
GDPR made simple


One year on from the enforcement of GDPR, the talk recapped what it means for the regular EU resident, one’s rights and when to exercise them. In addition, some practical pointers & tips were presented as to how businesses should go about managing their GDPR compliance programme without GDPR becoming a burden. Following the event Ms de Mesquita commented that, “My aim was to get across the importance of the regulation, how it improves the protection of European data subjects’ rights while also highlighting what companies that process personal data must do to safeguard these rights.”

Angele de Mesquita

June 20, 2019


Transcript

  1. GDPR
    made simple
    Presented by
    Angele de Mesquita
    (CIPP/E, CIPM)


  2. Angele
    de Mesquita
    • 10+ years working in software industry
    • Current: HoD – Business Transformation
    at APS
    • Previous: HoD – GRC & DPO at NetRefer
    • Identity theft victim


  3. Show of hands please
    How many of you are employed or have your own business?
    How many of you know your rights under GDPR?
    How many of you know when to exercise those rights, and how?
    What about you?

  4. What did the EU want to achieve?
    Harmonize data privacy laws across Europe, protect and empower all EU citizens’ data
    privacy, and reshape the way organizations across the region approach data privacy.
    • 4 years of discussions
    • 14/04/2016: approved by the EU Parliament
    • 25/05/2018: enforcement comes into effect
    • Replacement of the Data Protection Directive 95/46/EC
    • €20,000,000, or 4% of worldwide annual turnover if that is higher, in penalties

  5. GDPR
    One year on
    Statistics provided by the IAPP and IDPC
    Malta:
    • 998 registered DPOs
    • 111 complaints received
    • 327 data breaches
    • €26,000 in fines, with pending casework from Q3 & Q4 2018

  6. Before we move on, food for thought…
    Does privacy exist nowadays?

  7. Privacy is gone
    • December 2018: Facebook bug allowed 1,500 apps to access private photos, wrongly
    allowing access to 6.8 million users’ photos.
    • January 2019: Amazon Ring security camera data left unprotected on the open web.
    • November 2018: UK ICO fines Uber £385,000 for inadequate security permitting a breach
    affecting 3 million British users and 82,000 drivers.

  8. • January 2019: Apple FaceTime briefly permitted audio & video spying.
    • February 2019: German antitrust authority finds Facebook abused its dominance of the
    social network market to track and collect users’ personal data in ways users do not
    know about.
    • March 2019: Guess what? Facebook still tracks you in Android apps (even if you don’t
    have a Facebook account).
    • April 2019: Hey Alexa, what do Amazon workers know about me? A Bloomberg investigation
    disclosed that Amazon employees are listening in on Amazon Echo users.

  9. 11th June 2019: U.S. Customs and Border Protection announced the previous afternoon
    that hackers had stolen an undisclosed number of license-plate images and travellers’
    ID photos from a subcontractor.
    12th June 2019: AEPD, the Spanish data protection agency, has fined La Liga €250,000 for
    an alleged ‘spy’ mode that used a device’s microphone to see if the owner was watching a
    football match, using technology similar to Shazam (a service that is able to identify
    music). If the app detected a match was being watched, it also accessed location data to
    see whether the venue in question was showing the match legally.

  10. • Uber has an internal company tool called God View to track any Uber passenger’s
    movements, of particular concern when each profile is attached to personal information,
    unlike passengers in regular taxis.
    • Facebook knows who your friends are, where you were last weekend, which posts you read,
    and we give all this information willingly.

  11. • Google Maps / Waze: the CIA knows where you are!
    • Better yet, the CIA can see your surroundings! Hurray for Pokémon Go!
    • Gmail parses all your emails. They’re so good that now they provide you with
    predictive answers.
    • Fruit Ninja, Despicable Me, Drag Racing, Words with Friends and Draw Something Free
    request the phone’s unique identity as well as access to the internet for use in targeted
    advertising. It takes a user’s precise location apparently to show where users get free
    Starfruit (the game’s currency) but also uses it to deliver, you guessed it, targeted
    advertising.

  12. The NSA and its British equivalent, GCHQ, were targeting leaky smartphone apps
    including Angry Birds for user data such as age, gender and location. One classified
    2012 British report included a code for mining profiles created when Android users play
    Angry Birds. Another documented that an ad company called Millennial Media worked with
    Angry Birds developer Rovio to create more intrusive profiles for Android and iOS
    versions, including additional categories such as ethnicity, marital status and sexual
    orientation.
    • Can access a user’s Location, Calendar and Contacts Book.
    • Incorporates the Flurry Analytics framework, a service used to collect usage data.
    • Includes file paths to source code files in debug information, stored within the
    app’s executable. These file paths often include usernames or other information related
    to the app developer or development company.
    • Uses several ad networks, such as InMobi, AdMob, iAd, Google’s DoubleClick and
    Millennial Media.

  13. Not scared yet? Think IoT
    Many devices like thermostats, cameras and other appliances that are increasingly
    connected to the internet are providing ample opportunity for intelligence agencies to
    spy on targets, and possibly the masses. And it’s a danger that many consumers who buy
    these products may be wholly unaware of.
    In the future, intelligence services might use the [internet of things] for
    identification, surveillance, monitoring, location tracking, and targeting for
    recruitment, or to gain access to networks or user credentials.

  14. You should be terrified
    As technology advances, so do the possibilities of abuse.

  15. How does GDPR help?
    • Instituting principles as a regulation (directly applicable in every member state,
    unlike the old directive).
    • Giving residents more rights over their data.
    • Considering the technical implications in today’s digital world (privacy by design &
    default).
    • Mandating enforcement officers within certain companies (DPOs).
    • Hefty fines and penalties.
    • Increased territorial scope.

  16. Before deep diving, some definitions
    Personal Data, Processing, Data Subject, Controllers, Processors, Sub-Processors

  17. Definition: Personal Data (Article 4(1))
    ‘personal data’ means any information relating to an identified or identifiable natural
    person (‘data subject’); an identifiable natural person is one who can be identified,
    directly or indirectly, in particular by reference to an identifier such as a name, an
    identification number, location data, an online identifier or to one or more factors
    specific to the physical, physiological, genetic, mental, economic, cultural or social
    identity of that natural person;
    Normal vs. sensitive (the special categories of Article 9): what’s the deal?
    A history lesson

  18. Definition: Processing (Article 4(2))
    ‘processing’ means any operation or set of operations which is performed on personal
    data or on sets of personal data, whether or not by automated means, such as:
    collection, recording, organisation, structuring, storage, adaptation or alteration,
    retrieval, consultation, use, disclosure by transmission, dissemination or otherwise
    making available, alignment or combination, restriction, erasure or destruction;

  19. The Players
    Data Subject, Data Controller, Data Processor, Sub-Processor

  20. What are the principles behind GDPR?
    And where do they come from…

  21. • 1948: The Universal Declaration of Human Rights (UN), Articles 12 & 19: the right to
    a private family life and freedom of expression
    • 1950: European Convention on Human Rights (CoE), Articles 8 & 10
    • 1970: The German state of Hesse introduces the first modern privacy law
    • 1973: Sweden creates the Data Act
    • By 1979 data protection laws had been enacted in 7 member states
    • 1980: OECD guidelines
    • 1981: CoE follows suit with Convention 108
    • 1995: Directive 95/46/EC
    • 2016: Regulation (EU) 2016/679

  22. OECD Guidelines
    • Openness principle (transparency)
    • Collection limitation principle
    • Purpose specification principle
    • Use limitation principle
    • Data quality principle
    • Security safeguards principle
    • Individual participation principle (right to access and to know)
    • Accountability principle
    GDPR Principles (Article 5)
    • Lawfulness, fairness & transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity & confidentiality
    • Accountability (Article 5(2): the controller must be able to demonstrate compliance
    with the above)

  23. Lawfulness, Fairness, Transparency
    Lawfulness: processing needs one of the lawful bases of Article 6: consent, contract
    performance, legal obligation, vital interest of the individual, public interest,
    legitimate interest.
    Fairness: data subjects must be aware of the fact that their personal data will be
    processed, including how the data will be collected, kept and used, to allow them to
    make an informed decision about whether they agree with such processing and enable them
    to exercise their rights. Fairness also requires an assessment of how the processing
    will affect the data subject (= DPIA).
    Transparency: open and clear; data subject rights and control over their data.

  24. Real life application: Lawfulness, Fairness, Transparency
    Consent must be freely given, specific, informed and unambiguous (Articles 4(11) & 7):
    voluntary, granular, transparent, clear.
    Citizen, what to look out for:
    • Terms and Conditions which are full of legal speak, that are not in clear plain English.
    • Pre-checked boxes for direct marketing or any other service.
    • No information about unsubscribing.
    • No privacy notice.
    Business: in addition to ensuring the above, you need to be able to prove that you are
    doing all this. Audit records… for everything… with dates and times.

  25. Example of a complete rule breaker: not clear, not concise, not intelligible, and
    asking for inaction rather than action.
    Good luck unsubscribing… I say, good luck with the supervisory authority!

  26. Purpose Limitation
    Only collect and process personal data to accomplish specified, explicit and legitimate
    purposes.
    Data Minimisation
    Only collect what you really need and do a necessity and proportionality test on it.
    Can we accomplish the same thing with anonymised data? Are we collecting too much in
    terms of quantity? If a sample of 300 suffices, why should we collect 600?
    Accuracy
    Reasonable measures to ensure data is accurate and kept up to date. Also because
    inaccurate data is useless data.
    Storage Limitation
    Personal data should not be kept for longer than necessary for the purpose for which
    the personal data is processed. Personal data may be kept for longer periods insofar as
    the personal data will be processed solely for archiving purposes in the public
    interest, scientific or historical research purposes or statistical purposes.
    Also: storage costs money.

  27. Real life application: Purpose Limitation, Data Minimisation, Accuracy, Storage
    Limitation
    Citizen, what to look out for:
    • Asking for too much information. Beware: it is your right to know why!
    • Periodic confirmation of your details.
    Business:
    • Data retention and archival policies need to be in place.
    • Deletion policies and mechanisms.

  28. Confidentiality
    Means something that is secret and is not supposed to be disclosed to unintended people
    or entities. Confidentiality ensures that sensitive information is accessed only by an
    authorised person and kept away from those not authorised to possess it.
    Integrity
    Maintaining the consistency, accuracy, and trustworthiness of data over its entire life
    cycle. Data must not be changed in transit, and steps must be taken to ensure that data
    cannot be altered by unauthorised people.
    Availability
    Implies that information is available to the authorised parties whenever required.
    Unavailability of data and systems can have serious consequences. It is essential to a
    disaster recovery plan which includes unpredictable events such as natural disasters and
    fire.

  29. Real life application: Confidentiality, Integrity, Availability
    Citizen, what to look out for:
    • Submitting personal data: HTTPS, look for the padlock. (Caveat: the padlock only means
    the connection is encrypted and the certificate matches the domain name; it says nothing
    about who runs the site or what they do with your data, and current browsers no longer
    colour it green.)
    • Your information is available when needed.
    Business:
    • Granular permissions by role.
    • Disaster recovery & business continuity plans.
    • Data protected in transit & at rest, even from your employees.
    • Privacy by design and default concept to be applied.
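    The business items above (granular permissions by role, data protected even from your
    own employees, privacy by design and default) and the data-minimisation question on
    slide 26 ("can we accomplish the same thing with anonymised data?") can be shown in
    working code. The Python below is an added example and is not code from the talk or from
    the presenter: each purpose receives only the fields it needs, the identifier is replaced
    by a keyed pseudonym (HMAC-SHA256, so rows can still be joined but an address cannot be
    recovered or confirmed by guessing without the key), and re-identification is confined
    to one role with an audit trail. The key, the purposes, the field names and the sample
    records are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical key material, constructed for this example. In a real system it lives in a
# KMS/HSM and is readable only by the role allowed to re-identify people.
PSEUDONYM_KEY = b"example-key-held-by-the-dpo-role-only"

# Fields each purpose is allowed to receive (decided up front: data minimisation).
PURPOSE_FIELDS: Dict[str, set] = {
    "analytics": {"country", "signup_month", "plan"},
    "billing":   {"email", "plan"},
}


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a normalised identifier.

    The same e-mail always maps to the same token, so datasets can be joined, but without the
    key the token cannot be reversed. A plain SHA-256 of an e-mail address would fall to a
    dictionary of known addresses; the HMAC key is what prevents that.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; anything else is never copied out."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def export_for_purpose(records: Iterable[dict], purpose: str) -> List[dict]:
    """Build the dataset a team receives: minimised fields plus a pseudonymous join key."""
    out = []
    for r in records:
        row = minimise(r, purpose)
        row["subject_token"] = pseudonymise(r["email"])
        out.append(row)
    return out


class ReidentificationService:
    """Holds the token -> identifier index and releases it only to an authorised role.

    Every lookup attempt is recorded, successful or not: that is the audit record the talk
    asks businesses to keep.
    """

    def __init__(self, records: Iterable[dict], allowed_roles: Iterable[str] = ("dpo",)):
        self._index = {pseudonymise(r["email"]): r["email"] for r in records}
        self._allowed = set(allowed_roles)
        self.audit_log: List[Tuple[str, str, bool]] = []

    def lookup(self, token: str, role: str, reason: str) -> Optional[str]:
        permitted = role in self._allowed
        self.audit_log.append((role, reason, permitted))
        if not permitted:
            return None
        return self._index.get(token)


# Constructed sample records (not real people).
SAMPLE = [
    {"email": "Alice@Example.com", "name": "Alice A.", "phone": "+356 0000 0001",
     "country": "MT", "signup_month": "2019-05", "plan": "pro"},
    {"email": "bob@example.org", "name": "Bob B.", "phone": "+356 0000 0002",
     "country": "IT", "signup_month": "2019-06", "plan": "free"},
]

if __name__ == "__main__":
    for row in export_for_purpose(SAMPLE, "analytics"):
        print(row)          # no name, e-mail or phone reaches the analytics team
```

    The analytics export carries no name, e-mail or phone number, yet two exports made with
    the same key can still be joined on subject_token; rotating the key deliberately breaks
    that linkage, which is one way to enforce storage limitation on old exports.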

  30. That’s a big ask.
    Do you want ketchup with that? Nah, just a couple of rights and obligations on top…

  31. Data subject rights
    The right to know (to be informed)
    The right of rectification
    The right of access
    The right to be forgotten (erasure)
    Restriction of processing
    Data portability

  32. How to exercise these rights
    By contacting the company. Under Article 12(3) they have one month at most to provide
    you with either the information you asked for, or notice that they are extending the
    deadline by up to a further two months because the request is complex or they have
    received many; they must tell you about the extension, and the reasons, within that
    first month. The extension is the company’s own decision, not something the supervisory
    authority approves.

  33. If that doesn’t work or there is no option to contact the company, report the case to
    the IDPC. It’s anonymous!
    https://idpc.org.mt/en/Pages/contact/complaints.aspx

  34. Business obligations
    Data breach obligations
    Having a DPO (not all companies)
    Record keeping (as evidence)

  35. Data breach… exaggerated much?

  36. Data Breach (Articles 33 & 34)
    • What is a breach? Article 4(12): a breach of security leading to the accidental or
    unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
    personal data transmitted, stored or otherwise processed.
    • Article 33: the controller notifies the supervisory authority without undue delay and,
    where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to
    result in a risk to the rights and freedoms of natural persons.
    • Article 34: when the personal data breach is likely to result in a high risk to the
    rights and freedoms of natural persons, the controller shall communicate the personal
    data breach to the data subject without undue delay.
    • How common are breaches?

  37. Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
    Entity                               | Records lost | Year | Story (cut off in the slide)                       | Sector     | Method
    US Customs and Border Protection     | 100,000      | 2019 | June 2019. Photos of travellers' faces and licen   | government | hacked
    Click2Gov                            | 300,000      | 2018 | Dec 2018. Vulnerabilities in Click2Gov, a type o   | financial  | hacked
    SingHealth                           | 1,500,000    | 2018 | July 2018. Hackers stole personal details of 1.5   | healthcare | hacked
    Quest Diagnostics                    | 11,900,000   | 2019 | June 2019. One of the biggest blood testing pr     | healthcare | poor security
    Australian National University       | 200,000      | 2019 | June 2019. A hacker accessed personal inform       | academic   | hacked
    Canva                                | 139,000,000  | 2019 | May 2019. A hacker stole names, email addres       | web        | hacked
    First American Financial Corporation | 885,000,000  | 2019 | May 2019. A provider of real estate title insura   | financial  | poor security
    Chtrbox (Instagram influencers)      | 49,000,000   | 2019 | May 2019. A database of contact details for m      | media      | poor security
    WiFi Finder (a hotspot finder app)   | 2,000,000    | 2019 | Apr 2019. An Android app exposed the Wi-Fi p       | app        | poor security

  38. Enforcement & Penalties
    €20M or 4% of worldwide annual turnover, whichever is higher
    €10M or 2% of worldwide annual turnover, whichever is higher

  39. €10 million or 2%, for infringements of:
    • conditions for children’s consent,
    • processing that doesn’t require identification,
    • general obligations of processors and controllers,
    • certification, and
    • certification bodies
    €20 million or 4%, for infringements of:
    • data processing principles,
    • lawful bases for processing,
    • conditions for consent,
    • processing of special categories of data,
    • data subjects’ rights, and
    • data transfers to third countries

  40. • January 2019: Google fined 50 million euros for collecting personal data from users
    without providing an adequate level of transparency on how that data will be used.
    • January 2019: Denmark, Taxa 4x35, 1.2 million Danish kroner. As a result of a random
    audit, the company was found to have 9m records that were not needed.
    • June 2019: CNIL fines French real estate company SERGIC €400,000 for exposing customer
    documents such as IDs, health cards and tax documents without prior authentication.
    • May 2019: Lithuania, Mister Tango UAB, €61,500 for accidentally exposing a website with
    a list of consumer payments and payment details for 2 days.

  41. Does GDPR apply only in Europe?

  42. Territorial scope (Article 3)
    (1) This Regulation applies to the processing of personal data in the context of the
    activities of an establishment of a controller or a processor in the Union, regardless
    of whether the processing takes place in the Union or not.
    (2) This Regulation applies to the processing of personal data of data subjects who are
    in the Union by a controller or processor not established in the Union, where the
    processing activities are related to: (a) the offering of goods or services,
    irrespective of whether a payment of the data subject is required, to such data subjects
    in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes
    place within the Union.
    (3) This Regulation applies to the processing of personal data by a controller not
    established in the Union, but in a place where Member State law applies by virtue of
    public international law.
    In short:
    • Within the EU
    • To any company offering a service within the EU (or monitoring people in it)

  43. How can the EU enforce GDPR on a company outside the EU?

  44. • EU-US Privacy Shield. (Caveat: the CJEU invalidated Privacy Shield in the Schrems II
    judgment of July 2020; its successor, the EU-US Data Privacy Framework, received an
    adequacy decision in July 2023.)
    • EU companies may only transfer personal data to third countries under an adequacy
    decision or appropriate safeguards (Chapter V); otherwise they are liable to the same
    consequences under GDPR.
    • Companies that want to serve the EU must appoint a representative in the EU (Article 27).
    • Working with other countries that have an appropriate level of privacy laws (adequacy).
    • Being responsible for your data processors and forcing due diligence (Article 28
    contracts).

  45. If you’re a business, how do you satisfy all that?
    Without going broke…

  46. 1. IT is your best friend: get a list of all the systems within your organisation and
    don’t forget any physical locations.
    2. Build a data inventory.
    3. Create a questionnaire that is to be filled in by every team, listing the personal
    information they use on a day-to-day basis and for what.
    4. Procure a GRC tool. Excel won’t work if you’re a medium-sized company.
    5. Someone will have forgotten something: if a medium to large company, get the help of
    your BI team to cross-check system permissions against the questionnaire responses
    automatically.
    6. Conduct a risk assessment based on the data collected.
    7. Take each risk through the risk framework, i.e. quantification & mitigation plans.
    8. Start actioning your mitigation plans.
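    The cross-check in step 5 (system permissions against questionnaire responses) is the
    part of this procedure that can be automated, and it is what turns the inventory into
    findings for the risk assessment in step 6. The Python below is an added example, not
    the presenter’s tooling nor any GRC product: the systems, teams and personal-data
    categories are constructed, and a real run would read the IT permission export and the
    questionnaire results instead of the inline dictionaries. It reports three things: teams
    that can reach data they never declared a purpose for, teams that declared data no
    system they can read holds (the forgotten system, or a spreadsheet), and data that no
    team with access has a purpose for (a storage-limitation candidate).

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample inputs; system, team and category names are hypothetical.

# From IT (step 1): each system and the categories of personal data it holds.
SYSTEMS: Dict[str, Set[str]] = {
    "crm":        {"name", "email", "phone"},
    "payroll":    {"name", "bank_account", "national_id"},
    "analytics":  {"email", "location"},
    "old_backup": {"name", "email", "national_id"},
}

# From IT: the permission export, i.e. which teams can read which systems.
ACCESS: Dict[str, Set[str]] = {
    "sales":     {"crm", "analytics"},
    "hr":        {"payroll", "old_backup"},
    "marketing": {"crm"},
}

# From the questionnaire (step 3): category -> purpose each team says it uses it for.
DECLARED: Dict[str, Dict[str, str]] = {
    "sales":     {"name": "customer contact", "email": "customer contact",
                  "phone": "customer contact"},
    "hr":        {"name": "employment", "bank_account": "salary payment"},
    "marketing": {"email": "newsletter"},
    "support":   {"email": "ticket replies"},
}

Finding = Tuple  # (team or system, category, detail)


def reconcile(systems: Dict[str, Set[str]], access: Dict[str, Set[str]],
              declared: Dict[str, Dict[str, str]]) -> Dict[str, List[Finding]]:
    """Cross-check what each team can reach against what it declared.

    undeclared_access:       a team can read a category it declared no purpose for
                             (excess permission, or an incomplete questionnaire)
    declared_without_access: a team declared a category that no system it can read holds
                             (a forgotten system, or data living outside the inventory)
    orphaned_data:           a system holds a category that no team with access has a
                             purpose for (candidate for deletion: storage limitation)
    """
    # team -> category -> the systems through which the team can reach that category
    reachable: Dict[str, Dict[str, Set[str]]] = defaultdict(dict)
    for team, readable in access.items():
        for system in readable:
            for category in systems.get(system, ()):
                reachable[team].setdefault(category, set()).add(system)

    findings: Dict[str, List[Finding]] = {
        "undeclared_access": [], "declared_without_access": [], "orphaned_data": []}

    for team in sorted(set(access) | set(declared)):
        have = reachable.get(team, {})
        said = declared.get(team, {})
        for category in sorted(set(have) - set(said)):
            findings["undeclared_access"].append((team, category, sorted(have[category])))
        for category in sorted(set(said) - set(have)):
            findings["declared_without_access"].append((team, category, said[category]))

    for system, categories in sorted(systems.items()):
        readers = [t for t, readable in access.items() if system in readable]
        for category in sorted(categories):
            if not any(category in declared.get(t, {}) for t in readers):
                findings["orphaned_data"].append((system, category))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(SYSTEMS, ACCESS, DECLARED).items():
        print(kind)
        for item in items:
            print("   ", item)
```

    On the sample data the run flags, among other things, HR’s reach into national IDs it
    never declared, a support team that uses e-mail addresses without any inventoried
    system holding them, and the national IDs in the old backup that nobody has a purpose
    for. Each finding maps onto one of the principles earlier in the deck (least-privilege
    permissions, a complete inventory, storage limitation) and is the input to step 6.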

  47. Remember it’s all about the data subject. You are a data subject: ask yourself how
    you would feel?
    • Tighten security
    • Be transparent, but not at the risk of sacrificing security
    • Train your people
    • Stop the bleeding: implement privacy by design and default
    • Hire a DPO (internal) to guide and help you
    • Record your breaches
    • Don’t look at it only from the legal perspective
    • Take a look at Coffee and Process for more tips and tricks:
    https://coffeeandprocess.com

  48. The views expressed in this presentation and speech are the
    presenter’s own views and do not necessarily reflect the views
    of APS Bank or any of its affiliates. The information presented
    cannot be considered to be legal, investment, tax, consulting
    or any other professional advice. It is also provided on an “as
    is” basis with no guarantees of completeness or timeliness and
    without any warranties of any kind whatsoever.


  49. GDPR
    made simple
    Presented by
    Angele de Mesquita
    (CIPP/E, CIPM)
