Day1 1415 Plenary Keynote HawkesBilly
Transcript of Day1 1415 Plenary Keynote HawkesBilly
-
7/30/2019 Day1 1415 Plenary Keynote HawkesBilly
1/18
Data Protection in the Cloud: Unclouding the Issues
Billy Hawkes, Irish Data Protection Commissioner
Cloud Security Alliance, Frankfurt, 9 May 2012
-
2/18
Back to the Future?
Data Controller to Data Processor (Cloud)
-
3/18
The Cloud: What are the Data Protection Issues?
Security of Personal Data
Location of Personal Data
Access to Personal Data
-
4/18
What is Personal Data?
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (Data Protection Directive 95/46/EC, Art. 2)
-
5/18
Who is Responsible?
The Data Controller (the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data)
The Data Controller remains responsible if data is outsourced to a Data Processor (a person who processes personal data on behalf of a data controller), which in the cloud is the Cloud Provider.
6/18
What Responsibilities?
Transparency (Art. 10, 11): adequate information
Process fairly & lawfully (Art. 6)
Legitimate basis for processing: consent, contract, legal obligation, vital interests, public interest task, legitimate interests (Art. 7)
Specified, explicit and legitimate purpose (Art. 6)
Adequate, relevant & not excessive (Art. 6)
Accurate, up-to-date (Art. 6)
Retain for no longer than is necessary (Art. 6)
Right of Access (Art. 12)
Data Security (Art. 17)
International Transfers
Right to Object (Art. 14): marketing, other
Restrictions on Automated Decisions (Art. 15)
7/18
What Security Obligations?
"...appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."
(Data Protection Directive 95/46/EC, Art. 17(1))
-
8/18
Outsourcing Obligations?
"The controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures."
"...governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller
- the (security) obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor."
(Data Protection Directive 95/46/EC, Art. 17(2) and 17(3))
9/18
Location of Personal Data?
OK if transferred within the EU/EEA. Also OK if:
To approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [Safe Harbor-certified organisations & PNR data only] [soon New Zealand and Uruguay]
Covered by Model Contracts or Binding Corporate Rules (BCRs)
Article 26(1) exceptions (contract requirements etc.)
10/18
New EU Law: Data Controllers
Privacy by Design
Privacy Impact Assessments
Data Portability
Right to be Forgotten
  Requirement for a retention policy
  On request, delete unless this clashes with other rights (freedom of expression etc.)
Strengthened Data Security
Data Breach Notification
-
11/18
New EU Law: Data Processors
More prescriptive obligations: documentation, Data Protection Officer, cooperation with the DPA
International transfers: BCRs for processors, contractual clauses (as for controllers)
-
12/18
Data Security in the Cloud
"...the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective."
European Network and Information Security Agency (ENISA), Report on Cloud Computing, November 2009, http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
-
13/18
Data Protection Challenge
"Cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS 70 certification."
(ENISA Report, November 2009)
-
14/18
Challenges for Outsourcer
Are you satisfied your data will be secure in the cloud?
  Security certification: ISO 27001, SAS 70/SSAE 16
  Access controls, data recoverability, data breaches
  Right to audit
Location of data (inside or outside the EEA)
Does your contract with the CP give you sufficient control?
Ultimately, you can outsource responsibility but you can't outsource accountability (ENISA)
-
15/18
Challenges for Cloud Provider
Are you willing to take on the separate data security obligations under EU Data Protection Law?
Is this reflected in your contracts?
Are you willing to accommodate EU restrictions on international data transfers?
Clarity on location of data?
-
16/18
Data Protection Guidance: Sopot Memorandum (1)
Recommendations of the International Working Group on Data Protection in Telecommunications (Berlin Group): Working Paper on Cloud Computing, April 2012
http://www.datenschutz-berlin.de/attachments/873/Sopot_Memorandum_Cloud_Computing.pdf?1335513083
EU Article 29 Working Party guidance expected soon
17/18
Sopot Memorandum (2)
Data Controllers: carry out privacy impact and privacy assessments
Cloud Providers: greater transparency, security and accountability: more information on potential data security breaches; more balanced contractual clauses to promote data portability and data control by cloud users
-
18/18
Thank You
Office of the Data Protection Commissioner, Canal House, Station Road, Portarlington, Co. Laois
Phone: LoCall 1890 252231 / 057 8684800
Fax: 057 8684757
Email: [email protected]
Web: www.dataprotection.ie