
Key Note Speech: Overview Of The New Regulatory Regime | GDPR: Data Breach Notification (30 March 2016)


Page 2

Key Note Speech:

Overview Of The New Regulatory Regime

Garreth Cameron

Group Manager For Business And Industry

Information Commissioners Office (ICO)

Sponsored by

Page 3

EU data protection reform

and the gambling industry:

Keynote address

Garreth Cameron, Group Manager for Business & Industry

Page 4

85% are concerned about how their personal information is sold or passed to other organisations

Source: ICO Annual Track 2014, n = 1,575, <https://ico.org.uk/media/about-the-ico/documents/1043485/annual-track-september-2014-individuals.pdf>

Page 5

77% are concerned that organisations are not keeping their data secure

Source: ICO Annual Track 2014, n = 1,575, <https://ico.org.uk/media/about-the-ico/documents/1043485/annual-track-september-2014-individuals.pdf>

Page 6

Evolution, not revolution

Page 7

Legislation

New Information Commissioner

Derogations

Page 9

Discussion on GDPR – Timeline And Key Dates, Penalties And Sanctions

Ross McKean

Head of Data Protection, Olswang

Sponsored by

Page 10

Ross McKean, Partner, Olswang

GDPR: Timeline, Key Dates, Penalties and Sanctions

Page 11

Countdown to GDPR: timeline and key dates

30 March, 2016 GDPR: Timeline, Key Dates, Penalties and Sanctions 11

• December 2015: Political agreement
• Translation of the agreed text
• April 2016: Council to formally adopt
• June/July? 2016: Vote by Parliament, formal signature then publication in the OJ
• July/August 2018: Regulation takes effect (2 years + 20 days after publication)

Page 12

Formal sanctions

Today: national sanctions set by Member States under the DPD

• Right to compensation for "damage" (Article 23)
• Member States must impose "suitable measures to ensure full implementation of the Directive" (Article 24)
• E.g. current UK sanctions include:
  • Fines up to £500K for serious breaches
  • Undertakings
  • Enforcement notices

Tomorrow: harmonised under GDPR

• Chapter VIII
• Right to compensation for material or immaterial damage. Controller or processor can be liable (Article 77)
• Administrative fines (Article 79)
  • Up to € 20,000,000 or 4% of turnover (for breaches including: principles, data subject rights, international transfers)
  • Up to € 10,000,000 or 2% of turnover (for breaches including: security, breach notification)
• Penalties must be "effective, proportionate and dissuasive"

Page 13

Cross border enforcement: the not-quite one stop shop

• The Commission's vision: one stop shop enforcement by a single lead authority
• The reality: lead authority, concerned authorities, cooperation procedure (Ch VII)
• DPA of the "main establishment" of controller or processor = lead authority (Article 51), however…
  • other DPAs are competent if the infringement relates only to that Member State (Article 51(a))
  • BUT the lead authority can still decide to deal with the case
• Co-operation procedure: Article 54a; mutual assistance: Article 55
  • Lengthy, multi-stage process for notification, information sharing and mutual assistance
  • Joint operations possible where multiple Member States are affected (Article 56)
• Consistency mechanism: including dispute resolution appeal to the EDPB, decided within 1 month of referral by 2/3 majority (Article 58a)
• Urgency procedure: a DPA can bypass the consistency and cooperation mechanisms and adopt provisional measures (for up to three months)

Page 14

Formal sanctions: when can consumer groups bring actions?

Data subjects have the right to…

• Lodge a complaint with a DPA ("in particular" in own Member State) – Article 73
• A judicial remedy against a DPA – Article 74
• An effective judicial remedy against a controller or processor – Article 75
• Compensation for "material or immaterial damage" – Article 77
• Mandate a consumer group* or similar to exercise rights on his/her behalf – Art 76

* body must be not for profit, public interest and active in the field of privacy protection

Current examples?

• Germany: New rules introduced Feb 2016 allowing privacy claims by consumer bodies
• France: Digital Republic Bill – similar rules in the pipeline, pre-empting GDPR

Page 15

Beyond formal sanctions… follow on risks

• Reputation risk
• C-suite job losses
• Remediation costs and PCI-DSS card scheme fines
• Loss of trust in the brand leading to increased customer acquisition and retention costs
• UK group actions: where are we?
  • Rise of Article 8 ECHR and Article 8 of the EU Charter
  • Increased public concern about privacy
  • Damages for distress (e.g. Vidal-Hall)
  • Class actions on the horizon?
• French and German domestic laws and the right of consumer groups to represent individual data subjects under the GDPR increase the risk of privacy class actions

Page 16

Follow on risks: a recent US example

• 40 million cards stolen
• 70 million customer records stolen
• 46% drop in 2013 Q4 profits
• $200 million estimated cost just to reissue payment cards
• $252 million direct costs of breach related expenses (excluding increased customer acquisition / retention and insurance premiums)
• CEO resigned
• CIO resigned

Page 17

GDPR Readiness: What Should Your Business Do Now?

Anna Soilleux

Senior Associate, Olswang LLP

Sponsored by

Page 20

Data Protection Now Means Compliance

Michael Mrak

Head of Compliance and Data Protection,

Casinos Austria AG and Austrian Lottery GmbH

Sponsored by

Page 21

DATA PROTECTION NOW MEANS COMPLIANCE

Some thoughts on the meaningful use of certification systems

30.03.2016 21

Page 22

Agenda

• Preparing for the EU GDPR: Obligations!
• What is compliance?
• Rule based standards or risk based approach
• How to properly implement compliance

Michael Mrak

Page 23

DPOs – The new enemies of the marketing department?

Michael Mrak

Page 24

Preparing for the EU GDPR: Obligations!

• The GDPR provides for the following administrative sanctions:
  • issuing of warnings
  • regular and periodic data protection audits;
  • an administrative fine of up to €20 million or up to 4% of annual worldwide turnover, whichever is higher, to be imposed on anyone who intentionally or negligently (amongst other things):
    • processes personal data without sufficient legal basis for doing so; or
    • does not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; or
    • does not alert or notify a data protection breach to the relevant supervisory authority or data subject; or
    • does not carry out a data protection impact assessment or processes personal data without prior authorization from or consultation with the supervisory authority; or
    • carries out or instructs an unauthorized transfer of data to a third country or an international organization; or
    • does not comply with an order or a temporary or permanent ban on processing or the suspension of data flows by the supervisory authority.

Page 25

Data Protection Impact Assessment (DPIA)

• The new frontier for privacy professionals
  • Risk management has long been a critical tool for complying with laws (e.g. AML, RG etc.)
  • In the field of data protection, these efforts have often been applied informally and in unstructured ways
  • In practice, they often failed to take effective advantage of many principles and tools of risk management that are widely accepted in other areas
• Under the GDPR, companies must carry out DPIAs for "high risk" data processing (Art. 33)
• Do you know your "high risk" data collections?
  • Financial data?
  • Player tracking information?
  • Responsible gaming data?

Page 26

What is compliance?

• In general, compliance means conforming to a rule, such as a specification, policy, standard or law.
• Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
• Internal guidelines are based on external regulations, but also take into account the company's values.
• It's about living the values and turning ethical behavior into a competitive advantage.

Page 27

GoodPriv@cy data protection

• A protected guarantee mark
• Can be obtained by all organizations
• Is valid for three years
• Can be combined with other standards
• Builds confidence and certainty
• Certification as evidence
• Forces a systematic approach to the processing of personal data
• Helps to build trust with consumers, government agencies and public bodies
• Best-practice approach for compliance with the law

Page 28

Best practices: Standards – do not reinvent the wheel!

Any compliance organization should always build on existing standards!

(Diagram: compliance areas (Data Protection, Anti Money Laundering, Information Security, Responsible Gaming, Quality Management, Corporate Citizenship, Anti Corruption) built on standards such as ISAE 3000, TÜV Rheinland Compliance Care, IDW PS 980 and the Responsible Gaming Standard)

Page 29

A possible solution: Implementing a DPMS

• A data privacy management system (DPMS) based on a standard can help you to enforce the necessary compliance without re-inventing the wheel
• Best practice (common standards such as ISO 9001, 27001 etc.)
• Build synergies if you are already certified in other fields of compliance

Page 30

Is compliance innovative?

• Innovations are like the exploration of an unknown world
• "Customers" of the old world must become familiar with the new world
• Compliance always means "stress" for the organization
• Innovations are often met with reservations (which can undermine them) and sometimes with fundamental hostility, which often prevents a breakthrough
• As a DPO you need to deal with this "stress"

Page 31

Risk based approach

(Diagram: risk → detect → measure → control)

• The risk based approach, alongside rule-based systems, is becoming increasingly important
• Through effective risk management, the responsibility of the organizational units comes into focus

Page 32

5 basic elements of every compliance system

(Diagram)

• Credo and Code as a roof: Code of Conduct; Guidelines
• Structures: Structure of the organization; sufficient financial resources; sufficient staff
• Processes: Legal risk analysis; adoption and enforcement of rules; training and education
• Incentives and sanctions: Violations of the law are to be sanctioned immediately in any case; law-abiding behavior should be a prerequisite for any remuneration
• Review and development: Periodic review of the compliance program

Page 33

The "tone at the top"

For the successful implementation of every compliance management in the company, it is important to positively influence the behavior of managers and employees and to achieve sustainable change.

Page 34

Search for internal allies

• Internal allies are essential
• Compliance "against" the organization never works
• Possible internal allies are, for example,
  – Internal Audit
  – Legal Affairs
  – Risk Management
  – Executive assistant
  – Group Communications
  – Human Resources
  – …
• Let's not forget the affected business areas = possible synergies
  – Information Technologies
  – Marketing & Sales
  – Other compliance departments (AML officer, responsible gaming etc.)

Page 35


Thank you for your attention!

E-Mail: [email protected]

Phone: +43 664 5032331

www.linkedin.com/in/mmrak


Page 36

Keynote Speech: Data Protection Now Means Compliance

Steve Wright

Former Global Privacy Officer,

Unilever

Sponsored by

Page 44

GDPR Requirements For Breach Monitoring And Notification

Ross McKean

Head of Data Protection, Olswang

Sponsored by

Page 45


GDPR: Data Breach Notification

Ross McKean, Partner, Olswang LLP

22 March 2016

GDPR: Data Breach Notification 45

Page 46

Agenda

1. Lessons learned from the US
2. Current law and practice in the UK
3. New rules for breach notification under GDPR
4. What should you do now to prepare?

Page 47

Lessons learned from the US

Page 48

Lessons learned from the US

• Since California introduced the first notification law in 2002, a total of 47 US States have introduced similar laws
• Most require notification of unencrypted data breaches to affected citizens
• National Conference of State Legislatures maintains a list and links to all State laws: www.ncsl.org

Page 49

Lessons learned from the US

1. Mandatory notification laws have driven notifications – sweeping breaches under the carpet is a very high risk option
2. Most State laws require rapid notification within very short timescales (days rather than weeks)
3. Few have any materiality threshold – the majority of breaches must be notified, though some limit the obligation to where "unencrypted" data is compromised. Evidence of notification fatigue setting in
4. Many organisations are not using privilege effectively – forensics are often not instructed by lawyers, so their reports are easy prey for class action claimants and State Attorneys General
5. Frequency of reported breaches is increasing
6. Cyber and data breach remains a top priority for government and the media and continues to make daily headlines
7. There is a high risk of lasting reputational damage

Page 50

UK: Current law and practice

1. No general obligation to notify data breaches (though sector rules apply)
2. Legal standard of care = appropriate technical and organisational measures
3. ICO guidance recommends notification of "serious breaches"
4. Limited legal sanctions for not notifying
5. Total fines to date issued by the ICO: c. £6 million in total. FCA / FSA: c. £8 million in total
6. Reputational damage harder to quantify but only bites if the breach becomes public knowledge
7. In practice, many choose not to notify unless there is a serious risk of harm to consumers and/or the ICO is likely to find out through other channels
8. Incident response is often led by the IS function with little / no involvement of legal. Privilege and document control is rarely considered during the early stages of an investigation

Page 51

GDPR: Breach Notification to Regulators

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification ... shall be accompanied by a reasoned justification in cases where it is not made within 72 hours" – Article 32

Notification to: the competent supervisory authority / authorities

Materiality threshold: low. Any data breach unless unlikely to result in "a risk" [NB any risk] for the rights and freedoms of individuals

Deadline: tight! Within 72 hours "after having become aware of it"

What must be notified: (i) nature of the breach including categories and number of data subjects and data records concerned; (ii) name and contact of DPO or other contact; (iii) likely consequences of breach; (iv) measures taken or planned to address breach and mitigate adverse effects

Do processors have to notify? Yes, though only to the relevant controller(s) "without undue delay after having become aware"

Page 52

GDPR: Breach Notification to Data Subjects

"When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay." – Article 32

Notification to: affected data subjects

Materiality threshold: any breach likely to result in a "high risk" to the rights and freedoms of individuals. No requirement to notify where the controller has implemented appropriate technical and organisational measures to render data unintelligible (e.g. encryption) or has taken "subsequent measures" to ensure that the high risk to rights and freedoms is unlikely to materialise

Deadline: without undue delay. Phased notification permitted?

What must be notified: (i) name and contact of DPO or other contact; (ii) likely consequences of breach; (iii) measures taken or planned to address breach and mitigate adverse effects

Page 53

GDPR: Breach Infrastructure Requirements

"Controllers and processors must implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including … as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services; (iii) the ability to restore; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of these measures" – Article 30

Is there an obligation to monitor for breach? Yes – as an "appropriate" technical measure*

Is there an obligation to test security and breach response? Yes – explicit in Article 30 (point (iv) above)*

Is there an obligation to train staff in the use of technical solutions and in breach response? Yes – this would be part of the general obligation to implement appropriate "organisational" measures*

Is there a requirement to keep a log of data breaches? Yes – for each breach the controller is required to log the facts, the effects and the remedial action taken, to allow regulators to assess compliance – Article 31(4)

* the small print – will depend on the facts in each case and guidance as it develops!
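A triage helper written from the notification rules on the three slides above (regulator notification, data subject notification, breach log), added here as an example; it is not code from the page or from Olswang. It keeps the slides' 2016 draft article numbering, and the awareness timestamp, risk grading and draft notification inside it are constructed inputs.

```python
"""Breach-notification triage helper built from the slides' reading of the
draft GDPR (Articles 30, 31(4), 32 in the 2016 numbering the slides use).

Added example, not code from the page or from Olswang. The helper tracks
deadlines, exemptions and required contents; the risk grading it takes as
input is still the legal assessment a human has to make.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Risk(Enum):
    UNLIKELY = "unlikely"  # unlikely to result in a risk: no regulator notification
    RISK = "risk"          # any risk: notify the supervisory authority within 72 h
    HIGH = "high"          # high risk: also communicate to the data subjects


@dataclass
class Breach:
    aware_at: datetime                 # when the organisation became aware of it
    risk: Risk
    role: str = "controller"           # "controller" or "processor"
    unintelligible: bool = False       # data rendered unintelligible, e.g. encrypted
    subsequent_measures: bool = False  # later measures make the high risk unlikely


# Contents the slides list for each notification
REGULATOR_FIELDS = ("nature", "contact", "consequences", "measures")
SUBJECT_FIELDS = ("contact", "consequences", "measures")


def notification_plan(b: Breach, now: datetime) -> dict:
    """Which notifications are due, and by when, for one breach."""
    plan = {"regulator_deadline": None, "justification_required": False,
            "data_subjects": False, "controller": False}
    if b.role == "processor":
        # Processors notify the relevant controller(s) without undue delay
        plan["controller"] = True
        return plan
    if b.risk is Risk.UNLIKELY:
        return plan  # below the (low) materiality threshold; still goes in the log
    deadline = b.aware_at + timedelta(hours=72)
    plan["regulator_deadline"] = deadline
    # A notification made after 72 h must carry a reasoned justification
    plan["justification_required"] = now > deadline
    # Data subjects: high risk only, and not where the data was unintelligible
    # or subsequent measures make the high risk unlikely to materialise
    if b.risk is Risk.HIGH and not (b.unintelligible or b.subsequent_measures):
        plan["data_subjects"] = True
    return plan


def missing_fields(draft: dict, audience: str) -> list:
    """Required notification contents that a draft does not yet contain."""
    required = REGULATOR_FIELDS if audience == "regulator" else SUBJECT_FIELDS
    return [f for f in required if not draft.get(f)]


def register_entry(b: Breach, facts: str, effects: str, remedial: str) -> dict:
    """Breach log entry: facts, effects and remedial action (draft Article 31(4))."""
    return {"aware_at": b.aware_at.isoformat(), "risk": b.risk.value,
            "facts": facts, "effects": effects, "remedial_action": remedial}


def assess(risk: str, hours_since_aware: float, role: str = "controller",
           unintelligible: bool = False, subsequent_measures: bool = False) -> dict:
    """Plain-value summary of notification_plan for a constructed incident."""
    aware = datetime(2016, 3, 30, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    b = Breach(aware, Risk(risk), role, unintelligible, subsequent_measures)
    plan = notification_plan(b, aware + timedelta(hours=hours_since_aware))
    hours_left = None
    if plan["regulator_deadline"] is not None:
        total = (plan["regulator_deadline"] - aware).total_seconds() / 3600
        hours_left = total - hours_since_aware  # negative once the 72 h have passed
    return {"notify_regulator": plan["regulator_deadline"] is not None,
            "hours_left": hours_left,
            "justification_required": plan["justification_required"],
            "notify_data_subjects": plan["data_subjects"],
            "notify_controller": plan["controller"]}


if __name__ == "__main__":
    # Constructed incident: unencrypted customer records exposed, discovered 10 h ago
    print(assess("high", 10))
    print(missing_fields({"nature": "records exposed", "contact": "DPO"}, "regulator"))
```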

Page 54

What should you do now to prepare? Building better compliance

• Build the right team. Now. Engage your lawyers and other external vendors now so they are on tap when you need them
• Create policies, raise awareness and normalise the risk
• Rehearse your comms: build a defendable narrative
• Use privilege and confidentiality rings
• Practice: war game. Regularly
• Ensure regular security patching
• Review cyber insurance coverage

Page 55

Thank you for listening

Olswang: Changing Business. www.olswang.com

Ross McKean / Partner / Head of Data Protection
+44 20 7067 3378
ross.[email protected]

Offices: Brussels +32 2 647 4772; London +44 20 7067 3000; Madrid +34 91 187 1920; Munich +49 89 206 028 400; Singapore +65 6720 8278; Paris +33 17 091 8720; Thames Valley +44 20 7071 7300

Page 56

Responding To Cyber Crime – Working With The Police

Roy Ramm

Founding Director, ExtraYard

Sponsored by

Page 59

THE STRATEGIC POLICING REQUIREMENT

The scale of the threat from serious and organised crime has been demonstrated by high profile cases of child sexual exploitation; growing use of cyber techniques by organised criminals to commit fraud and trade illegal drugs and firearms on the internet; and the spread of banking malware responsible for losses of hundreds of millions of pounds.

The National Security Strategy identifies cyber crime as a Tier One risk; it covers both cyber-dependent crime and cyber-enabled crime.

A national cyber security incident, which the NSS identifies as a Tier One risk and which may require an aggregated police response under the guidelines set out by the UK's Computer Emergency Response Team (CERT-UK), with appropriate links to the NCA, civil contingencies and public order policing as needed.

Page 60

WHO ARE THE INVESTIGATORS?

GCHQ and the National Cyber Crime Unit (NCCU) work together to develop the skills and technology required to combat the elite cyber crime threat to the UK.

For the most serious national crimes, the NCCU in the National Crime Agency (NCA) leads operations.

Each of the 9 Regional Organised Crime Units has its own cyber unit.

The Metropolitan Police has also enhanced its cyber capability. Operation FALCON (Fraud and Linked Crime Online) brought together the Metropolitan Police's fraud squad and the cyber crime unit to disrupt and arrest cyber criminals attacking London businesses.


OPERATIONS IN PARTNERSHIP


WHAT THE NCA OR THE POLICE WILL INVESTIGATE

Cyber crime and cyber-enabled crime, facilitated by the use and control of malicious software (malware).

Cyber crime and cyber-enabled crime, facilitated by the use of online phishing techniques.

Computer and network intrusions (with various motives and objectives).

Denial of service attacks and website defacement (with various motives and objectives).

The online trade in financial, personal and other data obtained through cyber crime or cyber-enabled crime.

The intentional and dishonest online provision of services, tools etc. to facilitate cyber crime or cyber-enabled crime.



57 ARRESTED IN NATIONWIDE CYBER CRIME STRIKE WEEK, 6 MARCH 2015

Working with partners in law enforcement, industry and government, the National Crime Agency (NCA) coordinated an intensive period of UK-wide action against cyber crime.

Fifty-seven people were arrested in 25 separate operations related to a range of cyber criminality, including:

- Network intrusion and data theft from multinational companies and government agencies

- Distributed Denial of Service (DDoS) attacks

- Cyber-enabled fraud

- Malicious software and virus development

Operational activity took place across England, Scotland and Wales, involving officers from the NCA’s National Cyber Crime Unit (NCCU), the Metropolitan Police and the Regional Organised Crime Units (ROCUs) associated with local forces around the UK.


VILLAIN OR VICTIM - WHO TO CALL?

The 7th Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Where no serious cyber crime threat exists, the investigative role is likely to remain with the Information Commissioner.

If you have been attacked and your data protection measures are found not to be ‘appropriate’ you may be both a victim of crime and a ‘suspect’.

Call your lawyer

Call the Information Commissioner

Call Action Fraud?

Call the police?


BREACHES MAY CAUSE REAL HARM AND DISTRESS

Fake credit card transactions;

Witnesses at risk of physical harm or intimidation;

Offenders at risk from vigilantes;

Exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence;

Fake applications for tax credits; and

Mortgage fraud.


WORKING WITH INVESTIGATORS

Make early contact with law enforcement

Closing the door or following the trail?

“The primary object of an efficient police is the prevention of crime”:

Protect yourself/customers from further loss

“The next that of detection and punishment of offenders if crime is committed”.

Preserve evidential trail

Preserve all material

Limit knowledge

Control communication

Make careful and detailed notes of ALL actions

Destroy/delete NOTHING

Choose your witnesses carefully


DISCREET AND PROPORTIONATE INVESTIGATIVE APPROACH


EXTRAYARD LIMITED,

123 ALDERSGATE STREET, LONDON,

EC1A 4JQ +44(0)207 553 7960

[email protected]


Responding To Cyber Crime – Working With The Police

Chris Martin

Senior Business Manager EMEA,

Darktrace

Sponsored by


The Enterprise Immune System: Using Machine Learning to Detect Threats

Chris Martin

Senior Business Manager EMEA


Company Background

• Founded in 2013 in Cambridge, UK

• Started by mathematicians and government intelligence specialists

• Technology based on machine learning & mathematics

• HQs in Cambridge, UK & San Francisco

• Over 550 deployments worldwide

• 18 global locations

“Darktrace is a game-changer” (Virgin Trains)

• Winner of ‘Security Company of the Year’ at Info Security Global Excellence Awards 2015

• Winner of ‘Best Insider Threat Detection and Solutions’ at Network Products Guide IT World Awards

• Gartner ‘Cool Vendor’ 2015

• World Economic Forum ‘Technology Pioneer’ 2015


Enterprise Immune System

Unsupervised machine learning: develops mathematical models of normal behavior

Inside-out view: complete analysis and visibility of 100% of network traffic

Correlation & behavioral analysis: for every individual user, device and network

Real time & long-running: analyzes events over long periods of time, with playback capability

Visualization and investigation: auto-classification of threats, supporting workflow and collaboration


Machine Learning & Mathematics

• Advanced Bayesian mathematics pioneered at Cambridge University

• Recursive Bayesian Estimation detects subtle changes within data series in real time and adaptively iterates its models

• Numerous approaches used to classify the probability of an action based on previous and emerging behaviors

• No ‘a priori’ assumptions about good or bad – mathematical models are unique to your organization

• Distribution is built from a complex set of low-level host, network and traffic observations or ‘features’


Darktrace in your security stack


Case Study: BT

Industry

• Telecommunications

Challenge

• Large, widely dispersed network

• Fast-evolving sophisticated threats

• Wanted a solution that could parse complex network data and detect previously unknown threats

Benefits

• Real-time, dynamically updated visibility of entire network

• Confidence that previously unknown threats can be detected within the network before they do serious damage

• Enhanced their own security offerings with Darktrace’s expertise in unsupervised machine learning and Bayesian mathematics

• Defended against potential insider threat

“Darktrace’s machine learning and mathematics are extremely powerful in detecting activity that is abnormal and will be critical to our future cyber security offerings.” Mark Hughes, President, BT Security


Darktrace in 2016

• 750 deployments to date

• 200+ employees

• Proven to work at scale

• Works on virtualized and cloud environments (vSensor) – including Amazon AWS, Rackspace etc.

Major product announcement imminent – the machine fights back. Watch this space!


Conclusion

• The threat is inside

• Rules & signatures are not enough

• Enterprise Immune System is unique

– Powered by machine learning and mathematics

– Understands ‘normal’ and detects emerging insider and external threats

– No rules or signatures

– Installs in 1 hour


Thank you


Context: Working An Incident

Mark Raeburn

CEO, Context Information Security

Sponsored by


Working an Incident

30/03/2016


Cyber Threat Landscape (diagram: threat actors Insiders, Hacktivists, Organised Crime and Nation States, with the data and failure modes they are associated with)

• Intellectual property

• Merger & Acquisition data

• Military technologies

• Web server data

• Social Media credentials

• Information related to key employees

• Payment card data

• Financial market data

• Full identification data

• Data Theft

• Accidental Loss

• Misconfigurations


Monitoring & Response: why it is important



Meet your team (diagram)

Incident Response Team: coordinate and align key resource, minimise impact and restore operations

Roles: Team Leader, Lead Investigator, PR, Insurer, Legal

Investigation

• Prioritise assets & capture baselines, threat info

• Incident triage procedures

• Effective ways to investigate and recover data

Communication

• Team member contact info

• External contacts

• Internal + external strategy

• Press lines


1. Define Cyber Security Strategy

What good looks like


The Science of Sufficiency (chart: axes Risk, Maturity and Capability; threat actors Script Kiddies, Cyber Crime, Hacktivists and Espionage)


Measuring Success

Considerations vs. Options

Considerations:

What is normal?

Behavioural Impact

Capability Improvements

Accepted Risk Appetite

Options:

Return to Operation

Time to Closure

# Alerts or Incidents

Red/Blue Team

Peer Comparison


Any Questions


Marketing, Profiling And Consent

Anna Soilleux

Senior Associate, Olswang LLP

Sponsored by


International Transfers

Ross McKean

Head of Data Protection, Olswang

Sponsored by


Ross McKean, Partner, Olswang

International Transfers Today and Tomorrow


Rules and options for international transfers

International Transfers Today and Tomorrow, 30 March, 2016 (slide 107)

Today: under DPD

• General principle: transfers to a third country (i.e. non-EEA) permitted only if the third country ensures "adequate" protection - Article 25

• Adequacy findings: Article 25(6), including:

  • White List decisions

  • Model clauses

• Derogations: Article 26, including:

  • unambiguous consent

  • performance of a contract

  • transfer necessary or legally required on important public interest grounds

Tomorrow: under GDPR Chapter V

• General principle: no transfers to third countries unless Chapter V conditions are met. Applies to controllers and processors – Art 40

• Fines – 4% / € 20 million bracket

• Adequacy decisions (White List) - Article 41

• "Appropriate safeguards" including model clauses, codes of conduct and certification mechanisms - Article 42

• BCRs: front and centre – now has its own Article 43

• DPD findings – remain valid until amended, replaced or repealed – Art 42

• Derogations: Article 44, including:

  • explicit consent

  • performance of a contract

  • necessary for important public interest reasons


US transfers: Safe Harbor, Privacy Shield – where are we now?

• 6 October 2015: CJEU invalidates Safe Harbor in the Schrems decision

• 16 October 2015: Article 29 Working Party statement

• 2 February 2016: agreement on EU-US Privacy Shield announced

• 29 February 2016: Privacy Shield documentation published

• 12/13 April: Article 29 Working Party due to adopt opinion on adequacy of Privacy Shield at plenary meeting

• Art 29 WP due to opine after plenary meeting on other transfer mechanisms, e.g. binding corporate rules and standard contractual clauses

• Another positive opinion is required of the Article 31 committee before the Commission can formally adopt an adequacy decision.

• Reports that the Commission wants Privacy Shield adopted by June


…all subject to what this man may do next


International transfers: practical takeaways

• Bad news:

  • post the Schrems ruling there will continue to be legal uncertainty, and it is possible that a new Privacy Shield regime could also be challenged

  • some regulators in Germany have already started enforcing against companies relying solely on the now defunct Safe Harbor

• Good news:

  • the ICO and the Irish regulator are much more relaxed about international transfers, but:

• Practical advice:

  • you need to have a defendable narrative if the regulators come knocking on your door – such as model clauses and/or consent - recognising that no solution is entirely robust

  • you should start planning transfer compliance under GDPR now. Privacy Shield and BCR will take significant time and resource to implement


UK OFFICE

Saddlers House

44 Gutter Lane

London

EC2V 6BR

Tel: +44(0)2079219980

[email protected]

www.gamblingcompliance.com