Antti Iso-Markku - General Data Protection Regulation - Why Should I as a MSP Care?

16.11.2017 Miradore User Seminar / Antti Iso-Markku, Fondia Oyj General Data Protection Regulation – Why Should I as a MSP Care?

Transcript of Antti Iso-Markku - General Data Protection Regulation - Why Should I as a MSP Care?

Page 1: General Data Protection Regulation – Why Should I as a MSP Care?

16.11.2017 Miradore User Seminar / Antti Iso-Markku, Fondia Oyj

Page 2: EU's General Data Protection Regulation (GDPR)

• The result of a long legislative process

• Entered into force on 24 May 2016, applicable as of 25 May 2018

• Directly applicable law, meaning it does not depend on national implementation

• A legislative process for updating the Personal Data Act and special legislation is in progress in Finland

    • Working group memorandum published 21 June 2017

    • Government's proposal for a Data Protection Act

• In a parallel track, the EU is preparing an ePrivacy Regulation, which is currently under discussion in the legislative bodies and intended to apply from the same date as the GDPR

Page 3: So Why Should I as a MSP Care?

In a nutshell:

• Basically all companies of the digital age hold personal data of their customers and business partners in their IT systems, whether they are aware of it or not; the regulation applies to them as it stands

• In your case, you are the processor of your customers' and their end-users' personal data

• The rules on processing of personal data become more stringent with the GDPR

• Processing of personal data will demand a more systematic and active approach than before

• The supervisory authority has the right to order an organisation to correct its behaviour or to stop the processing of data completely, if the processing is not in accordance with the laws and regulations

• If the activity is not corrected or the breach is otherwise serious enough, the authority may impose an administrative fine, which comes in two tiers (in each case whichever amount is higher):

    • 10 million € or 2 % of the worldwide annual turnover of the preceding financial year

    • 20 million € or 4 % of the worldwide annual turnover of the preceding financial year

• In addition, in a world of increasing privacy awareness, companies face reputational risks

Page 4: (no text on this slide)

Page 5:

"There are two types of companies: those who have been hacked, and those who don't yet know they have been hacked."

John Chambers, CEO of Cisco

Photo: © The Preiser Project @ Flickr (CC BY 2.0)

Page 6: Personal data, controller and processor

Definitions as given in Article 4 of the GDPR:

"Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person"

"Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"

"Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"

Page 7: Fundamental Principles of Data Protection

1. Lawfulness, fairness and transparency of processing

2. Purpose limitation

3. Data minimisation

4. Accuracy of data

5. Storage limitation

6. Integrity and confidentiality of data

7. Accountability of the controller/processor

Page 8:

"Of course we take care of data privacy …"

"Here is our data processing review report, based on which the privacy policy and impact assessment have been made."

Photo: © ad.mak @ Flickr (CC BY 3.0)

Page 9: Privacy by Design and Default

• Privacy by Design: privacy is taken into account during the entire lifespan of the processing, and in particular already when planning the collection and processing of data

    • Organisational measures such as training of personnel, instructions and policies, confidentiality obligations, certifications, inspections and audits, data processing reports, charting of information flows

    • Technical measures such as general information security, data encryption and anonymisation / pseudonymisation, technical safeguards, monitoring and control systems, remote access and user rights control, physical access control of premises

• Privacy by Default: as a rule, only data relevant for the purpose of the processing may be processed; asking for this and that merely on the grounds that the information might be useful in the future is not allowed

    • Restricts the quantity, scope, storage time and accessibility of the collected data
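Pseudonymisation, listed above among the technical measures, as an added example that is not from the original slides: a keyed pseudonym (HMAC-SHA256 under a key held only by the controller) replaces the identifier in the copy handed to the processor, while the controller keeps the key and a separate lookup table for re-identification. The sample records, the key handling and all helper names are constructed for this example. The block also contrasts the keyed pseudonym with a plain SHA-256 of the e-mail address, which anyone holding the processor's data can reverse by simply enumerating candidate addresses.

```python
"""Keyed pseudonymisation of identifiers before data reaches a processor.

Added example (not from the original slides). The records, the key handling
and all helper names here are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: device-management records as a customer (controller)
# might hand them to an MSP (processor). Note the differently-cased
# duplicate address for Alice.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "device": "laptop-01", "os": "Windows 10"},
    {"email": "bob@example.com", "device": "phone-07", "os": "Android 8"},
    {"email": "alice@example.com", "device": "tablet-03", "os": "iOS 11"},
]


def normalise(identifier: str) -> str:
    """Canonicalise an identifier so one person always yields one pseudonym."""
    return identifier.strip().lower()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the canonical identifier.

    Without `key` the pseudonym cannot be linked back to the identifier by
    recomputation; that is the difference from a plain hash.
    """
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(
    records: Iterable[Dict[str, str]], key: bytes, fields: Tuple[str, ...] = ("email",)
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (copy for the processor, lookup table for the controller).

    The processor copy carries only pseudonyms. The lookup table mapping
    pseudonym -> identifier stays with the controller, stored apart from
    the shared data (GDPR Art. 4(5) requires this "additional information"
    to be kept separately).
    """
    shared: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for record in records:
        out = dict(record)
        for field in fields:
            if field in out:
                token = pseudonymise(out[field], key)
                lookup[token] = normalise(out[field])
                out[field] = token
        shared.append(out)
    return shared, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Controller-side reversal. Deleting a lookup entry (or the key) makes
    the processor's records unlinkable to that person."""
    return lookup.get(token)


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: shown only as the weak alternative."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def guess_from_candidates(
    token: str, candidates: Iterable[str], key: Optional[bytes] = None
) -> Optional[str]:
    """Attacker model: recover an identifier from a token by trying a list of
    candidate addresses. key=None means the attacker holds only the processor's
    data and can therefore only try plain hashes."""
    for candidate in candidates:
        guess = naive_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(guess, token):
            return normalise(candidate)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the controller only
    shared, lookup = pseudonymise_records(SAMPLE_RECORDS, key)
    for row in shared:
        print(row)
    token = shared[1]["email"]
    print("controller re-identifies:", reidentify(token, lookup))
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("plain hash guessed as:", guess_from_candidates(naive_hash("bob@example.com"), guesses))
    print("keyed token guessed as:", guess_from_candidates(token, guesses))
```

The normalisation step matters in practice: without it, "Alice@Example.com" and "alice@example.com" would become two different pseudonyms and the processor could no longer group one person's devices. Rotating the key, or deleting a lookup entry, severs the link for the affected records, which is one way a controller can honour an erasure request without touching the processor's copy.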

Page 10: Rights of the Data Subject

• Data subject means a natural person whose personal data is processed

1. Right to transparent information regarding the processing (privacy policy)

2. Right of access to the data

3. Right to rectification and right to erasure ("right to be forgotten")

4. Right to restriction of processing

5. Right to data portability

6. Right to object

7. Right not to be subject to a decision based solely on automated processing

• With some exceptions related to pseudonymised/anonymised data, which the controller can no longer attribute to a specific person

Page 11: Risk-Based Examination

• What kind of processing of personal data may cause a considerable risk for the data subject?

• Considerable risk is assessed by:

    • Probability

    • Seriousness

    • For example identity theft, economic loss, discrimination, reputational damage, disclosure of sensitive information, loss of trust in the controller

• The GDPR scales the obligations of the controller according to the level of risk:

    • High risk: data protection impact assessment, prior consultation with the authority, informing the data subjects of a personal data breach

    • Basic level: informing the authority of a data breach, prior planning and accountability, fulfilling the rights of the data subject

    • Low risk: fewer requirements, for example for the processing of pseudonymised or anonymised data (fully anonymised data is no longer personal data at all)

Page 12: (image slide)

Photo: © GotCredit @ Flickr (CC BY 2.0)

Page 13: Data Protection Officer

• Data Protection Officer (DPO)

• Shall be designated if:

    • The body is a public authority or body

    • The core activities of the body consist of regular and systematic monitoring of data subjects on a large scale

    • The core activities of the body consist of large-scale processing of special categories of (sensitive) personal data or of data relating to criminal convictions

• May be appointed voluntarily in other organisations as well; may be shared between several organisations

• The DPO must have sufficient knowledge and understanding of data protection matters and risks; the DPO's duty is to independently advise and inform the organisation on the planning and implementation of data protection measures and policies

Page 14:

Your new DPO? --> You wish!

Photo: © Jlhopgoog @ Flickr (CC BY-ND 2.0)

Page 15: Outsourcing the Processing and Transfer of Data

• Always based on a written agreement, the minimum content of which is defined in the regulation

• Subcontracting is not possible without the controller's prior written authorisation; the processor is liable for the subcontractor's actions as for its own

• The EU draws up model clauses (standard contractual clauses) through which a sufficient level of personal data protection can be guaranteed when transferring data outside the EU/EEA

    • Alternatively, a US-based processor may join the Privacy Shield framework and in that way demonstrate a sufficient level of data protection (note: the CJEU invalidated Privacy Shield in July 2020, after this talk was given)

• A clause in the privacy policy indicating the transfer of data and the sufficient level of data protection

• The processor shall refrain from data processing that violates the regulation and notify the controller of the fact

Page 16: Data Security Infringements and Data Breaches

• Notification of a data breach or other misappropriation of data shall be made to the supervisory authority without undue delay and, where feasible, within 72 hours of having become aware of the breach

    • What data was compromised, what risks the compromised data poses, what measures have been taken to rectify the situation

• Notification may be omitted only if the breach is unlikely to result in a risk to the data subjects; a notification made later than 72 hours must be accompanied by the reasons for the delay

• As a processor, you must notify the controller without undue delay after becoming aware of a breach, since the controller's 72-hour clock starts from its own awareness

• In cases of high risk, also the data subjects themselves, whose data has fallen into the wrong hands, shall be notified

• This means that when a data breach/loss of data has happened and the organisation does not have a clear policy or process for such situations, it is already in deep trouble

Page 17:

"Security is always excessive until it's not enough."

Robbie Sinclair, Head of Security, NSW Australia

Photo: © Tim Samoff @ Flickr (CC BY-ND 2.0)

Page 18: The Most Important Changes for MSPs

• Accountability: document, document and document

• Provide the customers (data controllers) with the tools and support necessary to respond to requests made by the end-users (data subjects)

• Ensure there are written data processing agreements (DPAs) between you and the customer before they start to use the service

• Assess the risk in your data processing and design appropriate safeguards

• Train your personnel on the GDPR and privacy issues

Page 19: Next Steps – How to Ensure a Sufficient Level of Data Security When the Regulation Arrives

• Understand that this, in all probability, concerns your entire organisation

• It is not yet too late, if you begin to take measures NOW

• Map the current situation

• Make data protection and security part of every process from the beginning

• Consider the need for a data protection officer and/or assign the responsibility internally

• One step at a time: this is a marathon, not a sprint!

• Seek outside help if you cannot make heads or tails of it on your own

Page 20: Thank you!

Antti Iso-MarkkuLegal [email protected] 7205 438