TRANSCRIPT
Data protection: putting a policy in place and making sure it works
Monday 1 June 2015
Munich, Germany
Ana Mingo
Counsel
BP Legal
Spain
Hannes Saarinen
Privacy Manager
F-Secure Corporation
Finland
Jonathan Armstrong
Partner
Cordery
UK
“PERSONAL DATA”?
Any data on a person and his/her personal characteristics, where these can be linked to him/her or to his/her household with feasible effort.
Would you want to share everything about your life with everyone, everywhere, all the time, forever?
Data privacy to-dos
• Privacy Notice
• Notification/Authorisation
• Data Protection Officer
Data transfer options
• EU Model Terms
• Individual DTAs
• Binding Corporate Rules
• Safe Harbor
Note: consent is less likely to be a viable option
Employees’ data
Fair Processing Statement
• Applicants: websites and forms.
• Employees: employment contracts, Intranet, email.
• It shall accurately reflect how applicants’/employees’ personal information will be used.
Categories of data
• Basic data
• Sensitive data:
  • Racial or ethnic origin, sexual life.
  • Religious beliefs or beliefs of a similar nature.
  • Political opinions or trade union membership (or non-membership).
  • Physical or mental health or conditions.
  • Commission or alleged commission of any offence.
  • Generally only with the employee’s consent.
  • High-level security measures.
Retention
• Personal information shall be kept accurate and up to date.
• Personal information shall be kept only for as long as is really necessary.
Main risk
Data protection is one of the easiest ways for an upset employee to put the company in trouble.
– Applicants who have been unsuccessful in securing a job
– Employees involved in a disciplinary process
– Employees being made redundant or terminated from the company
– Employees who are in dispute with other members of staff
– …
Hot Topics
• Pre-employment vetting
• Internet /email/telephone monitoring and recording
• BYOD
• CCTV in the workplace
• Whistleblowing
FIRST STEPS OF A PRIVACY OFFICER
HANNES SAARINEN
F-SECURE
• PIAs
• Cookie notice
• Transfer agreements
• DPA notification(s)
• Policy (public)
• Policy (internal)
• Security
• New Regulation
• Subcontracting
• Privacy by Design @ R&D
• Train employees
• Management buy-in
COMPLIANCE OFFICER BUSINESS ENABLER
HOW ARE YOU SELLING YOURSELF TO CEO ?
ANATOMY OF A PRIVACY POLICY
• WHY WE COLLECT YOUR DATA
• WHAT WE COLLECT
• WHAT WE DO WITH IT
• WHOM DO WE TRANSFER IT TO
• HOW LONG WE KEEP IT
• DO WE KEEP IT SECURE
• WHAT RIGHTS YOU HAVE AND HOW YOU CAN EXERCISE THOSE
• EXCLUSIONS / OTHER POLICIES
• CHANGES
• CONTACT INFORMATION
WHAT IS RELEVANT FOR ME, THE PRIVACY OFFICER
WHAT IS RELEVANT FOR THE CUSTOMER
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”
WHEN YOU GET BACK TO THE OFFICE…
1. GO FOR A STROLL AND THINK WHY YOU ARE NEEDED
2. TELL THE ANSWER TO YOUR CEO
3. POLISH THE POLICY
4. TAKE YOUR SECURITY OFFICER FOR LUNCH
Data Security - Landscape
• Personal data has a value
• Different political reactions
• Different legal systems worldwide
• Different enforcement even within Europe
• Contrasting approach Europe v. US
• Snowden has changed the game
UK Legislative background
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Example: Bank of Scotland
• Robbie Hastie
• Revealed details of Hibs players’ wages
• Pleaded guilty to DP offence of knowingly or recklessly disclosing information without consent
• £400 fine
• Bank of Scotland co-operated
Example: Big Brother
• €1,081,822 total fine
• €150,250 fine for lack of IS training, policy etc.
• Appeal failed
Example: Staysure
• Holiday insurer hacked
• Hackers obtained credit card details & some medical details – some credit card details used
• ICO investigation found
  – card acquirer found the issue
  – no policy or procedures
  – failed to patch
• Company received monetary penalty of £175,000 in February 2015
• Agreed to take steps to minimize harm e.g. free Experian reports
• Possible class action?
Prevention
Dutch CBP:
“Contingency plan
Every organisation should have a contingency plan indicating exactly what is to happen in the event of an emergency. However, such a plan is useful only if personnel are familiar with it and regular drills have been held to practise its implementation...”
New EU Data Rules
• Proposed Regulation not Directive
• Fines of 2% of global turnover
• Toughened enforcement bodies
• Consent less of an option
• Breach reporting in 24 hours?
New EU Data Rules
• Suppliers outside EU in scope
• Right to be forgotten
• More SARs
The Perfect Storm… More (& Less)
• More…
  • Reliance on 3rd parties, e.g. outsourcing; SaaS; Cloud
  • Cost pressure
  • Regulation and enforcement
  • Geography
  • Social networking
  • Value in stolen data
  • Speed
  • Whistleblowers
  • Chance of getting caught
  • Focus on investigations
  • People trying to re-write history, because they can
  • Rise in class actions?
• Less…
  • Care
  • Compliance and legal resources
  • Attention to contractual terms
  • Vendor accountability
Resources
• Book – www.tinyurl.com/jpa001
• New EU Data Rules – http://bit.ly/1HUHai4
• Right to be forgotten – http://bit.ly/1tB8Osb
• Cordery news – http://bit.ly/1vnFHJm
• Podcasts – www.bit.ly/techlaw10
• Class actions – http://bit.ly/1E8aNcU