Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Size: px

Start display at page:

Download "Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe"

Jade Ross
5 years ago
Views:

Respecting Privacy, Securing Data and Enabling Trust a view from Europe Robert Bond, Partner & Notary Public Robert Bond Robert Bond has nearly 40 years' experience in advising national and

1 Respecting Privacy, Securing Data and Enabling Trust a view from Europe Robert Bond, Partner & Notary Public Robert Bond Robert Bond has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. He is a recognised legal expert and author in the fields of IT, e- commerce, computer games, media and publishing, data protection, information security and cyber risks. He is Secretary of the Board of the Society for Corporate Compliance & Ethics, Chairman of the Big Data Governance committee of techuk, a member of the UN Data Privacy Advisory Group to the United Nations and an Ambassador for Privacy by Design. 2 1

2 3 4 2

3 5 6 3

4 7 8 4

5 9 10 5

6 11 Respecting Privacy 6

7 Is compliance a tick box exercise? Isn t it all about tools and data mapping? 13 PROTECTION OF PERSONAL INFORMATION is nothing new Right to privacy according to Samuel Warren and Walter Brandeis 1890 Right to be let alone European continental countries right to privacy embedded in early constitutions Private life referred in the French Constitution of 1791 Portuguese Constitution of 1822 set up the secrecy of letters Greatest recent examples of misuse of personal information WW2 German occupied countries 20 th century European dictatorships Privacy of personal information is not exclusive of the internet connected era! 14 7

Lost the strong connection with tangible world Data protection legislation developed from the early

8 AND THEN IT GOT COMPLICATED! Advent of computerised world: storage / exchange of large quantities of information Facilitated Lost the strong connection with tangible world Data protection legislation developed from the early 70s onwards Land of Hesse Act (1970) Swedish Data Act (1973) Portuguese Constitution (1976) UK Data Protection Act And now it is more complicated.but don t panic! 16 8

Understanding Jurisdictional Privacy Frameworks Historical influences and empires English common law influences European civil law influences OECD Guidelines Convention 108 17 EU General Data

9 Understanding Jurisdictional Privacy Frameworks Historical influences and empires English common law influences European civil law influences OECD Guidelines Convention EU General Data Protection Regulation Definitions of Personal data Consent Children s (Parental) consent Information Data Subject rights & access Right to be forgotten Data portability Controller and Processor responsibilities Data protection by design and default Designation for non-eu controllers Documentation Breach notification Regulator & Data subject Privacy Impact Assessments Compulsory DPOs Certifications and seals International transfers One-stop shop regulation Cooperation and consistency EU Data Protection Board Fines Sector exemptions e.g. Media & Health 18 9

10 Safeguarding Data 10

11 Breach Notification Requirements Get Ready Which law will apply to you? EU General Data Protection Regulation All companies processing and mishandling personal data fall into scope Current draft mandates notification to Supervisory Authorities within 72 hours Affected individuals must be notified only of breaches that are likely result in high risks for the freedom of individuals Network and Information Security Directive Aim to regulate against cyber threats Operators must notify competent authority of incidents that have significant impact on services Energy, transport, banking industries, credit institutions, health, water industries, digital service providers will be subject to the law Most likely it will come into force in 2019 in each member state Local data protection authorities imposing their own law From 1 Jan 2016 Netherlands: controllers are required to notify immediately local data protection authority of any security breaches Already existing laws in Austria, Germany, Norway and Russia and many regulators recommend voluntary notification 21 Preparing for a Data Breach Have an incident response plan, and an incident response team, in advance Have a pre-selected incident response team leader Have outside vendors (outside counsel; fraud protection provider; forensics investigator; public relations expert) selected in advance Consider whether to separate Information Security and Information Technology departments Determine whether insurance coverage is adequate Conduct incident response drills at least annually Check terms and conditions of company website; do not promise more than you should Check employee policies and procedures Consider developing relationship with law enforcement authorities before the incident 11

Responding to a Data Breach Immediately notify incident response team leader Retain outside forensics investigator to determine extent of breach Do not have internal IT department investigate breach

12 Responding to a Data Breach Immediately notify incident response team leader Retain outside forensics investigator to determine extent of breach Do not have internal IT department investigate breach If appropriate, retain outside counsel Check insurance coverage Consider whether to notify law enforcement Determine required breach/incident notifications Be cautious about premature notification; don t over-notify Consider when/how to notify employees Designate person to handle external communications Consider posting notice to company website Consider impact of any stolen intellectual property/trade secrets Keep ongoing record of response Enabling Trust 12

13 13

Preparing for GDPR Sanctions for non-compliance Sanctions for non-compliance two levels of fines Up to the greater of 2% annual worldwide turnover of preceding financial year or EUR 10 million for

14 TRAINING Great policies are useless without training! Training should be targeted to the specific audience Audit trail Attendance records Feedback provided Training programme best way to ensure compliance with current obligations 27 Data Protection Preparing for GDPR Sanctions for non-compliance Sanctions for non-compliance two levels of fines Up to the greater of 2% annual worldwide turnover of preceding financial year or EUR 10 million for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default Up to the greater of 4% annual worldwide revenues of preceding financial year or EUR 20 million for matters re breaching data protection principles, conditions for consent, data subjects rights and international data transfers 28 14

15 Questions? 29 Questions? 30 15

16 Thank you Bristows LLP 100 Victoria Embankment London EC4Y 0DH T +44(0) robert.bond@bristows.com This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document. Bristows LLP is a limited liability partnership registered in England under registration number OC and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205)

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance