Eye for Privacy
Magazine - January 28, 2015

New EU Data Protection Regulation
Privacy in mobile apps
Data privacy in public sector

Eye for Privacy - EY - United States · The upcoming data protection regulation by Emília Golim Fontainhas 2 12 10 6 4 Data privacy in public sector by Michael Pols and Dani Taboada


The upcoming data protection regulation, by Emília Golim Fontainhas

Data privacy in public sector, by Michael Pols and Dani Taboada Parga

Privacy & mobile apps, by Angeliki Triantou, Swati Manocha and Helena Ursic

Privacy considerations of cloud computing, by Konstantins Babahodzajevs and Emília Golim Fontainhas

The upcoming EU regulation on medical devices restates data protection principles, by Helena Ursic

Eye for Privacy
Ernst & Young Accountants LLP
Information Security / Data Privacy
www.ey.com
Amsterdam, January 2015

Executive Editor: Nora Boukadid
Managing Editor: Helena Ursic
Proofreader: Claire Gebuis
Contributing writers: Emília Golim Fontainhas, Konstantins Babahodzajevs, Michael Pols, Dani Taboada Parga, Angeliki Triantou, Swati Manocha, Helena Ursic
Graphic Design: Jeroen Hoppenbrouwers


Dear readers,

Today marks an important day for data privacy professionals: the international data privacy day. On the day of publication – 28th of January - exactly 34 years ago, the Council of Europe opened for signature “The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (also known as Convention 108), which set the basis for international data protection. What better day than this to launch EY’s data privacy magazine!

In this era, data privacy is becoming a topic of increasing concern to us all: CPOs, lawyers, information security professionals, compliance officers, auditors and many more. Simultaneously, the data subjects – be it patients, customers, employees, social media users or the average citizen – are all increasingly concerned with and highly interested in their privacy when exchanging their personal data.

On this remarkable day, we launch our EY data privacy magazine – Eye for Privacy. An easy-to-read magazine on data privacy topics that interest us as professionals. We keep you updated on regulations, but go beyond compliance. We highlight the challenges and risks in the processing of personal data and touch upon new technologies and their impact on data privacy, meanwhile appreciating the benefits of the free flow of personal data.

The business objectives are clear: personal data is the currency of today’s digital market and the free flow of (personal) information is the beating heart of the world economy. However, business goals cannot be pursued limitlessly. Data privacy requirements have placed several important restrictions on the existing business practices, pushing companies to strive for a new balance between the usage and protection of personal data.

Global businesses are observing the changing data privacy landscape and aim to align their processes and governance to achieve compliance with data privacy rules, especially in light of the upcoming EU DP regulation (see page 4). Legal compliance is not the sole reason for which data privacy is climbing the business agenda. Economic benefits gained from a strengthened data privacy framework, such as better reputation, more loyal clients, and so on, are often an incentive for companies to comply with data privacy rules.

Data privacy has been receiving an increasing amount of attention in the economy, both in the private and public sector (see page 6). The data protection of mobile apps (see page 7), cloud computing (see page 10), and privacy impact assessments are a mere few of today’s burning issues. Data privacy is raising concerns within all industries, from pharma (see page 12) and technology to healthcare and retail.

We consider data privacy to be a fundamental component of conducting business. A solid data privacy program forms an essential component of each organization that processes volumes of personal data. As strong believers in protecting personal data, we were early adopters, in fact the first and currently the only of the Big Four, to have our BCRs approved and implemented. Furthermore, we were the first to highly invest in data privacy capabilities. We are proud to have a global data privacy community with approximately 500 dedicated data privacy professionals, organized in both industry and competence profiles. This ranges from legal data privacy professionals with a deep pharma industry knowledge, to a data privacy professional specialized in Omni-channel opportunities and limitations. Our data privacy professionals have either a legal, risk, audit or information security background. This, in combination with our industry focus and integration with other competencies, allows us to provide our clients with maximum value. In addition, having the highest number of registered International Association of Privacy Professionals (IAPP) and certified privacy professionals worldwide demonstrates our commitment to data privacy, both internally and in our service offering.

In this first edition, we selected several articles reflecting the topics that our clients have highlighted as current concerns and areas of attention. Should you have any suggestions for new topics, or any questions, please feel free to reach out to us! In the meanwhile, enjoy our first edition of Eye for privacy, and allow yourself a deep dive into the exciting privacy world.

Warm regards,

Nora Boukadid
EMEIA Data Privacy Lead
Senior Manager

The upcoming data protection regulation

In January 2012, the European Commission proposed a General Data Protection Regulation (“Regulation”) intended to harmonize and modernize the core rules pertaining to the protection of personal data of individuals within the EU.

