EU Data Protection Regulation - BCS


Transcript of EU Data Protection Regulation - BCS

Page 1: EU Data Protection Regulation - BCS

EU Data Protection Regulation – and what should we do about it?

BCS North London Group – 25 February 2016

Sarb Sembhi CISM

Chief Technology Officer & Acting Chief Information Security Officer

Page 2

Disclaimer

• The views expressed in this presentation are those of the presenter and not BCS

• Nothing in this presentation is intended as advice; it is presented as the views of the presenter

• Please verify any actions you decide you wish to consider further – I am not a legal expert

• Things have still not been finalised … but it is pretty close

• I am not anti-US or anti-US businesses, but I am against abuses of legislation which result in unfair competition against local businesses (especially if those businesses are in the UK)

Page 3

Objectives

• Convey that although Data Protection seems complex (and it is), once you understand the different stakeholders’ positions it becomes clearer (except that there are too many stakeholders)

• Don’t get caught up in the details right now; there are too many of them, and several have yet to be agreed

• Although lawyers can help you with the legal bits, you will need to understand and determine the practical and technical implementation aspects yourselves

• Don’t worry, there will be plenty more detailed information sessions once supervisory authorities start to interpret the Regulation

Page 4

Agenda

• Why is it all personal?

• Where were we with Data Protection before now?

• What changed and led to the draft EU GDPR?

• What was in the draft EU GDPR?

• Where is it all now?

• What’s all the fuss about Safe Harbour?

• What does all this mean for our business?

Page 5

Why is it all personal?

• National stakeholders

• Local differences

• Technology

• Business interests

• Value of data (or lack of it)

• People are only likely to relate or react when it’s personal (sometimes not even then), or they remain unaware

Page 6

Personal for kids and their parents

• A misconfigured database at uKnowKids.com exposed the data of 1,700 children, their personal messages, social media profiles, and images

• More than 6.8 million private text messages, nearly 2 million images (many depicting children)

• This includes first and last names, email addresses, dates of birth, GPS coordinates, social media access credentials, and more

• The insecure MongoDB installation was online for seven weeks before Vickery discovered it and reported the issue to uKnowKids

• uKnowKids goes on to accuse the security researcher who uncovered its problems of "hacking" its data

Page 7

Personal for kids and their parents

• The data breach affected about 5m parent accounts and more than 6m children’s accounts

• The children’s profiles included names, genders, birthdates, headshots and chat logs, while the parent accounts included email addresses, passwords, secret questions and answers, IP addresses, and mailing addresses

• Security researchers found multiple security flaws in VTech tablets

• VTech’s response was to change its website T&Cs

Page 8

If it’s not young children, it’s young adults

• Students’ personal information could be found via a Google search, landing Greenwich University

• Students' names, addresses, dates of birth, mobile phone numbers and signatures were all uploaded to the university's website

• In some cases, mental health and other medical problems were referenced to explain why students had fallen behind with their work

Page 9

Innocent gift cards are no less a target

• The information potentially accessed included names, contact information, dates of birth, and gift card numbers. Gift card numbers could have been used to make unauthorized purchases

• In addition, Gyft log-in credentials may have been compromised. An unauthorized party who acquired credentials could have accessed a Gyft account and used any gift cards in the account with unused balances, reward points or a Coinbase-enabled account to purchase additional gift cards

• Beginning on October 3 and continuing through December 18, 2015, an unknown party accessed without authorization two cloud providers used by Gyft

Page 10

And we’re back to young adults

• The University of Central Florida has admitted that hackers who broke into its systems may have snaffled the personal details of more than 60,000 staff and students

• The breach, discovered in early January but only made public in February, exposed the social security numbers and other private information

Page 11

And last but not least … our politicians

Page 12

Data breaches cost customers

Page 13

And a lot of money

Page 14

So, what personal data is out there? 1

• Telephone call time, date, duration, originating/destination number, and possibly the content of the call (VoIP, wiretapping)

• Unencrypted emails (Gmail, Hotmail, Yahoo, etc.)

• Perhaps even encrypted emails

• Calendar and contact data

• Other unencrypted traffic

• Including: access to all social media sites, uploading utilities, etc.

• Data collected by mobile device applications

Page 15

So, what personal data is out there? 2

• Data collected by mobile operating systems

• Data stored by backup sites

• Data collected by VoIP services

• Data collected by mobile payment services

• Search request data

• VPN log data

• All of this is independent of any business cloud services

Page 16

Plus more, with much more to come

• Data collected by Google Glass-like products

• Data collected by smart TVs (which watch you viewing TV)

• Data collected by smart meters & smart grid

• Data collected by driverless cars

• Data collected by Internet of Things devices around the home

• Data collected on wearable & health devices

• Mobile Payments (like Oyster card data)

• Advanced Big Data analysis and data mining tools

• Criminal use of the above tools to create new business models based on data stolen from the above sources

Page 17

Yes, it is really personal

• 27 EU members each with different cultures and histories around privacy, ID cards, etc.

