20120418 Castlebridge Associates Data Protection and the Cloud, Darragh O'Brien

Date post: 08-May-2015
DATA PROTECTION & THE CLOUD CURRENT STATE AND PROBABLE FUTURE
Transcript
Page 1: 20120418 Castlebridge Associates Data Protection and the Cloud, Darragh O'Brien

DATA PROTECTION & THE CLOUD

CURRENT STATE AND PROBABLE FUTURE

Page 2

Information & Data Quality

In today's interconnected Information Age it is more important than ever for organisations to properly manage the quality of their Information Assets.

• Strategy & Consulting
• Project Management
• Training & Mentoring

Information Governance

In today's Information Age "Everyone is Enterprise", making good Information Governance more important than ever. That often requires challenging changes to be made as people change their thinking about who is responsible and accountable for Information.

• Strategy & Consulting
• Project Management
• Training & Mentoring

Data Protection

Smart organisations realise that compliance with Data Protection rules is a key element in a trusted Information Fuelled business, and it's about more than just securing the data!

• Strategy & Consulting
• Project Management
• Training & Mentoring

Page 3

[Diagram: Castlebridge Associates service overview. Services: Training, Consulting, Coaching/Mentoring, Project Management. Practice areas: Information Quality, Data Protection, Data Governance. Credentials: Quality Assured; Certified Trainers; External QA Audits; Irish State Approved Training Provider; Quality Assured Syllabus; Qualified & Experienced; IQCP Certified; Certified PMs. Industries served: Government, Education, Utilities, Financial Services, Non-Profit, Telco.]

Page 4

CONTACT

Web: www.castlebridge.ie
Twitter: @cbridgeinfo
Email: [email protected]

Contact Daragh directly

Twitter: @daraghobrien
Email: [email protected]

Page 5

AGENDA

• Some Context: Data Protection in the Media (Trends)
• Current Situation
• Selected highlights from the Regulation
• Implications for Cloud

Page 6

THE QUESTION

Is the probability of your data protection problems featuring in the media getting bigger?

Page 7

THE SHORT ANSWER

Page 8

THE LONG ANSWER

Page 9

WHAT WE DID

1. Assume Google search hits as a surrogate for media focus on the issue
2. Select website domains of print-media newspapers in Ireland
3. Select one International print newspaper with a web site
4. Conduct Google searches within the domains of the sites
5. Analyse findings to determine trends (if any)
6. Analyse findings for relevance over time (first 10 results)

Page 10

COMPARING 2010 AND 2011

Growth in hits for Data Protection or Privacy averages 117% between 2010 and 2011.

Page 11

COMPARING 2010 AND 2011

Some newspapers have significantly higher search hit rates than others during that period, but the increase in relevant hits is consistent.

Page 12

SEARCH RESULTS (JANUARY ONLY) 2010-2012

Comparison of search results for January 2010 to January 2012 shows a consistent upward trend in relevant returns.

Page 13

IS THIS A NEW PHENOMENON?

Analysis of search results since 2004 shows a consistent and accelerating upward trend in search results each year.

• Upward inflection point in 2007/2008
• Irish Times results growing faster

Page 14

DOWNLOAD

For more analysis on this topic, download the whitepaper from our website (no registration required, but please leave a comment on the site!)

http://www.castlebridge.ie/blog/daragh-o-brien/2012/february/data-protection-growing-area-media-interest

Page 15

THE CURRENT SITUATION FOR CLOUD/DATA PROTECTION

Page 16

Watch the video tutorial: http://bit.ly/Jkl5Pa

Page 17

THE PROPOSED DIRECTIVE

Page 18

KEY DEVELOPMENTS

• New Rights
• New Duties
• New Penalties
• New Definitions
• New Roles & Concepts

Page 19

RIGHTS

All rights that exist under Directive 95/46/EC continue to exist.

Right to be Forgotten

• Expands on existing rights of correction/erasure/blocking
• Requires deletion of any related links and any shared/distributed copies
• Not an absolute right – will need to be balanced against other rights/responsibilities

Right to Data Portability

• Where data is in a structured and commonly used format, the Data Subject is entitled to a copy of the data for further use (even with another service provider)

The Regulation is very “Data Subject” centric: more rights, more expansive rights. But the basics remain the same.

Page 20

DUTIES

Organisations will need to focus on internal governance and training to ensure compliance, and put in place metrics to evidence this.

“The Controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”

• Documentation of Processing
• Data Security
• Data Protection Impact Assessments
• Meeting requirements of Prior Authorisation or Prior Consultation
• Implement mechanisms to ensure the verification of the effectiveness of these measures

Page 21

DOCUMENTATION

The requirement to register with the DPC is now replaced with a requirement to maintain internal documentation about your processing.

“Each Controller and processor and, if any, the controller’s representative, shall maintain documentation of all processing operations under its responsibility”

• Name and contact details of the Controller/Processor/Representative
• Name and contact details of the Data Protection Officer
• Purposes of processing
• Description of categories of data subjects and categories of personal data being processed
• Details of how controls are being verified

The Commission may define formats for process documentation.

Page 22

DATA PROTECTION OFFICER

Creates a formal role in the management function; independence guaranteed under the Regulation; not limited to 250+ employers.