In the past three years, there has been much debate surrounding the proposed changes. An important milestone was reached in March 2014: the European Parliament adopted its position, voting in favour of an amended text.

Now, we expect the Council of the EU to internally agree on its position. The negotiations are progressing and the ministers of Justice of the EU Member States have already defined an approach to certain key aspects.


Although there is no compromise on the final version of the Data Protection Regulation, and more amendments are expected throughout the duration of the negotiations, it is evident that a clear direction has been defined. The upcoming Regulation will enhance individuals’ rights, increase organizations’ responsibility and reinforce data protection authorities’ powers.

The current proposals are highly prescriptive and strongly emphasise the accountability of organizations. Establishing a culture of monitoring, reviewing and assessing data processing procedures, minimizing the amount of data processed and installing safeguards for all personal data processing activities constitute some of the new requirements. Organizations will need to comply with provisions on transparency, document data processing operations and notify data breaches that are likely to affect the protection of individuals’ personal data or privacy. Organisations will furthermore be required to implement technical and organizational measures and procedures to ensure that data is processed in a data-protection-friendly way, and that it respects the rights of the individuals. Finally, data impact assessments must be conducted to review any risky processing activities involving personal data, whereby concrete steps must be taken to address specific concerns.

In essence, the upcoming Regulation represents a strong reinforcement of the building principles laid out in the Data Protection Directive, the current EU privacy act and the basis of Member States’ national laws. According to the Directive’s text, organizations are expected to process personal data lawfully, fairly and for specific purposes only, as well as grant individuals control over their personal data.

As such, if an organization is already compliant with the current laws in Europe (e.g. the Directive and national legislation), it is close to becoming fully compliant with the Regulation.

Regular periodic data protection audits may become a sanction for organizations that do not comply with the rules. Fines for non-compliance are expected to amount to 5% of their annual global turnover.

The new rules will apply directly to all organizations processing data in the EU or offering services to individuals in the EU. The rules are to replace the current fragmented national laws and regulations. Data processors (such as cloud providers) can expect to face direct obligations, including implementing appropriate security measures, maintaining appropriate documentation and informing and alerting the controller when a data breach occurs.

The Regulation is expected to enter into force within two years of approval by the Parliament and the Council. In other words, if it is adopted in May 2015 (as expected) by the new Commission President, organizations must be fully compliant with the new rules by May 2017. More cautious forecasts suggest that the approval will not be granted before 2016.

Emília Golim Fontainhas Data Privacy Advisor


Data privacy in public sector

Transformation in Dutch social services

The Dutch central government has transferred its responsibilities related to the care of youth, the employment and income of civilians and the care for chronically ill persons and the elderly to individual municipalities. This transformation is referred to as the 3 decentralizations (3Ds) and is one of the most significant transformations within the public sector of the past several years. With this, the government seeks to achieve higher efficiency and increase the expediency of the social services provided. In reality, this entails doing more with less, i.e. more activities with fewer resources.

The three new laws associated with the 3 decentralizations - (solid) problem analysis, assessments, access and admission to care - will change the way in which social services are provided. The past several months have witnessed a substantial number of initiatives; it is now time to put these efforts into practice.

Privacy within the decentralization

The 3 decentralizations focus on providing sensitive social services to civilians. In order to do so efficiently, the personal information of civilians must be collected, combined and processed. For many services, sensitive personal information, such as healthcare information, must be included. With the increasing number of parties involved in one process, it is crucial to design and implement the appropriate governance, policies, procedures and controls that will mitigate the risk of misuse or loss of personal information.

Changes and challenges

Not only are the 3 decentralizations changing the way that sensitive social services are delivered, they are also significantly affecting responsibilities. Municipalities collecting the information are wholly responsible for anything that may happen to the information processed. It is important to establish the type of information processed, by whom it is processed and for which purpose it is processed. It must subsequently be established that the processing of (sensitive) personal information is performed in accordance with the applicable laws and regulations. To establish such governance, policies, procedures and processes, knowledge of privacy, both now and in the future, is indispensable.

EY used a combined approach of an awareness workshop and a Privacy Impact Assessment (PIA) to assist several municipalities in grasping the concept of privacy and the upcoming changes in the Data Protection regulation. Additionally, EY aided municipalities in identifying the privacy challenges of newly designed processes. In order to help them with the transformation, EY advisors first gained insight into the currently available governance, procedures, policies and processes. Based on this insight and further analysis, EY then proposed concrete actions that the municipalities need to consider in the future.

Michael Pols
Data Privacy Manager

Dani Taboada Parga
Data Privacy Senior Advisor

“Data Protection is about enabling processing of data, not about prohibiting it.”
The 5th Annual European Data Protection & Privacy Conference in Brussels


Privacy & mobile apps

In 2013, Apple’s CEO Tim Cook announced that smartphone and tablet users can find a staggering 900,000 applications and games in the App Store. In July 2014, he shared a tweet about another record in App Store revenue, which increased the value of Apple’s share far beyond expectation. Following the trends that Apple and its peers have set, it is unsurprising that the focus of organizations has turned to mobility.

Mobile channels form the core of organizations’ attention, as such channels allow for customers to be reached on a 24/7 basis. Mobile devices now include the feature ‘geo-localization data sharing,’ which allows organizations to have access to their clients’ GPS coordinates via various apps. Armed with this information, organizations are able to learn about the client’s areas of interest and send relevant advertisements in response. Given that an increasing number of apps allow users to log in via Facebook, organizations are able to gather information from their social network profiles. This may include the client’s age, gender and preferences, as well as what is being said about the organization.

Although personal data forms the key asset for many companies, it cannot be collected and processed freely. Information about an individual’s personal characteristics (this may be sensitive, such as health-related information) and location have been declared a fundamental human right and are protected under EU privacy law(s). With consumers and law enforcement agencies becoming increasingly aware of privacy threats caused by inappropriately designed mobile apps, it is crucial that the business handles both its internal and externally launched mobile apps carefully. A solid understanding of risks, legal requirements and security considerations is critical to ensure a safe and compliant mobile apps environment.

1 E.g. the French data protection authority has just performed an extensive privacy scan of about 100 of the most used apps.


Privacy Risks of Mobile Apps

There are several potential risks linked to mobile apps. First, there are typical privacy challenges such as inappropriately obtained consent, excessive collection of data and unclearly defined purpose of collecting data.

Second, the collaboration of numerous players throughout the production process raises additional risks. The process often includes immature players who have only recently started to penetrate the IT market and thus lack privacy-specific knowledge and resources (e.g. they are unaware of how to draft appropriate privacy policies). When third parties become involved in more advanced phases (e.g. in the case of an advertising agency that uses apps to collect data for marketing purposes), data is often used excessively.

Not only are mobile apps capable of revealing one’s most personal information (health data, personal messages, website visits, online payments, etc.), they can additionally be used as tracking devices, whereby users’ locations are documented. This leads to another major risk: aggressive state surveillance. Edward Snowden proved that the risk of excessive surveillance is more than hypothetical.

Data Privacy as the focus of EU regulators

At the beginning of 2013, law enforcement agencies worldwide adopted a more coordinated approach to face the issue of mobile data protection. The independent EU advisory body on data protection – Article 29 Working Party – published an opinion about apps installed on smart devices. In March 2013, the Californian Attorney General proposed a set of privacy safeguards, mostly intended for the app developers headquartered in Silicon Valley. In September 2014, guidelines on privacy for mobile apps were issued by the Australian information commissioner. Recently, the German data protection authority adopted a similar document, clustering the legal requirements and proposing a compliance strategy.

What to do?

Before collecting and further processing any personal data, valid consent must be obtained from the users. There are two types of consent that might be relevant for mobile apps. First, for the mere processing of personal data, the general EU directive on data protection demands an informed and free consent of the data subject, i.e. the person whose data is processed. Second, according to the E-privacy directive, a controller is required to ask for consent if the mobile app is designed to store certain technical equipment – such as cookies – on the user’s device (e.g. mobile phone). Typically, both consents are simultaneously obtained. It is essential that they are given as a result of the user’s informed and free choice. Receiving informed and free consent is particularly critical for the apps that process sensitive data, such as health or biometric data. Furthermore, users must always be provided with the possibility to withdraw their consent in a quick and simple manner.

To ensure that consent is informed, controllers must provide the user with a transparent and comprehensive privacy policy. It must explain the organisation’s identity, provide contact details, list the purposes of processing and reveal whether data will be disclosed to third parties. In light of fair processing of personal data, the WP additionally advises the data controllers to provide the users with information about data retention periods and security measures that have been applied.

App developers and other data controllers in the mobile app ecosystem must enable app users to exercise their legal rights: the right to access, the right to rectification, the right to erasure and the right to object to data processing.

• Apps must clearly and visibly inform the users about the existence of these access and correction mechanisms. The Article 29 Working Party recommends the design and implementation of simple but secure online access tools.

• The need for easy online access is especially high for apps that process user profiles that are rich with information, such as networking, social and messaging apps, or apps that process sensitive or financial data.


