Key Note Speech: Overview Of The New Regulatory Regime
Garreth Cameron
Group Manager For Business And Industry
Information Commissioner's Office (ICO)
Sponsored by
EU data protection reform and the gambling industry: Keynote address
Garreth Cameron, Group Manager for Business & Industry
85% are concerned about how their personal information is sold or passed to other organisations
Source: ICO Annual Track 2014, n = 1,575, <https://ico.org.uk/media/about-the-ico/documents/1043485/annual-track-september-2014-individuals.pdf>
77% are concerned that organisations are not keeping their data secure
Source: ICO Annual Track 2014, n = 1,575, <https://ico.org.uk/media/about-the-ico/documents/1043485/annual-track-september-2014-individuals.pdf>
Evolution, not revolution
Legislation
New Information Commissioner
Derogations
Discussion on GDPR – Timeline And Key Dates, Penalties And Sanctions
Ross McKean
Head of Data Protection, Olswang
Sponsored by
Ross McKean, Partner, Olswang
GDPR: Timeline, Key Dates, Penalties and Sanctions (30 March, 2016)
Countdown to GDPR: timeline and key dates
December 2015: Political agreement
Translation
April 2016: Council to formally adopt
June/July? 2016: Vote by Parliament, formal signature, then publication in OJ
2 years + 20 days after publication
July/August 2018: Regulation takes effect
Formal sanctions
Today: national sanctions set by MS under DPD
• Right to compensation for "damage" (Article 23)
• MS must impose "suitable measures to ensure full implementation of the Directive" (Article 24)
• E.g. current UK sanctions include:
  • Fines up to £500K for serious breaches
  • Undertakings
  • Enforcement notices
Tomorrow: harmonised under GDPR
• Chapter VIII
• Right to compensation for material or immaterial damage. Controller or processor can be liable (Article 77)
• Administrative fines (Article 79)
  • Up to € 20,000,000 or 4% of turnover (for breaches including: principles, data subject rights, international transfers)
  • Up to € 10,000,000 or 2% of turnover (for breaches including: security, breach notification)
• Penalties must be "effective, proportionate and dissuasive"
Cross border enforcement: the not-quite one stop shop
• The Commission's vision: one stop shop enforcement by a single lead authority
• The reality: lead authority, concerned authorities, cooperation procedure (Ch VII)
• DPA of the "main establishment" of controller or processor = lead authority (Article 51), however…
  • other DPAs are competent if the infringement relates only to their own Member State (Article 51(a))
  • BUT the lead authority can still decide to deal with the case
• Co-operation procedure: Article 54a; mutual assistance: Article 55
• Lengthy, multi-stage process for notification, information sharing and mutual assistance
• Joint operations possible where multiple Member States are affected (Article 56)
• Consistency mechanism: including dispute resolution appeal to the EDPB, decided within 1 month of referral by 2/3 majority (Article 58a)
• Urgency procedure: a DPA can bypass the consistency and cooperation mechanisms and adopt provisional measures (for up to three months)
Formal sanctions: when can consumer groups bring actions?
Data subjects have the right to…
• Lodge a complaint with a DPA ("in particular" in own Member State) – Article 73
• A judicial remedy against a DPA – Article 74
• An effective judicial remedy against a controller or processor – Article 75
• Compensation for "material or immaterial damage" – Article 77
• Mandate a consumer group* or similar to exercise rights on his/her behalf – Art 76
* body must be not for profit, public interest and active in the field of privacy protection
Current examples?
• Germany: New rules introduced Feb 2016 allowing privacy claims by consumer bodies
• France: Digital Republic Bill – similar rules in the pipeline, pre-empting GDPR
Beyond formal sanctions… follow on risks
• Reputation risk
• C-suite job losses
• Remediation costs and PCI-DSS card scheme fines
• Loss of trust in the brand leading to increased customer acquisition and retention costs
• UK group actions: where are we?
  • Rise of Article 8 ECHR and Article 8 of the EU Charter
  • Increased public concern about privacy
  • Damages for distress (e.g. Vidal-Hall)
  • Class actions on the horizon?
• French and German domestic laws and the right of consumer groups to represent individual data subjects under the GDPR increase the risk of privacy class actions
Follow on risks: a recent US example
• 40 million cards stolen
• 70 million customer records stolen
• 46% drop in 2013 Q4 profits
• $200 million estimated cost just to reissue payment cards
• $252 million direct costs of breach related expenses (excluding increased customer acquisition / retention and insurance premiums)
• CEO resigned
• CIO resigned
GDPR Readiness: What Should Your Business Do Now?
Anna Soilleux
Senior Associate, Olswang LLP
Sponsored by
Data Protection Now Means Compliance
Michael Mrak
Head of Compliance and Data Protection, Casinos Austria AG and Austrian Lottery GmbH
Sponsored by
DATA PROTECTION NOW MEANS COMPLIANCE: Some thoughts on the meaningful use of certification systems
30.03.2016
Agenda
• Preparing for the EU GDPR: Obligations!
• What is compliance?
• Rule based standards or risk based approach
• How to properly implement compliance
DPOs – The new enemies of the marketing department?
Preparing for the EU GDPR: Obligations!
• The GDPR provides for the following administrative sanctions:
  • issuing of warnings;
  • regular and periodic data protection audits;
  • an administrative fine of up to €20 million or up to 4% of annual worldwide turnover, whichever is higher, to be imposed on anyone who intentionally or negligently (amongst other things):
    • processes personal data without sufficient legal basis for doing so; or
    • does not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; or
    • does not alert or notify a data protection breach to the relevant supervisory authority or data subject; or
    • does not carry out a data protection impact assessment or processes personal data without prior authorization from or consultation with the supervisory authority; or
    • carries out or instructs an unauthorized transfer of data to a third country or an international organization; or
    • does not comply with an order or a temporary or permanent ban on processing or the suspension of data flows by the supervisory authority.
Data Protection Impact Assessment (DPIA)
• The new frontier for privacy professionals
  • Risk management has for a long time been a critical tool for complying with laws (e.g. AML, RG, etc.)
  • In the field of data protection, these efforts have often been applied informally and in unstructured ways
  • In practice, they often failed to take effective advantage of many principles and tools of risk management that are widely accepted in other areas
• Under the GDPR, companies must carry out DPIAs for "high risk" data processing (Art. 33)
• Do you know your "high risk" data collections?
  • Financial data?
  • Player tracking information?
  • Responsible gaming data?
What is compliance?
• In general, compliance means conforming to a rule, such as a specification, policy, standard or law.
• Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
• Internal guidelines are based on external regulations, but also take into account the company's values.
• It's about living the values and making ethical behavior into a competitive advantage.
GoodPriv@cy data protection
• A protected guarantee mark
• Can be obtained by all organizations
• Is valid for three years
• Can be combined with other standards
• Builds confidence and certainty
• Certification as evidence
• Forces a systematic approach to the processing of personal data
• Helps to build trust with consumers, government agencies and public bodies
• Best-practice approach for compliance with the law
Best practices: Standards – do not reinvent the wheel!
Any compliance organization should always build on existing standards!
Compliance fields shown (figure): Data Protection, Anti Money Laundering, Information Security, Responsible Gaming, Quality Management, Corporate Citizenship, Anti Corruption
Standards referenced (figure): ISAE 3000, TÜV Rheinland Compliance Care, IDW PS 980 Standard, Responsible Gaming
A possible solution: Implementing a DPMS
• A data privacy management system (DPMS) based on a standard can help you to enforce necessary compliance without re-inventing the wheel
• Best practice (like common standards such as ISO 9001, 27001 etc.)
• Build synergies if you are already certified in other fields of compliance
Is compliance innovative?
• Innovations are like the exploration of an unknown world
• "Customers" of the old world must become familiar with the new world
• Compliance always means "stress" for the organization
• Innovations are often met with some reservation (which can undermine them) and often with fundamental hostility, which frequently prevents the breakthrough
• As a DPO you need to deal with this "stress"
Risk based approach
(figure: a cycle of risk, detect, measure, control)
• The risk based approach, alongside rule-based systems, is becoming increasingly important
• Through effective risk management, the responsibility of the organizational units becomes the focus
5 Basic elements of every compliance system
(figure: "Credo and Code" as the roof over five elements, which rest on the organization's structures and processes)
• Code of Conduct
• Structure of the organization: sufficient financial resources; sufficient staff
• Guidelines: legal risk analysis; adoption and enforcement of rules; training and education
• Review and development: periodic review of the compliance program
• Incentives and sanctions: violations of the law are to be sanctioned immediately in every case; law-abiding behavior should be a prerequisite for any remuneration
The "tone at the top"
For the successful implementation of every compliance management in the company, it is important to positively influence the behavior of managers and employees and to achieve sustainable change.
Search internal allies
• Internal allies are essential
• Compliance "against" the organization never works
• Possible internal allies are, for example,
  – Internal Audit
  – Legal Affairs
  – Risk Management
  – Executive assistant
  – Group Communications
  – Human Resources
  – …
• Let's not forget the affected business areas = possible synergies
  – Information Technologies
  – Marketing & Sales
  – Other compliance departments (AML officer, responsible gaming etc.)
Thank you for your attention!
E-Mail: [email protected]
Phone: +43 664 5032331
www.linkedin.com/in/mmrak
Keynote Speech: Data Protection Now Means Compliance
Steve Wright
Former Global Privacy Officer, Unilever
Sponsored by
GDPR Requirements For Breach Monitoring And Notification
Ross McKean
Head of Data Protection, Olswang
Sponsored by
GDPR: Data Breach Notification
Ross McKean, Partner, Olswang LLP
22 March 2016
Agenda
1. Lessons learned from the US
2. Current law and practice in the UK
3. New rules for breach notification under GDPR
4. What should you do now to prepare?
Lessons learned from the US
• Since California introduced the first notification law in 2002, a total of 47 US States have introduced similar laws
• Most require notification of unencrypted data breaches to affected citizens
• National Conference of State Legislatures maintains a list and links to all State laws: www.ncsl.org
Lessons learned from the US
1. Mandatory notification laws have driven notifications – sweeping breaches under the carpet is a very high risk option
2. Most State laws require rapid notification within very short timescales (days rather than weeks)
3. Few have any materiality threshold – the majority of breaches must be notified, though some limit the obligation to where "unencrypted" data is compromised. Evidence of notification fatigue setting in
4. Many organisations are not using privilege effectively – forensics are often not instructed by lawyers, so their reports are easy prey for class action claimants and State Attorneys General
5. Frequency of reported breaches is increasing
6. Cyber and data breach remains a top priority for government and the media and continues to make daily headlines
7. There is a high risk of lasting reputational damage
UK: Current law and practice
1. No general obligation to notify data breaches (though sector rules apply)
2. Legal standard of care = appropriate technical and organisational measures
3. ICO guidance recommends notification of "serious breaches"
4. Limited legal sanctions for not notifying
5. Total fines to date issued by the ICO: c. £6 million in total. FCA / FSA: c. £8 million fines in total
6. Reputational damage harder to quantify, but only bites if the breach becomes public knowledge
7. In practice, many choose not to notify unless there is a serious risk of harm to consumers and/or the ICO is likely to find out through other channels
8. Incident response is often led by the IS function with little / no involvement of legal. Privilege and document control is rarely considered during the early stages of an investigation
GDPR: Breach Notification to Regulators
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification ... shall be accompanied by a reasoned justification in cases where it is not made within 72 hours – Article 32
Notification to: the competent supervisory authority / authorities
Materiality threshold: low. Any data breach unless unlikely to result in "a risk" [NB any risk] for the rights and freedoms of individuals
Deadline: tight! Within 72 hours "after having become aware of it"
What must be notified: (i) nature of the breach including categories and number of data subjects and data records concerned; (ii) name and contact of DPO or other contact; (iii) likely consequences of breach; (iv) measures taken or planned to address breach and mitigate adverse effects
Do processors have to notify? Yes, though only to the relevant controller(s) "without undue delay after having become aware"
GDPR: Breach Notification to Data Subjects
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay – Article 32
Notification to: affected data subjects
Materiality threshold: any breach likely to result in a "high risk" to the rights and freedoms of individuals. No requirement to notify where the controller has implemented appropriate technical and organisational measures to render data unintelligible (e.g. encryption) or has taken "subsequent measures" to ensure that the high risk to rights and freedoms is unlikely to materialise
Deadline: without undue delay. Phased notification permitted?
What must be notified: (i) name and contact of DPO or other contact; (ii) likely consequences of breach; (iii) measures taken or planned to address breach and mitigate adverse effects
GDPR: Breach Infrastructure Requirements
Controllers and processors must implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including … as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services; (iii) the ability to restore; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of these measures – Article 30
Is there an obligation to monitor for breach? Yes – as an "appropriate" technical measure*
Is there an obligation to test security and breach response? Yes – explicit in Article 30 (point (iv) above)*
Is there an obligation to train staff in the use of technical solutions and in breach response? Yes – this would be part of the general obligation to implement appropriate "organisational" measures*
Is there a requirement to keep a log of data breaches? Yes – for each breach the controller is required to log the facts, the effects and remedial action taken to allow regulators to assess compliance – Article 31(4)
* the small print – will depend on the facts in each case and guidance as it develops!
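The 72-hour clock, the three risk tiers and the breach log described on these slides are easy to get wrong in the middle of an incident. The following Python is an added example (mine, not material from the presentation or from Olswang) of a minimal breach register: each entry records the facts, effects and remedial action the log is said to require, the regulator deadline is computed from the moment of awareness, and the slides' tiers (unlikely to result in a risk / a risk / high risk) plus the "unintelligible data" and "subsequent measures" exemptions decide who must be told. The class and field names, the `Risk` tiers and the sample entry are this example's own constructions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Risk(Enum):
    """Risk to the rights and freedoms of individuals, in the tiers the slides use."""
    UNLIKELY = "unlikely to result in a risk"   # no regulator notification needed
    RISK = "a risk"                              # regulator must be notified
    HIGH = "high risk"                           # regulator and, normally, data subjects


@dataclass
class BreachRecord:
    """One entry of the breach log: the facts, the effects and the remedial action."""
    ref: str
    aware_at: datetime                 # when the controller "became aware" (tz-aware)
    nature: str                        # the facts: what happened
    data_subjects: int                 # number of data subjects concerned
    records: int                       # number of data records concerned
    risk: Risk
    data_unintelligible: bool = False  # e.g. encrypted, key not exposed
    subsequent_measures: bool = False  # later steps making the high risk unlikely
    effects: str = ""                  # likely consequences
    remedial_action: list = field(default_factory=list)
    reported_to_regulator_at: Optional[datetime] = None


REGULATOR_WINDOW = timedelta(hours=72)


def regulator_deadline(rec: BreachRecord) -> datetime:
    """'Not later than 72 hours after having become aware of it'."""
    return rec.aware_at + REGULATOR_WINDOW


def must_notify_regulator(rec: BreachRecord) -> bool:
    # Low threshold: everything except breaches unlikely to result in a risk.
    return rec.risk is not Risk.UNLIKELY


def must_notify_data_subjects(rec: BreachRecord) -> bool:
    # High-risk breaches only, and not where the data was rendered unintelligible
    # or subsequent measures make the high risk unlikely to materialise.
    if rec.risk is not Risk.HIGH:
        return False
    return not (rec.data_unintelligible or rec.subsequent_measures)


def needs_reasoned_justification(rec: BreachRecord, now: datetime) -> bool:
    """True once the 72-hour window has lapsed without notification, or if it went out late."""
    if not must_notify_regulator(rec):
        return False
    deadline = regulator_deadline(rec)
    if rec.reported_to_regulator_at is None:
        return now > deadline
    return rec.reported_to_regulator_at > deadline


def regulator_notification(rec: BreachRecord, dpo_contact: str) -> dict:
    """The four items the slides list for the notification to the supervisory authority."""
    return {
        "nature": f"{rec.nature}; {rec.data_subjects} data subjects, {rec.records} records",
        "contact": dpo_contact,
        "likely_consequences": rec.effects,
        "measures": list(rec.remedial_action),
    }


# Constructed sample entry (hypothetical; not an incident from the page).
from datetime import timezone

SAMPLE_BREACH = BreachRecord(
    ref="BR-2016-001",
    aware_at=datetime(2016, 3, 30, 9, 0, tzinfo=timezone.utc),
    nature="Laptop holding a customer export stolen from a vehicle",
    data_subjects=12000,
    records=12000,
    risk=Risk.HIGH,
    data_unintelligible=True,   # full-disk encryption, key not stored on the device
    effects="Low: data encrypted; misuse unlikely",
    remedial_action=["remote wipe issued", "export process reviewed"],
)

if __name__ == "__main__":
    print("regulator deadline:", regulator_deadline(SAMPLE_BREACH).isoformat())
    print("notify regulator:", must_notify_regulator(SAMPLE_BREACH))
    print("notify data subjects:", must_notify_data_subjects(SAMPLE_BREACH))
    print(regulator_notification(SAMPLE_BREACH, "dpo@example.invalid"))
```

The register deliberately keeps `risk`, `data_unintelligible` and `subsequent_measures` as recorded judgements rather than deriving them, because the slides' small print is that each depends on the facts of the case; what the code enforces is that the deadline runs from awareness, not from discovery of the full scope, and that an encryption exemption never removes the regulator notification, only the data-subject one.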
What should you do now to prepare? Building better compliance
• Build the right team. Now. Engage your lawyers and other external vendors now so they are on tap when you need them
• Create policies, raise awareness and normalise the risk
• Rehearse your comms: build a defendable narrative
• Use privilege and confidentiality rings
• Practise: war game. Regularly
• Ensure regular security patching
• Review cyber insurance coverage
Thank you for listening
Olswang: Changing Business.
www.olswang.com
Ross McKean / Partner / Head of Data Protection
+44 20 7067 3378
ross,[email protected]
Offices: Brussels +32 2 647 4772; London +44 20 7067 3000; Madrid +34 91 187 1920; Munich +49 89 206 028 400; Singapore +65 6720 8278; Paris +33 17 091 8720; Thames Valley +44 20 7071 7300
Responding To Cyber Crime – Working With The Police
Roy Ramm
Founding Director, ExtraYard
Sponsored by
THE STRATEGIC POLICING REQUIREMENT
The scale of the threat from serious and organised crime has been demonstrated by high profile cases of child sexual exploitation; growing use of cyber techniques by organised criminals to commit fraud and trade illegal drugs and firearms on the internet; and the spread of banking malware responsible for losses of hundreds of millions of pounds.
The National Security Strategy identifies cyber crime as a Tier One risk; it covers both cyber-dependent crime and cyber-enabled crime.
A national cyber security incident, which the NSS identifies as a Tier One risk, may require an aggregated police response under the guidelines set out by the UK's Computer Emergency Response Team (CERT-UK), with appropriate links to the NCA, civil contingencies and public order policing as needed.
WHO ARE THE INVESTIGATORS?
GCHQ and the National Cyber Crime Unit (NCCU) work together to develop the skills and technology required to combat the elite cyber crime threat to the UK.
For the most serious national crimes, the NCCU in the National Crime Agency (NCA) leads operations.
Each of the 9 Regional Organised Crime Units has its own cyber unit.
The Metropolitan Police has also enhanced its cyber capability. Operation FALCON (Fraud and Linked Crime Online) brought together the Metropolitan Police's fraud squad and the cyber crime unit to disrupt and arrest cyber criminals attacking London businesses.
OPERATIONS IN PARTNERSHIP
WHAT THE NCA OR THE POLICE WILL INVESTIGATE
Cyber crime and cyber-enabled crime, facilitated by the use and control of malicious software (malware).
Cyber crime and cyber-enabled crime, facilitated by the use of online phishing techniques.
Computer and network intrusions (with various motives and objectives).
Denial of service attacks and website defacement (with various motives and objectives).
The online trade in financial, personal and other data obtained through cyber crime or cyber-enabled crime.
The intentional and dishonest online provision of services, tools etc. to facilitate cyber crime or cyber-enabled crime.
57 ARRESTED IN NATIONWIDE CYBER CRIME STRIKE WEEK, 6 MARCH 2015
Working with partners in law enforcement, industry and government, the National Crime Agency (NCA) coordinated an intensive period of UK-wide action against cyber crime.
Fifty-seven people were arrested in 25 separate operations, related to a range of cyber criminality including:
- Network intrusion and data theft from multinational companies and government agencies
- Distributed Denial of Service (DDoS) attacks
- Cyber-enabled fraud
- Malicious software and virus development
Operational activity took place across England, Scotland and Wales, involving officers from the NCA's National Cyber Crime Unit (NCCU), the Metropolitan Police and Regional Organised Crime Units (ROCUs) associated with local forces around the UK.
VILLAIN OR VICTIM - WHO TO CALL?
The 7th Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Where no serious cyber crime threat exists, the investigative role is likely to remain with the Information Commissioner.
If you have been attacked and your data protection measures are found not to be 'appropriate', you may be both a victim of crime and a 'suspect'.
Call your lawyer
Call the Information Commissioner
Call Action Fraud?
Call the police?
BREACHES MAY CAUSE REAL HARM AND DISTRESS
Fake credit card transactions;
Witnesses at risk of physical harm or intimidation;
Offenders at risk from vigilantes;
Exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence;
Fake applications for tax credits; and
Mortgage fraud.
WORKING WITH INVESTIGATORS
Make early contact with law enforcement
Closing the door or following the trail?
"The primary object of an efficient police is the prevention of crime": protect yourself/customers from further loss
"The next that of detection and punishment of offenders if crime is committed": preserve evidential trail
Preserve all material
Limit knowledge
Control communication
Make careful and detailed notes of ALL actions
Destroy/delete NOTHING
Choose your witnesses carefully
DISCREET AND PROPORTIONATE INVESTIGATIVE APPROACH
Responding To Cyber Crime – Working With The Police
Chris Martin
Senior Business Manager EMEA, Darktrace
Sponsored by
The Enterprise Immune System: Using Machine Learning to Detect Threats
Chris Martin
Senior Business Manager EMEA
Company Background
• Founded in 2013 in Cambridge, UK
• Started by mathematicians and government intelligence specialists
• Technology based on machine learning & mathematics
• HQs in Cambridge, UK & San Francisco
• Over 550 deployments worldwide
• 18 global locations
"Darktrace is a game-changer" Virgin Trains
• Winner of 'Security Company of the Year' at Info Security Global Excellence Awards 2015
• Winner of 'Best Insider Threat Detection and Solutions' at Network Products Guide IT World Awards
• Gartner 'Cool Vendor' 2015
• World Economic Forum 'Technology Pioneer' 2015
Enterprise Immune System
• Unsupervised machine learning: develops mathematical models of normal behavior
• Inside-out view: complete analysis and visibility of 100% of network traffic
• Correlation & behavioral analysis: for every individual user, device and network
• Real time & long-running: analyzes events over long periods of time, with playback capability
• Visualization and investigation: auto-classification of threats, supporting workflow and collaboration
Machine Learning & Mathematics
• Advanced Bayesian mathematics pioneered at Cambridge University
• Recursive Bayesian Estimation detects subtle changes within data series in real time and adaptively iterates its models
• Numerous approaches used to classify the probability of an action based on previous and emerging behaviors
• No 'a priori' assumptions about good or bad – mathematical models are unique to your organization
• Distribution is built from a complex set of low-level host, network and traffic observations or 'features'
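To make the "recursive Bayesian estimation of normal" idea on this slide concrete, here is an added Python example (mine, not Darktrace's code or algorithm) of its simplest form: a per-entity Gaussian posterior over an entity's normal level, tightened one observation at a time, with an observation flagged when it falls far outside the model's predictive distribution. The hourly byte counts, the 15% relative-noise assumption (`sigma` on a log scale), the threshold `k` and the `BayesianBaseline` class are all this example's own assumptions; a product would combine many such features and models, which this does not attempt.

```python
import math
from dataclasses import dataclass


@dataclass
class BayesianBaseline:
    """Recursive Bayesian estimate of one entity's 'normal' level.

    The unknown normal level mu has a Gaussian posterior N(mean, var). Each
    observation, assumed to carry Gaussian noise with std dev sigma, updates
    that posterior in closed form (conjugate update), so no history is kept.
    """
    sigma: float             # assumed observation noise (std dev), in log units
    mean: float = 0.0        # vague prior: we know nothing about the level yet
    var: float = 1e6         # vague prior variance

    def predictive_std(self) -> float:
        # Next observation ~ N(mean, var + sigma^2): model uncertainty plus noise.
        return math.sqrt(self.var + self.sigma ** 2)

    def zscore(self, x: float) -> float:
        return abs(x - self.mean) / self.predictive_std()

    def update(self, x: float) -> None:
        # Precisions add; the new mean is the precision-weighted average.
        post_prec = 1.0 / self.var + 1.0 / self.sigma ** 2
        self.mean = (self.mean / self.var + x / self.sigma ** 2) / post_prec
        self.var = 1.0 / post_prec


def detect_anomalies(values, sigma=0.15, k=4.0):
    """Indices whose log-value lies more than k predictive std devs from the baseline.

    Values are modelled on a log scale so the noise is relative (about 15% by
    default), which lets one sigma serve entities of very different size.
    Flagged observations are not fed back into the model, so an outlier does
    not become the new normal.
    """
    model = BayesianBaseline(sigma=sigma)
    flagged = []
    for i, v in enumerate(values):
        x = math.log(v)
        if model.zscore(x) > k:
            flagged.append(i)
            continue
        model.update(x)
    return flagged


def flag_per_entity(series_by_entity, **kw):
    """One independent model per entity, as the slide's per-device view implies."""
    return {name: detect_anomalies(vals, **kw) for name, vals in series_by_entity.items()}


# Constructed hourly outbound byte counts per host (hypothetical sample data).
HOST_A_BYTES = [1000, 1100, 950, 1050, 1000, 1020, 980, 60000, 1010]
HOST_B_BYTES = [50000, 52000, 49000, 51000, 50500, 49500]
SAMPLE = {"host-a": HOST_A_BYTES, "host-b": HOST_B_BYTES}

if __name__ == "__main__":
    for host, idx in flag_per_entity(SAMPLE).items():
        print(host, "anomalous hours:", idx)
```

Two things worth noticing when running it: host-b's 50 kB level is never flagged even though host-a's 60 kB spike is, because each entity has its own baseline and the noise is relative; and the very first observation of any entity cannot be flagged, since the vague prior makes the predictive spread enormous. That cold-start window is exactly where an attacker who is already present when monitoring begins gets baked into "normal", which is why such systems are paired with a learning period and independent review.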
Darktrace in your security stack
Case Study: BT
Industry
• Telecommunications
Challenge
• Large, widely dispersed network
• Fast-evolving sophisticated threats
• Wanted a solution that could parse complex network data and detect previously unknown threats
Benefits
• Real-time, dynamically updated visibility of entire network
• Confidence that previously unknown threats can be detected within the network before they do serious damage
• Enhanced their own security offerings with Darktrace's expertise in unsupervised machine learning and Bayesian mathematics
• Defended against potential insider threat
"Darktrace's machine learning and mathematics are extremely powerful in detecting activity that is abnormal and will be critical to our future cyber security offerings." Mark Hughes, President, BT Security
Darktrace in 2016
• 750 deployments to date
• 200+ employees
• Proven to work at scale
• Works on virtualized and cloud environments (vSensor) – including Amazon AWS, Rackspace etc
Major product announcement imminent – the machine fights back. Watch this space!
Conclusion
• The threat is inside
• Rules & signatures are not enough
• Enterprise Immune System is unique
– Powered by machine learning and mathematics
– Understands ‘normal’ and detects emerging insider and external threats
– No rules or signatures
– Installs in 1 hour
Thank you
Context: Working An Incident
Mark Raeburn
CEO, Context Information Security
Sponsored by
Working an Incident
30/03/2016
Cyber Threat Landscape
(figure: threat actors Insiders, Hacktivists, Organised Crime and Nation States, mapped to the data they go after)
• Intellectual property
• Merger & Acquisition data
• Military technologies
• Web server data
• Social Media credentials
• Information related to key employees
• Payment card data
• Financial market data
• Full identification data
• Data Theft
• Accidental Loss
• Misconfigurations
Monitoring & Response: why it is important
Meet your team: coordinate and align key resource, minimise impact and restore operations
(figure: INCIDENT RESPONSE TEAM with a Team Leader and a Lead Investigator, alongside PR, Insurer and Legal)
Investigation
• Prioritise assets & capture baselines, threat info
• Incident triage procedures
• Effective ways to investigate and recover data
Communication
• Team member contact info
• External contacts
• Internal + external strategy
• Press lines
1. Define Cyber Security Strategy: what good looks like
The Science of Sufficiency
(figure: risk, maturity and capability plotted against adversary classes: Script Kiddies, Cyber Crime, Hacktivists, Espionage)
Measuring Success
Considerations
• What is normal?
• Behavioural Impact
• Capability Improvements
• Accepted Risk Appetite
vs.
Options
• Return to Operation
• Time to Closure
• # Alerts or Incidents
• Red/Blue Team
• Peer Comparison
Any Questions
Marketing, Profiling And Consent
Anna Soilleux
Senior Associate, Olswang LLP
Sponsored by
International Transfers
Ross McKean
Head of Data Protection, Olswang
Sponsored by
Ross McKean, Partner, Olswang
International Transfers Today and Tomorrow (30 March, 2016)
Rules and options for international transfers
Today: under DPD
• General principle: transfers to a third country (i.e. non-EEA) permitted only if the third country ensures "adequate" protection - Article 25
• Adequacy findings: Article 25(6), including:
  • White List decisions
  • Model clauses
• Derogations: Article 26, including:
  • unambiguous consent
  • performance of a contract
  • transfer necessary or legally required on important public interest grounds
Tomorrow: under GDPR Chapter V
• General principle: no transfers to third countries unless Chapter V conditions are met. Applies to controllers and processors – Art 40
• Fines – 4% / € 20 million bracket
• Adequacy decisions (White List) - Article 41
• "Appropriate safeguards" including model clauses, codes of conduct and certification mechanisms - Article 42
• BCRs: front and centre – now has its own Article 43
• DPD findings – remain valid until amended, replaced or repealed – Art 42
• Derogations: Article 44, including:
  • explicit consent
  • performance of a contract
  • necessary for important public interest reasons
US transfers: Safe Harbor, Privacy Shield – where are we now?
• 6 October 2015: CJEU invalidates Safe Harbor in Schrems decision
• 16 October 2015: Article 29 Working Party statement
• 2 February 2016: agreement on EU-US Privacy Shield announced
• 29 February 2016: Privacy Shield documentation published
• 12/13 April: Article 29 Working Party due to adopt opinion on adequacy of Privacy Shield at plenary meeting
• Art 29 WP due to opine after plenary meeting on other transfer mechanisms, e.g. binding corporate rules and standard contractual clauses
• Another positive opinion is required of the Article 31 committee before the Commission can formally adopt an adequacy decision.
• Reports that the Commission wants Privacy Shield adopted by June
…all subject to what this man may do next
International transfers: practical takeaways
• Bad news:
  • post the Schrems ruling there will continue to be legal uncertainty, and it is possible that a new Privacy Shield regime could also be challenged
  • some regulators in Germany have already started enforcing against companies relying solely on the now defunct Safe Harbor
• Good news:
  • the ICO and the Irish regulator are much more relaxed about international transfers, but:
• Practical advice:
  • you need to have a defendable narrative if the regulators come knocking on your door – such as model clauses and/or consent - recognising that no solution is entirely robust
  • you should start planning transfer compliance under GDPR now. Privacy Shield and BCR will take significant time and resource to implement
UK OFFICE: Saddlers House, 44 Gutter Lane, London EC2V 6BR. Tel: +44(0)2079219980. www.gamblingcompliance.com