Transcript: Data Privacy in a Digital Age (ISACA Kenya Chapter, Sharon Holi)
DATA PRIVACY IN A DIGITAL ERA
SHARON HOLI – Head of Masoko
Safaricom PLC
Information Security Breaches Survey 2017 (Source: PwC Belgium)
Data is a corporate asset, like any other
Data is the lifeblood of decision making
Corporate data is at a higher risk of theft or misuse than ever before
Companies have obligations to protect data
Right to privacy
• The right to privacy is a basic human right recognized in the Kenyan Constitution and in other global legislation such as the EU Charter of Fundamental Rights.
• This right seeks to protect the inviolable personality, independence and dignity of all individuals.
Right to data protection
• The right to personal data protection is another fundamental right.
• It guarantees the right to privacy by implementing the controls necessary to protect personal data.
• Where personal data is required, the purposes should be clearly defined.
• Regulation should balance the data controller's need for personal data against the need for protection.
Global trends
• Globally there is renewed interest in data security, privacy, and confidentiality.
Data Protection vs Data Privacy
Privacy, security and trust are increasingly vital and intertwined in our data-driven society.
Data protection is about securing data against unauthorized access: essentially a technical issue.
Data privacy is about authorized access: a legal issue.
Which data warrants protection?
Personally Identifiable Information (PII): data that can be linked to a specific individual, e.g. name, e-mail, full postal address, birth date, identity number, driver's license number, bank account details.
Sensitive Personal Data: information concerning a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.
Legislation touching on data privacy in Kenya
CHAPTER FOUR: THE BILL OF RIGHTS, KENYAN CONSTITUTION
• Article 31: every person has the right to privacy.
DRAFT CYBER SECURITY AND PROTECTION BILL, 2016
• Prescribes the removal of personal details that may identify a specific person not directly related to a cyber-security threat when parties share information.
• Prohibits sharing of information relating to the health status of another person without the prior written consent of the person to whom the information relates.
DRAFT DATA PROTECTION BILL 2013
• It is hoped the regulation will increase accountability in the way individuals and institutions handle confidential information given to them by customers in the course of their operations.
• Penalties prescribed include a fine not exceeding Sh100,000 or imprisonment for a term not exceeding two years, or both.
GDPR
GDPR Explained in 2 Minutes (video)
Source: YouTube, published by Oberlo
• The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
• It becomes enforceable from 25 May 2018.
• It does not require national governments to pass any enabling legislation, so it is directly binding and applicable.
• "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. Maximum penalties of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year."
• The GDPR also brings a new set of "digital rights" for EU citizens in an age of increasing economic value of personal data in the digital economy.
GDPR Chapter 3, Article 17: Right to erasure ("right to be forgotten")
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay.
The challenge in a digital age
Data Growth
Data Speed
Data Diversity
Data privacy breaches: what's the harm?
Damage to reputation
Disruption of operations
Legal liability under applicable laws, regulations or contracts
Financial costs
Facebook data breach (video)
Source: YouTube, published by euronews
The latest publicised data breach
The Breach:
A political consulting firm, Cambridge Analytica, obtained personal data from more than 50 million Facebook users without their permission.
Cambridge Analytica acquired the 50m profiles from a researcher in 2014.
It appears the information was harvested by a researcher who collected data not only on the 270,000 or so users who Facebook said took his survey but also on their friends, who knew nothing about the survey and did not consent. The researcher then passed this data to Cambridge Analytica.
Impact
Financial: Facebook Inc. shares posted their steepest drop since 2015. Almost $20bn (£14bn) was wiped off the social network company's market cap in the first few minutes of trading. By midday, the company's share price losses had multiplied to more than $40bn, making the day its worst in more than five years.
Legal/Regulatory: Facebook has been invited to testify before a US congressional committee in the coming weeks.
Reputation: The Cambridge Analytica scandal has done immense damage to the brand, sources across the company believe. It will now take a Herculean effort to restore public trust in Facebook's commitment to privacy and data protection.
Other recent data breaches (Source: www.csoonline.com)
Yahoo
October 9, 2017: In December 2016, it was reported that "more than 1 billion user accounts" may have been impacted by the 2013 Yahoo breach. 4 months after Verizon acquired Yahoo's core internet assets, it was revealed that every single customer account was impacted by that breach; 3 billion Yahoo accounts were affected. … for the core operations of Yahoo, a cut of $350 million as part of revised terms because of the data breach.
Equifax
Sept 7, 2017: Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may have affected 143 million consumers. Sensitive data was stolen, including Social Security numbers, driver's license numbers, names, addresses, dates of birth, credit card numbers etc., arguably one of the worst breaches ever. Hackers were able to gain access to the company's system from mid-May to July; the breach was discovered by Equifax on July 29th, 2017.
A global survey of data use governance
Key findings from The Global State of Information Security® Survey 2018
… to build digital trust:
• Create a "culture of security" from the top down
• Make information security a risk management issue, as well as a technology issue
• Understand which laws apply, and ensure compliance with them
• Educate employees and business partners
"Many organizations worldwide need stronger privacy risk management that is better integrated with cybersecurity, according to our 2018 Global State of Information Security® Survey (GSISS)."
Trust takes years to build, seconds to break, and forever to repair.
United Nations Conference on Trade and Development (UNCTAD)
Data protection principles
Data Privacy (layers of protection):
• Laws and regulations at a national/international level
• Data privacy and protection policies/guidelines at company level
• Contracts with third parties to define data protection responsibilities
• Information system security controls
• User awareness on data protection
• Privacy Impact Assessments / privacy audits
Privacy Impact Assessment
Privacy Impact Assessment (video)
Source: YouTube, published by Capgemini Group
Privacy Impact Assessment
• Identify exposure to data privacy and data security risks
• Consider and implement changes to minimize risks
• Develop and adopt best practices going forward
• Review contracts with vendors that collect or provide sensitive/personal data to the company
• Review policies and practices for data: collection, storage, use, disclosure, protection and destruction
Data privacy and security are not just IT issues; they touch on all parts of the company.
Some best practices: Data Security
Take stock:
• What information do you have?
• Where is it stored?
• Who has access to it?
• Who should have access to it?