“The Controller and the processor shall designate a Data Protection Officer in any case where…”

• Processing is carried out by a Public Authority or Body
• OR Processing is carried out by an enterprise with 250+ employees
• OR Core activities of the controller or the processor consist of processing operations which… …require regular and systematic monitoring of data subjects
• Office holder must have expert knowledge of Data Protection law and practices and other professional qualities
• Must be “appropriately” resourced by the organisation

The 250 employee threshold has been criticised – other categories may still require a DPO to be appointed.

Page 23

DATA SECURITY

Security continues to be an important issue. Breach Notification required within 24 hours. Impact on Processors regardless of contract.

“Article 30 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC, extending that obligation to processors, irrespective of the contract with the controller”

• Requirements include MANDATORY Breach Notification.
• Apply to Processors and Controllers equally.
• “Belt and Braces” on contractual provisions re: Security.

Security and Privacy are becoming a source of competitive advantage.

Page 24

CROSS BORDER DATA TRANSFER

It will not matter where your Cloud service is based. If you are based in the EU, selling into the EU, or monitoring the behaviour of people in the EU, EU laws will apply.

“Regulation applies to

• processing of personal data by organisations based in EU
• Processing of personal data by organisations based outside EU
• Offering goods or services to data subjects in the EU
• Conducting monitoring of behaviour
• Where national law of Member State applies under public International Law”

Sets EU Principles as a benchmark for other nations.

Puts focus on protection of the Data Subject.

Page 25

CROSS BORDER DATA TRANSFER

The principles of Cross Border Transfer are largely unchanged. Binding Corporate Rules simplified; some new elements proposed.

“Transfer overseas is permitted when:

• To “Safe Countries” (adequacy decision)
• Appropriate safeguards in CONTRACT (BCR, Standard Contract Clauses)
• Binding Corporate Rules (BCR – process simplified)”

• Similar to existing frameworks
• Binding Corporate Rules process simplified
• Key focus is on SAFEGUARDS and enforceability.

Still not without complexity for Cloud services.

Countries can now be declared UNSAFE.

Page 26

TWEAKED DEFINITION OF “DATA SUBJECT”

The definition of Data Subject will be changing to include additional categories and types of data.

“an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”

The definition is expanded beyond 95/46/EC to include a wider range of data, including location data and on-line identifiers (including Usernames and IP addresses… we assume…).

Doesn’t quite match the A29 Working Group definition… some scope for change.

Page 27

PRIVACY BY DESIGN

Privacy by Design basically requires fundamental quality principles to be applied to Data Protection to PREVENT problems.

“Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

• Requirement is to build quality in.
• Requirement is to ensure quality is managed.
• Recommended practice for all data, mandatory for SENSITIVE Data.

Page 28

PROCESSORS BECOMING CONTROLLERS

Exceeding your contracted duties will strip Processors of any de facto protections they might have availed of as Processors acting under orders.

If you are a Processor who acts outside the terms of your engagement with a Data Controller, you will be treated as a Data Controller.

• Full penalties apply to you.
• Important to have DOCUMENTED contracts outlining the nature of the processing being performed.
• Important to have Change Control.

Page 29

ONE-STOP SHOP

Potentially will simplify things for EU companies. The mechanism for how this will work still has to be clarified.

EU27 Data Protection Authorities will engage in greater co-operation and collaboration.

• Important to know where your “base” is, as that is the DPC you will deal with.
• Customers in other EU countries will deal with you via their national DPA, who will liaise with the Irish DPC.
• Precise mechanism still to be confirmed.

Page 30

PENALTIES

The penalties and enforcement mechanisms are greatly strengthened in the Regulation. Plenty of opportunity to make legal history.

Up to €2million or 5% of Global Turnover

• EU member states may implement further administrative sanctions.
• Potential to be sued in Court by a Data Subject.
• Don’t forget Brand damage.

Mechanisms for application of penalties are still to be fully defined and fleshed out.

Expect to see mechanisms between “slap on wrist” and “sell the house”.

Page 31

IMPLICATIONS FOR CLOUD?

Page 32

M.A.G.G.O.T

• M – Meaning, Measurement, Money
• A – Accountability & Accessibility
• G – Governance
• G – Global Scope & Effect
• O – Oversight & Operations
• T – Transparency

Page 33

TIME SCALES FOR REGULATION?

• Expected to be enacted and implemented 2013 (ish)
• Enforceable 2 years later

24 to 36 Months to make changes in your organisation, your operating model, and with your partners.

Page 34

The Early Bird gets the Worm… …or the M.A.G.G.O.T

Page 35

DARAGH’S PUBLICATIONS

The Data Strategy and Governance Toolkit (2011)

Taking an “Information Quality” perspective, and building on his 2008 publication, this book explores the drivers for Information Quality and Data Governance in modern organisations, regardless of size, as well as exploring the role of Governance and Information Quality in areas such as Cloud Computing and Regulatory Compliance.

O'Brien also takes readers through tools and methodologies for communicating the value of information quality, data governance, and related disciplines such as:

• Defining a Value Deliver System
• Strategy Maps
• Story Telling

Defining and Executing an Effective Data Quality Strategy (2008)

Managing Information and Data Quality requires organisations to take a strategic approach in order to ensure success. This report summarises a number of best practice methodologies for Information/Data Quality Management, key drivers for managing and improving quality of information, and useful approaches for mapping and communicating the strategic importance of high quality information and data in your organisation.

Both published by Ark Group, available on Amazon.

Buy: http://bit.ly/HWKdXD
