
Page 1 (Title: Microsoft PowerPoint - RICS GDPR Slides (DAM20190916) - Read-Only; Author: kkyriakou; Created Date: 9/17/2019)

17/09/2019

1

Legal Essentials for Property Managers – Information & Data Security

18 September 2019

Legal Essentials for Property Managers – Information and Data Security

• Introduction

• GDPR Overview

• brief overview of GDPR

• Review activity

• ICO enforcement notices/fines

• Hot Topics

• Ways to Comply

• Key Tools

• Cloud Computing Issues

• Top Tips

www.kempitlaw.com

Page 2

GDPR Overview

GDPR significantly broadens and deepens the regulatory duties of businesses as controllers and processors of personal data: a wide-reaching and pervasive step change in the rules regulating the processing of personal data.

• Legal basis for processing personal data

• Subject access requests

• Right to be Forgotten

• Data breaches

• Direct obligations on processors + requirement on controllers to impose certain contractual terms on processors

• Privacy - by design, by default and impact assessments (PIA)

• DPOs/responsibility inside the company/firm/organisation

• Transfers

• Compensation claims, Fines (and breach of contract liability)

“We’re all going to have to change how we think about Data Protection” (Elizabeth Denham)

GDPR Overview

• Personal Data:

“any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

• details about owners, occupiers, landlords, tenants, etc.

• employee details, etc.

• details about customers and suppliers

• information stored in CRM systems, paper files, hosted/cloud environments

• IP addresses

• CCTV footage

• smart building technology

• pseudonymized data

• derived data?

Page 3

GDPR Update: Facts and Figures

• Total number of cases reported from 31 EEA countries up to ~Feb 2019: 206,326

• Total EEA fines ~ €56m over same period (€50m is the CNIL fine imposed on Google)

• UK:

• Fines: BA ~£183m, Marriott ~£99m (for a cyber incident that exposed approximately 339 million customer records)

• Breach Reports: 1700 during first month, now ~400 per month

https://edpb.europa.eu/news/news/2019/edpb-libe-report-implementation-gdpr_en

GDPR Update: Hot Topics

• Online advertising

• Proceedings in Ireland, recent guidance from ICO

• Cookies

• Guidance from ICO

• Marketing Communications

• EE fine: £100,000 fine for sending over 2.5 million direct marketing messages to its customers, without consent.

• Smart Home Protection Ltd: £90,000 fine for making nuisance calls to people registered with the Telephone Preference Service (TPS).

• CCTV/facial recognition

• Estate Agency breaches:

• Life at Parliament View Ltd fined £80,000 for leaving 18,610 customers' personal data exposed for almost two years.

Page 4

Ways to Comply

1. Understand (A) what data is collected; (B) how, where, by whom and for what purposes the data is processed; and (C) on what basis the processing of the data is lawful.

2. Engage with all data subjects and ensure compliance through organization as a whole – compliance is not solely the responsibility of the DPO. All employees and stakeholders should have basic knowledge of GDPR and its core requirements. Ensure all employees/staff:

• know what they can and cannot do

• understand the lingo

• are familiar with policies and processes (e.g., not recording customer data on personal phones/devices, when to disclose information, etc.)

• know when to seek help/support

3. Use DPIAs to assess risk.

4. Check privacy policies, notices, consents, contracts.

5. Implement ATOMs (appropriate technical and organisational measures) and dovetail GDPR compliance with information security best practices.

Information Security Key Tools: Mapping, DPIAs, ATOMs and Trust Frameworks

Page 5

GDPR & Information Security: Information Security is broader than GDPR

1. Generally applicable duties:

• Controller ATOM duties

• GDPR Arts 5(1)(f), 24(1), 25(1), 28(1)

• NIS Directive, CA 2003, PECR

• Data sovereignty – IPA 2016, etc.

• Data residency

• UK criminal law – OSA, CMA, etc.

2. Negligence

• ATOM* emerging as ‘reasonable care’ standard?

3. General civil law liability:

• breach of confidence

• misuse of private information

• conversion

• trespass, etc.

4. Contractual

• Employees

• Customers

• Service Providers/Suppliers/Contractors

5. Internal policies and procedures

All relevant data activities [A] are value-, risk- and constraint-assessed [B] within a comprehensive data governance framework [C] that is constantly evaluated, directed and monitored [D].

