Page 1

To the Compliant Hyperconnected Comfort Zone

Policy Challenges: Security, Data Protection & Compliance in IoT

Arthur van der Wees

Managing Director international law firm Arthur’s LegalFounder & Chief Executive Officer Zapplied Platform

Page 2

Agenda

1. Unleashing DSM, Digital Economy & Society is Not Nice-to-Have

2. How to Unleash? Policy Initiatives & Related Challenges

3. Common Understanding: Back to Basics

4. Ecosystem for IoT & Rule of Law

5. Data Segmentation: Data is Not a Four Letter Word

6. Cybersecurity, Security Breach Notifications & Security by Design

7. Personal Data, Data Relation Flows, GDPR & Privacy by Design

Page 3

Massive Growth of Productivity Required: Digital is Key

Financial Times

‘Faced with rapidly ageing populations and slowing employment growth, mature economies need to boost productivity sharply if they are to escape stagnating living standards. To compensate fully to slower employment growth over the coming 50 years, productivity growth would need to be 80% faster than over the past half-century, according to calculations from McKinsey.’

Page 4

Demographics, Technology, Creativity & Ability to Transform: Social Prosperity or Social Disruption?

65% OF KIDS TODAY WILL DO JOBS THAT HAVEN'T BEEN INVENTED YET

Page 5

Page 6

One needs a Set of Catalysts

Invention, idea, technology, competition, peer pressure, hyperconnectivity, commodity prices, never waste a good crisis, chaos, survival, standardization, regulation, reports, boldness, passion, entrepreneurship, et cetera

Page 7

Risks, Comfort & Trust in the Digital

Policy Making: Pains to Relieve, Gains to Create & Foster

Hyperconnected Digital Global Economy & Digital Single Market Challenges:

For the 80% not yet using paid digital services, insufficient knowledge is the main blocking factor (42%). For the 20% using paid digital services, the risk of a security breach is the main limiting factor (39%).

Eurostat (EC)

Page 8

Start with Common Understanding: Definitions

Internet of Things

The dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols, where physical and virtual ‘Things’ have identities, physical attributes and virtual personalities, use intelligent interfaces, and are seamlessly integrated into the information network.

International Telecommunication Union (ITU-T Y.2060) and the Internet of Things European Research Cluster (IERC)

Page 9

Ecosystem for Technology & Legal

Ethics & Accountability

Law & Legislation, Official Policies

Standardisation & Certification

Market Self-regulatory & Contractual

Risk Allocation & Insurance

Technology

Case Law

Human & Society

Page 10

Data is not a four letter word

EC Cloud Service Level Agreement Standardisation Guidelines

3D approach | Multi-story of connected data types | Classified data | Sensitive data | Personal data | Derived data | Proprietary data | IPR | Encrypted data, with or without Tokenization | Every kind of data needs to be addressed differently.

Data

Data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing, including without limitation proprietary and non-proprietary data, confidential and non-confidential data, non-personal and personal data, as well as other human readable or machine readable data.

Page 11

Cybersecurity

The average cost of a business data breach increased 23% over the past two years to USD 3.79 million.

Ponemon Institute

92% of devices accessing the web are running on outdated software with known vulnerabilities.

TheRegister.co.uk

60% of SMEs who experience a data breach go out of business within 6 months.

Experian.com

Page 12

4 Main Categories of Service Level Objectives (SLOs)

1. Performance

2. Security

3. Data Management

4. (Personal) Data Protection

Within Scope / Out of Scope

Page 13

EC Personal Data Protection Service Objectives (Chapter 6, EC SLA Standardisation Guidelines)

Page 14

Data Breach Notification Tsunami?

Current Local + NIS Directive (May 2016) + GDPR (May 2016)

Page 15

Connected Devices & Tick The Box: Additional Unmanaged Risk

Shadow IT + Shadow Websites + Shadow Cloud + Shadow IoT = Pandora’s Box of Data Management

Page 16

to Effective Date GDPR

25 May 2018

Page 17

Privacy High Level Ecosystem: Main Categories of Stakeholders in Privacy by Design

Standards Developers on Privacy by Design Measures in Normative Standards

Supply Side, Engineers

Supply Side, Management

Demand Side: Customers & End-Users

Data Subject

Personal Data (PII), if any (*)

Personal Data Regulation

Privacy in IoT, by Design

Regulators & Data Protection Authorities (DPAs)

Page 18

7 Phases of the Personal Data Life Cycle

1. Obtain / Collect

2. Create / Derive

3. Use

4. Store

5. Share / Disclose

6. Archive

7. Destroy / Delete

Most PII comes out of Phase 1 & 2, BUT Personal Data is created & processed in any and each phase.

Page 19

Example of Data Relation Flows between Personal Data, Actors, Legal Grounds & Purpose

First four (4) Steps of Processing Personal Data (Example)

Personal Data: Customer number; Address; Access Data; Behaviour

Legitimate Purpose: Provision of Services; Registration of Customer; Responding to Questions; […]; Improving the Product/Services; Personal Offering or Advert; Information Security

Legal Basis:

A. Informed & Unambiguous Consent

B. Execution of a Contractual Relationship

C. Mandatory Obligation

D. Required per material reason data subject

E. Providing a public task/service

Actors: Actor 1; Actor 2

Page 20

Privacy-by-Design Life Cycle

1. Usability

2. Identity / Access

3. Security

4. Personal Data Protection

5. Data Right Management

*) Repeat

Page 21

Better leave it to the Monkeys!? Chaos Engineering: Design for Failure

Page 22

Thank you for your attention!

Arthurslegal.com @Arthurslegal

ZappliedPlatform.com @Zapplied

Page 23

PUSHING THE CUTTING EDGE TO MAINSTREAM, WHILE CREATING NEW CUTTING EDGES

Arthur’s Legal: Arthur’s Legal is a global tech law firm by design. It provides integrated full services, and mainly focuses on local and global private and public organizations that are active as customer, user, vendor, integrator, consultant, legislator or policymaker in the fields of IT, cloud computing, internet of things, data analytics, cybersecurity, robotics, blockchain technology and artificial intelligence.

Global Digital Strategy: The counsels of Arthur’s Legal are legal experts, strategists, technologists, standardization specialists and frequent speakers worldwide, with in-depth experience, and are well-connected in the world of technology, innovation, data, digital, cybersecurity, (personal) data protection, standardization & global business. On these topics, its managing director Arthur van der Wees LLM is expert advisor to the European Commission as well as local governments and institutes worldwide.

Cloud Computing, CyberSecurity, Digital Data & Internet of Things: Arthur’s Legal is Co-Chair of the EC’s Alliance for IoT Innovation (AIOTI) WG4 (Policy), Project Leader of the AIOTI WG3 Privacy-by-Design working group, co-author of the EC Cloud SLA Standardisation Guidelines and Cloud Security Alliance’s Privacy Level Agreement 2.0, and co-contributor to ISO standards such as ISO/IEC 19086. Arthur’s Legal is co-founder of CloudQuadrants on the maturity of cloud offerings, the Cyberchess Institute that landscapes the cybersecurity arena, and the Institute for Next Generation Compliance that promotes the restructuring and automation of compliance and related procurement.

Hyperconnected: Arthur's Legal has a unique 3D-angle & x-by-design approach, connecting vital topics such as usability, security, data management, (personal) data protection and compliance with technology, infrastructure, architecture and global standardization thereof, with the capability and ability to connect those components in hyperconnected ecosystems much earlier (read: pro-active, preventative) than the traditional policy-making, legal and compliance practice does. For upcoming events, keynotes and other activities, please check out the website and stay up to date via its social media channels.