To the Compliant Hyperconnected Comfort Zone
Policy Challenges: Security, Data Protection & Compliance in IoT
Arthur van der Wees
Managing Director, international law firm Arthur’s Legal; Founder & Chief Executive Officer, Zapplied Platform
Agenda
1. Unleashing DSM, Digital Economy & Society is Not Nice-to-Have
2. How to Unleash? Policy Initiatives & Related Challenges
3. Common Understanding: Back to Basics
4. Ecosystem for IoT & Rule of Law
5. Data Segmentation: Data is Not a Four Letter Word
6. Cybersecurity, Security Breach Notifications & Security by Design
7. Personal Data, Data Relation Flows, GDPR & Privacy by Design
Massive Growth of Productivity Required: Digital is Key
Financial Times:
‘Faced with rapidly ageing populations and slowing employment growth, mature economies need to boost productivity sharply if they are to escape stagnating living standards. To compensate fully for slower employment growth over the coming 50 years, productivity growth would need to be 80% faster than over the past half-century, according to calculations from McKinsey.’
Demographics, Technology, Creativity & Ability to Transform: Social Prosperity or Social Disruption?
65% of kids today will do jobs that haven't been invented yet.
One needs a Set of Catalysts
Invention, idea, technology, competition, peer pressure, hyperconnectivity, commodity prices, never waste a good crisis, chaos, survival, standardization, regulation, reports, boldness, passion, entrepreneurship, et cetera
Risks, Comfort & Trust in the Digital
Policy Making: Pains to Relieve, Gains to Create & Foster
Hyperconnected Digital Global Economy & Digital Single Market Challenges:
For the 80% not yet using paid digital services, insufficient knowledge is the main blocking factor (42%). For the 20% already using paid digital services, the risk of a security breach is the main limiting factor (39%).
Eurostat (EC)
Start with Common Understanding: Definitions
Internet of Things
The dynamic global network infrastructure with self-configuring capabilities based on standard and interoperable communication protocols, where physical and virtual ‘Things’ have identities, physical attributes and virtual personalities, use intelligent interfaces and are seamlessly integrated into the information network.
International Telecommunication Union (ITU-T Y.2060) and The Internet of Things European Research Cluster (IERC)
Ecosystem for Technology & Legal
Ethics & Accountability | Law & Legislation, Official Policies | Standardisation & Certification | Market: Self-regulatory & Contractual | Risk Allocation & Insurance | Technology | Case Law | Human & Society
Data is not a four letter word
EC Cloud Service Level Agreement Standardisation Guidelines
3D approach | Multi-storey of connected data types | Classified data | Sensitive data | Personal data | Derived data | Proprietary data | IPR | Encrypted data, with or without tokenization | Every kind of data needs to be addressed differently.
Data
Data of any form, nature or structure, that can be created, uploaded, inserted in, collected or derived from or with cloud services and/or cloud computing, including without limitation proprietary and non-proprietary data, confidential and non-confidential data, non-personal and personal data, as well as other human-readable or machine-readable data.
Cybersecurity
The average cost of a business data breach increased 23% over the past two years to USD 3.79 million.
Ponemon Institute
92% of devices accessing the web are running on outdated software with known vulnerabilities.
TheRegister.co.uk
60% of SMEs who experience a data breach go out of business within 6 months.
Experian.com
4 Main Categories Service Level Objectives (SLOs)
1. Performance
2. Security
3. Data Management
4. (Personal) Data Protection
EC Personal Data Protection Service Level Objectives (Chapter 6 of the EC SLA Standardisation Guidelines), each marked as within scope or out of scope
Data Breach Notification Tsunami?
Current local breach-notification duties + NIS Directive (2016) + GDPR (2016; applicable from 25 May 2018)
Connected Devices & Tick The Box: Additional Unmanaged Risk
Shadow IT + Shadow Websites + Shadow Cloud + Shadow IoT + … = Pandora’s Box of Data Management
Countdown to the effective date of the GDPR: 25 May 2018
Standards Developers on Privacy by Design: Measures in Normative Standards
Privacy High Level Ecosystem: Main Categories of Stakeholders in Privacy by Design
Supply Side, Engineers
Supply Side, Management
Demand Side: Customers & End-Users
Data Subject
Personal Data (PII), if any (*)
Personal Data Regulation
Privacy in IoT, by Design
Regulators & Data Protection Authorities (DPAs)
7 Phases of the Personal Data Life Cycle
1. Obtain / Collect
2. Create / Derive
3. Use
4. Store
5. Share / Disclose
6. Archive
7. Destroy / Delete
Most PII comes out of Phases 1 & 2, BUT personal data is created & processed in each and every phase.
Example of Data Relation Flows between Personal Data, Actors, Legal Grounds & Purpose
Personal Data: Customer number | Address | Access Data | Behaviour
Legitimate Purpose: Provision of Services | Registration of Customer | Responding to Questions | […] | Improving the Product/Services | Personal Offering or Advert | Information Security
Legal Basis:
A. Informed & Unambiguous Consent
B. Execution of a Contractual Relationship
C. Mandatory Obligation
D. Required for a material reason of the data subject
E. Providing a public task/service
Actors: Actor 1 | Actor 2
First four (4) Steps of Processing Personal Data (Example)
1. Usability
2. Identity / Access
3. Security
4. Personal Data Protection
5. Data Right Management
Privacy-by-Design Life Cycle (*) Repeat
Better leave it to the Monkeys!? Chaos Engineering: Design for Failure
Thank you for your attention!
Arthurslegal.com | @Arthurslegal
ZappliedPlatform.com | @Zapplied
PUSHING THE CUTTING EDGE TO MAINSTREAM, WHILE CREATING NEW CUTTING EDGES
Arthur’s Legal: Arthur’s Legal is a global tech law firm by design. It provides integrated full services, and mainly focuses on local and global private and public organizations that are active as customer, user, vendor, integrator, consultant, legislator or policymaker in the fields of IT, cloud computing, internet of things, data analytics, cybersecurity, robotics, blockchain technology and artificial intelligence.
Global Digital Strategy: The counsels of Arthur’s Legal are legal experts, strategists, technologists, standardization specialists and frequent speakers worldwide, with in-depth experience, and are well-connected in the world of technology, innovation, data, digital, cybersecurity, (personal) data protection, standardization & global business. On these topics, its managing director Arthur van der Wees LLM is an expert advisor to the European Commission as well as to local governments and institutes worldwide.
Cloud Computing, CyberSecurity, Digital Data & Internet of Things: Arthur’s Legal is Co-Chair of the EC’s Alliance for Internet of Things Innovation (AIOTI) WG4 (Policy), Project Leader of the AIOTI WG3 Privacy-by-Design working group, co-author of the EC Cloud SLA Standardisation Guidelines and of Cloud Security Alliance’s Privacy Level Agreement 2.0, and co-contributor to ISO standards such as ISO/IEC 19086. Arthur’s Legal is co-founder of CloudQuadrants on the maturity of cloud offerings, the Cyberchess Institute that landscapes the cybersecurity arena, and the Institute for Next Generation Compliance that promotes the restructuring and automation of compliance and related procurement.
Hyperconnected: Arthur's Legal has a unique 3D-angle & x-by-design approach, connecting vital topics such as usability, security, data management, (personal) data protection and compliance with technology, infrastructure, architecture and the global standardization thereof, with the capability and ability to connect those components in hyperconnected ecosystems much earlier (read: pro-active, preventative) than the traditional policy-making, legal and compliance practice does. For upcoming events, keynotes and other activities, please check out the website and stay up to date via its social media channels.