Jacqueline Johnson - Digital signatur & digital identitet 2015
Transcript of Jacqueline Johnson - Digital signatur & digital identitet 2015
Global Implications of the EU General Data Protection Regulation
Trends
• Protection of privacy is becoming more important for people. Private information is shared without people's knowledge.
• Protection against cyber crime is on the agenda.
• But… this is challenged by technical developments: big data, data mining and public cloud.
• Rules are becoming stricter, but some parties are not under this stricter EU jurisdiction.
2 • Jacqueline Johnson
The EU commission's evaluation of the current situation
• Current legislation is from 1995 and is a directive.
• Different implementation in EU countries.
• Current national rules do not fulfil the objective.
• Rules have not been updated in accordance with the technological development.
”…establishing a stricter and common framework in EU, which are effectively enforced”.
• Data protection when using external suppliers is not sufficient.
• Terms of consent not sufficient.
• Not sufficient transparency of gathered data.
• Documentation of compliance insufficient.
• No requirement of risk and consequence analyses.
Harder sanctions!
Definitions
• Data subject
• Processing
• Controller
• Processor
• Personal data
Scope: locations of organisations
• "Doing business in Europe" will affect companies with head office outside the EU; this means that it affects U.S. companies.
• One stop shop for multinational companies with head office in the EU. The stop is the country of the head office.
Representative
• Company outside the EU
• More than 5000 data subjects registered or sensitive data
DPA and DPO
• DPA = Data Privacy Authority
• DPO = Data Protection Officer
• More than 5000 data subjects registered -> DPO
• The DPO should be consulted during risky processes, design and development of systems instead of the DPA
• When locating the DPO remember the one stop shop
Consent
• Explicit, specific, voluntary and informed
• Burden of proof will lie with the organisation
• Must be separated from other texts (not part of terms of service/delivery)
• No pre-ticked boxes
• Can be withdrawn at any time
Exceptions
- Protect the data subject's vital interests
- Legitimate interest of the controller
- Carried out in the public interest
Principles in GDPR
Principle of data minimisation
• Adequate, relevant and limited to the minimum necessary in relation to the purpose
Principle of data protection by design
• Appropriate technical and organisational measures from
- very early design stage,
- deployment,
- use,
- final disposal.
• Require privacy settings
Data Quality
• Processing compatible with the purpose
• Accurate
• Kept up to date
• Permits identification of data subjects for no longer than is necessary
Rights for the data subject
Information of:
• When it is collected
• Purpose
• Recipients
Rights to
- Access the data
- Rectify
- Erase
- Block
- Object to profiling
Risk and Impact assessment
• Perform a (documented) risk analysis, indicating whether the process can result in ”specific risks”; i.e. more than 5000 registered/year, financial situation, GPS data, health, personal preferences and behaviour.
• If there are specific risks, there is a requirement of impact assessment. This should include:
- Description of handling of data
- Necessary technical and organisational security measures
- Time plan for periodic evaluations, minimum 2 years
Risk analysis won't make you sleep any better at night, but it will help ensure that the right things keep you awake.
Compliance
The controller is responsible and liable for processing, in particular with regard to
• documentation,
• data security,
• impact assessments,
• demonstrating the compliance of each processing operation with this Regulation.
This should be verified by internal or external auditors.
Cloud and GDPR
The controller is accountable for ensuring that
1) the cloud service provider (CSP) uses security measures,
2) the processing conducted, and the security measures used, by the CSP meet the regulation.
The CSP cannot retain services from a third party without the permission of the cloud client.
The CSP has to hand over all data after termination of the contract.
The CSP must allow onsite inspections and provide all information necessary for demonstrating compliance.
Both the cloud client and the cloud provider must
1) use appropriate security measures,
2) conduct a risk assessment.
Reporting on incidents
• When there is an incident, inform the Data Privacy Authority without undue delay.
• Inform the registered persons if it may have adverse consequences for them, without undue delay, in clear and easily understandable language.
• Inform the registered persons about their rights, including the right to compensation and damages resulting from non-compliance.
Supervision and sanctions
• Supervising authorities shall be reinforced.
• Cooperation intensified between DPAs: shared investigations and enforcement.
• Other national DPAs may take interim actions if a DPA is inactive.
• Ambition of fines on similar levels to laws on free competition.
• Starting point is fines, but possibility for warnings and periodic inspections.
• Maximum fine of 2% of global turnover.
• Fines are dependent on the character of the data, severity, length of non-compliance, repetition and scope of damage.
Practical challenges
• The registered person will have a right to receive brief, transparent and accessible rules for data processing and rights.
• Consent requirements strengthened.
• Implement ”mechanisms” to comply with deletion or evaluation of continued storage.
• Contracts with suppliers must assure the appropriate security measures and monitoring.
• Deletion of data includes assurance of deletion at possible suppliers and sub-suppliers.
• Timely reporting on incidents.