Jacqueline Johnson - Digital signatur & digital identitet 2015

Global Implications of the EU General Data Protection Regulation

Transcript of Jacqueline Johnson - Digital signatur & digital identitet 2015

Page 1: Jacqueline Johnson - Digital signatur & digital identitet 2015

Global Implications of the EU General Data Protection Regulation

Page 2: Jacqueline Johnson - Digital signatur & digital identitet 2015

Trends

• Protection of privacy is becoming more important for people. Private information is shared without people's knowledge

• Protection against cyber crime is on the agenda

• But… this is challenged by technical developments: big data, data mining and the public cloud.

• Rules are becoming stricter, but some parties are not under this stricter EU jurisdiction

2 • Jacqueline Johnson

Page 3: Jacqueline Johnson - Digital signatur & digital identitet 2015

The EU Commission’s evaluation of the current situation

• Current legislation is from 1995 and is a directive.

• Different implementations in EU countries

• Current national rules do not fulfil the objective

• Rules have not been updated in line with technological development

”…establishing a stricter and common framework in the EU, which is effectively enforced”.

• Data protection when using external suppliers is not sufficient

• Terms of consent not sufficient

• Insufficient transparency about gathered data

• Documentation of compliance insufficient

• No requirement for risk and consequence analyses

Harder sanctions!

Page 4: Jacqueline Johnson - Digital signatur & digital identitet 2015

Definitions


Data subject

Processing

Controller

Processor

Personal data

Page 5: Jacqueline Johnson - Digital signatur & digital identitet 2015

Scope: locations of organisations

• "Doing business in Europe" will affect companies with head office outside the EU; this means that it affects U.S. companies.

Representative

• One stop shop for multinational companies with head office in the EU. The stop is the country of the head office.

• Company outside the EU

• More than 5000 data subjects registered or sensitive data

Page 6: Jacqueline Johnson - Digital signatur & digital identitet 2015

DPA and DPO

• DPA = Data Privacy Authority

• DPO = Data Protection Officer

• More than 5000 data subjects registered -> DPO

• DPO should be consulted during risky processes, design and development of systems, instead of the DPA

• When locating the DPO, remember the one stop shop

Page 7: Jacqueline Johnson - Digital signatur & digital identitet 2015

Consent

• Explicit, specific, voluntary and informed

• Burden of proof will lie at the organisation

• Must be separated from other texts (not part of terms of service/delivery)

• Not pre-ticked boxes

• Can be taken away at any time.

Exceptions

- Protect the data subject's vital interests

- Legitimate interest of the controller

- Carried out in public interest

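The consent requirements on this slide translate directly into how a controller has to store consent. The following is an added example in Python, not code from the presentation: a minimal consent ledger that rejects anything but an explicit opt-in (so a pre-ticked box never becomes a consent record), binds each consent to exactly one purpose, keeps the wording the subject saw as evidence, allows withdrawal at any time, and answers the question "may this subject's data be processed for this purpose at this moment". The subject id, purposes, consent texts and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Added example: a minimal consent ledger. Subject ids, purposes and dates
# below are constructed for illustration and are not from the slides.


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # specific: one record covers exactly one purpose
    consent_text: str            # informed: the wording the subject actually saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        """True if this consent covered the moment `when`."""
        if when < self.given_at:
            return False
        return self.withdrawn_at is None or when < self.withdrawn_at


class ConsentLedger:
    """Append-only store. Records are closed by withdrawal, never deleted,
    because the controller carries the burden of proof for past processing."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, consent_text: str,
                       affirmative_action: bool, given_at: datetime) -> ConsentRecord:
        # Explicit and voluntary: only a positive opt-in action counts.
        # A pre-ticked box or silence arrives here as affirmative_action=False.
        if not affirmative_action:
            raise ValueError("consent requires an explicit opt-in action")
        # Specific and informed: a named purpose and the text shown must be stored.
        if not purpose.strip() or not consent_text.strip():
            raise ValueError("consent must name a purpose and keep the text shown")
        rec = ConsentRecord(subject_id, purpose, consent_text, given_at)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> int:
        """Consent can be taken away at any time; returns how many records were closed."""
        closed = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = at
                closed += 1
        return closed

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Purpose-bound check: consent for one purpose never covers another."""
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.active_at(at) for rec in self._records)

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        """What the controller can show an auditor for this subject and purpose."""
        return [rec for rec in self._records
                if rec.subject_id == subject_id and rec.purpose == purpose]


def demo() -> dict:
    """Walk one subject through consent, processing and withdrawal (constructed data)."""
    ledger = ConsentLedger()
    utc = timezone.utc
    ledger.record_consent("subject-42", "newsletter",
                          "Yes, send me the monthly newsletter by email.",
                          affirmative_action=True, given_at=datetime(2015, 6, 1, tzinfo=utc))
    # A pre-ticked box must be rejected, not silently stored as consent.
    try:
        ledger.record_consent("subject-42", "profiling", "Tick to allow profiling",
                              affirmative_action=False, given_at=datetime(2015, 6, 1, tzinfo=utc))
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    ledger.withdraw("subject-42", "newsletter", datetime(2015, 9, 1, tzinfo=utc))
    return {
        "preticked_rejected": preticked_rejected,
        "newsletter_july": ledger.may_process("subject-42", "newsletter", datetime(2015, 7, 1, tzinfo=utc)),
        "newsletter_october": ledger.may_process("subject-42", "newsletter", datetime(2015, 10, 1, tzinfo=utc)),
        "profiling_july": ledger.may_process("subject-42", "profiling", datetime(2015, 7, 1, tzinfo=utc)),
        "evidence_count": len(ledger.evidence("subject-42", "newsletter")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `evidence()` is the burden of proof: processing that happened in July is still defensible after the September withdrawal, because the withdrawn record is closed rather than deleted, while `may_process()` answers false for anything after the withdrawal or for a purpose the subject never consented to.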

Page 8: Jacqueline Johnson - Digital signatur & digital identitet 2015

Principles in GDPR

Principle of data minimisation

• Adequate, relevant and limited to the minimum necessary in relation to the purpose

Principle of data protection by design

• Appropriate technical and organisational measures from

- very early design stage,

- deployment,

- use

- final disposal.

• Require privacy settings


Page 9: Jacqueline Johnson - Digital signatur & digital identitet 2015

Data Quality

• Processing compatible with the purpose

• Accurate

• Kept up to date

• Permits identification of data subjects for no longer than is necessary
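The data minimisation principle (slide 8) and the retention rule on this slide are both decisions a system can enforce mechanically. The following is an added example in Python, not code from the presentation: each purpose carries an allow-list of the fields it needs and a retention period; `minimise()` projects a full record down to that allow-list and reports what it dropped, and `sweep()` decides which stored records may still identify the subject, starting the retention clock when the purpose was fulfilled (falling back to collection time if completion was never recorded, so data cannot linger indefinitely). The purposes, field names, retention periods and sample records are constructed; the slides give no concrete values for them.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Optional, Tuple

# Added example: purpose-bound field allow-lists and retention deadlines.
# The purposes, field names and retention periods are constructed for
# illustration; the slides give no concrete values for them.
PURPOSES: Dict[str, Dict[str, Any]] = {
    "order_fulfilment": {"fields": {"name", "postal_address", "order_id"},
                         "retention": timedelta(days=365)},
    "newsletter":       {"fields": {"email"},
                         "retention": timedelta(days=730)},
}


def minimise(record: Dict[str, Any], purpose: str) -> Tuple[Dict[str, Any], List[str]]:
    """Project a full record down to the fields this purpose actually needs.
    Returns the minimised record and the names of the fields that were dropped,
    so the dropping itself can be logged as evidence that the principle was applied."""
    if purpose not in PURPOSES:
        raise KeyError(f"unknown purpose: {purpose}")
    allowed = PURPOSES[purpose]["fields"]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return kept, dropped


def retention_deadline(purpose: str, collected_at: datetime,
                       completed_at: Optional[datetime]) -> datetime:
    """The clock starts when the purpose is fulfilled; if completion was never
    recorded, fall back to the collection time so data cannot linger indefinitely."""
    start = completed_at if completed_at is not None else collected_at
    return start + PURPOSES[purpose]["retention"]


def sweep(records: List[Dict[str, Any]], now: datetime) -> Dict[str, List[str]]:
    """Split stored records into those that may still identify the subject
    and those whose retention period has run out."""
    result: Dict[str, List[str]] = {"keep": [], "erase": []}
    for rec in records:
        deadline = retention_deadline(rec["purpose"], rec["collected_at"], rec.get("completed_at"))
        result["erase" if now >= deadline else "keep"].append(rec["id"])
    return result


def demo() -> Dict[str, Any]:
    """Run both checks on constructed sample data."""
    utc = timezone.utc
    customer = {  # constructed full profile as a CRM might hold it
        "customer_id": "c-1", "name": "A. Example", "email": "a@example.invalid",
        "postal_address": "1 Sample Street", "order_id": "o-77", "date_of_birth": "1980-01-01",
    }
    kept, dropped = minimise(customer, "newsletter")
    stored = [  # constructed retention records
        {"id": "r1", "purpose": "order_fulfilment",
         "collected_at": datetime(2014, 12, 1, tzinfo=utc), "completed_at": datetime(2014, 12, 20, tzinfo=utc)},
        {"id": "r2", "purpose": "order_fulfilment",
         "collected_at": datetime(2015, 11, 1, tzinfo=utc), "completed_at": None},
        {"id": "r3", "purpose": "newsletter",
         "collected_at": datetime(2014, 1, 1, tzinfo=utc), "completed_at": None},
    ]
    outcome = sweep(stored, now=datetime(2016, 1, 15, tzinfo=utc))
    return {"kept": kept, "dropped": dropped, **outcome}


if __name__ == "__main__":
    print(demo())
```

Keeping the purpose registry as data rather than scattering field names through the code is what makes the "compatible with the purpose" check auditable: an auditor can read the allow-lists and retention periods without reading the application.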

Page 10: Jacqueline Johnson - Digital signatur & digital identitet 2015

Rights for the data subject

Information on:

• When it is collected

• Purpose

• Recipients

Rights to

- Access the data

- Rectify

- Erase

- Block

- Object to profiling

Page 11: Jacqueline Johnson - Digital signatur & digital identitet 2015

Risk and Impact assessment

• Perform a (documented) risk analysis indicating whether the process can result in ”specific risks”, i.e. more than 5,000 registered/year, financial situation, GPS data, health, personal preferences and behaviour.

• If there are specific risks, an impact assessment is required. This should include:

• Description of the handling of data

• Necessary technical and organisational security measures

• Time plan for periodic evaluations, at least every 2 years

Risk analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake.

Page 12: Jacqueline Johnson - Digital signatur & digital identitet 2015

Compliance

The controller is responsible and liable for processing, in particular with regard to

• documentation,

• data security,

• impact assessments,

• demonstrating the compliance of each processing operation with this Regulation.

This should be verified by internal or external auditors.

Page 13: Jacqueline Johnson - Digital signatur & digital identitet 2015

Cloud and GDPR

The controller is accountable for ensuring that

1) the cloud service provider (CSP) uses security measures,

2) the processing conducted, and the security measures used, by the CSP meet the regulation.

The CSP cannot retain services from a third party without the permission of the cloud client.

The CSP has to hand over all data after termination of the contract.

The CSP must allow onsite inspections and provide all information necessary for demonstrating compliance.

Both the cloud client and the cloud provider must

1) use appropriate security measures

2) conduct a risk assessment

Page 14: Jacqueline Johnson - Digital signatur & digital identitet 2015

Reporting on incidents

• When there is an incident, inform the Data Privacy Authority without undue delay

• Inform the registered persons if it may have adverse consequences for them, without undue delay, in clear and easily understandable language.

• Inform the registered persons about their rights, including the right to compensation and damages resulting from non-compliance

Page 15: Jacqueline Johnson - Digital signatur & digital identitet 2015

Supervision and sanctions

• Supervising authorities shall be reinforced

• Cooperation between DPAs intensified: shared investigations and enforcement.

• Another national DPA may take interim actions if a DPA is inactive.

• Ambition is for fines at levels similar to those in competition law

• Starting point is fines, but with the possibility of warnings and periodic inspections

• Maximum fine of 2% of global turnover.

• Fines depend on the character of the data, severity, length of non-compliance, repetition and scope of damage.

Page 16: Jacqueline Johnson - Digital signatur & digital identitet 2015

Practical challenges

The registered person will have a right to receive brief, transparent and accessible rules for data processing and rights.

Consent requirements strengthened

Implement ”mechanisms” to comply with deletion, or to evaluate continued storage

Contracts with suppliers must assure appropriate security measures and monitoring

Deletion of data includes assurance of deletion at any suppliers and sub-suppliers

Timely reporting on incidents