EU GDPR compliance forerunners answer your questions on defining breaches, the role of the CISO, the future of ad-tech, monetisation of personal data, hiring a DPO and high-risk organisational structures, and we ask: can GDPR inhibit the sharing of threat and attack data?
As we get closer to the deadline, momentum is growing, and so is the knowledge and best practice available. On a cross-functional basis, GDPR will be a constant for companies for the foreseeable future. And while practitioners focus on restructuring their business models to accommodate ‘privacy by design’, many are thinking about ROI and approaching the legislation creatively. But business as usual, and the threat of equally creative fines, may outweigh the need to see a return this early in the journey.
On Wednesday June 21 2017, Noord Group will host ‘GDPR Roundtable day: Laying the foundation for compliance design’ in the City of London at The Grange Tower Bridge Hotel.
In an always interactive format, your learned peers will tackle key parts of the legislation practically, pragmatically – honestly. Register now.
Have a sneak peek at what to expect as we put the tough questions to our panel:
- Angela Isom, Group Head of Data Protection Risk, JLT Insurance Group
- Nailah Ukaidi, Information Governance & Assurance Manager, Walsall Council
- Nigel Hawthorn, EMEA Marketing Director, Skyhigh Network
- Nina Barakzai, President and Chair, In House Counsel Worldwide/Group Head of Data Protection & Privacy, Sky
Q: Would GDPR consider a ransomware attack a ‘breach’ or an ‘availability’ issue?
NB: ‘A ransomware attack would suggest there is some sort of vulnerability in the data controller’s control environment, so it would be up to the data controller to demonstrate that there is no such vulnerability. This is a defensive issue for the controller as the burden of proof is on the controller.’
NU: ‘A breach means any failure to comply with the DPA, and in addition to being able to demonstrate compliance with the 7th Principle relating to appropriate organisational and technical measures, the data controller must be able to demonstrate that the ransom attack has not impaired their ability to comply with the other principles of the DPA.’
Q: How do the CISOs view this within their organisation?
NB: ‘CISOs would need to show they have taken appropriate organisational and technical measures to address known and predictable vulnerabilities. Patching and any other such best practice activities should be able to be evidenced.’
Q: Does the right to consent mean the end of ad-tech?
NB: ‘Right to consent is already a requirement, in that the individual must be given enough information to be able to make an informed and freely given choice about how their data will be used, by whom and within a pre-determined scope. If the ad-tech is less than transparent or not given at point of collection of the data, the argument can easily be made that the consent within a pre-determined scope has not been given, so cannot be relied on.’
Q: What are the implications of data portability, i.e. will individuals be able to monetise their own data?
NB: ‘Data portability means being able to move certain data to another service provider, but the level and nature of that data has not yet been decided. Therefore, it is up to the controller to identify what data is required to allow the individual to still receive a service from the new provider. It does not mean that all data held by one controller must be sent to another controller.’
AI: ‘The Article 29 working party has published guidance on the right to data portability and importantly it states: “It clarifies the conditions under which this new right applies taking into account the legal basis of the data processing (either the data subject’s consent or the necessity to perform a contract) and the fact that this right is limited to personal data provided by the data subject.” From that guidance the data subject has a right of access only to what they have provided to the data controller already.’
NU: ‘The right to portability gives the data subject the right to transmit personal data from one data controller to another data controller “without hindrance” and requires that the data controller provide this data “in a structured, commonly used and machine-readable format”. There is a further responsibility upon the new receiving data controller to ensure that any new data received complies with all of the data protection principles set out in Article 5 of the GDPR, so he must clearly and directly state the purpose of the new processing before any request for the transmission of the portable data is made.’
Q: How many individuals’ data do you need to process before a DPO is required?
NB: ‘Organisations can choose to appoint a DPO or not, but it must be based on the assessment of activities e.g. where there may be systematic processing of data or where there is a certain level of individuals’ data being processed.’
AI: ‘The Article 29 working party has published guidance on when an organisation is obligated to have a DPO: “Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.” However, any organisation can choose to appoint a DPO. If they choose to do this then the DPO is obligated to comply with the GDPR requirements of a DPO.’
Q: Have any of the ‘big data’ companies e.g. FB, Google made any statements about portability and whether they’ll challenge/comply?
NH: ‘Many of the largest big data companies already offer data portability via OpenID APIs. I think the difficulty with complying is more likely to rest with organisations with many years of legacy systems where extracting data is not as easy as the companies that have data as a major part of their DNA.’
Q: What constitutes a high risk to the rights and freedoms of individuals?
NB: ‘Each controller will have its own view of what is or is not high risk.’
Q: How will GDPR promote or potentially inhibit the sharing of threat and attack data between industry partners? Will it aid collaboration?
NH: ‘I doubt it will affect the sharing of threat and attack data, firstly as this type of data might not have any personal information contained within it, and secondly because the GDPR allows data to be shared for the purposes of prevention, detection or prosecution of criminal offences.’
NU: ‘The government’s Cyber Security Scheme will further support the sharing of information in this regard.’
We thank the delegates who attended the 16th Noord InfoSec Dialogue in March for submitting the questions. And equally, thanks to our panel for applying themselves to sharing their perspectives candidly.
You are encouraged to apply if you are currently taking part in the implementation of a GDPR strategy or are offering a solution for GDPR compliance. Applications are subject to final confirmation due to the high demand for places.