Data Mapping

Page 6

DPIAs and ATOMs

DPIAs

• GDPR requirement: an assessment of the envisaged processing, in particular where new technologies are used, is required where the processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

• Good practice to use DPIAs/PIAs when changing any business process or procedure that may affect how data is processed (even if data is non-personal and not subject to GDPR).

• DPIAs/PIAs help to define and quantify risk and also how to minimise/resolve it.

• Robust processes around data mapping and use are invaluable when conducting DPIAs and/or PIAs.

ATOMs – Article 25 GDPR

“… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

A Trust Framework is a commonly agreed set of standards and operating rules – to share data in a fair, safe and equitable way – to be followed by all with access to the data concerned (whether to receive, store or use).

“a legal structure that provides independent stewardship of data” (Open Data Initiative https://theodi.org/article/defining-a-data-trust/)

• The Trust Framework consists of:

• Legal framework: a written agreement with all users sharing applications so that legal enforceability can therefore readily be assured;

• Operating Rules: addressing the preferences of the data provider and access rights of various types of data user (data categorisation, data management and data governance); and

• Technical Specifications: addressing data sets, privacy, interfaces (APIs) & validation techniques.

Trust Frameworks

Page 7

Cloud Computing Issues

• As IT workloads migrate to the cloud, the benefits must be weighed and managed against the risks

• The security of data in the cloud remains the central preoccupation of both cloud service providers (CSPs) and their customers

• NCSC – cyber threat to UK business, 2017-2018 report (10 April 2018):“Only 40% of all data stored in the cloud is access secured, although the majority of companies report they are concerned about encryption and security of data in the cloud. As more organisations decide to move data to the cloud (including confidential or sensitive information) it will become a tempting target for a range of cyber criminals. They will take advantage of the fact that many businesses put too much faith in the cloud providers and don’t stipulate how and where their data is stored”

• IDC’s Data Age 2025 White Paper (2017) – the role of data and the cloud will intensify:“All this data from new sources open up new vulnerabilities to private and sensitive information. There is a significant gap between the amount of data being produced today that requires security and the amount of data that is actually being secured, and this gap will widen — a reality of our data-driven world. By 2025, almost 90% of all data created in the global datasphere will require some level of security, but less than half will be secured.”

Cloud Computing – Data Issues

Page 8

• DPIAs and Due Diligence Key – security assessments, detailed description of ATOMs should be made available by CSP, pen testing, BC/DR policies, standards & certification

• ATOMs

• Customers want transparency, detailed information about security and ATOMs, a data law compliant solution, remedies for breach

• CSPs will:

• “implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure” (AWS Ts&Cs)

• “maintain appropriate technical and organizational measures, internal controls, and data security routines intended to protect Customer Data against accidental loss or change, unauthorized disclosure or access, or unlawful destruction” (Microsoft Azure Ts&Cs)

• What are “appropriate” TOMs and who decides?

• Liability – contractual limits on CSP’s liability

Cloud Computing Issues – what’s important?

• Step 1: questionnaire for CSPs to complete as a management record to evidence compliance, governance and e.g. cloud security principles/best practice

• map to internal processes & sign-off

• Step 2: Security assessment questionnaire content

• CSP hosting details – where?

• Public/private cloud/hybrid cloud/hyperconverged infrastructure?

• CSP standards certification?

• Encryption - data in transit/at rest, etc.

• CSP security: (i) operational, (ii) personnel, (iii) supply chain, (iv) development, (v) customer management, (vi) service admin

• Identity/authentication, external interfaces

• CSP governance/audit/incident management

• BC/DR

• Retention and data return

• Step 3: CSP assurance that it will meet its security commitments obtained by the combination of [contractual commitment] + [standards certification]+ [independent testing]

Cloud Computing – what does compliance look like?

Page 9

Tips

2 keywords to remember:

ACCOUNTABILITY

TRANSPARENCY

How would I feel if that happened to me or my data?

• Understand your data landscape

• Ensure all owners, occupiers, tenants, landlords, etc. know what data you hold, what you do with it, and on what basis

• Ensure employees and staff are fully aware of operational processes and why these need to be followed

• Encourage compliance: conduct regular training

• Encourage responsibility: human error accounts for a large number of data breaches

• Ensure your service providers and suppliers agree to appropriate and comprehensive GDPR terms

• Keep updated on recent developments and areas of interest for regulators.

Questions?

Deirdre [email protected] 3011 1627