Security aspects

Information Security plays an important role in achieving privacy goals. In order to protect personal data, it is necessary for businesses to integrate not only a business framework for data privacy, but also techniques and technology that will enhance the data protection and ensure that the data transferred between the different parties is secure and private. Listed below are some of the measures that may be taken to prevent or lower the security threats:

• Anti-Malware: According to the Forbes 2014 report, the Android platform accounts for 97% of mobile malware. It is suggested that mobile apps be downloaded from trusted sources (like the Play Store) only. Furthermore, there are numerous anti-malware products on the market that are used to prevent Trojans or viruses.

• Authentication: Strong authentication on mobile apps could help reduce the threat probability.

• Encryption: Encrypting the data is an important mechanism for preventing eavesdropping and exposure of the personal data.

• Secure Network: Researchers suggest that many applications lack encryption or implement it improperly. It is thus advisable to make use of secured networks when working with mobile apps that deal with personal information, especially in the case of sensitive, financial, or health information.

The upcoming regulation

As mentioned in the previous article, the Commission’s proposal for the General Data Protection Regulation calls for further harmonisation of data protection rules in the EU, ensuring legal certainty for businesses and increasing trust with a consistent and high level of protection of individuals. The proposal introduced the principles of “data minimisation”, “data protection by design”, and “data protection by default” in order to ensure that data protection safeguards are taken into account at the planning stage of procedures and systems.

How will the above-mentioned legal developments affect the usage of mobile apps? Privacy by design as a concept suggests considering privacy in the initial stage of an app’s development. Hence, controllers will need to ensure that all engaged developers have adequately incorporated privacy controls into the app.

Data minimisation relates to the collection, storage and deletion of the data. Mobile apps should only collect personal data if this is necessary for the business objectives. Ideally, they should anonymise the data before processing it further.

The upcoming regulation introduces higher fines: up to 5% of a company’s annual revenue. As law enforcement bodies have already initiated a general scan of mobile apps, achieving compliance has become more critical than ever before.

Angeliki Triantou
Data Privacy Advisor

Swati Manocha
Advisor, EY CertifyPoint

Helena Ursic
Data Privacy Advisor

“Personal data is the currency of today's digital market”
V. Reding, EU MP


Privacy considerations of cloud computing

Organizations are increasingly considering cloud computing as a way to cut operational costs, while improving their business effectiveness. Cloud-based services allow for more flexibility and can significantly reduce the amount of dedicated resources required for IT.

To ensure optimal performance, it is vital to be well aware of what happens to the data that is migrated to the cloud, while simultaneously providing all stakeholders with the confidence that data is safe and secure.

Where is the “cloud”? Which are the responsibilities of stakeholders? How is data protected? Which rules and regulations are applicable? These are a mere few of the questions that must be answered prior to moving to the cloud.

“With the emerging global digital economy and the increasing popularity of cloud computing services, legislation which reinforces trust in the market will be a key driver for business growth.”
European Commission


If an organization determines the purpose of the personal data collected and the means to process the data, it is considered to be the data controller. Such organisations face legal requirements that will not change when moving to the cloud. Data controllers are responsible for ensuring that any entity processing data on their behalf is legally compliant, as well.

As long as the cloud provider processes personal data on behalf of the controller, it is considered to be a data processor. It is obliged to ensure confidentiality and must adopt adequate security measures and assist the controller in ensuring that the data subjects are able to exercise their rights.

Key Considerations

The contract with your cloud service provider should address several important aspects of the cloud service, such as: security measures, availability, integrity, confidentiality, transparency, isolation, location, exercise of the data subjects’ rights, portability, accountability, subcontracting, international transfers and data breaches.

Regulatory Change

The new EU General Data Protection Regulation (please read more about this in the previous two articles) will apply to all companies and cloud providers located in the EU, or that provide services to individuals in the EU.

The proposed text includes clear and direct rules regarding the obligations and liabilities of cloud providers, who will be required to assist the data controllers in ensuring compliance.

Several key considerations are highlighted below:

• Location: All data is stored on the remote servers of the cloud provider. It is important to know where your data and its backup are physically located, as it might cross multiple geographical borders and thereby various legislations. The transfer of personal data to countries outside the EEA is only allowed if specific safeguards are installed, or if the level of data protection legislation in those countries is adequate.

• Multiple processors: Cloud solutions are often comprised of products from multiple providers. Therefore, it is important to know who is going to be involved in the processing of your data and whether they are compliant with security and regulatory requirements.

• Destruction and portability: It is your responsibility to ensure that the personal data handled on your behalf is appropriately erased, anonymized or blocked, when requested or required. Removing data from the cloud is a complex process. For the portability and removal of data, it is vital to understand how it is segregated from the rest and in which format it is stored.

