Data protection: putting a policy in place and making sure it works
Monday 1 June 2015
Munich, Germany
Ana Mingo, Counsel, BP Legal, Spain
Hannes Saarinen, Privacy Manager, F-Secure Corporation, Finland
Jonathan Armstrong, Partner, Cordery, UK
“PERSONAL DATA”?
Any data about a person and his/her personal characteristics, where these can be linked to him/her or the household with feasible effort.
Would you want to share everything about your life with everyone, everywhere, all the time, forever?
Data Privacy to do’s
• Privacy Notice
• Notification/Authorisation
• Data Protection Officer
Data transfer options
• EU Model Terms
• Individual DTAs
• Binding Corporate Rules
• Safe Harbor
Note: consent is less likely to be a viable option
Employees’ data
Fair Processing Statement
• Applicants: websites and forms.
• Employees: employment contracts, Intranet, email.
• It shall accurately reflect how applicants/employees’ personal information will be used.
Categories of data
• Basic data
• Sensitive data:
– Racial or ethnic origin, sexual life.
– Religious beliefs or beliefs of a similar nature.
– Political opinions or trade union membership (or non-membership).
– Physical or mental health or conditions.
– Commission or alleged commission of any offence.
• Generally only with the employee’s consent.
• High level security measures.
Retention
• Personal information shall be kept accurate and up to date.
• Personal information shall be kept only for as long as is really necessary.
Main risk
Data protection is one of the easiest ways for an upset employee to put the company in trouble:
– Applicants who have been unsuccessful in securing a job
– Employees involved in a disciplinary process
– Employees being made redundant or terminated from the company
– Employees who are in dispute with other members of staff
– ….
Hot Topics
• Pre-employment vetting
• Internet/email/telephone monitoring and recording
• BYOD
• CCTV in the workplace
• Whistleblowing
FIRST STEPS OF A PRIVACY OFFICER *)
HANNES SAARINEN
F-SECURE
(c) Till Westermayer CC/by-sa/2.0
• PIAs
• Cookie notice
• Transfer agreements
• DPA notification(s)
• Policy (public)
• Policy (internal)
• Security
• New Regulation
• Subcontracting
• Privacy by Design @ R&D
• Train employees
• Management buy-in
COMPLIANCE OFFICER BUSINESS ENABLER
© Disney © Hollywood Pictures & Cinergi Pictures Entertainment
HOW ARE YOU SELLING YOURSELF TO CEO?
PHOTO: Ryan Lowry for The New York Times
ANATOMY OF A PRIVACY POLICY
• WHY WE COLLECT YOUR DATA
• WHAT WE COLLECT
• WHAT WE DO WITH IT
• WHOM DO WE TRANSFER IT TO
• HOW LONG WE KEEP IT
• DO WE KEEP IT SECURE
• WHAT RIGHTS YOU HAVE AND HOW YOU CAN EXERCISE THOSE
• EXCLUSIONS / OTHER POLICIES
• CHANGES
• CONTACT INFORMATION
WHAT IS RELEVANT FOR ME, THE PRIVACY OFFICER
ANATOMY OF A PRIVACY POLICY
• WHY WE COLLECT YOUR DATA
• WHAT WE COLLECT
• WHAT WE DO WITH IT
• WHOM DO WE TRANSFER IT TO
• HOW LONG WE KEEP IT
• DO WE KEEP IT SECURE
• WHAT RIGHTS YOU HAVE AND HOW YOU CAN EXERCISE THOSE
• EXCLUSIONS / OTHER POLICIES
• CHANGES
• CONTACT INFORMATION
WHAT IS RELEVANT FOR THE CUSTOMER
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
WHEN YOU GET BACK TO THE OFFICE…
1. GO FOR A STROLL AND THINK WHY YOU ARE NEEDED
2. TELL THE ANSWER TO YOUR CEO
3. POLISH THE POLICY
4. TAKE YOUR SECURITY OFFICER FOR LUNCH
Data Security - Landscape
• Personal data has a value
• Different political reactions
• Different legal systems worldwide
• Different enforcement even within Europe
• Contrasting approach Europe v. US
• Snowden has changed the game
UK Legislative background
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Example: Bank of Scotland
• Robbie Hastie
• Revealed details of Hibs players’ wages
• Pleaded guilty to DP offence of knowingly or recklessly disclosing information without consent
• £400 fine
• Bank of Scotland co-operated
Example: Big Brother
• €1,081,822 total fine
• €150,250 fine for lack of IS training, policy etc.
• Appeal failed
Example: Staysure
• Holiday insurer hacked
• Hackers hacked credit card details & some medical details – some credit card details used
• ICO investigation found
– card acquirer found the issue
– no policy or procedures
– failed to patch
• Company received monetary penalty of £175,000 in February 2015
• Agreed to take steps to minimize harm e.g. free Experian reports
• Possible class action?
Prevention
Dutch CBP:
“Contingency plan
Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation...”
New EU Data Rules
• Proposed Regulation not Directive
• Fines of 2% of global turnover
• Toughened enforcement bodies
• Consent less of an option
• Breach reporting in 24 hours?
New EU Data Rules
• Suppliers outside EU in scope
• Right to be forgotten
• More SARs
The Perfect Storm… More (& Less)
• More…
– Reliance on 3rd parties, e.g. outsourcing; SaaS; Cloud
– Cost pressure
– Regulation and enforcement
– Geography
– Social networking
– Value in stolen data
– Speed
– Whistleblowers
– Chance of getting caught
– Focus on investigations
– People trying to re-write history, because they can
– Rise in class actions?
• Less…
– Care
– Compliance and legal resources
– Attention to contractual terms
– Vendor accountability
Resources
• Book – www.tinyurl.com/jpa001
• New EU Data Rules – http://bit.ly/1HUHai4
• Right to be forgotten – http://bit.ly/1tB8Osb
• Cordery news – http://bit.ly/1vnFHJm
• Podcasts – www.bit.ly/techlaw10
• Class actions – http://bit.ly/1E8aNcU