DATA PRIVACY IN A DIGITAL ERA SHARON HOLI – Head of Masoko Safaricom PLC


Page 1: Data Privacy in a Digital Age - ISACA Kenya Chapter Holi - Data Privacy in a... · DATA PRIVACY IN A DIGITAL ERA SHARON HOLI – Head of Masoko Safaricom PLC Information Security

DATA PRIVACY IN A DIGITAL ERA

SHARON HOLI – Head of Masoko

Safaricom PLC

Page 2

Page 3

Information Security Breaches Survey 2017 (Source: PwC Belgium)

Page 4

Data is a corporate asset, like any other

Data is the life blood of decision making

Corporate data is at a higher risk of theft or misuse than ever before

Companies have obligations to protect data

Page 5

Right to privacy

• The right to privacy is a basic human right recognized in the Kenyan Constitution and other global legislation like the EU Charter on Fundamental Rights.

• This right seeks to protect the inviolable personality, independence and dignity of all individuals.

Right to data protection

• The right to personal data protection is another fundamental right.

• It guarantees the right to privacy by implementing the controls necessary to protect personal data.

• Where personal data is required, the purposes should be clearly defined.

• Regulation should balance the data controller's need for personal data against the need for protection.

Global trends

• Globally there is renewed interest in data security, privacy, and confidentiality.

Privacy, security and trust are increasingly vital and intertwined in our data-driven society.

Page 6

Data Protection vs Data Privacy

Data protection is about securing data against unauthorized access: essentially a technical issue.

Data privacy is about authorized access: a legal issue.

Page 7

Which data warrants protection?

Personally Identifiable Information (PII): data that can be linked to a specific individual, e.g. name, e-mail, full postal address, birth date, identity number, driver's license number, bank account details.

Sensitive Personal Data: information concerning a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

Page 8

Legislation touching on data privacy in Kenya

CHAPTER FOUR – THE BILL OF RIGHTS, KENYAN CONSTITUTION

• Article 31: Every person has the right to privacy.

DRAFT CYBER SECURITY AND PROTECTION BILL, 2016

• Prescribes removal of personal details that may identify a specific person not directly related to a cyber-security threat when parties are sharing information.

• Prohibits sharing of information relating to the health status of another person without the prior written consent of the person to whom the information relates.

DRAFT DATA PROTECTION BILL 2013

• It is hoped the regulation will increase accountability in the way individuals and institutions handle confidential information given to them by customers in the course of their operations.

• Penalties prescribed include a fine not exceeding Sh100,000 or imprisonment for a term not exceeding two years, or both.

Page 9

GDPR

GDPR Explained in 2 Minutes (video)

Source: YouTube, published by Oberlo

Page 10

GDPR

• The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.

• It becomes enforceable from 25 May 2018.

• It does not require national governments to pass any enabling legislation, so it is directly binding and applicable.

• "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. Maximum penalties of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year."

• The GDPR also brings a new set of "digital rights" for EU citizens in an age in which the economic value of personal data in the digital economy is increasing.

Page 11

GDPR

GDPR Chapter 3, Article 17, Right to erasure (‘right to be forgotten’):

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

Page 12

The challenge in a digital age

Data Growth

Data Speed

Data Diversity

Page 13

Data privacy breaches: what’s the harm?

Damage to reputation

Disruption of operations

Legal liability under applicable laws, regulations or contracts

Financial costs

Page 14

Facebook data breach (video)

Source: YouTube, published by euronews

Page 15

The latest publicised data breach

The Breach:

A political consulting firm, Cambridge Analytica, obtained personal data from more than 50 million Facebook users without their permission.

Cambridge Analytica acquired the 50m profiles from a researcher in 2014.

It appears the information was harvested by a researcher who collected data not only on the 270,000 or so users who Facebook said took his survey but also on their friends, who knew nothing about the survey and did not consent. The researcher then passed this data to Cambridge Analytica.

Impact

Financial: Facebook Inc. shares posted their steepest drop since 2015. Almost $20bn (£14bn) was wiped off the social network company’s market cap in the first few minutes of trading. By midday, the company’s share price losses had multiplied to more than $40bn, making the day its worst in more than five years.

Legal/Regulatory: Facebook has been invited to testify before a US congressional committee in the coming weeks.

Reputation: The Cambridge Analytica scandal has done immense damage to the brand, sources across the company believe. It will now take a Herculean effort to restore public trust in Facebook's commitment to privacy and data protection.

Page 16

Other recent data breaches (Source: www.csoonline.com)

Yahoo (October 9, 2017): In December 2016, it was reported that “more than 1 billion user accounts” may have been impacted by the 2013 Yahoo breach. 4 months after Verizon acquired Yahoo’s core internet assets, it was revealed that every single customer account was impacted by that breach; 3 billion Yahoo accounts were affected. …or the core operations of Yahoo, a cut of $350 million as part of revised terms because of the data breach.

Equifax (Sept 7, 2017): Equifax, one of the three largest credit agencies in the U.S., suffered a breach that may have affected 143 million consumers. Sensitive data was stolen, including Social Security numbers, driver’s license numbers, names, addresses, dates of birth, credit card numbers etc., arguably one of the worst breaches ever. Hackers were able to gain access to the company’s system from mid-May to July; the breach was discovered by Equifax on July 29th, 2017.

Page 17

A global survey of data use governance

Key findings from The Global State of Information Security® Survey 2018

Page 18

...to build digital trust

• Create a “culture of security” from the top down

• Make information security a risk management issue, as well as a technology issue

• Understand which laws apply, and ensure compliance with them

• Educate employees and business partners

“Many organizations worldwide need stronger privacy risk management that is better integrated with cybersecurity, according to our 2018 Global State of Information Security® Survey (GSISS).”

Trust takes years to build, seconds to break, and forever to repair.

Page 19

United Nations Conference on Trade and Development (UNCTAD)

Data protection principles

Page 20

Data Privacy

• Laws and regulations at a national/international level

• Data Privacy & Protection policies/guidelines at company level

• Contracts with third parties to define data protection responsibilities

• Information system security controls

• User awareness on data protection

• Privacy Impact Assessments/Privacy audits

Page 21

Privacy Impact Assessment

Privacy Impact Assessment (video)

Source: YouTube, published by Capgemini Group

Page 22

Privacy Impact Assessment

• Identify exposure to data privacy and data security risks

• Consider and implement changes to minimize risks

• Develop and adopt best practices going forward

• Review contracts with vendors that collect or provide sensitive/personal data to the company

• Review policies and practices for data: collection, storage, use, disclosure, protection, destruction

Data privacy and security are not just IT issues; instead, they touch on all parts of the company.

Page 23

Some best practices: Data Security

Take stock:

• What information do you have?

• Where is it stored?

• Who has access to it?

• Who should have access to it?

Page 24