• Several EU leaders were only interested in the NSA revelations once they knew that their calls and data had likely been intercepted

• Customers and employees may only understand the issues when it happens to them

• When there is compensation involved, it’s personal

Page 18

Where were we with Data Protection before 2012?

• Directive 95/46 EU

• Data Protection Act 1998

• 8 principles – the 7th principle, “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”, relates most obviously to cyber security

• Safe Harbour Agreement 2000

Page 19

What changed and led to the draft EU GDPR?

• Variations in interpretation of the Directive, not only in the national legislation itself, but also in interpretations of the wording

• Burden on pan-European businesses of complying with each location’s interpretation

• Greater amount of personal EU citizen data being held outside of EU

• Large amount of personal data being collected by non-EU data controllers

• Experiences of abuses of fair use, purposes, adequacy, accuracy, retention, recognition of rights, security and transfers

• More case law, fewer advisories from Supervisory Authorities

Page 20

What else has changed?

• Ease of portability and transportability of data

• Regular (weekly) large scale data breaches

• Issues around control and ownership of personal data

• Recognition of Generation Y’s need to start again

• Economic climate – triple dip recession?

• Unfair competition

• Businesses that collect personal data and can leverage technology, as well as the tax system, appear to be the most profitable and challenge existing business models

Page 21

Finally …

• A recognition by many that the 1995 Directive is no longer fit for purpose due to the vast changes in everything

• Draft EU GDPR goes public in February 2012

• Causes a great debate about whether it is over the top

• Then the Snowden effect from June 2013 onwards

• Then the respective amendments by each of the two sides

Page 22

Clarification on proposed regimes

• Data Protection Regulation – does not need to be implemented by each member, as it becomes law when it is agreed. This will affect day to day DP operations for citizens and businesses

• Data Protection Directive – does need to be implemented into law by each member. This is only for law enforcement and how they share data across Europe to fight and reduce crime

• Previous iterations of the Regulation are currently in force for the telecoms industry, as it was trialled there first

• Safe Harbour 2

Page 23

What was in the EU GDPR? 1

• New expanded Data Protection Principles:

o Processed lawfully, fairly, and in a transparent manner;

o Collected for specified, explicit, and legitimate purposes, and not further processed in ways incompatible with purposes;

o Adequate, relevant and limited to the minimum necessary;

o Only processed if, and as long as, the purposes of the processing could not be fulfilled by processing information that does not involve personal data;

o Accurate, kept up-to-date, with incorrect data being erased or rectified;

o Kept in a form that permits identification of the data subjects for no longer than necessary;

o Processed under the responsibility and liability of the data controller, who must ensure and demonstrate for each operation its compliance with the Regulation.

Page 24

What was in the EU GDPR? 2

• Requirement for: Specific, Informed and Explicit Consent

• Protection of Children Under 13

• Expanded Definition of Sensitive Data

• Simplification of Cross Border Transfers

• Controllers and Processors to have greater accountability

• Special Rules for Data Processors and Subcontractors

• Businesses with over 500 employees to have a Data Protection Officer

Page 25

What was in the EU GDPR? 3

• Obligation to provide adequate security

• Security breach disclosure

• Data Protection Impact Assessment

• Right to lodge a complaint with a Supervisory Authority

• Judicial Remedy against Data Controllers or Processors

• Judicial Remedy against Supervisory Authorities

• Class Actions

• Individuals’ Right to Compensation

• Penalties 4% and Sanctions

Page 26

What was in the EU GDPR? 4

• Rights of Data Subjects:

o Transparency and better Communication

o Right of Information

o Right of Access

o Right of Rectification

o Right to Object to the Processing

o Right not to be Subject to Measures based on Profiling

o Right to be forgotten (not Erasure)

o Right to Data Portability

Page 27

But, then Snowden happened!

• Disclosures of mass US government surveillance

• Many large US data controllers considered to be complicit in providing data to intelligence services about EU citizens

• World leaders identified as having been targets of US surveillance activities

Page 28

Where is GDPR up to since Snowden? 1

• The privacy lobbies have been requesting:

o clearer extensive rights from the outset and when things go wrong;

o greater obligations for data processors

• Data processors have been requesting:

o less onerous obligations;

o greater fuzziness in the language;

o greater ease of managing the relationship with a SA

• Supervisory Authorities have been requesting:

o some of the above;

o ease of managing issues in other member states for subjects;

o powers to fine larger sums in relation to worldwide turnover

Page 29

Where is GDPR up to since Snowden? 2

• Intelligence agencies have requested:

o the ability to collect data for national security purposes – this has overtaken privacy concerns in some cases, and created a better understanding of citizen and non-citizen surveillance

• After around 4,000 amendments, of which a high percentage were funded by US corporate interests – more money was spent on lobbying this single piece of legislation than on all others put together, ever!

