GDPR/CBPR Are we aware? Are we ready? - ATCI · 2019. 1. 13. · Mahidol University, December 11, 2018

Transcript of the slides

Page 1:

GDPR/CBPR ARE WE AWARE? ARE WE READY?

Jarernsri Mitrpanont, Ph.D.

Faculty of ICT, Mahidol University

December 11, 2018

~ Looking ahead to CBPR system certificate and GDPR compliance management ~

“Thailand and Japan Digital Governance seminar”

1

Page 2:

Jarernsri Mitrpanont, Ph.D., Faculty of ICT, Mahidol University

MAHIDOL UNIVERSITY ORIGINATES FROM THAILAND’S FIRST HOSPITAL, SIRIRAJ HOSPITAL, FOUNDED IN 1888.

Prince Mahidol

Page 3:

MAHIDOL-ICT FACULTY PROFILE: A LEADING ICT INSTITUTE FOR INNOVATIVE LEARNER AND DEDICATOR

Established in 2009 by merging the Department of Computer Science (1988), Faculty of Science, and the Mahidol University Computing Center (1980).

43 faculty members, 850 undergrad students, 60 grad students

www.ict.mahidol.ac.th

Strong Degree Program @ Faculty of ICT, Mahidol University (all taught in English)

Capability, Excellence, Agility

Leading ICT Institute

Founding DEAN

Strong International and Industry Network

Page 4:

THE GENERAL DATA PROTECTION REGULATION (EU-GDPR): WHAT WE NEED TO KNOW

GDPR is the result of an effort by the European Parliament and other governmental bodies to strengthen data protection for those living in the EU and to provide greater uniformity to existing data laws.

Approved in 2016 by the European Union (EU).

GDPR implementation effective on May 25, 2018.

EU residents gain a greater measure of control over their data and how it is used, by parties both inside and outside the EU.

GDPR applies to organizations outside the EU. Example: a U.S.-based company with a website collecting personal data of EU citizens, where that website is hosted outside the Euro Zone, would be subject to GDPR rules.

GDPR is “the biggest change to data protection law for a generation.” Elizabeth Denham, U.K. Information Commissioner

GDPR applies to organizations both inside and outside the EU!

Although the positive is for EU citizens, these tightened regulations present legal and technical challenges for companies doing business in the EU.

Failure to comply with GDPR introduces stronger sanctions and a fine of up to 20 million euros (21.4 million dollars) or 4% of the prior year’s global turnover, whichever is higher.

Page 5:

GDPR REQUIREMENTS AND CONSIDERATIONS

1) Defining personal data. The new definition is comprehensive, covering names, emails, social media posts, medical records, IP addresses and other metadata. GDPR protects even information that can be used to infer personal attributes.

2) Profiling usage of personal data. Profiling of users through their interaction with a system, or in the way a company analyzes their data, comes under the regulation. If typical user profiling tools are used in a non-anonymized manner, restrictions can apply, as they can to certain data analysis where aggregation is not used.

3) Privacy by design. Data protections must be included during development processes, not tacked on as an afterthought.

4) Transferring data internationally. Certain conditions must be satisfied before personal information can be transmitted beyond the EU.

5) Rules governing consent. GDPR requires that consent can be withdrawn as easily as it is given, and that requests for consent must be clear, intelligible, delivered in plain language and distinguishable from other materials.

6) Right to be forgotten. EU residents can request to erase their data or halt dissemination. The right to third-party data processing can be revoked.

7) Right to breach notifications. Such notifications are now mandatory in EU countries where security lapses could result in “a risk for the rights and freedoms of individuals.” This alert must be issued within 72 hours.

8) Right to be informed. Businesses must be transparent as to how they use the data they collect.

9) Right to data portability. Citizens may transmit their data between multiple controllers.

10) Lawful processing. Organizations must have a lawful basis to process personal data.

11) Right to data access. EU citizens retain the right to discover how their data is being used, including where and to what purpose. They may request a copy of stored data, which must be furnished in an electronic form free of charge.

COMPANY Note!! GDPR compliance changes and challenges: AWARENESS.

GDPR applies to any organization processing certain types of EU citizen data, regardless of whether that company is in Europe or not.

Non-compliance penalty is up to 20 million euros (24.4 million dollars) or 4% of the previous year’s global turnover, whichever figure is higher.

Organizations must demonstrate how they comply with GDPR.

Data breaches must be reported within 72 hours if that breach represents a threat to the rights or freedoms of an individual.

Some companies, depending on classification and other variables, may be required to hire a Data Protection Officer.

Ref: https://www.researchgate.net/publication/323538588_The_General_Data_Protection_Regulation_GDPR_What_Organizations_Need_to_Know

Page 6:

THE JOURNEY TO GDPR COMPLIANCE CASES

IBM surveyed 1,500 executives about their organizations’ GDPR preparations in 15 industries around the world.

The end of the beginning: Unleashing the transformational power of GDPR

GDPR – bane or boon?

Ref: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=86015886USEN

Page 7:

THE JOURNEY TO GDPR COMPLIANCE CASES

IBM journey to GDPR

IBM is one of the first to have a data privacy officer and an ethics statement that is woven into all new products and services to include built-in privacy and security.

GDPR is about personal data

Key for GDPR is the focus on personal data, any data that can directly or indirectly identify living individuals — we need to know what personal data the business uses, where it's stored, how it's processed and its lineage — where it comes from, what we do with it and where it ends up.

There are GDPR essentials every organization should have in place: defining, discovering, cataloging and protecting personal data, and managing consent.

IBM Pathways for GDPR readiness: Preparing your business for the changing realities of data privacy and protection in the EU

1. Rights of EU Data Subjects

2. Security of Processing

3. Lawfulness and Consent

4. Accountability of Compliance

5. Design and Default

Ref: IBM hybrid-cloud-analytics-platform-white-paper-external-asw12436usen-20180516.pdf

Page 8:

THE JOURNEY TO GDPR COMPLIANCE CASES

IBM Pathways for GDPR readiness Framework

5 Phases: Assess, Design, Transform, Operate, and Conform

A complete and accurate data inventory or catalogue (Figure 4) can create the foundation for a unified information governance strategy for the GDPR. It helps answer questions about where personal data is located, why it is being collected and stored, and who has access.

As such, its benefits are not limited to GDPR readiness: it can help you comply with other rules and regulations that might affect you, now or in the future.

Design: Unified Governance Catalogue

Ref: IBM hybrid-cloud-analytics-platform-white-paper-external-asw12436usen-20180516.pdf
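As an added example (not from the presentation and not IBM's code), the following Python sketch shows the shape such a personal-data catalogue can take and the readiness questions it lets you answer: where a given field lives, who has access to a system, and which entries lack a documented lawful basis, a transfer safeguard for storage outside the EU, or a retention period (the "lawful processing" and "transferring data internationally" items from page 5). The region labels, role names, the three sample systems and the rule set are constructed assumptions for the example.

```python
"""Minimal personal-data inventory (catalogue) with a GDPR readiness check.

Added example, not part of the presentation or of IBM's white paper. It
assumes a catalogue where each entry records where a personal-data field
lives, why it is processed, and who can access it, and it flags the gaps
a readiness assessment would look for: a missing lawful basis, storage
outside the EU without a named transfer safeguard, and an unset retention
period. Region labels, role names and sample systems are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EU_REGIONS = {"eu-west", "eu-central"}          # assumed hosting-region labels
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}
TRANSFER_SAFEGUARDS = {"adequacy_decision", "standard_contractual_clauses",
                       "binding_corporate_rules", "cbpr_certification"}


@dataclass
class CatalogEntry:
    system: str                  # where the data is located
    data_field: str              # e.g. "email", "ip_address"
    category: str                # "identifier", "contact", "health", ...
    purpose: str                 # why it is collected and stored
    lawful_basis: Optional[str]  # GDPR Art. 6 basis, None if undocumented
    storage_region: str          # where the system is hosted
    transfer_safeguard: Optional[str] = None  # needed if stored outside the EU
    retention_days: Optional[int] = None
    access_roles: List[str] = field(default_factory=list)  # who has access


class PersonalDataCatalog:
    def __init__(self) -> None:
        self.entries: List[CatalogEntry] = []

    def add(self, entry: CatalogEntry) -> None:
        self.entries.append(entry)

    # "Where is personal data located?"
    def locations_of(self, data_field: str) -> List[str]:
        return sorted({e.system for e in self.entries if e.data_field == data_field})

    # "Who has access?"
    def roles_with_access(self, system: str) -> List[str]:
        roles = set()
        for e in self.entries:
            if e.system == system:
                roles.update(e.access_roles)
        return sorted(roles)

    # Readiness check: a list of findings for every entry that fails a rule.
    def readiness_findings(self) -> Dict[str, List[str]]:
        findings: Dict[str, List[str]] = {}
        for e in self.entries:
            key = f"{e.system}.{e.data_field}"
            problems = []
            if e.lawful_basis not in LAWFUL_BASES:
                problems.append("no documented lawful basis")
            if (e.storage_region not in EU_REGIONS
                    and e.transfer_safeguard not in TRANSFER_SAFEGUARDS):
                problems.append("stored outside the EU without a transfer safeguard")
            if e.retention_days is None:
                problems.append("no retention period set")
            if not e.access_roles:
                problems.append("no access roles recorded")
            if problems:
                findings[key] = problems
        return findings


def build_sample_catalog() -> PersonalDataCatalog:
    """Constructed sample inventory for three systems (not real data)."""
    cat = PersonalDataCatalog()
    cat.add(CatalogEntry("crm", "email", "contact", "customer support",
                         "contract", "eu-west", retention_days=730,
                         access_roles=["support", "sales"]))
    cat.add(CatalogEntry("web-analytics", "ip_address", "identifier",
                         "traffic profiling", None, "us-east",
                         retention_days=90, access_roles=["marketing"]))
    cat.add(CatalogEntry("backup-archive", "email", "contact", "disaster recovery",
                         "legitimate_interests", "ap-southeast",
                         transfer_safeguard="standard_contractual_clauses",
                         access_roles=["ops"]))
    return cat


if __name__ == "__main__":
    catalog = build_sample_catalog()
    print("email lives in:", catalog.locations_of("email"))
    for entry, problems in catalog.readiness_findings().items():
        print(entry, "->", "; ".join(problems))
```

In this constructed inventory the CRM entry passes every rule, the analytics entry is flagged twice (no lawful basis, and hosted outside the EU with no safeguard), and the backup entry is flagged only for its missing retention period, which is the kind of gap list the "Assess" phase feeds into "Design".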

Page 9:

THE JOURNEY TO GDPR COMPLIANCE CASES

KPMG GDPR Discovery and Maturity Assessment: ARE YOU READY FOR THE GENERAL DATA PROTECTION REGULATION?

Ref: https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2018/03/gdpr-discovery-maturity.pdf

Page 10:

THE JOURNEY TO GDPR COMPLIANCE CASES

KPMG GDPR Discovery and Maturity Assessment: ARE YOU READY FOR THE GENERAL DATA PROTECTION REGULATION?

Presents the overall GDPR readiness of the organization and compares the current state against the target state of privacy maturity.

Ref: https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2018/03/gdpr-discovery-maturity.pdf

Page 11:

THE JOURNEY TO GDPR COMPLIANCE CASES

TG Pathways for GDPR readiness Framework: Are you ready for GDPR? How do we start?

Set up of working team and allocation of jobs

Phase I: GDPR Readiness

Work streams allocation

1. DPO & DPA

2. Data Privacy Policy

3. Change Management

4. Data Subjects Rights

5. Data Protection Impact Assessment: DPIA

6. Consent Management

7. Data Flow & Process

8. Data Retention & Backup

9. Contract Management

10. Cross-Border Data Transfers

11. Data Breach

Phase II: GDPR Compliance

Ref: www.law.chula.ac.th/home/file.aspx?ID=732 THAI GDPR Project. Dr. Sitdhinai Chantranon, Director, Office of the EVP, Legal and General Administration. THAI GDPR Working Team (Legal).

Page 12:

THE JOURNEY TO GDPR IN THAILAND

Where are we? How far?

KPMG Thailand explored the implications of the General Data Protection Regulation (GDPR) enforced by the EU. Bangkok, 24 August 2018.

Implications of GDPR in Thailand: Gaining competitive edge through your data strategy

KPMG: Given that Thailand is the EU’s third-largest commercial partner in ASEAN, businesses in Thailand need to be aware of and integrate GDPR regulations within their business processes.

KPMG revealed from a recent survey that consumers are increasingly concerned about data privacy and how their personal data is being used. For example, 78% of consumers think that offline targeted ads (e.g. electronic billboards) that know personal product preferences and details are ‘creepy’ rather than ‘cool’.

Findings from the survey of the participants:

45% of the participants admit that they do not fully understand the interaction between Thai regulations & GDPR;

47% have yet to start preparing for possible future privacy regulations applicable to Thailand but are planning to;

40% already have a privacy program in place;

74% admit that they do not understand how and when to report a breach affecting EU customers to the relevant supervisory authority.

GDPR builds competitive advantage, rather than being simply a regulatory requirement, by creating a privacy-aware culture and strengthening governance infrastructure focused on customers’ right to data privacy & transparency.

Ref: Mark Thompson, Global Privacy Lead, KPMG in the UK, https://home.kpmg.com/th/en/home/media/press-releases/2018/08/th-press-release-24082018-implications-of-gdpr-nglish.html

THAILAND Draft Personal Data Protection Act

On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act), which is currently under consideration by the Council of State.

Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014. The Draft Act has undergone several rounds of changes.

The Draft Act has been revised to replicate many of the concepts and obligations which are common across global data protection laws, and in particular the GDPR, such as:

Key definitions

Extraterritorial application

General protections

Collection of personal data

Cross-border transfer of personal data

Rights of data subject

Fines and penalties

Grandfathering provisions

No official announcement of the enforcement time frame yet.

Ref: https://www.dataprotectionreport.com/2018/08/overview-of-thailand-draft-personal-data-protection-act/

Page 13:

APEC PRIVACY FRAMEWORK (2015) DRAWS ON CONCEPTS INTRODUCED IN THE OECD GUIDELINES (2013) AND AIMS TO PROMOTE E-COMMERCE THROUGHOUT THE ASIA PACIFIC REGION.

APEC PRIVACY FRAMEWORK (2015): a principle-based and accountability-based approach which recognizes the importance of protecting information privacy while maintaining information flows among APEC economies and among their trading partners, while avoiding the creation of unnecessary barriers to information flows.

APEC Privacy Framework: Clear extent of Scope and Definitions

1) Personal Information

2) Personal Information Controller

3) Publicly available Information

4) CBPR System

5) CPEA (APEC Cross-border Privacy Enforcement Arrangement)

6) Privacy Enforcement Authority

7) Privacy Law

8) PRP System (APEC Privacy Recognition for Processors System)

9) Application

Ref: APEC Privacy Framework 2015 ISBN 981-05-4471-5 APEC#217-CT-01.9

APEC Privacy Framework Information Privacy Principles

1) Preventing Harm

2) Collection Limitation

3) Uses of Personal Information

4) Notice

5) Choice

6) Integrity of Personal Information

7) Security Safeguards

8) Access and Correction

9) Accountability

Ref: Malcolm Crompton, APEC Information Privacy Principles: Relationship, https://slideplayer.com/slide/8792319/

Six participating APEC CBPR economies: USA, Mexico, Japan, Canada, Singapore, and the Republic of Korea

Page 14:

APEC CROSS-BORDER PRIVACY RULES SYSTEM (APEC CBPR SYSTEM)

The APEC CBPR system, endorsed by APEC Leaders in 2011, is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies.

The APEC CBPR system has four main components:

1. recognition criteria for organisations wishing to become an APEC CBPR System certified Accountability Agent;

2. an intake questionnaire for organisations that wish to be certified as APEC CBPR System compliant by a third-party CBPR system certified Accountability Agent;

3. assessment criteria for use by APEC CBPR System certified Accountability Agents when reviewing an organisation's answers to the intake questionnaire; and

4. a regulatory cooperative arrangement (the CPEA) to ensure that each of the APEC CBPR system program requirements can be enforced by participating APEC economies.

Six participating APEC CBPR economies: USA, Mexico, Japan, Canada, Singapore, and the Republic of Korea

Ref: APEC Privacy Framework 2015 ISBN 981-05-4471-5 APEC#217-CT-01.9

Page 15:

THE READINESS OF APEC ECONOMIES WITH CBPRS

The survey on whether an economy could satisfy the basic requirements to participate in APEC CBPRs:

1. the existence of a data privacy law

2. an enforcement authority on privacy

3. trust-mark providers

4. the consistency between privacy legislation and the APEC Privacy Framework

Survey on the Readiness for Joining Cross Border Privacy Rules System - CBPRs, Final Report, Electronic Commerce Steering Group, January 2017

16 out of 21 APEC Economies have a privacy law of their own

14 out of 21 APEC Economies have a Privacy Enforcement Authority

10 out of 21 APEC Economies have at least one trust-mark provider

13 out of 21 APEC Economies show consistency between their own privacy legislation and the APEC Privacy Framework.

Survey of Intention of joining CBPRs

Survey on Obstacles

- lack of privacy law

- lack of State Institution

- lack of industrial needs

Page 16:

ANOTHER VIEW OF GDPR / CBPR

Ref: https://iapp.org/resources/article/a-brief-history-of-safe-harbor/

Ref: http://ubir.bolton.ac.uk/1398/1/Griffiths%20D%20%20Preprint%20Hoel%20Griffiths%20Chen%20LAK17.pdf

https://www.slideshare.net/JanDhont1/roadmap-to-the-gdpr-governance-and-accountability-v30

Ref: https://www.clickz.com/1980-next-may-evolution-gdpr/203155/

1980 OECD

2015 APEC PRIVACY FRAMEWORK

2018 GDPR

2018 GDPR ENFORCEMENT

Example of a research study using the Privacy Framework to see how to design a Learning Analytics System and NOT violate the Privacy Laws!!

Page 17:

EU-GDPR / APEC-CBPR

ARE WE AWARE? ARE WE READY?

Jarernsri Mitrpanont, Ph.D.

Faculty of ICT, Mahidol University

December 11, 2018

~ Looking ahead to CBPR system certificate and GDPR compliance management ~

“Thailand and Japan Digital Governance seminar”

THANK YOU