GDPR Let's get operational

1 ISACA - GDPR
GDPR Let's get operational
Alain Herrmann (Technology)

2 Overview
I. Basic concepts and abbreviations
II. Scope of the GDPR
III. New approach of the GDPR
IV. Accountability
V. Ensuring the rights of the DS
VI. Complying with the obligations of DC and/or DP
VII. European and international aspects
VIII. Conclusion

3 I. Basic concepts and abbreviations used
- GDPR = General Data Protection Regulation
- DS = Data Subjects (Personnes concernées)
- DC = Data Controllers (Responsables de traitement)
- DP = Data Processors (Sous-traitants)
- DPA = Data Protection Authorities
- DPO = Data Protection Officer
- DPIA = Data Protection Impact Assessment
- PbD = Privacy by Design (Data Protection by Design)

4 II. Scope of the GDPR
Material:
- Processing of personal data by automated means (as well as manual processing if the data are contained in a filing system)
- The GDPR also applies to pseudonymous personal data but not to anonymized data
  - Pseudonymous data = data which could be attributed to a person by the use of additional information
  - Anonymous information / personal data rendered anonymous = information which does not relate to an identified or identifiable natural person / the data subject is not or no longer (even incidentally) identifiable
Extended territorial scope:
- The GDPR applies to DC and DP not established in the EU, which:
  - Offer goods or services to DS in the Union
  - Monitor their behaviour

5 III. New approach of the GDPR
Directive 95/46/EC:
- Ex-ante control, i.e. prior authorisations and prior notifications
- Increased bureaucracy due to prior formalities
GDPR:
- Ex-post supervision instead of ex-ante supervision
- Enhanced responsibility of the data controllers
- Prior formalities replaced by subsequent control, i.e. investigations
- Exceptions: e.g. prior consultation of the national DPA following a DPIA

6 IV. Accountability in the new GDPR
Data processing principles (Art. 5.1):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Accountability (Art. 5.2) = The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (Data processing principles)
The two sides of accountability:
1. Putting in place appropriate measures for acting in compliance with the GDPR
2. Ability to demonstrate compliance

7 What are appropriate measures? (1)
The GDPR has a risk-based approach:
- What has to be assessed is the risk represented by the processing to the rights and freedoms of the affected data subjects (DS)
- Measures of both organizational and technical nature have to be put in place to mitigate this risk
- No clear set of such measures is provided
Non-exhaustive list of potential measures (e.g. provided by the Art. 29 WP, Op. 3/2010):
1. Establishment of an internal data protection policy supported by C-level management
2. Establishment of internal procedures prior to the creation of new data processing operations (internal review, assessment etc.)
3. Setting up written and binding data protection policies to be considered and applied to new data processing operations (e.g. compliance with data quality, notice, security principles, access etc.) which should be available to the DS
4. Mapping of procedures to ensure proper identification of all data processing operations and maintenance of an inventory of data processing operations

8 What are appropriate measures? (2)
5. Appointment of a data protection officer (DPO) and other individuals with responsibility for data protection
6. Offering adequate data protection training and education to staff members and the allocation of sufficient resources for data protection management
   - e.g. human resources directors, IT managers, developers, directors of business units
7. Setting up of procedures to manage access, correction and deletion requests which should be transparent to DS
8. Establishment of an internal complaints handling mechanism
9. Setting up internal procedures for the effective management and reporting of security breaches
   - setting up incident management
   - in order to notify an incident, the DC/DP first needs to be able to (technically) identify it
10. Performance of privacy impact assessments in specific circumstances (even if it is not mandatory)
11. Internal/external audits
12. Sub-contracting management (with DP)

9 How to demonstrate compliance?
- Need to be able to show evidence of compliance: e.g. policies, procedures, records, results of audits, DPIA
- Transparency vis-à-vis the DS, DPAs, and the public in general (Art. 5.1a, Art. 12), e.g. through the publication of annual reports
- Mapping data processing activities and keeping detailed records thereof
  - Record keeping is an obligation incumbent on both DC and DP (Art. 30)
  - The GDPR provides for a list of information to be contained in such records
  - All records shall be written, including in electronic form
  - Exception: enterprises or organisations employing fewer than 250 people, unless:
    - The processing is likely to result in a risk for DS
    - The processing is not occasional
    - The processing includes special categories of data or personal data relating to criminal convictions and offences
- Adherence to codes of conduct and approved certification mechanisms (Art. 40, 42):
  - responsibility of the DC for implementing appropriate measures (Art. 24.3);
  - sufficient guarantees provided by the DP as regards the implementation of appropriate measures (Art. 28.5);
  - the implementation of appropriate security measures by the DC or DP (Art. 32.3)
BUT: DC and DP remain responsible under the GDPR!

10 Legal implications of accountability
- Fulfilling the accountability principle does not offer a legal presumption of compliance
  - DC may have implemented and verified the measures they have put in place but may still find themselves in wrongdoing
  - But DC who have adopted measures in robust compliance programs are more likely to be in compliance with the law by putting in place effective measures for implementing substantive data protection principles
- DC are still subject to enforcement actions by DPAs
  - But DPAs could give weight to the implementation (or lack) of such measures when assessing potential sanctions
- Not being able to demonstrate compliance represents an immediate cause of action for DPAs against DC

11 The increased enforcement power of the DPA
In order to ensure compliance, the GDPR provides new enforcement powers to the DPA:
- DPA can enforce DC to comply with new data subjects' rights
- DPA may revoke a certification of the DC
- DPA may request the DC to communicate a personal data breach to the data subject
- DPA can impose an administrative fine up to 20 million or 4% of the total worldwide annual turnover of the preceding financial year. The fine must be effective, proportionate and dissuasive
The Member State is also allowed to grant additional enforcement powers to the DPA

12
- Stricter rules for valid consent
- Information to be provided to the DS
- Right of access of the DS
- Right to rectification
- Right to erasure ("Right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to a decision based solely on automated processing, including profiling

13 Consent under the GDPR
- If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented:
  - in a manner which is clearly distinguishable from the other matters
  - in an intelligible and easily accessible form
  - using clear and plain language
- Clear possibility to withdraw consent at any time
- Consent has to be freely given: not the case if the performance of a contract / provision of a service is made conditional on consent to the processing of data which is not necessary for the performance of this contract
- Need for the consent of the holder of parental responsibility for children under 16 (13)

14 Only opt-in consent under the GDPR

15 Right to erasure ("right to be forgotten")
Erasure of personal data without undue delay when (Art. 17):
- PD = no longer necessary in relation to the purposes
- Consent is withdrawn (processing based on consent and not other legal ground)
- Successful objection to the processing by the DS
- Unlawful processing
- Compliance with a legal obligation or MS law
- Personal data collected in relation to offering of information society services to a child
Obligation of the DC to inform other DC which are processing the data of the request of the DS to erase any link, copy, replication of the data when:
- The DC has made the data public & DC is obliged to erase the data
- Obligation of means: take all reasonable steps (incl. technical measures), taking account of available technology and cost of implementation
Exceptions: Freedom of expression and information, reasons of public interest in the area of public health etc.

16 Right to data portability
The DS has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and has the right to transmit those data to another DC (Art. 20)
Conditions:
- The person has provided the data to the DC
- The processing = based on consent or contract
Possibility to have data transmitted directly from DC to DC (where technically feasible)

17 Right to data portability
What personal data must be included?
1) Personal data concerning the data subject
   - Any data which is anonymous or does not relate to the individual making the request will not be in scope
2) Data provided by the data subject
   - Intentionally and directly: submitted via online forms
   - Observed data: it may for example include a person's search history, traffic data and location data. Such observed data are actually provided by the data subject
   - Inferred and derived data are created by the data controller
   => Depending on the context, these data will not be considered as provided by the data subject and thus not within scope.

18 Right to data portability
3) The right to data portability shall not adversely affect the rights and freedoms of others
It intends to avoid:
- The retrieval and transmission of data, containing the personal data of another (non-consenting) data subject, to a new data controller; and
- The processing of a third party's data in a way that would prevent the third party from further exercising their rights.

19 Right to data portability
How can the data controller identify the data subject before answering his request?
Article 11(2) of the GDPR states that the data controller may refuse to comply with a request for data when the processing does not require the identification of a data subject and if he is unable to identify the data subject or if he is not able to identify which data relate to the individual making the request (Article 12(2)). This does however not prevent the data subject from providing additional information to confirm his or her identity. The data controller may request additional information if necessary (Article 12(6) of the GDPR).

20 Right to data portability
What is the expected data format?
"in a structured, commonly used and machine-readable format"
The terms "structured", "commonly used" and "machine-readable" are a set of minimal requirements that should guarantee the interoperability of the data format provided by the data controller. In that way, "structured, commonly used and machine-readable" are specifications for the means, whereas interoperability is the desired outcome.

21 Right to data portability
How can portable data be secured?
How to ensure that personal data are securely delivered to the right person?
- As data portability aims to get personal data out of the information system of the data controller, the transfer may become a possible source of risk regarding those data
- The data controller remains responsible for taking all the security measures needed to ensure that personal data is securely transferred to the right destination
How to help users in securing the storage of their personal data in their own system?
- By retrieving their personal data from an online service, users may store them in a less secure system than the one provided by the service. The data subject should be made aware of this in order to take steps to protect the information they have received. The data controller could also recommend appropriate format(s) and encryption measures to help the data subject to achieve this goal.

22 Right to object and automated decision making
Right to object (Art. 21)
- Objection on grounds relating to the particular situation of the DS
  - Processing based on Art. 6(1) e, f (task carried out in the public interest, legitimate interest of the DC)
  - Stop processing unless overriding compelling legitimate grounds of DC
- Objection to processing for direct marketing purposes (incl. profiling)
DS has the right not to be subject to a decision based solely on automated processing including profiling (Art. 22)
- Conditions: Legal effects on the DS / significantly affects the DS (e.g. creditworthiness)
- Exceptions:
  - Processing is necessary for entering into / performing a contract between the DS and the DC
  - The processing is authorized by Union or MS law
  - Explicit consent of the DS

23 VI. Obligations of DC and/or DP
- Security of personal data
- Notification of personal data breaches
- Data protection by design and by default
- Data protection impact assessment
- Prior consultation of national DPAs
- Data protection officer

24 Security of personal data
Obligation of DC and DP to implement technical and organizational measures appropriate to the risk (Art. 32), taking into account:
- State of the art, costs of implementation
- Nature, scope, context and purposes of processing
- Risk for the DS (from accidental or unlawful destruction, loss, alteration, unauthorized disclosure etc.) to be considered
Such measures may include:
- Pseudonymisation, encryption
- Ability to ensure confidentiality, integrity, availability, resilience of systems and services
- Ability to restore availability and access to data in case of an incident
- A process for regular testing, assessing the effectiveness of the measures for ensuring security

25 Personal data breaches
Personal data breach = breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art. 4.12)
Mandatory notification / communication of data breaches to:
- National DPA
  - Without undue delay and maximum within 72 hours after having become aware of it
  - Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  - The content of the notification is prescribed by the GDPR (Art. 33.3)
- The affected data subjects
  - When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons
  - The communication shall describe in clear and plain language the nature of the personal data breach and contain a minimum of information provided for in Art
  - Exception:
    - the DC has implemented appropriate technical and organisational protection measures applied to the personal data affected by the breach, e.g. encryption;
    - the DC has taken subsequent measures so that the high risk to the rights and freedoms of the DS is not likely to materialise;
    - it would involve disproportionate effort, but public communication or similar measure needed

26 Data Protection Impact Assessment (DPIA)
Obligation of the DC prior to processing (Art. 35):
- when high risk for the rights and freedoms of individuals (esp. processing using new technologies)
- the nature, scope, context and purposes of the processing to be considered
- A single DPIA is allowed for similar operations
- Assistance of the DPO
Examples:
- a systematic and extensive evaluation of personal aspects based on automated processing, including profiling
- processing on a large scale of special categories of data or of data relating to criminal convictions
- a systematic monitoring of a publicly accessible area on a large scale.
List of min. information to be contained in a DPIA (35.7)
Lists of processing requiring / not requiring a DPIA to be established by the national DPA (in collaboration with other DPAs)
Need for prior consultation of the DPA when a DPIA indicates high risks

27 Prior consultation of the national DPA as a result of a DPIA
When a data protection impact assessment (DPIA) indicates that processing operations involve a high risk for the DS which the controller cannot mitigate, he has to consult the national DPA prior to processing (Art. 36)
Obligation of DPA to respond giving written advice:
- Within 8 weeks of receipt of the request for consultation
- Possibility to extend by 6 weeks for complex cases
- Obligation of DPA to inform the controller about the extension within one month of the receipt of the request
Obligation of DC to provide information to the DPA about:
- The responsibilities of the actors (controller, joint controllers, processors)
- The purposes and means of processing
- The measures and safeguards provided to protect the rights of the DS
- The contact details of the DPO
- The DPIA
- Any other information requested by the DPA

28 Lack of Data Protection (Impacts on individuals)
When personal data is:
- inadequate, insufficient or out of date
- excessive or irrelevant
- kept for too long
- improperly disclosed to others
- used in ways that are unacceptable or unexpected by the person it is about
- used or misused
- not kept securely
Individual at risk of:
- physical harm
- threat to emotional wellbeing
- financial loss
- fear of identity theft
- damage to personal relationships
- humiliation / embarrassment
- harassment
- annoyance

29 OWASP Top 10 Privacy Risks Project (Context: web applications)
- P1 Web Application Vulnerabilities
- P2 Operator-sided Data Leakage
- P3 Insufficient Data Breach Response
- P4 Insufficient Deletion of personal data
- P5 Non-transparent Policies, Terms and Conditions
- P6 Collection of data not required for the primary purpose
- P7 Sharing of data with third party
- P8 Outdated personal data
- P9 Missing or Insufficient Session Expiration
- P10 Insecure Data Transfer

30 Data protection by design and by default

31 Data protection by design and by default
DP by design: designed to implement data protection principles (data minimization) and to integrate the necessary safeguards to comply with the GDPR
- When determining the means of processing and during the processing itself
- Measures depend on:
  - state of the art and cost of implementation
  - nature, scope, context and purposes of the processing
  - the risks for rights and freedoms of individuals: e.g. pseudonymisation
DP by default: ensure that only personal data which are necessary for each specific purpose of the processing are processed and that by default personal data are not made accessible without the individual's intervention to an indefinite number of individuals
- amount of data collected, the extent of their processing, the period of their storage and their accessibility

32 From Privacy by design to Data protection by design
Origins of this principle: Ann Cavoukian's "Privacy by design - The 7 Foundational Principles"; information management principles applicable to specific technologies, business operations, physical architectures and networked infrastructure:
1. Proactive not Reactive; Preventative not Remedial: anticipates and prevents privacy invasive events before they happen
2. Privacy as the Default: personal data are automatically protected in any given IT system or business practice; if an individual does nothing, their privacy still remains intact
3. Privacy is Embedded into Design (and architecture of IT systems): privacy is integral to the system, without diminishing functionality
4. Full Functionality - Positive-Sum, not Zero-Sum: avoids trade-offs such as privacy vs. security; transforms privacy into a win-win situation
5. End-to-End Security - Lifecycle Protection: privacy is embedded into the system prior to the first element of information being collected, and extends securely throughout the entire lifecycle of the data involved
6. Visibility and Transparency
7. Respect for User Privacy

33 ENISA's analysis
- Multilateral security: Whereas system design very often does not or barely considers the end-users' interests, but primarily focuses on owners and operators of the system, multilateral security demands taking into account the privacy and security interests of all parties involved. To realise that, each party should determine its individual interests as well as privacy and security goals and express them.
- Privacy-Enhancing Technologies
- Setup of Global Privacy Standards

34 ENISA's analysis
The Privacy Principles of ISO/IEC
- specifies a common privacy terminology;
- defines the actors and their roles in processing personally identifiable information (PII);
- describes privacy safeguarding considerations; and
- provides references to known privacy principles for information technology.
Privacy Protection Goals: unlinkability, transparency, and intervenability
- Working with protection goals means to balance the requirements derived from the six protection goals (ICT security and privacy) concerning data, technical and organisational processes.
- Considerations on lawfulness, fairness and accountability provide guidance for balancing the requirements and deciding on design choices and appropriate safeguards.

35 Data protection by design and by default
Unlinkability (key element for data minimization):
- Aims at separating data and processes
- Operate processes in such a way that the privacy-relevant data is unlinkable to any other set of privacy-relevant data outside of the domain (or only with disproportionate efforts)
Intervenability:
- Possibility for parties involved in any privacy-relevant data processing to interfere with the ongoing or planned data processing
- Application of corrective measures and counterbalances when necessary
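Unlinkability through pseudonymisation, as an added example (not part of the original slides): each processing domain derives its pseudonyms with its own secret key, so records cannot be joined across domains, and attribution to a person needs the "additional information" (the key), which is why such data stays pseudonymous rather than anonymous. The two datasets, the keys and all function names are constructed for illustration; HMAC-SHA256 is one common way to build keyed pseudonyms, not a method prescribed by the GDPR.

```python
import hashlib
import hmac

# Constructed sample data: two processing domains holding some of the same people.
BILLING = [
    {"email": "Alice@example.org", "name": "Alice A.", "country": "LU", "amount": 120},
    {"email": "bob@example.org", "name": "Bob B.", "country": "DE", "amount": 75},
]
ANALYTICS = [
    {"email": "alice@example.org ", "name": "Alice A.", "country": "LU", "pages": 14},
    {"email": "carol@example.org", "name": "Carol C.", "country": "BE", "pages": 3},
]

# Hypothetical per-domain secrets (fixed here so the example is reproducible).
# In practice they are random and stored apart from the pseudonymised data.
BILLING_KEY = bytes.fromhex("11" * 32)
ANALYTICS_KEY = bytes.fromhex("22" * 32)


def normalise(identifier):
    """Canonical form, so the same person always maps to the same input."""
    return identifier.strip().lower().encode("utf-8")


def unkeyed_token(identifier):
    """Weak variant: a plain hash is identical in every domain and needs no secret."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def pseudonym(identifier, domain_key):
    """Keyed pseudonym (HMAC-SHA256): stable inside one domain only."""
    return hmac.new(domain_key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, domain_key, keep):
    """Replace direct identifiers by a pseudonym and keep only the listed fields
    (data minimisation: name and e-mail never reach the output)."""
    out = []
    for rec in records:
        row = {"pid": pseudonym(rec["email"], domain_key)}
        row.update({field: rec[field] for field in keep})
        out.append(row)
    return out


def shared(tokens_a, tokens_b):
    """Tokens present in both sets, i.e. records that can be linked."""
    return set(tokens_a) & set(tokens_b)


def reidentify(pid, candidates, domain_key):
    """Attribution needs the additional information: the domain key plus
    candidate identifiers. Returns the matching identifier or None."""
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, domain_key), pid):
            return cand.strip().lower()
    return None


if __name__ == "__main__":
    weak = shared((unkeyed_token(r["email"]) for r in BILLING),
                  (unkeyed_token(r["email"]) for r in ANALYTICS))
    billing_p = pseudonymise(BILLING, BILLING_KEY, ("country", "amount"))
    analytics_p = pseudonymise(ANALYTICS, ANALYTICS_KEY, ("country", "pages"))
    strong = shared((r["pid"] for r in billing_p), (r["pid"] for r in analytics_p))
    print("linkable with unkeyed hash:", len(weak))
    print("linkable with per-domain keys:", len(strong))
```

Rotating or destroying a domain key also breaks the link between old pseudonyms and persons inside that domain, which is one technical lever for the storage limitation principle.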

36 Data protection by design and by default
Transparency:
- To provide an adequate level of clarity of the processes in privacy-relevant data processing so that the collection, processing and use of the information is able to be understood and reconstructed at any time
- For all parties: legal, technical and organizational
Anonymity and pseudonymity
Plausible deniability (vs non-repudiation)
Undetectability and unobservability: hiding the user's activities
Confidentiality

37 Privacy by Design
Privacy enhancing technologies:
- a coherent system of ICT measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system
- incorporating legal principles into technical specifications
The choice of PET techniques depends on the level of security needed to match the level of risks represented by the personal data.

38 Privacy by Design
Privacy enhancing technologies (Privacy preserving PETS)
Usage of cryptography for:
- Data storage
- Authorization
- Data access and data disclosure (at an application level, rather than at a DB level)
- Data transport (network and other means)
- Key management
Biometrics: an opportunity and threat at the same time
Creation of audit trails
Usage of pseudo-identities: TTP
Tracking protection lists in Internet Explorer

39 PETS: Encryption
Encryption is a fundamental security technique, which transforms data in a way that only authorized parties can read it, and a strong protection measure for personal data.
- Usage of suitable encryption algorithms and key sizes
- Encryption keys need to be adequately secured
- Not only "encrypt all or nothing"
- Emerging techniques: Attribute Based Encryption, functional encryption
- Encrypted search:
- Property Preserving encryption (if a > b, enc(a) > enc(b))
- Structured Encryption
- Homomorphic encryption, Oblivious RAM, Secure multi-party computation
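The order-preserving property named on this slide (if a > b, enc(a) > enc(b)), as an added example that is not part of the original slides: a toy keyed monotone mapping lets the storing party answer a range query on ciphertexts alone, and the same run shows what that party learns regardless, namely the rank order and the equality of the hidden values. The construction (cumulative sum of HMAC-derived gaps over a small domain), the key and the sample ages are constructed for illustration and are not a vetted order-preserving encryption scheme.

```python
import hashlib
import hmac

KEY = bytes.fromhex("33" * 32)   # constructed demo key, held by the data controller
MAX_PLAINTEXT = 150              # toy domain, e.g. an age in years

# Constructed sample table: row id -> age.
SAMPLE_AGES = {"r1": 34, "r2": 17, "r3": 52, "r4": 34, "r5": 8}


def _gap(key, i):
    """Keyed pseudo-random positive step for position i (1 .. 65536)."""
    digest = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return 1 + int.from_bytes(digest[:2], "big")


def ope_encrypt(key, value):
    """Strictly increasing in value because every gap is at least 1."""
    if not 0 <= value <= MAX_PLAINTEXT:
        raise ValueError("value outside the toy domain")
    return sum(_gap(key, i) for i in range(value + 1))


def ope_decrypt(key, ciphertext):
    """Walk the same keyed sequence until the running total matches."""
    total = 0
    for value in range(MAX_PLAINTEXT + 1):
        total += _gap(key, value)
        if total == ciphertext:
            return value
        if total > ciphertext:
            break
    raise ValueError("not a valid ciphertext for this key")


def encrypt_table(key, ages):
    """What the controller uploads: (row id, ciphertext) pairs."""
    return [(row_id, ope_encrypt(key, age)) for row_id, age in ages.items()]


def server_range_query(rows, enc_lo, enc_hi):
    """Runs at the storing party: compares ciphertexts only, never sees the key."""
    return [row_id for row_id, c in rows if enc_lo <= c <= enc_hi]


def order_visible_to_server(rows):
    """Leakage inherent to the property: sorting ciphertexts ranks the plaintexts."""
    return [row_id for row_id, _ in sorted(rows, key=lambda r: r[1])]


def equal_rows_visible_to_server(rows):
    """Deterministic encryption also reveals which rows hold the same value."""
    seen = {}
    for row_id, c in rows:
        seen.setdefault(c, []).append(row_id)
    return [ids for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    rows = encrypt_table(KEY, SAMPLE_AGES)
    # The controller encrypts the query bounds 18..40; the server filters blindly.
    print(server_range_query(rows, ope_encrypt(KEY, 18), ope_encrypt(KEY, 40)))
    print(order_visible_to_server(rows))
    print(equal_rows_visible_to_server(rows))
```

The leakage shown by the last two functions is the price of searchability, so this class of scheme fits the slide's point that the choice of technique has to match the risk level of the data.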

40 Transparency enhancing technologies (Privacy friendly PETS)
A category of tools that supports:
- The right to be informed
- The right for the subject to know what happens to his personal data
Examples:
- Privacy icons
- Dashboard functionality on a website
- Browser add-ons: Privacy Bird, Collusion, Web Of Trust
- Guichet.lu: logs of access performed by administration on your data from the RNPP.
=> To promote trust of the users and willingness to use a particular online service

41 Data Protection Officer (DPO) (1)
Obligation of controller and processor to designate a DPO (Art. 37) when:
- Processing by public authority/body
- Core activities = processing requiring regular and systematic monitoring of DS on a large scale
- Core activities = processing of special categories of data / data relating to criminal convictions or offences on a large scale
Employed by the DC/DP or based on a service contract
Possibility to appoint 1 DPO for a group of undertakings
DPO = expert knowledge of data protection law and practices

42 Position and tasks of a DPO (2)
- Main contact point of the data subjects
- Proper and timely involvement in all relevant data protection issues by the DC/DP
- Adequate support by the DC/DP in the performance of his tasks
  - Adequate resources
  - Access to personal data
  - Possibility to maintain his knowledge
- Independence and stability:
  - The DPO shall not receive instructions as regards the fulfilment of his tasks
  - The DPO shall not be dismissed or penalized for performing his tasks
  - Can perform other tasks as long as there is no conflict of interest
- Bound by secrecy and confidentiality (Art. 38)
The GDPR provides a minimum of tasks (Art. 39):
- Advising and informing the DC/DP/employees of their obligations
- Monitoring compliance with data protection laws
- Provide advice with regard to and monitor the performance of DPIA
- Act as a contact point and cooperate with the national DPA

43 VII. European and International aspects
- The one-stop-shop
- The consistency mechanism

44 The One-stop-shop and the consistency mechanism
- In cross-border cases, the DC/DP has a unique contact point named the lead DPA, linked to its main establishment (Art. 4.16) or its only establishment (Art. 56.1).
- The lead DPA and the concerned DPA collaborate with each other through the one-stop-shop mechanism in order to reach a consensus (Art. 60).
- With the involvement of the European Data Protection Board (having legal personality) through the consistency mechanism (Art. 63).
- Appeal against the decisions of the EDPB is possible within 2 months directly to the CJEU in application of Art. 263 TFEU.

45 The One-stop-shop mechanism
New regulation system in relation to cross-border processing:
- Processing of personal data which takes place in the context of activities of establishments of the DC/DP based in more than one Member State, or
- Processing of personal data which takes place in the context of activities of a single establishment of the DC/DP but which substantially affects or is likely to substantially affect DS in more than one Member State.
Advantages:
- For DS: better defence of their rights since they can directly complain to their country's DPA (proximity, unique point of contact).
- For DC/DP: Simplicity / reduced administrative burden (unique point of contact) and enhanced legal certainty.

46 The Consistency mechanism
Central role of the EDPB within the consistency mechanism. It contributes to the consistent implementation of the GDPR through:
- Compulsory opinion when a DPA wishes to adopt certain measures (Art. 64.1) (e.g. list of processing operations requiring a DPIA)
- Binding decision when the EDPB resolves conflicts (Art. 65.1)
- Urgency procedure (Art. 66), derogatory procedure to the one-stop-shop and consistency mechanism
Advantages:
- For DS: Common understanding within the whole of the EU of the rights provided by the GDPR
- For DC/DP: Common understanding within the whole of the EU of the obligations imposed by the GDPR

47 Example with 5 DPA
Company X:
- Main establishment, e.g. LU
- Other establishments, e.g. DE, BE
- Complaint, e.g. AT
- DS affected by the processing, e.g. NL
One stop shop: 1 lead DPA, 4 concerned DPA

48 VIII. Conclusion
- No ready-made but a customized solution for compliance
- Combination of business management, legal data protection requirements and information security
- Data protection becomes a matter the highest management of a company will have to be involved in
- Data protection needs a holistic approach
- The existence of a constructive dialog between the legal experts and the IT specialists to ensure overall compliance with the new data protection rules
- Data protection seen as a competitive advantage instead of a constraint

49 [Diagram] LAW: Legal competence; TECHNOLOGY: Information security; DATA PROTECTION GOVERNANCE

51 Start now!
GDPR becomes applicable from the 25th of May 2018
Start now!
- revise current policies and procedures (consent, DS rights etc.)
- revise ongoing contracts (e.g. with sub-processors)
- put in place new procedures (e.g. management of data breaches, data protection trainings etc.)
- appoint privacy specialists (DPO)
Consider:
- Gap analysis
- Plan for implementation
- Monitoring of the implementation
- Following opinions and policy papers of EU and national DPAs for more guidance

53 Commission nationale pour la protection des données
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette (Belval)
info@cnpd.lu


More information

The Role of the Data Protection Officer

The Role of the Data Protection Officer The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services

More information

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2 COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September 2018 Table of Contents 1. Scope, Purpose and Application to Employees 2 2. Reference Documents 2 3. Definitions 3 4. Data Protection Principles

More information

Requirements for a Managed System

Requirements for a Managed System GDPR Essentials Requirements for a Managed System QG Publication 6 th July 17 Document No. QG 0201/4.3 Requirements for a Managed GDPR System The General Data Protection Regulation GDPR will apply in the

More information

Strasbourg, 21 December / décembre 2017

Strasbourg, 21 December / décembre 2017 Strasbourg, 21 December / décembre 2017 T-PD(2017)20Rev CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA COMITÉ CONSULTATIF

More information

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES Forum financier du Brabant wallon 14.12.2017 Data Protection should be part of every company s or organisation s DNA Do you process

More information

the processing of personal data relating to him or her.

the processing of personal data relating to him or her. Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Hotel & Pensionat Björkelund. The use of

More information

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data Privacy Policy Datacenter.com (referred to as we, us, our, Datacenter or the Company ) is committed to protecting your privacy and handling your data in an open and transparent manner. The personal data

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction Stewart Watt & Co. is law firm and provides legal advice and assistance to its clients. It is regulated by the Law Society of Scotland. The personal data that Stewart

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

Data Processing Clauses

Data Processing Clauses Data Processing Clauses The examples of processing clauses below are proposed pending the adoption of standard contractual clauses within the meaning of Article 28.8 of general data protection regulation.

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

CNPD Course: Data Protection Basics

CNPD Course: Data Protection Basics CNPD Course: Data Protection Basics Presentation of Luxembourg s data protection authority Esch-sur-Alzette (Belval) Dani Jeitz 4-6 July 2017 Legal department Introduction to data protection 1. Introduction

More information

How the GDPR will impact your software delivery processes

How the GDPR will impact your software delivery processes How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use

More information

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant

More information

Knowing and Implementing the GDPR Part 3

Knowing and Implementing the GDPR Part 3 Knowing and Implementing the GDPR Part 3 11 a.m. ET, 16:00 GMT March 29, 2017 Welcome & Introductions Panelists Your Host Dave Cohen IAPP Knowledge Manager Omer Tene Vice President Research & Education

More information

EU General Data Protection Regulation (GDPR) Achieving compliance

EU General Data Protection Regulation (GDPR) Achieving compliance EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,

More information

PS Mailing Services Ltd Data Protection Policy May 2018

PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Ltd Data Protection Policy May 2018 PS Mailing Services Limited is a registered data controller: ICO registration no. Z9106387 (www.ico.org.uk 1. Introduction 1.1. Background We collect

More information

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of

More information

Designing GDPR compliant software

Designing GDPR compliant software Designing GDPR compliant software 1 Alain Cieslik Agenda o GDPR Summary o What does compliance with GDPR mean? o Example of GDPR Accountability o Consent & Purpose Management o What does security mean

More information

Breach Notification Form

Breach Notification Form Breach Notification Form Report a breach of personal data to the Data Protection Commission Use this form if you are a Data Controller that wishes to contact us to report a personal data breach that has

More information

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Kühnreich & Meixner GmbH. The use of the

More information

Implementing the new GDPR: what does it mean for Universities?

Implementing the new GDPR: what does it mean for Universities? Implementing the new GDPR: what does it mean for Universities? Case study Alumni Portal Cosimo Monda Director - European Centre on Privacy and Cybersecurity Maastricht University Twitter: @ecpcmaastricht

More information

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR. GDPR Privacy Policy PRIVACY POLICY The privacy and security of data are a priority for AlphaMed Press and our management and staff. While accessing and using our website does not require your submission

More information

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

EU GDPR and  . The complete text of the EU GDPR can be found at  What is GDPR? EU GDPR and Email The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of the personal data of European Union (EU) citizens across all EU markets. It replaces existing

More information

General Data Protection Regulation (GDPR) The impact of doing business in Asia

General Data Protection Regulation (GDPR) The impact of doing business in Asia SESSION ID: GPS-R09 General Data Protection Regulation (GDPR) The impact of doing business in Asia Ilias Chantzos Senior Director EMEA & APJ Government Affairs Symantec Corporation @ichantzos Typical Customer

More information

NEWSFLASH GDPR N 8 - New Data Protection Obligations

NEWSFLASH GDPR N 8 - New Data Protection Obligations GDPR N 8 May 2017 NEWSFLASH GDPR N 8 - New Data Protection Obligations Following the adoption of the new EU General Data Protection Regulation (GDPR) on 27 April 2016, most organisations began to re-examine

More information

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE 2016 Saviour Cachia Commissioner for Information and Data Protection Conception of DPA Council of Europe ETS 108 Convention on the protection of

More information

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Plan a Pragmatic Approach to the new EU Data Privacy Regulation AmChamDenmark event: EU Compliant & Cyber Resistant Plan a Pragmatic Approach to the new EU Data Privacy Regulation Janus Friis Bindslev, Partner Cyber Risk Services, Deloitte 4 February 2016 Agenda General

More information

GDPR - Are you ready?

GDPR - Are you ready? GDPR - Are you ready? Anne-Marie Bohan and Michael Finn 24 March 2018 Matheson Ranked Ireland s Most Innovative Law Firm Financial Times 2017 International Firm in the Americas International Tax Review

More information

A Homeopath Registered Homeopath

A Homeopath Registered Homeopath A Homeopath Registered Homeopath DATA PROTECTION POLICY Scope of the policy This policy applies to the work of homeopath A Homeopath (hereafter referred to as AH ). The policy sets out the requirements

More information

Contract Services Europe

Contract Services Europe Contract Services Europe Procedure for Handling of Page 1 of 10 1. INTRODUCTION This procedure document supplements the data request and subject access request (SAR) provisions set out in DPS Contract

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement between The Data Controller Name Address Postcode and city Country and The Data Processor Idha Sweden AB Norra vägen 28 856 50 Sundsvall Sweden] Page 1 of 15 1 Content 2 Data

More information

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot What You Need to Know About Addressing GDPR Data Subject Rights in Pivot Not Legal Advice This document is provided for informational purposes only and must not be interpreted as legal advice or opinion.

More information

I. Name and Address of the Controller

I. Name and Address of the Controller I. Name and Address of the Controller The Controller within the meaning of the General Data Protection Regulation and other national data protection acts of the member states as well as miscellaneous regulations

More information

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant. GDPR and BMC Clubs Lawful basis for Processing Personal Data This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

More information

PRIVACY POLICY PRIVACY POLICY

PRIVACY POLICY PRIVACY POLICY PRIVACY POLICY 1 A. GENERAL PART 1.1. COLLECTION AND PROCESSING OF USER DATA Within the scope of the availability of the website hosted in www.alpinushotel.com and of the services and communications made

More information

GDPR data subject rights

GDPR data subject rights data subject rights Date: February 2018 Author: Information compliance team (EP) Version: 0.1 (draft, awaiting final version of Data Protection Bill) Classification: Open gives people certain rights in

More information

Preparing for the GDPR

Preparing for the GDPR Preparing for the GDPR 1 February 2018 EXPECT EXCELLENCE DUBLIN BELFAST LONDON NEW YORK SILICON VALLEY arthurcox.com The EU General Data Protection Regulation (known as the GDPR ) will replace the current

More information

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018 First aid toolkit for the management of data breaches Mary Deligianni Senior Associate 15 February 2018 What is a personal data breach? Breach of security which leads to the accidental or unlawful destruction,

More information

PRIVACY POLICY OF THE WEB SITE

PRIVACY POLICY OF THE WEB SITE PRIVACY POLICY OF THE ERANOS FOUNDATION Introductory remarks The Eranos Foundation respects your privacy! Privacy policy EU Norm 2016-769 GDPR 1 We do not sell or distribute any information that we acquire

More information

RVC DATA PROTECTION POLICY

RVC DATA PROTECTION POLICY RVC DATA PROTECTION POLICY POLICY and PROCEDURES Responsibility of Data Protection Officer Review Date July 2019 Approved by CEC Author D.Hardyman-Rice CONTENTS PAGE 1) Policy Statement 3 2) Key definitions

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA ) is entered into between: A. The company stated in the Subscription Agreement (as defined below) ( Data Controller ) and B. Umbraco A/S Haubergsvej

More information

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers Data Protection Code of Conduct for Cloud Infrastructure Service Providers 27 JANUARY 2017 Introduction... 3 1 Structure of the Code... 5 2 Purpose... 6 3 Scope... 7 4 Data Protection Requirements... 9

More information

Privacy Policy November 30th, 2017

Privacy Policy November 30th, 2017 Privacy Policy November 30th, 2017 THIS PAGE INTENTIONALLY LEFT BLANK Table of Contents 1 PREFACE 4 2 DEFINITIONS 4 3 NAME AND ADDRESS OF THE CONTROLLER 6 4 COOKIES 6 5 COLLECTION OF GENERAL DATA AND INFORMATION

More information

I. Name and Address of the Controller

I. Name and Address of the Controller I. Name and Address of the Controller The Controller within the meaning of the General Data Protection Regulation and other national data protection acts of the member states as well as miscellaneous regulations

More information

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General

More information

Cybersecurity Considerations for GDPR

Cybersecurity Considerations for GDPR Cybersecurity Considerations for GDPR What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union

More information

Data Privacy Policy. of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team

Data Privacy Policy. of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team Data Privacy Policy of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team We are delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

This Privacy Statement applies to data processing carried out by:

This Privacy Statement applies to data processing carried out by: I. Name and Contact Details of the Data Controller This Privacy Statement applies to data processing carried out by: Data Controller: Rand Refinery P.O. Box 565, Germiston 1400, South Africa Tel.: +27

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

Privacy Policy. 1. Definitions

Privacy Policy. 1. Definitions Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Austro Control. The use of the Internet

More information

Privacy Policy Hafliger Films SpA

Privacy Policy Hafliger Films SpA Hafliger Films SpA, with registered office at Via B. Buozzi no. 14-20089 Rozzano (MI), has for many years considered it of fundamental importance to protect the personal details of customers and suppliers,

More information

Privacy policy SIdP website EU 2016/679

Privacy policy SIdP website EU 2016/679 Privacy policy SIdP website EU 2016/679 Categories of data subjects: Website users and users of the members-only area Update of the privacy policy: 30/08/2018 The present document contains the information

More information

SCHOOL SUPPLIERS. What schools should be asking!

SCHOOL SUPPLIERS. What schools should be asking! SCHOOL SUPPLIERS What schools should be asking! Page:1 School supplier compliance The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be applied into UK law via the updated

More information

GENERAL DATA PROTECTION REGULATION (GDPR)

GENERAL DATA PROTECTION REGULATION (GDPR) GENERAL DATA PROTECTION REGULATION (GDPR) Date: 01/02/17 Vendor Assessment Contents Introduction 2 Transparency 2 Collection and Purpose Limitation 4 Quality 4 Privacy Program Management 5 Security for

More information

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ): Privacy Policy Introduction Ikano S.A. ( Ikano ) respects your privacy and is committed to protect your Personal Data by being compliant with this privacy policy ( Policy ). In addition to Ikano, this

More information

Eco Web Hosting Security and Data Processing Agreement

Eco Web Hosting Security and Data Processing Agreement 1 of 7 24-May-18, 11:50 AM Eco Web Hosting Security and Data Processing Agreement Updated 19th May 2018 1. Introduction 1.1 The customer agreeing to these terms ( The Customer ), and Eco Web Hosting, have

More information

GDPR Compliance. Clauses

GDPR Compliance. Clauses 1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The

More information

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know G DATA Whitepaper The new EU General Data Protection Regulation - What businesses need to know G DATA Software AG September 2017 Introduction Guaranteeing the privacy of personal data requires more than

More information

A. Sample Data Protection Statement in Accordance with the GDPR

A. Sample Data Protection Statement in Accordance with the GDPR A. Sample Data Protection Statement in Accordance with the GDPR I. Name and address of the controller In the sense of the General Data Protection Regulation (GDPR) and other national data protection laws

More information

INFORMATION NOTE ON DATA PROCESSING

INFORMATION NOTE ON DATA PROCESSING INFORMATION NOTE ON DATA PROCESSING Online contact Name and contact details of the Data Controller and the representative of the Data Controller Name of the Data Controller: Head office: Correspondence

More information

In this data protection declaration, we use, inter alia, the following terms:

In this data protection declaration, we use, inter alia, the following terms: Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of Z&J Technologies GmbH. The use of the Internet

More information

Latest version, please translate and adapt accordingly!

Latest version, please translate and adapt accordingly! Latest version, please translate and adapt accordingly! EDM Website Privacy Notice template Ford.xx Short Website Privacy Notice This Short Website Privacy Notice summarizes the terms and conditions of

More information

BELLISSIMA BEAUTY SALON PRIVACY NOTICE

BELLISSIMA BEAUTY SALON PRIVACY NOTICE BELLISSIMA BEAUTY SALON PRIVACY NOTICE Bellissima Beauty Salon( Bellissima, we or us ) are committed to protecting your privacy, including online, and in the transparent use of any information you give

More information

Arkadin Data protection & privacy white paper. Version May 2018

Arkadin Data protection & privacy white paper. Version May 2018 Arkadin Data protection & privacy white paper Version May 2018 Table of Contents 1- About Arkadin 4 2- Objectives 6 3- What does the GDPR cover? 8 4- What does the GDPR require? 10 5- Who are the data

More information

Data protection declaration

Data protection declaration Data protection declaration Pursuant to the General Data Protection Regulation and other national laws on data protection of the member states as well as any further data protection regulations is responsible:

More information

Site Builder Privacy and Data Protection Policy

Site Builder Privacy and Data Protection Policy Site Builder Privacy and Data Protection Policy This policy applies to the work of the Third Age Trust s Site Builder Team. The policy sets out the approach of the Team in managing personal information

More information

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM

PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM PRINCIPLES OF PROTECTION OF PERSONAL DATA (GDPR) WITH EFFICIENCY FROM 25.5.2018 Through our Privacy Policy ("Policy"), we inform the entities of the data we process our personal data, as well as all the

More information

Information Security. How to be GDPR compliant? 08/06/2017

Information Security. How to be GDPR compliant? 08/06/2017 Information Security How to be GDPR compliant? CREOBIS 08/06/2017 1 Alain Cieslik What Is the Difference Between Security and Privacy? Security: The primary goal of InfoSec is to protect confidentiality,

More information

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know The General Data Protection Regulation (GDPR) The eprivacy Regulation (epr) The Network and Information Security Directive

More information

GDPR compliance: some basics & practical to do list

GDPR compliance: some basics & practical to do list GDPR compliance: some basics & practical to do list Philippe LAURENT independent full service business law firm located in Brussels May 2017 Personal data processing = any operation or set of operations

More information

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

PPS is Private Practice Software as developed and produced by Rushcliff Ltd. Rushcliff Ltd Data Processing Agreement This Data Processing Agreement ( DPA ) forms part of the main terms of use of PPS, PPS Express, PPS Online booking, any other Rushcliff products or services and

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR) Michael Eva, London Grid for Learning What is GDPR? General Data Protection Regulation (GDPR) protects the personal data of EU citizens regardless of where the

More information

NOTICE OF PERSONAL DATA PROCESSING

NOTICE OF PERSONAL DATA PROCESSING Last modified: May 22, 2018 NOTICE OF PERSONAL DATA PROCESSING InVue Security Products Inc. ( InVue, "Corporation" Company, Our, and We") respects your privacy and is committed to protecting your privacy

More information

In this data protection declaration, we use the following terms: a.) Personal data

In this data protection declaration, we use the following terms: a.) Personal data GDPR POLICY Overview Data protection is of highest priority for us. The use of our website is possible without any indication of personal data; however, if a data subject wants to use special enterprise

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website,  , call or write to us. Privacy Policy Background This policy explains when and why we collect personal information about you; how we use it, the conditions under which we may disclose it to others and how we keep it secure.

More information

Data Subject Access Request Form

Data Subject Access Request Form Please read the Guidance Notes which accompany this form before completing the form. Please complete the form in block capitals. Please submit your completed request form as a secure email attachment to

More information

Personal Data Protection Policy

Personal Data Protection Policy PALEOLOGOS S.A. Personal Data Protection Policy Date of entry into force of this policy May 17, 2018 The primary objective of this policy is to provide general guidelines regarding the protection of Personal

More information

Privacy by Design and Privacy by Default

Privacy by Design and Privacy by Default Privacy by Design and Privacy by Default Suk Kim, VP, General Counsel, Urban Airship, Inc. Amanda Gratchner, Principal, IdeaLegal, LLC Alex Wall, Privacy Counsel, Marketo, Inc. The General Data Protection

More information

GDPR Privacy Policy & Cookie Policy DCHC May 2018

GDPR Privacy Policy & Cookie Policy DCHC May 2018 GDPR Privacy Policy & Cookie Policy DCHC May 2018 Here at DCHC (Derbyshire Children s Holiday Centre), we take the security of your data very seriously, and have strived to put measures and controls in

More information

PRIVACY STATEMENT FOR DATA COLLECTED FOR DATA COLLECTED VIA ON-LINE SURVEYS

PRIVACY STATEMENT FOR DATA COLLECTED FOR DATA COLLECTED VIA ON-LINE SURVEYS PRIVACY STATEMENT FOR DATA COLLECTED FOR DATA COLLECTED VIA ON-LINE SURVEYS This privacy statement explains how the Fuel Cells and Hydrogen 2 Joint Undertaking (here after referred to as FCH 2 JU) uses

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle

More information