Slide 1

Slide 1 text

GDPR made simple Presented by Angele de Mesquita (CIPP/E, CIPM)

Slide 2

Slide 2 text

Angele de Mesquita • 10+ years working in software industry • Current: HoD – Business Transformation at APS • Previous: HoD – GRC & DPO at NetRefer • Identity theft victim

Slide 3

Slide 3 text

Show of hands please How many of you are employed or have their own business? How many of you know your rights under GDPR? How many of you know when to exercise those rights and how? What about you?

Slide 4

Slide 4 text

What did the EU want to achieve?
Harmonize data privacy laws across Europe, protect and empower the data privacy of all EU citizens, and reshape the way organizations across the region approach data privacy.
• 4 years of discussions
• Replacement of the Data Protection Directive 95/46/EC
• 14/04/2016 – Approved by the EU Parliament
• 25/05/2018 – Enforcement comes into effect
• €20,000,000 or more in penalties

Slide 5

Slide 5 text

GDPR: one year on
Statistics provided by the IAPP and IDPC Malta:
• 998 registered DPOs
• 111 complaints received
• 327 data breaches
• €26,000 in fines, with pending casework from Q3 & Q4 2018

Slide 6

Slide 6 text

Before we move on, food for thought… Does privacy exist nowadays?

Slide 7

Slide 7 text

Privacy is gone
• December 2018 – Facebook bug allowed 1,500 apps to access private photos, wrongly allowing access to 6.8 million users’ photos.
• January 2019 – Amazon Ring security camera data left unprotected on the open web.
• November 2018 – UK ICO fines Uber £385,000 for inadequate security permitting a breach affecting 3 million British users and 82,000 drivers.

Slide 8

Slide 8 text

• January 2019 – Apple FaceTime briefly permitted audio & video spying.
• February 2019 – German antitrust authority finds Facebook abused its dominance of the social network market to track and collect users’ personal data in ways users do not know about.
• March 2019 – Guess what? Facebook still tracks you on Android apps (even if you don’t have a Facebook account).
• April 2019 – Hey Alexa, what do Amazon workers know about me? A Bloomberg investigation disclosed that Amazon employees are listening in on Amazon Echo users.

Slide 9

Slide 9 text

• 11th June 2019 – U.S. Customs and Border Protection announced yesterday afternoon that hackers had stolen an undisclosed number of license-plate images and travelers’ ID photos from a subcontractor.
• 12th June 2019 – AEPD, the Spanish data protection agency, has fined La Liga €250,000 for an alleged ‘spy’ mode that used a device’s microphone to see if the owner was watching a football match, using technology similar to Shazam – a service that is able to identify music. If the app detected a match was being watched, it also accessed location data to see whether the venue in question was showing the match legally.

Slide 10

Slide 10 text

• Uber has an internal company tool called God View to track any Uber passenger's movements – of particular concern when each profile is attached to personal information, unlike passengers in regular taxis.
• Facebook knows who your friends are, where you were last weekend and which posts you read, and we give all this information willingly.

Slide 11

Slide 11 text

• Google Maps / Waze – the CIA know where you are! Better yet, the CIA can see your surroundings! Hurray for Pokemon Go!
• Gmail – Gmail parses all your emails. They’re so good that now they provide you with predictive answers.
• Fruit Ninja, Despicable Me, Drag Racing, Words with Friends and Draw Something Free request the phone's unique identity as well as access to the internet for use in targeted advertising. Draw Something Free takes a user's precise location, apparently to show where users get free Starfruit (the game's currency), but also uses it to deliver – you guessed it – targeted advertising.

Slide 12

Slide 12 text

The NSA and its British equivalent, GCHQ, were targeting leaky smartphone apps including Angry Birds for user data such as age, gender and location. One classified 2012 British report included a code for mining profiles created when Android users play Angry Birds. Another documented that an ad company called Millennial Media worked with Angry Birds developer Rovio to create more intrusive profiles for Android and iOS versions, including additional categories such as ethnicity, marital status and sexual orientation.
What the app does:
• Can access a user's Location, Calendar and Contacts Book.
• Incorporates the Flurry Analytics framework, a service used to collect usage data.
• Includes file paths to source code files in debug information, stored within the app's executable. These file paths often include usernames or other information related to the app developer or development company.
• Uses several ad networks, such as InMobi, AdMob, iAd, Google's DoubleClick and Millennial Media.

Slide 13

Slide 13 text

Not scared yet? Think IoT
Many devices like thermostats, cameras and other appliances that are increasingly connected to the internet are providing ample opportunity for intelligence agencies to spy on targets, and possibly the masses. And it’s a danger that many consumers who buy these products may be wholly unaware of.
“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

Slide 14

Slide 14 text

You should be terrified As technology advances, so do the possibilities of abuse.

Slide 15

Slide 15 text

How does GDPR help?
• Instituting principles as a regulation.
• Giving residents more rights over their data.
• Considering the technical implications in today’s digital world (Privacy by design & default).
• Mandating enforcement officers within certain companies (DPOs).
• Hefty fines and penalties.
• Increased territorial scope.

Slide 16

Slide 16 text

Before deep diving, some definitions: Personal Data, Processing, Data Subject, Controllers, Processors, Sub-Processors

Slide 17

Slide 17 text

Definition: Personal Data
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Normal vs. Sensitive – What’s the deal? A history lesson.

Slide 18

Slide 18 text

Definition: Processing
'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Slide 19

Slide 19 text

The Players
• Data Subject
• Data Controller
• Data Processor
• Sub-Processor

Slide 20

Slide 20 text

What are the principles behind GDPR? And where do they come from….

Slide 21

Slide 21 text

Where the principles come from – a timeline
• 1948 – The Universal Declaration of Human Rights (UN) – Articles 12 & 19 – the right to a private family life and freedom of expression
• 1950 – European Convention on Human Rights (CoE) – Article 10
• 1970 – The German state of Hesse introduces the first modern privacy law
• 1973 – Sweden creates the Data Act
• By 1979 data protection laws had been enacted in 7 member states
• 1980 – OECD guidelines
• 1981 – CoE follows suit with Convention 108
• 1995 – Directive 95/46/EC
• 2016 – Regulation (EU) 2016/679

Slide 22

Slide 22 text

OECD Guidelines
• Openness principle – Transparency
• Collection limitation principle
• Purpose specification principle
• Use limitation principle
• Data quality principle
• Security safeguards principle
• Individual participation principle – Right to access and to know
• Accountability principle
GDPR Principles (Article 5)
• Lawfulness, Fairness & Transparency
• Purpose Limitation
• Data Minimisation
• Accuracy
• Storage Limitation
• Integrity & Confidentiality

Slide 23

Slide 23 text

Lawfulness, Fairness & Transparency
• Lawfulness – consent, contract performance, legal obligation, vital interest of the individual, public interest, legitimate interest.
• Fairness – data subjects must be aware of the fact that their personal data will be processed, including how the data will be collected, kept and used, to allow them to make an informed decision about whether they agree with such processing and enable them to exercise their rights. Fairness also requires an assessment of how the processing will affect the data subject (= DPIA).
• Transparency – open and clear; data subject rights and control over their data.

Slide 24

Slide 24 text

Real life application – Consent must be freely given, specific, informed and unambiguous (Article 7): voluntary, granular, transparent, clear.
Citizen – what to look out for:
• Terms and Conditions which are full of legal speak and not in clear, plain English.
• Pre-checked boxes for direct marketing or any other service.
• No information about unsubscribing.
• No privacy notice.
Business – in addition to ensuring the above, you need to be able to prove that you are doing all this. Audit records… for everything… with date and time.

Slide 27

Slide 27 text

Example of a complete rule breaker – not clear, not concise, not intelligible, and asking for inaction rather than action. Good luck unsubscribing… I say, good luck with the supervisory authority!

Slide 28

Slide 28 text

• Purpose Limitation – Only collect and process personal data to accomplish specified, explicit and legitimate purposes.
• Data Minimization – Only collect what you really need and do a Necessity and Proportionality test on it. Can we accomplish the same thing with anonymized data? Are we collecting too much in terms of quantity? If a sample of 300 suffices, why should we collect 600?
• Accuracy – Reasonable measures to ensure data is accurate and kept up-to-date. Also because inaccurate data is useless data.
• Storage Limitation – Personal data should not be kept for longer than necessary for the purpose for which the personal data is processed. Personal data may be kept for longer periods insofar as it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Also – storage costs money.

Slide 29

Slide 29 text

Real life application – Purpose Limitation, Data Minimization, Accuracy, Storage Limitation
Citizen – what to look out for:
• Asking for too much information – beware – it is your right to know why!
• Periodic confirmation of your details.
Business:
• Data retention and archival policies need to be in place.
• Deletion policies and mechanisms.

Slide 30

Slide 30 text

• Confidentiality – means something that is secret and is not supposed to be disclosed to unintended people or entities. Confidentiality ensures that sensitive information is accessed only by an authorized person and kept away from those not authorized to possess it.
• Integrity – maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people.
• Availability – implies that information is available to the authorized parties whenever required. Unavailability of data and systems can have serious consequences. It is essential to a disaster recovery plan, which includes unpredictable events such as natural disasters and fire.

Slide 31

Slide 31 text

Real life application – Confidentiality, Integrity, Availability
Citizen – what to look out for:
• Submitting personal data – https – look out for the green lock.
• Your information is available when needed.
Business:
• Granular permissions by role.
• Disaster recovery & business continuity plans.
• Data protected in transit & at rest, even from your employees.
• Privacy by design and default concept to be applied.

Slide 32

Slide 32 text

That’s a big ask. Do you want Ketchup with that? Nah just a couple of rights and obligations on top…

Slide 33

Slide 33 text

Privacy is gone – your rights
• The right to know
• The right of rectification
• The right to access
• The right to be forgotten
• Restriction of processing
• Data portability

Slide 34

Slide 34 text

How to exercise these rights
By contacting the company. They have 30 days maximum to provide you with:
- either the information you asked for, or
- an approved extension by the authority for up to 60 days.

Slide 35

Slide 35 text

If that doesn’t work or there is no option to contact the company – report the case to the IDPC. It’s anonymous! https://idpc.org.mt/en/Pages/contact/complaints.aspx

Slide 36

Slide 36 text

Privacy is gone – business obligations
• Data breach obligations
• Having a DPO (not all companies)
• Record keeping (as evidence)

Slide 37

Slide 37 text

Data Breach… exaggerated much?

Slide 38

Slide 38 text

Data Breach (Articles 33 & 34)
• What is a breach?
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
• How common are breaches?

Slide 39

Slide 39 text

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Entity                               | Records lost | Year | Story                                               | Sector     | Method
US Customs and Border Protection     | 100,000      | 2019 | June 2019. Photos of travellers' faces and licen…   | government | hacked
Click2Gov                            | 300,000      | 2018 | Dec 2018. Vulnerabilities in Click2Gov, a type o…   | financial  | hacked
SingHealth                           | 1,500,000    | 2018 | July 2018. Hackers stole personal details of 1.5…   | healthcare | hacked
Quest Diagnostics                    | 11,900,000   | 2019 | June 2019. One of the biggest blood testing pr…     | healthcare | poor security
Australian National University       | 200,000      | 2019 | June 2019. A hacker accessed personal inform…       | academic   | hacked
Canva                                | 139,000,000  | 2019 | May 2019. A hacker stole names, email addres…       | web        | hacked
First American Financial Corporation | 885,000,000  | 2019 | May 2019. A provider of real estate title insura…   | financial  | poor security
Chtrbox Instagram Influencers        | 49,000,000   | 2019 | May 2019. A database of contact details for m…      | media      | poor security
WiFi Finder (a hotspot finder app)   | 2,000,000    | 2019 | Apr 2019. An Android app exposed the Wi-Fi p…       | app        | poor security

Slide 41

Slide 41 text

Enforcement & Penalties – €20M or 4% / €10M or 2%

Slide 42

Slide 42 text

€10 million or 2% – for infringements of:
• conditions for children’s consent,
• processing that doesn’t require identification,
• general obligations of processors and controllers,
• certification, and
• certification bodies
€20 million or 4% – for infringements of:
• data processing principles,
• lawful bases for processing,
• conditions for consent,
• processing of special categories of data,
• data subjects’ rights, and
• data transfers to third countries

Slide 43

Slide 43 text

• January 2019 – Google fined 50 million Euros for collecting personal data from users without providing an adequate level of transparency on how that data will be used.
• January 2019 – Denmark: Taxa 4X35 – 1.2 million Danish Kroner. As a result of a random audit, the company was found to have 9m records that were not needed.
• June 2019 – CNIL fines French real estate company SERGIC €400,000 for exposing customer documents such as IDs, health cards and tax documents without prior authentication.
• May 2019 – Lithuania: Mister Tango UAB – €61,500 for accidentally exposing a website with a list of consumer payments and payment details for 2 days.

Slide 44

Slide 44 text

Does GDPR apply only in Europe?

Slide 45

Slide 45 text

This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
• Within the EU
• To any company offering a service within the EU

Slide 46

Slide 46 text

How can the EU enforce GDPR on a company out of the EU?

Slide 47

Slide 47 text

• EU-US Privacy Shield
• Forcing EU companies to work only with companies in the EU or in countries with adequacy decisions, or else be liable to the same consequences under GDPR.
• Forcing companies that want to service the EU to have a representative in the EU – Article 27.
• Working with other countries that have an appropriate level of privacy laws.
• Being responsible for your data processors and forcing due diligence.

Slide 48

Slide 48 text

If you’re a business, how do you satisfy all that? Without going broke…

Slide 49

Slide 49 text

Overview: list all the systems and places where data is stored and take a data inventory; create a questionnaire asking all teams what PII they use in their day to day and what for; invest in a GRC tool; cross check system permissions and questionnaire responses; conduct a risk assessment; mitigation strategies.
1. IT is your best friend – get a list of all the systems within your organisation and don’t forget any physical locations.
2. Build a data inventory.
3. Create a questionnaire that is to be filled in by every team listing the personal information they use on a day to day basis and for what.
4. Procure a GRC tool – Excel won’t work if you’re a medium sized company.
5. Someone will have forgotten something – if a medium to large company, get the help of your BI team to cross check the data automatically.
6. Conduct a risk assessment based on the data collected.
7. Take each risk through the risk framework, i.e. quantification & mitigation plans.
8. Start actioning your mitigation plans.
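Steps 2, 3, 5, 6 and 7 above, as an added example that is not part of the presentation: a small Python script that cross-checks a constructed data inventory against constructed questionnaire responses (the automated check the BI team would run), then ranks systems by a simple risk score. All system names, teams, volume thresholds and the scoring scheme (volume band times sensitivity, special-category data weighted higher) are assumptions for illustration.

```python
"""Added example (not from the presentation): cross-check a data inventory
against team questionnaire responses, then rank the findings as a first-pass
risk assessment. Every system, team and record below is constructed."""
from dataclasses import dataclass

# Special categories of data (GDPR Art. 9) weigh more in the risk score.
SPECIAL_CATEGORIES = {"health", "ethnicity", "religion", "sexual orientation"}


@dataclass(frozen=True)
class System:
    name: str
    pii_fields: frozenset        # PII categories held, from the IT inventory
    teams_with_access: frozenset  # from the system's permission export
    records: int                  # number of data subjects stored


# Constructed inventory (what IT and the permission exports say).
INVENTORY = [
    System("crm", frozenset({"name", "email", "location"}),
           frozenset({"sales", "support"}), 120_000),
    System("hr-db", frozenset({"name", "health", "ethnicity"}),
           frozenset({"hr"}), 900),
    System("legacy-export", frozenset({"name", "email"}),
           frozenset({"bi", "sales"}), 600_000),
]

# Constructed questionnaire responses: team -> {system: stated purpose}.
QUESTIONNAIRE = {
    "sales": {"crm": "contract performance"},
    "support": {"crm": "contract performance"},
    "hr": {"hr-db": "legal obligation"},
    "bi": {},  # the BI team forgot to list legacy-export
}


def cross_check(inventory, questionnaire):
    """Return (unreported, undocumented): systems holding PII that no team
    reported using, and (team, system) pairs where a team has access but gave
    no purpose. Both are gaps to close before the risk assessment."""
    reported = {s for answers in questionnaire.values() for s in answers}
    unreported = sorted(s.name for s in inventory
                        if s.pii_fields and s.name not in reported)
    undocumented = sorted((team, s.name) for s in inventory
                          for team in s.teams_with_access
                          if s.name not in questionnaire.get(team, {}))
    return unreported, undocumented


def risk_score(system):
    """Assumed quantification: volume band (1-3) x sensitivity (1 normal, 3 special)."""
    volume = 1 if system.records < 10_000 else 2 if system.records < 500_000 else 3
    sensitivity = 3 if system.pii_fields & SPECIAL_CATEGORIES else 1
    return volume * sensitivity


def ranked_risks(inventory):
    """Highest-risk systems first, so mitigation plans start where it matters."""
    return sorted(((risk_score(s), s.name) for s in inventory), reverse=True)


if __name__ == "__main__":
    print(cross_check(INVENTORY, QUESTIONNAIRE))
    print(ranked_risks(INVENTORY))
```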

Slide 50

Slide 50 text

Remember it’s all about the data subject – you are a data subject – ask yourself how you would feel.
• Tighten security.
• Be transparent – but not at the risk of sacrificing security.
• Train your people.
• Stop the bleeding – implement Privacy by design and default.
• Hire a DPO (internal) to guide and help you.
• Record your breaches.
• Don’t look at it only from the legal perspective.
• Take a look at Coffee and Process for more tips and tricks: https://coffeeandprocess.com

Slide 51

Slide 51 text

The views expressed in this presentation and speech are the presenter’s own views and do not necessarily reflect the views of APS Bank or any of its affiliates. The information presented cannot be considered to be legal, investment, tax, consulting or any other professional advice. It is also provided on an “as is” basis with no guarantees of completeness or timeliness and without any warranties of any kind whatsoever.

Slide 52

Slide 52 text

Thank You!
