20120418 Castlebridge Associates: Data Protection and the Cloud, Daragh O'Brien
DATA PROTECTION & THE CLOUD
CURRENT STATE AND PROBABLE FUTURE
Information & Data Quality | Information Governance | Data Protection
In today's interconnected Information Age it is more important than ever for organisations to properly manage the quality of their Information Assets.
• Strategy & Consulting
• Project Management
• Training & Mentoring

In today's Information Age "Everyone is Enterprise", making good Information Governance more important than ever. That often requires challenging changes to be made as people change their thinking about who is responsible and accountable for Information.
• Strategy & Consulting
• Project Management
• Training & Mentoring

Smart organisations realise that compliance with Data Protection rules is a key element in a trusted Information Fuelled business, and it's about more than just securing the data!
• Strategy & Consulting
• Project Management
• Training & Mentoring
[Slide graphic: Services: Training, Consulting, Coaching/Mentoring, Project Management. Quality Assured: Information Quality, Data Protection, Data Governance. Credentials: Certified Trainers, External QA Audits, Irish State Approved Training Provider, Quality Assured Syllabus, Qualified & Experienced, IQCP Certified, Certified PMs. Many Industries: Govt, Edu, Utilities, Fin. Svcs, Non-Profit, Telco.]
CONTACT
Web: www.castlebridge.ie
Twitter: @cbridgeinfo
Email: [email protected]
Contact Daragh directly
Twitter: @daraghobrien
Email: [email protected]
AGENDA
• Some Context : Data Protection in the Media (Trends)
• Current Situation
• Selected highlights from the Regulation
• Implications for Cloud
THE QUESTION
Is the probability of your data protection problems featuring in the media getting bigger?
THE SHORT ANSWER
THE LONG ANSWER
WHAT WE DID
1. Assume Google search hits as a surrogate for media focus on the issue
2. Select website domains of print-media newspapers in Ireland.
3. Select one International print newspaper with web site
4. Conduct Google searches within the domains of the sites
5. Analyse findings to determine trends (if any)
6. Analyse findings for relevance over time (first 10 results)
COMPARING 2010 AND 2011
Growth in hits for Data Protection or Privacy averages 117% between 2010 and 2011.
Some newspapers have significantly higher search hit rates than others during that period, but the increase in relevant hits is consistent.
SEARCH RESULTS (JANUARY ONLY) 2010-2012
Comparison of search results for January 2010 to January 2012 shows a consistent upward trend in relevant returns.
IS THIS A NEW PHENOMENON?
Analysis of search results since 2004 shows a consistent and accelerating upward trend in search results each year.
[Chart annotations: Upward inflection point in 2007/2008; Irish Times results growing faster]
DOWNLOAD
For more analysis on this topic, download the whitepaper from our website (no registration required, but please leave a comment on the site!)
http://www.castlebridge.ie/blog/daragh-o-brien/2012/february/data-protection-growing-area-media-interest
THE CURRENT SITUATION FOR CLOUD/DATA PROTECTION
http://bit.ly/Jkl5Pa Watch the video tutorial
THE PROPOSED DIRECTIVE
KEY DEVELOPMENTS
New Rights
New Duties
New Penalties
New Definitions
New Roles & Concepts
RIGHTS
All rights that exist under Directive 95/46/EC continue to exist.
Right to be Forgotten
• Expands on existing rights of correction/erasure/blocking
• Requires deletion of any related links and any shared/distributed copies
• Not an absolute right – will need to be balanced against other rights/responsibilities
Right to Data Portability
• Where data is in a structured and commonly used format, the Data Subject is entitled to a copy of the data for further use (even with another service provider)
The Regulation is very “Data Subject” centric: more rights, more expansive rights. But the basics remain the same.
DUTIES
Organisations will need to focus on internal governance and training to ensure compliance, and put in place metrics to evidence this.
“The Controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”
• Documentation of Processing
• Data Security
• Data Protection Impact Assessments
• Meeting requirements of Prior Authorisation or Prior Consultation
• Implement mechanisms to ensure the verification of the effectiveness of these measures.
DOCUMENTATION
The requirement to register with the DPC is now replaced with a requirement to maintain internal documentation about your processing.
“Each Controller and processor and, if any, the controller’s representative, shall maintain documentation of all processing operations under its responsibility”
• Name and contact details of the Controller/Processor/Representative
• Name and contact details of Data Protection Officer
• Purposes of processing
• Description of categories of data subjects and categories of personal data being processed
• Details of how controls are being verified
The Commission may define formats for process documentation.
DATA PROTECTION OFFICER
Creates a formal role in the management function; independence guaranteed under the Regulation; not limited to 250+ employers.
“The Controller and the processor shall designate a Data Protection Officer in any case where…”
• Processing is carried out by a Public Authority or Body
• OR Processing is carried out by an enterprise with 250+ employees
• OR Core activities of the controller or the processor consist of processing operations which… …require regular and systematic monitoring of data subjects
• Office holder must have expert knowledge of Data Protection law and practices and other professional qualities