• Pause for thought: Do our privacy and Data Protection laws come from the US internet giants? Do Europeans only get what the US corps give us?

• Several tripartite (European Commission, European Parliament and European Council) discussions and agreements have taken place to produce the final version which is likely to be out by year end

• It is likely that businesses will have around 18-24 months to implement compliance measures

Page 30

What’s all the fuss about Safe Harbour? 1

• Safe Harbour scheme set up in 2000

• EU DP law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those in the EU

• The Safe Harbour agreement between the EC and the US government essentially promised to protect EU citizens’ data if transferred by companies in the US. It allowed companies like Facebook to self-certify that they would protect EU citizens’ data when transferred and stored within US data centres

• It is a self-certification scheme managed by the Federal Trade Commission under the oversight of the US Department of Commerce

Page 31

What’s all the fuss about Safe Harbour? 2

• In 2008 an Australian research firm (Galexia) found that "the ability of the US to protect privacy through self-regulation, backed by claimed regulator oversight was questionable"

• After Snowden, an Austrian, Max Schrems, challenged Facebook, claiming that it wasn’t keeping his data safe from the US intelligence agencies, by taking the Irish ICO to court. This was referred to the EU Court of Justice, where the Court ruled that the Safe Harbour principles were invalid

• 2 key findings:

o US federal government agencies could use personal data under US law, but were not required to opt in

o EU citizens did not have the same protection or rights in cases of wrongdoing under Safe Harbour as they do under EU law

• Enter Safe Harbour 2, coming your way soon

• Stop Press: EU Model Clauses may also be invalid; however, binding corporate rules are still most likely OK

Page 32

What does all this mean for your business? 1

• If you are using US-based cloud services, you are transferring data, therefore you do need to consider your response to both:

o a) Pre-GDPR

o b) Compliance with GDPR

• If you think you are not using any US-based cloud services, audit all activities – it is more likely that you are but just don’t know it!

• Identify all the data you currently hold or use and the data you intend to hold or use and separate it according to your obligations and risks – this first (big) step will demonstrate to a Supervisory Authority that you have at least started the process of understanding what is required of you

• Use this data to undertake a privacy impact assessment

• Consider any data you hold or collect that may be excessive for the use it was collected for, and decide a way forward which respects the new rights

• Consider the consent you currently hold and how it will need to change

Page 33

What does all this mean for your business? 2

• Update privacy policies, especially: what data you collect; how you will use it; subject rights and how you assist subjects in exercising them; your responsibilities; who to complain to and how

• Consider all your suppliers and all those to whom you supply services, in the context of who holds what data and the assurance you or they need to comply with the Regulation

• Revisit your Incident Response procedures and ensure that they work for you, minimising your risks and maximising your response

• Consider the use of specialist services on a retainer basis to assist you in doing the above and more, to instil a compliance regime: Virtual DPO, Virtual CIRO, Legal, Incident Response Team

• Consider the use of Cyber Insurance

Page 34

TRUSTe Survey 1

• Across US and Europe

• 100 medium to large organisations

• Respondents had responsibilities for IT or regulatory compliance

• 20% well prepared

• 26% just started

• 44% unaware or vaguely aware

Page 35

TRUSTe Survey 2

Page 36

If you remember nothing else …

• Regardless of whether the UK is a member of the EU or not, businesses in the UK will have to comply with the Regulation, since the Regulation relates to anyone handling data about EU citizens

• If you want to export data from the EU, then the territory that you intend to export it to must be able to provide the same safeguards as exist in the EU

• The chances are that if you can show that you have taken a risk-based approach, you will most likely not be fined by a Supervisory Authority (the ICO in the UK); it’s where you are unable to demonstrate your approach that you are most likely to be fined

• Equally, it is better to give subjects their rights under the GDPR earlier rather than later than required by law

• Think of compliance with the EU GDPR like health and safety – certain industries/sectors or business types/models will need to do more than others

• There will always be the “data protection gone mad” syndrome, but just don’t become part of it

Page 37

What to do, what to do

• Identify who will be responsible

• Assess current policies

• Assess current use of personal and sensitive data

• Brief all senior managers – as they will determine the work for their staff in complying or not as the case may be

• Assess current 3rd party suppliers

• Create a knowledge base to share with others

• Develop an overall strategy to change

• Develop a plan with details on who will do what and by when

• Act on the plan

Page 38

Finally

We will be back here within 8-10 years from now!

Page 39

http://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-february-2016/

Page 40


Sarb Sembhi CISM

Chief Technology Officer & Acting Chief Information Security Officer

Questions