Technology's role in the General Data Protection Regulation
Dr. Prokopios Drogkaris, Officer in NIS
SECPRE 2017, Oslo, 15.9.2017
European Union Agency for Network and Information Security (ENISA)
Fighting fraud in school exams
Different decisions under Data Protection Directive 95/46/EC from national DPAs
Securing Europe's information society
Positioning ENISA activities
  CAPACITY: hands-on activities
  POLICY: support MS & COM in policy implementation; harmonisation across the EU
  EXPERTISE: recommendations; independent advice
Technologies revolutionizing IT markets (back in 2015)
  Big data: ability to run complex calculations on big amounts of data in a meaningful time frame
  Sensors and actuators: introduction of cheap sensors and actuators to many different appliances to collect huge amounts of data
  Cloud computing: hosting of software on centralized servers with high-speed access through the Internet
  Mobile technology: massive increase of mobile computing power, storage, and bandwidth
  Natural user interfaces: creation of new kinds of interfaces that allow for more intuitive handling of IT systems
  Computation, storage, and networks: possibility to store large amounts of data and transfer the data with high bandwidth between computers
Source: Gartner
EU policy context
  Network and Information Security Directive
  EU Cybersecurity Strategy*
  General Data Protection Regulation
  Digital Single Market Strategy
  eIDAS Regulation
  Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry
  Proposal for a Regulation on Privacy and Electronic Communications
GDPR overview
  Harmonization: One Stop Shop; European Data Protection Board
  Broader scope: wider definition of personal data; obligations on both controller and processor
  Obligations: transparency/notices; Data Protection Impact Assessment; Data Protection Officer
  Strengthened rights of individuals: right to erasure; data portability; consent
  Security: data protection by design and by default; pseudonymisation; encryption
  Outside EU: non-EU companies will need to appoint a representative in the EU
  Personal data breach: notification to the supervisory authority; notification to the data subject
  Fines: up to 4% of the total worldwide annual turnover
  Risk-based approach
Data protection: more than IT security
  IT security: the adversary is Eve (or Mallory)
  Data protection: the adversary is Bob
http://rmg.zum.de/wiki/benutzer:deininger_matthias/facharbeit/alice_bob_und_mallory
More information security?
GDPR requires more effort from data controllers and data processors regarding information security.
Need for technology
  Article 15: Right of access by the data subject
  Article 16: Right to rectification
  Article 17: Right to erasure ("right to be forgotten")
  Article 18: Right to restriction of processing
  Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  Article 20: Right to data portability
  Article 21: Right to object
  Article 22: Automated individual decision-making, including profiling
  Article 25: Data protection by design and by default
ENISA activities in GDPR
  Security of personal data
  Privacy Enhancing Technologies
  Crypto
  Personal data breaches
  Certification, seals & marks
  Transparency, control, new user rights
  Personal data clouds
  Right to be forgotten
  Big data privacy
PETs control matrix
  A systematic approach for assessing online privacy tools (PETs)
  An assessment framework and tool for the systematic presentation and evaluation of online and mobile privacy tools for end users
  A practical tool that can be used for performing the assessment of a PET and presenting the relevant results
PETs Maturity Assessment
Beta demo available at http://94.23.106.129
Repository
Possible ways forward
  Harmonization of cyber products, services and skills: aligned policies and technical requirements across MSs for products, services and skills
  Cooperation across the EU: foster standardization activities at EU level
  Demonstrate compliance/adherence through (lightweight) certification
Thank you
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu