flows in order to reduce traffic jams.

Businesses need to think whether their data can be anonymised for future processing, allowing raw data to be retained for big data, while protecting the rights of individuals.

Companies are free to base processing on a contract, on a law or - in the absence of other bases - on a "balancing of interests".

These 'formal requirements', such as consent, are set out in the rules to provide the necessary control by individuals over their personal data and to provide legal certainty for everyone.

The new EU rules will provide flexibility on how to meet those requirements.

8 Important Things To Remember

1. Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors, the Regulation provides for increased responsibility and accountability for those processing personal data.

2. For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).

3. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.

4. People can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU.

5. People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This is likely to increase competition among services.

6. A ‘right to be forgotten’ means people will be able to delete their data if there are no legitimate grounds for retaining it.

7. EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.

8. A new Directive will apply general data protection principles and rules for police and judicial co-operation in criminal matters.

The rules will apply to both domestic and cross-border transfers of data.

OK, I get it… But how will the new rules work in practice?

Case Study 2: A multinational company with several establishments in EU Member States has an online navigation and mapping system across Europe. This system collects images of all private and public buildings, and may also take pictures of individuals.

At present:

The data protection safeguards upon data controllers vary substantially from one Member State to another.

In one Member State, the deployment of this service led to a major public and political outcry, and some aspects of it were considered to be unlawful.

The company then offered additional guarantees and safeguards to the individuals residing in that Member State after negotiation with the competent DPA; however, the company refused to commit to offer the same additional guarantees to individuals in other Member States.

Currently:

Data controllers operating across borders need to spend time and money (for legal advice, and to prepare the required forms or documents) to comply with different, and sometimes contradictory, obligations.

With the new rules:

The new rules will establish a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws.

Any company - regardless of whether it is established in the EU or not - will have to apply EU data protection law should they wish to offer their services in the EU.

When will the new laws apply?

Following political agreement reached in trilogue, the final texts will be formally adopted by the European Parliament and Council at the beginning of 2016. The new rules will become applicable two years thereafter.

So that means early 2018.

The Commission will work together with the Member States and the data protection authorities – the future European Data Protection Board – to ensure a uniform application of the new rules.

Case Study: a UK company wants to expand its activities into Germany.

With the current rules:

Its data processing activities will be subject to a separate set of rules in Germany and the company will have to deal with a new regulator.

The costs of obtaining legal advice and adjusting business models in order to enter this new market may be prohibitive.

For example, some Member States charge notification fees for processing data.

With the new rules:

The new data protection rules will scrap all notification obligations and the costs associated with these.

The aim of the data protection regulation is to remove obstacles to cross-border trade.

Next Steps

The Commission will work closely with Member State data protection authorities to ensure a uniform application of the new rules.

During the two-year transition phase, the Commission will inform citizens about their rights and companies about their obligations.

Data Protection Authorities will work more closely together in the future, especially through the one-stop shop mechanism to solve cross-border data protection cases.

Compliance

No EU business can ignore this. We’ve been given two years to get ready, starting in January 2016. The clock is ticking.

It’s not going away and ‘compliance with UK legislation’ will not be a defence.

Independent national data protection authorities will be strengthened so they can better enforce the EU rules, and they will be empowered to fine companies that violate EU data protection rules.

Penalties for non-compliance

Don’t forget that penalties can be €1 million or up to 2% of the global annual turnover of a company.

There are rumours that this could soon be dramatically increased.

A figure of €100 million has been mentioned in some quarters.

And one source close to the legislature has already mentioned plans to make the fine at least 4% and €20m, rising for the big offenders to an eye-watering €30m and 5% of turnover!

9 Things You Should Do Right Now!1. Culture… does your accountability policy meet the new standards?

2. Establish… a culture of monitoring, reviewing and assessing your dataprocessing procedures, aiming to minimise data processing and retentionof data, and building in safeguards.

3. Check… are your staff trained to understand their new obligations? Conduct auditable privacy impact assessments review any risky processing activities and steps taken to address specific concerns.

4. Prepare & practise… for data security breaches by putting clear policies and procedures in place so you can react quickly.

5. Embed… privacy into any new processing or product at the design stage. This is also likely to demonstrate your compliance as well as giving you competitive advantage.

6. Analyse… the type of data processing you do. Are your interests not over-ridden by the data subject? Can you prove consent?

7. Check… is your information such as privacy notices in clear and plain language, transparent and easily accessible as will be required by law?

8. Consider… if you are a supplier, whether your new obligations are built into your policies, procedures and agreements.

9. Understand… the rights of data subjects, because it will be for you to prove by demonstration if you claim grounds to over-ride their interests. Plus you will be prepared to challenge individuals who may have ‘unrealistic expectations’!

Conclusion

If you’re unsure – and who isn’t? – then get help as soon as possible.

Then make a plan…

President Abraham Lincoln explained the value of planning when he said: “Give me six hours to chop down a tree, and I’ll spend the first four hours sharpening my axe.”

Things to Remember…

• The requirement for companies and organisations to notify the national supervisory authority of serious data breaches within 24 hours will likely spur companies to hasten their security auditing processes and force them to deploy new risk analysis and management tools.

• Remember too, that data processors will be held responsible for data protection, so under the new regulation any company or individual that processes data - including third parties such as cloud providers - will also be held responsible for its protection.

• Some cloud service providers, especially those based outside the EU, may not believe that the regulation applies to them. It does.

• So if you or anyone else touches or has access to your data, wherever they are based, you are all responsible in the case of a data breach!

• You will need to be extra vigilant when it comes to securing the data of others, and if you’re a data owner you must thoroughly vet your partners.

• If you fail… get ready for US-style class-action compensation claims.

• Which household name will be the first to suffer catastrophic financialand reputational damage?

• Don’t wait for users to contact you – it’s now going to be your responsibility to inform users of their rights. In addition, users should not have to opt-out of their data being used, they must opt-in to your systems.

This is more stringent than the current directive and companies that fall foul of these measures will face larger fines.

It’s not all bad news…

Remember that you will only be required to meet individuals’ “reasonable expectations” of data privacy.

And elsewhere, the regulations stipulate that tokenised, encrypted or pseudonymised data does meet these expectations.

So an organisation that encrypts or tokenises data before uploading to the cloud meets the new standard.

If you keep your own encryption keys, any data loss is much less likely and, if it does happen, you can show the regulators that you took steps to “meet individuals’ reasonable expectations of data privacy”.
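The “tokenise before uploading, keep your own keys” point above, as an added example that is not from the booklet or from Identity Methods: keyed tokens replace the direct identifiers of a constructed customer record before upload, while the HMAC key and the token vault (a hypothetical on-premises store) stay with the data owner, so the cloud copy alone cannot be re-identified.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample customer record (not real data); the direct identifiers
# are the fields that must not reach the cloud provider in the clear.
SAMPLE_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.com",
    "sort_code": "12-34-56",
    "account_number": "87654321",
    "balance_gbp": 1250.75,
}
DIRECT_IDENTIFIERS = ("customer_id", "email", "sort_code", "account_number")

class LocalTokeniser:
    """Reversible tokenisation; the key and the vault never leave the owner."""

    def __init__(self, key=None):
        # Hypothetical key store: in practice an on-premises HSM or KMS.
        self.key = key or secrets.token_bytes(32)
        self.vault = {}  # token -> original value, held locally only

    def tokenise(self, field, value):
        # Keyed hash, not bare SHA-256: short values such as sort codes could
        # otherwise be brute-forced; the field name stops token reuse across fields.
        mac = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:24]
        self.vault[token] = value
        return token

    def prepare_for_cloud(self, record):
        """Copy of the record that is safe to upload: identifiers replaced."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                out[field] = self.tokenise(field, str(out[field]))
        return out

    def restore(self, cloud_record):
        """Re-identify a record; possible only with the local vault."""
        return {f: self.vault[v] if f in DIRECT_IDENTIFIERS else v
                for f, v in cloud_record.items()}

def leaks_identifiers(cloud_record, original):
    # True if any original direct identifier still appears in the upload.
    serialised = json.dumps(cloud_record)
    return any(str(original[f]) in serialised
               for f in DIRECT_IDENTIFIERS if f in original)
```

Tokens are deterministic per field under one key, so the cloud side can still join and search on them, but a different key (or no key) yields different tokens and no way back to the person.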

Decisions, decisions…

When an aeroplane comes in to land, the co-pilot counts down the approach.

8 miles, 10,000 feet.
6 miles, 6,000 feet.
4 miles, 2,000 feet.

Finally, the co-pilot says ‘2 miles to run. 1,000 feet. DECIDE.’

And at this point the pilot must respond ‘LAND’ or ‘GO AROUND’. The pilot can’t say ‘Err, bear with me, let me think about it and I’ll try to get back to you.’

Preparing for the new data protection legislation is like that right now. It’s coming in to land and the time has come to decide. Make a start… or ‘go around’.

You’re in charge. It’s your call.


Richard McCann MBA PhD

Richard is a writer, journalist, lecturer and broadcaster.

Ian Collard, Managing Director, Identity Methods Ltd

Ian is a well-known government, banking and police digital security consultant and IdAM (Identity & Access Management) professional. Ian’s broad knowledge extends through enterprise, cloud, industrial control and other CNI (Critical National Infrastructure) cyber-security areas.

Formerly security practice leader at Siemens, Ian has led successful consultancy, sales and implementations within various government departments and leading financial services companies; his cross-vertical knowledge is considerable.

Identity Methods Limited
Tower Point
44 North Road
Brighton
East Sussex
BN1 1YR
+44 (0)1273 [email protected]