EU data security and privacy trends

Size: px

Start display at page:

Download "EU data security and privacy trends"

Leslie Pope
6 years ago
Views:

1 EU data security and privacy trends Top issues for HR and global mobility October 2014

2 Disclaimer EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a clientserving member firm of Ernst & Young Global Limited operating in the US. This presentation is 2014 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young LLP expressly disclaims any liability in connection with use of this presentation or its contents by any third party. Views expressed in this presentation are those of the speakers and do not necessarily represent the views of Ernst & Young LLP. This presentation is provided solely for the purpose of enhancing knowledge on tax matters. It does not provide tax advice to any taxpayer because it does not take into account any specific taxpayer s facts and circumstances. These slides are for educational purposes only and are not intended, and should not be relied upon, as accounting advice. Page 2

3 Data privacy and security vs. human resources and mobility Page 3

4 Data privacy and security as ever growing topics Yes we scan Page 4

5 Data privacy and security in HR HR data always sensitive Cloud computing creates uncertainty about storage location Data privacy scandals for HR data abuse triggered by compliance Internal investigations must consider privacy to save use as evidence in litigation Page 5

6 Personal data any information relating to an individual Religion Trade union membership ID numbers Career experience Personal data Residence permit number Educational background Family situation Sex life Page 6

7 Data privacy and global mobility data export outside the EU critical EU model clauses Safe Harbor Binding corporate rules Countries with EU-compliant data privacy level Page 7

8 Global trend toward more data privacy regulation South Korea: Act on the Protection of Personal Data 2011 Philippines: Costa Rica and Colombia: Data protection legislation based on the 1995 EU Data Protection Directive US: Consumer Privacy Bill of Rights Federal Trade Commission FTC) recommendations on privacy on the internet India: Strives to become a safe third country Enacts new Data Protection Act (regarding IT topics) in 2011 Bill on data protection based on EU Directive 95/46 (March 2012), which is supposed to reduce the concerns regarding outsourcing to Philippine companies Singapore: New privacy law since 2012 Peru: Brazil: New Data Protection Act (2011) inspired by the Spanish Data Protection Act and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework Work in progress: Data Protection Act based on the EU Directive Australia and Hong Kong: Intend to strengthen data protection New Zealand: Safe third country Page 8

9 Privacy-critical areas in the HR environment Global positioning system (GPS) Bring your own device (BYOD) Compliance Social media Interoperability Closed circuit television (CCTV) Page 9

10 Current and future regulations Page 10

11 Upcoming EU data protection regulations Status: Draft by EU Commission in 2012 EU Parliament-agreed version in early 2014 Trialogue in 2015 Alterations: Full harmonization Privacy impact assessment Explicit consent Mandatory data protection officer (DPO) Profiling limited Breach notification Policies and procedures (accountability) Annex to financial statements Approval for information request from abroad Penalties up to 100 million or 5% of the annual turnover Page 11

12 Data security Binding data security regulations: Art.17 of EU Data Protection Directive Art. 30 of the draft EU Data Protection Regulation Proposal for a directive on network and information security across the EU, COM(2013) 48 final Germany draft for an IT Security Act, which focuses on critical infrastructures Page 12

13 Data security under draft EU Data Protection Regulation Art. 30: Security of processing: 1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing. 1a. Having regard to the state of the art and the cost of implementation, such a security policy shall: (a) Ensure that the integrity of the personal data is validated (b) Ensure the ongoing confidentiality, integrity, availability and resilience of systems (c) Restore the availability and access to data in the event of a physical or technical incident (e) Include a process for regularly testing, assessing and evaluating the effectiveness of security policies and procedures Art. 31: Notification of a personal data breach to the supervisory authority (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) 1. In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority. 2. The processor shall alert and inform the controller without undue delay after the establishment of a personal data breach. Art. 32 Communication of a personal data breach to the data subject Page 13

14 Privacy principles Page 14

15 Data protection principles Need to know principle Authorization concept Legal ground for processing Consent Use for employment Legitimate interest Purpose limitation Proportionality Notice Page 15

16 Deletion of data Deletion of personal data when it is no longer necessary Right to be forgotten Google Spain v. AEPD (ECJ Case C-131/12) Deletion (and retention) a complex task Page 16

17 Lessons learned Data privacy and security are becoming more and more important by regulation and for reputation. In business-to-business companies, HR data is the main area for privacy compliance. Data export outside the EU is critical this can happen through mobility programs or cloud computing. Processing HR data must be justified by agreement, consent or legitimate interest. Pending regulation asks for more privacy in processes (policies, security, private internet access (PIA), deletion). Privacy shall be considered in applications and processes from the beginning (privacy by design). Page 17

14331 25951 Telefax +49 181 3943 25951 Mobil +49 160

18 Questions? Dr. Peter Katko Partner, Head of IP/IT Law Telefon Telefax Mobil Ernst & Young Law GmbH Arnulfstrasse München Page 18

Data Leak Protection legal framework and managing the challenges of a security breach

Data Leak Protection legal framework and managing the challenges of a security breach ACC Europe's Annual Conference 2009 June 7-9, 2009 Geneva Alexander Duisberg Partner, Bird & Bird LLP About Bird &