Once you have selected your cloud service provider, you are obliged to continually monitor, review and assess the processing of personal data taking place in the cloud on your behalf.

“The Cloud is Hotel California. You can check out any time you want, but your data never leaves”

Data privacy in the Cloud, ISF, 2013

Emília Golim Fontainhas Data Privacy Advisor

Konstantins Babahodzajevs
Data Privacy Advisor


The upcoming EU regulation on medical devices restates data protection principles

Helena Ursic
Data Privacy Advisor

Pharma and the medical devices (MDs) industry are recognized as two of the most regulated businesses. It therefore comes as no surprise that several stringent regulations apply to the collection and processing of personal data, in the production process and usage of medical devices. This is particularly true for clinical trials/investigations, for instance, where substantial amounts of patient data are collected or where customers’ data are processed as part of marketing activities. Recently, the EU Commission proposed a new regulation on medical devices that includes several important data privacy implications for the manufacturers. The new law is expected to be adopted in 2015.

At the outset, the new Regulation addresses one of the main shortcomings of the current system: its lack of transparency. The new Regulation restates the data protection principles to emphasize that privacy should be guaranteed for users of all medical devices. In its attempt to better address the issue, it emphasizes that all manufactured devices that utilise human tissues or cells should be compatible with the data protection requirements laid down in the existing EU law. In addition, it requires companies to be more attentive to privacy concerns during clinical trials. For instance, before a patient signs a form consenting to participate in a clinical trial, he or she must be provided with a detailed description of the arrangements made to comply with the applicable rules on the protection and confidentiality of personal data. In other words: the way in which the confidentiality of the records is ensured and how security breaches are handled must be clearly communicated.

The proposed MDR is merely one of the EU legal acts that addresses the issue of privacy and medical devices. The existing EU directive on data protection and – to an even greater extent – the proposed EU data protection regulation contain a set of requirements relevant for medical device manufacturers. The EU Commission has additionally proposed the Network and Information Security Directive, which will impose minimal information security requirements and other measures related to the use of personal data.

While the laws related to medical devices or privacy are changing rapidly, the progress remains insufficiently fast to address all technological developments in a timely manner. Article 29 Working Party’s opinions offer several guidelines for the areas in which the current laws lack specific provisions (e.g. privacy dilemmas of medical devices that use the internet of things and the responsibilities of manufacturers).

In line with the (new) privacy requirements described above, below are several concrete actions that MD producers should carefully consider:

• Is your communication with the patients clear and are the data collected in clinical trials secure enough?

• Do all your medical devices respect the requirement of data privacy by default/design? To be compliant, privacy settings on services and products should adhere to the general principles of data protection, such as data minimisation and purpose limitation. The Article 29 Working Party strongly advises conducting regular assessments to ensure appropriate security and privacy of devices.

• (How) is the medical device that you produce used for profiling (monitoring) of patients?

• Does your company produce implantable medical devices? If this is the case, the development and production process should always include a careful and regular consideration of possible privacy risks. With regard to the existing portfolio, it is recommended to perform a thorough scan to check whether there may be any privacy non-compliances.


EY contacts

For more information about data privacy and what we can do to help you, contact our data privacy leads.

Nora Boukadid EMEIA Data Privacy Lead

+31 6 2125 14 47 [email protected]

Thagraj Moodley Africa Data Privacy Lead

+27718958736 [email protected]

Nora Boukadid / Kristof Dewulf BeNe Data Privacy Lead

+31 6 2125 14 47 [email protected]

+32 474 439 011 [email protected]

Nikolay A Samodaev / Evgeny A Kim CIS Data Privacy Lead

+7 985 410 3753 [email protected]

+74 957 059 [email protected]

Panagiotis Papagiannakopoulos CSE Data Privacy Lead

+30 695 7830 [email protected]

Pascal Antonini FraMaLux Data Privacy Lead

+33 6 08 74 64 [email protected]

Christoph Capellaro MENA Data Privacy Lead

+965 9721 [email protected]

Vishal Jain / Terry Thomas India Data Privacy Lead

+91 98201 [email protected]

+91 9880 325000 [email protected]

Matthias Struck GSA Data Privacy Lead

+49 221 2779 20214 [email protected]

Nicola Hermansson UK&I Data Privacy Lead

+44 [email protected]

Manuel Giralt Herrero Mediterranean Data Privacy Lead

+34915727479 [email protected]

Christina Aar Nordics Data Privacy Lead

+47 416 97 915 [email protected]


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

© 2015 Ernst & Young Accountants LLP
All Rights Reserved.

ED none

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global EY organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

ey.com/nl