
Page 1

16th International InfoSec & Data Storage

Protection level PUBLIC

Fernando Silva, DPO

Sofia, 28 September 2017

Legal Framework for the Protection of the Information Environment

Page 2

Legal Framework for the Protection of the Information Environment

Requirements imposed by the General Data Protection Regulation (GDPR)

Page 3

Information Environment – GDPR requirements

Agenda

• eu-LISA

• GDPR Requirements

– Major questions

– Data Governance

– Demonstrating compliance

– Penalties

Page 4

eu-LISA

Page 5

eu-LISA – European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice

• Established in 2011 (Regulation (EU) No 1077/2011); operational since 1 December 2012

• HQ – Tallinn, EE

• Operations site – Strasbourg, FR

• Back-up site – St. Johann im Pongau, AT

• Liaison office – Brussels, BE

• Employs 175 people

• Annual budget of EUR 153 million in 2017

• Key stakeholders:

– EU MS and Associated Countries

– EU institutions and Agencies (JHA)

Page 6

Our mandate

• 24/7 operational management of large-scale IT systems: Eurodac (with Dubli-Net), VIS (with VISMail) and SIS II (with SIRENE Mail Relay)

• 24/7 support to MS

• System evolution & development of new systems

• R&D

• Training

• Statistics

Page 7

Data Protection @ eu-LISA – Importance

• eu-LISA needs to process personal data

• eu-LISA deals with personal data

• Data protection is one factor of trust

Page 8

Requirements imposed by the General Data Protection Regulation (GDPR)

Page 9

Information Environment – GDPR requirements

GDPR replaces the former Directive 95/46/EC

Applicable from 25 May 2018

Operations on Personal Data (PD):

• Controller: collects, stores and uses data – you have to abide by the rules

• Processor: processes PD for others – you have to abide by the rules

Harmonisation and trust, but also new obligations and responsibilities

Page 10

Major questions:

• Implementation challenges, and how to overcome them?

• DPO: a new role? Cultural changes?

• How to effectively protect the highly relevant rights of data subjects?

• How to implement concepts such as Privacy by Design and by Default?

• When is a Privacy Impact Assessment required, and how is it carried out?

• How to detect personal data breaches, and what is the right procedure?

• What legal aspects apply when transferring personal data internationally?

• Sanctions?

Page 11

Data Governance – enterprise risk management

Privacy compliance framework:

• Governance, risk and compliance (GRC)

• Personal Information Management Systems (PIMS)

• Privacy principles

• Certifications

Page 12

Demonstrating privacy compliance

GDPR Recital 78 states:

The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.


Page 14

Article 5.2 – Accountability

DP principles:

• Adequate, relevant and not excessive

• Need-to-know principle / least-privilege principle

• Processed lawfully, fairly and in a transparent way

• Obtained/collected only for specified purposes

• Accurate and up to date

• Processed in line with the rights afforded to individuals

• Retained only for as long as necessary

• Not transferred to countries outside the EEA without adequate protection

• Kept secure

Page 15

GDPR Article 25.2 – Data protection by design and by default:

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Page 16

GDPR Article 32 – Security of processing:

The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

• the pseudonymisation and encryption of personal data;

• the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

• the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

• a process for regularly testing, assessing and evaluating the effectiveness of technical…
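Article 25.2 (only the data necessary for each purpose, by default) and Article 32.1(a) (pseudonymisation) are stated as obligations, not as techniques. The following is an added example, not code from the slides or from eu-LISA, of what the two look like together in a processing pipeline: a per-purpose policy decides which fields survive and how they are transformed, unknown purposes fail closed, and direct identifiers that must be retained are replaced by a keyed HMAC-SHA256 pseudonym whose key is held apart from the data. The field names, purposes, policy table and sample record are constructed for illustration.

```python
"""Added example (not from the original slides): purpose-bound data
minimisation (GDPR Art. 25(2), data protection by default) combined with
keyed pseudonymisation of direct identifiers (Art. 32(1)(a)).

The field names, purposes, policy table and sample record below are
constructed for illustration; they are not eu-LISA data or policy.
"""
import hashlib
import hmac

# Constructed sample record: one direct identifier plus a few attributes.
SAMPLE_RECORD = {
    "person_id": "ID-12345",
    "name": "A. Example",
    "date_of_birth": "1985-03-14",
    "country": "PT",
}

# Assumed policy: for each purpose, which fields may be processed and how.
# Any field not listed for a purpose is dropped by default (Art. 25(2)).
POLICY = {
    "statistics": {"country": "keep", "date_of_birth": "year"},
    "case_handling": {
        "person_id": "pseudonymise",
        "name": "keep",
        "date_of_birth": "keep",
        "country": "keep",
    },
}


def pseudonymise(value: str, key: bytes) -> str:
    """Map a direct identifier to a keyed HMAC-SHA256 tag (hex string).

    An unkeyed hash could be reversed by enumerating plausible identifiers;
    the secret key prevents that. The key must be stored separately from
    the pseudonymised data, otherwise the data is identifying again.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def same_person(tag: str, candidate: str, key: bytes) -> bool:
    """Check whether a pseudonym belongs to a candidate identifier, using a
    constant-time comparison so timing does not leak partial matches."""
    return hmac.compare_digest(tag, pseudonymise(candidate, key))


# How each policy rule transforms a field value.
TRANSFORMS = {
    "keep": lambda value, key: value,
    "year": lambda value, key: value[:4],  # generalise YYYY-MM-DD to YYYY
    "pseudonymise": lambda value, key: pseudonymise(value, key),
}


def minimise(record: dict, purpose: str, key: bytes) -> dict:
    """Return only the fields the purpose needs, transformed as the policy
    requires. An unknown purpose raises KeyError (fail closed) instead of
    returning the full record."""
    rules = POLICY[purpose]
    return {
        field: TRANSFORMS[rule](record[field], key)
        for field, rule in rules.items()
        if field in record
    }


if __name__ == "__main__":
    import secrets

    key = secrets.token_bytes(32)  # in practice: from a key store, rotated
    print(minimise(SAMPLE_RECORD, "statistics", key))
    print(minimise(SAMPLE_RECORD, "case_handling", key))
```

The policy table is the artefact a DPO can review and an auditor can diff against the record of processing; the code only enforces it. Rotating the HMAC key re-pseudonymises the dataset, which is the lever for breaking linkability once a purpose ends.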

Page 17

GDPR Article 33 – Notification of a personal data breach to the supervisory authority:

– The controller shall notify the supervisory authority of any personal data breach;

– Without undue delay and, where feasible, not later than 72 hours after becoming aware of it;

– Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

– The processor shall notify the controller without undue delay after becoming aware of the breach;

– Information may be provided in phases;

– Document any personal data breach (PDB).

Page 18

GDPR Article 35 – Data protection impact assessment:

Where a type of processing (…) is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

A DPIA is required in particular for:

• a systematic and extensive evaluation of personal aspects (profiling);

• large-scale processing of special categories of data (sensitive data – Article 9) or of data relating to criminal convictions;

• systematic monitoring (of a publicly accessible area, on a large scale);

Page 19

GDPR Article 37 – Designation of a data protection officer (mandatory where):

– the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

– the core activities require regular and systematic monitoring of data subjects on a large scale;

– the core activities consist of large-scale processing of special categories of data and of data relating to criminal convictions and offences;

Page 20

GDPR Article 39.1 – tasks of a data protection officer:

b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits

Page 21

GDPR Article 39.1 – tasks of a data protection officer (in practice):

– Promote the principle of Privacy by Design

– Ensure that projects and systems include a PIA

– Cooperate with stakeholders on data protection

– Maintain the inventory and register of notified processing operations

– Establish data protection best practices

– Provide information to, cooperate with and respond to requests from the EDPS

– Uphold data subjects' rights and freedoms

– Investigate any data-protection-related breaches

Page 22

DPOs' experience:

– Accountability and genuine top management engagement are essential;

– DPOs must have effective, independent oversight;

– Proactively engage with security teams;

– A business-risk-based ISMS is an essential component of the privacy compliance framework, by incorporating:

– data protection impact assessments, and

– data protection by design and by default

Page 23

– GDPR mandates organisations to put in place comprehensive but proportionate measures;

– It creates an obligation for organisations to understand the risks they create for others, and to mitigate those risks;

– It is not a box-ticking exercise;

– Work on a framework used to build a culture of privacy in the organisation;

Page 24

GDPR compliance programme:

– Implement an ISMS compliant with an ISO standard;

– Gap analysis;

– Data flow audit;

– Implement a PIMS;

– Security or cyber security check;

– Develop a privacy awareness programme, policies and procedures;

When in doubt consult your DPO and contact your National Data Protection Authority

Page 25

Penalties

GDPR Article 83 – General conditions for imposing administrative fines

Two tiers of administrative fines: up to EUR 10 million or 2 % of total worldwide annual turnover, and, for infringements of the basic principles, of data subjects' rights or of the rules on international transfers, up to EUR 20 million or 4 %, whichever is higher.

Page 26

References

Data protection: http://ec.europa.eu/justice/data-protection/

General Data Protection Regulation (EU) 2016/679: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

Data Protection Infographic: http://ec.europa.eu/justice/newsroom/data-protection/infographic/2017/index_en.htm

Page 27

Contact details:

Fernando Silva, DPO

eu-LISA website: http://www.eulisa.europa.eu

Thank you