• Must be “appropriately” resourced by the organisation
The 250 employee threshold has been criticised – other categories may still require a DPO to be appointed.
DATA SECURITY
Security continues to be an important issue. Breach Notification required within 24 hours. Impact on Processors regardless of contract.
“Article 30 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC, extending that obligation to processors, irrespective of the contract with the controller”
• Requirements include MANDATORY Breach Notification.
• Apply to Processors and Controllers equally.
• “Belt and Braces” on contractual provisions re: Security.
Security and Privacy are becoming a source of competitive advantage.
CROSS BORDER DATA TRANSFER
It will not matter where your Cloud service is based. If you are based in the EU, selling into the EU, or monitoring the behaviour of people in the EU, EU laws will apply.
“Regulation applies to
• processing of personal data by organisations based in EU
• Processing of personal data by organisations based outside EU
• Offering goods or services to data subjects in the EU
• Conducting monitoring of behaviour
• Where national law of Member State applies under public International Law”
Sets EU Principles as a benchmark for other nations.
Puts focus on protection of the Data Subject.
CROSS BORDER DATA TRANSFER
The principles of Cross Border Transfer are largely unchanged. Binding Corporate Rules simplified; some new elements proposed.
“Transfer overseas is permitted when:
• To “Safe Countries” (adequacy decision)
• Appropriate safeguards in CONTRACT (BCR, Standard Contract Clauses)
• Binding Corporate Rules (BCR – process simplified)”
• Similar to existing frameworks
• Binding Corporate Rules process simplified
• Key focus is on SAFEGUARDS and enforceability.
Still not without complexity for Cloud services.
Countries can now be declared UNSAFE.
TWEAKED DEFINITION OF “DATA SUBJECT”
The definition of Data Subject will be changing to include additional categories and types of data.
“an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
The definition is expanded beyond 95/46/EC to include a wider range of data, including location data and on-line identifiers (including Usernames and IP addresses… we assume…).
Doesn’t quite match the A29 Working Group definition… some scope for change.
PRIVACY BY DESIGN
Privacy by Design basically requires fundamental quality principles to be applied to Data Protection to PREVENT problems.
“Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
Requirement is to build quality in.
Requirement is to ensure quality is managed.
Recommended practice for all data; mandatory for SENSITIVE Data.
PROCESSORS BECOMING CONTROLLERS
Exceeding your contracted duties will strip Processors of any de facto protections they might have availed of as Processors acting under orders.
If you are a Processor who acts outside the terms of your engagement with a Data Controller, you will be treated as a Data Controller.
• Full penalties apply to you.
• Important to have DOCUMENTED contracts outlining the nature of the processing being performed
• Important to have Change Control.
ONE-STOP SHOP
Potentially will simplify things for EU companies. The mechanism still has to be clarified for how this will work.
EU27 Data Protection Authorities will engage in greater co-operation and collaboration.
• Important to know where your “base” is, as they are the DPC you will deal with.
• Customers in other EU countries will deal with you via their national DPA, who will liaise with the Irish DPC
• Precise mechanism still to be confirmed.
PENALTIES
The penalties and enforcement mechanisms are greatly strengthened in the Regulation. Plenty of opportunity to make legal history.
Up to €2million or 5% of Global Turnover
• EU member states may implement further administrative sanctions.
• Potential to be sued in Court by a Data Subject
• Don’t forget Brand damage
Mechanisms for application of penalties are still to be fully defined and fleshed out.
Expect to see mechanisms between “slap on wrist” and “sell the house”.
IMPLICATIONS FOR CLOUD?
M.A.G.G.O.T
M – Meaning, Measurement, Money
A – Accountability & Accessibility
G – Governance
G – Global Scope & Effect
O – Oversight & Operations
T - Transparency
TIME SCALES FOR REGULATION?
• Expected to be enacted and implemented 2013 (ish)
• Enforceable 2 years later
24 to 36 Months to make changes in your organisation, your operating model, and with your partners.
The Early Bird gets the Worm… …or the M.A.G.G.O.T
DARAGH’S PUBLICATIONS
Both published by Ark Group, available on Amazon.

The Data Strategy and Governance Toolkit (2011)
Taking an “Information Quality” perspective, and building on his 2008 publication, this book explores the drivers for Information Quality and Data Governance in modern organisations, regardless of size, as well as exploring the role of Governance and Information Quality in areas such as Cloud Computing and Regulatory Compliance.
O Brien also takes readers through tools and methodologies for communicating the value of information quality, data governance, and related disciplines such as
• Defining a Value Deliver System
• Strategy Maps
• Story Telling

Defining and Executing an Effective Data Quality Strategy (2008)
Managing Information and Data Quality requires organisations to take a strategic approach in order to ensure success. This report summarises a number of best practice methodologies for Information/Data Quality Management, key drivers for managing and improving quality of information, and useful approaches for mapping and communicating the strategic importance of high quality information and data in your organisation.
Buy: http://bit.ly/HWKdXD