16th International InfoSec & Data Storage
Protection level PUBLIC
Fernando Silva, DPO
Sofia, 28 September 2017
Legal Framework for the Protection of the Information Environment
Requirements imposed by the General Data Protection Regulation (GDPR)
Information Environment – GDPR requirements
Agenda
• eu-LISA
• GDPR Requirements
– Major questions
– Data Governance
– Demonstrating compliance
– Penalties
eu-LISA
• Established in 2011 (Regulation (EU) No 1077/2011); operational since 1 December 2012
• HQ - Tallinn, EE
• Operations site - Strasbourg, FR
• Back-up site – St. Johann im Pongau, AT
• Liaison office – Brussels, BE
• Employs 175 people
• Annual budget of EUR 153 million in 2017
• Key stakeholders:
• EU MS and Associated Countries,
• EU institutions and Agencies (JHA)
European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice
Our mandate
• 24/7 operational management of large-scale IT systems: Eurodac, VIS, SIS II
• 24/7 support to MS
• System evolution and development of new systems
• R&D, training, statistics
• Communication channels: DubliNet, SIRENE Mail Relay, VISMail
Data Protection @ eu-LISA – Importance
• eu-LISA needs to process personal data
• eu-LISA deals with personal data
• Data protection is one factor of trust
Requirements imposed by the General Data Protection Regulation (GDPR)
GDPR replaces the former Directive 95/46/EC
Applies from 25 May 2018
Operations on Personal Data (PD):
• Controller: collects, stores and uses data
• Processor: processes PD on behalf of others
Both have to abide by the rules
Harmonisation and Trust, but also new obligations and responsibilities
Major questions:
• Implementation challenges and how to overcome them?
• DPO: a new role? Cultural changes?
• How to effectively protect the highly relevant rights of data subjects?
• How to implement concepts such as privacy by design and by default?
• How and when to carry out a Privacy Impact Assessment?
• How to detect personal data breaches, and what is the right procedure?
• Which legal aspects apply when transferring personal data internationally?
• Sanctions?
Data Governance – enterprise risk management
• Governance, risk and compliance (GRC)
• Personal Information Management Systems (PIMS)
• Privacy principles
• Certifications
Privacy compliance framework
Demonstrating privacy compliance
GDPR Recital 78 states:
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
DP principles (GDPR Article 5; Article 5(2) accountability: the controller must be able to demonstrate compliance):
• Adequate, relevant and not excessive
• Need-to-know principle / least privilege principle
• Processed lawfully, fairly and in a transparent way
• Obtained/collected only for specified purposes
• Accurate and up to date
• Processed in line with the rights afforded to individuals
• Retained only for as long as necessary
• Not transferred to countries outside the EEA without adequate protection
• Kept secure
GDPR Article 25(2) – Data protection by design and by default:
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
GDPR Article 32(1) – Security of processing:
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
• the pseudonymisation and encryption of personal data;
• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
• a process for regularly testing, assessing and evaluating the effectiveness of technical…
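The first Article 32(1) measure, pseudonymisation, is only effective if the "additional information" needed to re-identify a person is genuinely kept apart from the data set (the Article 4(5) definition). The following Python is an added example and is not part of the eu-LISA slides: it pseudonymises a small set of constructed records with a hypothetical five-digit applicant number and shows that an unkeyed hash of such a low-entropy identifier is reversed by simple enumeration, whereas an HMAC with a separately held secret key keeps records linkable for the controller but not re-identifiable without the key.

```python
"""Keyed pseudonymisation of personal identifiers (added example).

Not part of the eu-LISA slides. The record layout, the field name
"applicant_no" and the five-digit identifier space are assumptions made
for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records; the identifier format is hypothetical.
SAMPLE_RECORDS = [
    {"applicant_no": "04711", "country": "PT", "decision": "granted"},
    {"applicant_no": "31337", "country": "BG", "decision": "refused"},
    {"applicant_no": "04711", "country": "PT", "decision": "renewed"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can rebuild the mapping."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key stored apart from the pseudonymised set.

    The key is the 'additional information' of Article 4(5): whoever holds it
    can re-derive pseudonyms, nobody else can.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: Iterable[dict], key: bytes,
                         field: str = "applicant_no") -> list:
    """Return copies of the records with the identifier replaced by its pseudonym.

    Equal identifiers map to equal pseudonyms, so records about one person
    remain linkable for the processing purpose while the raw identifier
    never appears in the output.
    """
    out = []
    for rec in records:
        copy = dict(rec)
        copy[field] = keyed_pseudonym(rec[field], key)
        out.append(copy)
    return out


def reidentify_by_enumeration(pseudonym: str, candidates: Iterable[str],
                              pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Attacker model: re-derive the pseudonym of every candidate identifier.

    Returns the matching identifier, or None when no candidate matches.
    """
    for cand in candidates:
        if hmac.compare_digest(pseudonymise(cand), pseudonym):
            return cand
    return None


def all_applicant_numbers() -> Iterable[str]:
    """The full (constructed) identifier space: 100,000 five-digit numbers."""
    return (f"{n:05d}" for n in range(100_000))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a separate key store
    rows = pseudonymise_records(SAMPLE_RECORDS, key)
    assert rows[0]["applicant_no"] == rows[2]["applicant_no"]  # still linkable
    # The unkeyed variant is reversed by enumerating the small identifier space.
    print("naive  ->", reidentify_by_enumeration(
        naive_pseudonym("04711"), all_applicant_numbers(), naive_pseudonym))
    # The keyed variant cannot be matched by anyone who lacks the key.
    print("keyed  ->", reidentify_by_enumeration(
        rows[0]["applicant_no"], all_applicant_numbers(), naive_pseudonym))
```

The design point is that the pseudonymised table can be handed to a processor or an analyst, while the HMAC key stays with the controller; key rotation produces a fresh, unlinkable set of pseudonyms, which is also how a retention limit on linkability can be enforced.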
GDPR Article 33 – Notification of a personal data breach to the supervisory authority:
- The controller shall notify the supervisory authority of any personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk;
- The processor shall notify the controller;
- Information may be provided in phases;
- Document any personal data breach (PDB);
GDPR Article 35 – Data protection impact assessment:
Where a type of processing (…) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
• Systematic and extensive evaluation (profiling);
• Large-scale processing of special categories of data (sensitive data, Article 9) or of criminal convictions;
• Systematic monitoring on a large scale;
GDPR Article 37 – Designation of a data protection officer, where:
- processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- core activities require regular and systematic monitoring on a large scale;
- core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences;
GDPR Article 39(1)(b) – tasks of a data protection officer:
b) to monitor compliance with this Regulation, with other Union or Member
State data protection provisions and with the policies of the controller or
processor in relation to the protection of personal data, including the
assignment of responsibilities, awareness-raising and training of staff involved
in processing operations, and the related audits
GDPR Article 39(1) – tasks of a data protection officer (continued):
- Promote the principle of privacy by design
- Ensure that projects and systems include a PIA
- Cooperate with stakeholders on data protection
- Keep an inventory and register of notified processing operations
- Establish data protection best practices
- Provide information to, cooperate with and respond to requests from the EDPS
- Uphold data subjects' rights and freedoms
- Investigate any data protection related breaches
DPOs' experience:
- Accountability and genuine top management engagement are essential;
- DPOs must have effective, independent oversight;
- Proactively engage with security teams;
- A business risk-based ISMS is an essential component of the privacy compliance framework when it incorporates:
  - data protection impact assessments, and
  - data protection by design and by default
- GDPR mandates organisations to put in place comprehensive but proportionate measures;
- It creates an obligation for companies to understand the risks they create for others, and to mitigate those risks;
- It is not a tick-box exercise;
- Work on a framework that builds a culture of privacy in the organisation;
GDPR compliance programme:
- Implement a compliant ISMS aligned with an ISO standard;
- Gap analysis;
- Data flow audit;
- Implement a PIMS;
- Security or cyber security check;
- Develop a privacy awareness programme, policies and procedures;
When in doubt, consult your DPO and contact your National Data Protection Authority
Penalties
GDPR Article 83 – General conditions for imposing administrative fines
References
Data protection http://ec.europa.eu/justice/data-protection/
General Data Protection Regulation (EU) 2016/679
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
Data Protection Infographic:
http://ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm
Contact details:
Fernando Silva, DPO
eu-LISA website: http://www.eulisa.europa.eu
Thank you