Data Protection Regulation

Albin ZuccatoHead of Information Security

Sentor in brief

Businessidea"Protectcompanies

informa0onassetsby

offeringqualifiedITsecurity

services"

Thecompany•  Foundedin1998

•  Selffinancedandvendorindependent

•  Excellentclientandstaffreten?on

•  Widerangeofclientsinvarioussectors

•  Securitycer?fica?ons

•  45+employees

Data Protec/on– is there a business case?

•  AssetProtec?on•  Personaldataisanimportantintangibleasset

•  Businessenabler/preventer•  Privacymaylooseyoumoney

•  Privacymaykillyourproduct

•  …privacymayaKractcustomers

DirectDamage•  Customerloss•  Datacorrup?onorloss•  Restora?ondamage

Recoverycost•  Inves?ga?oncost•  Systemcorrec?oncost

Legaldamage•  Courtcost•  Fines&Penal?es•  Liability

Reputa?ondamage•  Brandvalue•  Marke?ngcost•  Lossofcustomer/business

Timeline •  CommissionpreparedadraSin2012•  Parliamentvotesforgeneralprinciplesoftheregula?on,12.03.2014

•  Councilreachesagreementongeneralapproach,15.6.2015

•  TrialogebetweenEUCommission,EuropeanParliamentandCouncilstarted,24.06.2015

•  Trialogepartneragreedonroadmaptofinalizelealtextduring2015(inconjuc?onwithdataprotec?ondirec?veforlawenforcement),09.10.2015

•  Decisioncanbeinspring2016

4

Safe Harbor invalid

•  EuropeanCourtofJus?cedeclaredSafeHarborinvalid

• Writeacontract(dataprocessingagreement)•  Verifyiftherearegroundfortransfer•  Performanceofcontract•  Importantpublicinterest•  Vitalinterestofthedatasubject

•  Getthedatasubjecttogiveexplicteconsent

The upcoming EU data protec/on regula/on

•  Lawfulnessofprocessing•  Personaldatalistwithprocessingpurpose

•  Datasubjectrights•  Mechanismstoretrieve,provide,correct,beforgoKenandforwardpersonalinforma?on

•  Electronicmeanstocommunicatewithdatasubjects

6

Security

•  Dataprotec?onbydesign•  CommissionandParliamentperceivepseudonymiza?onasasuitabletechnology

•  PrivacyRiskAnalysis•  Internalcontrolandauditproceduresforpersonaldataprocessing•  Documenta?oninfrastructure•  Enhanceincidentmanagementforprivacybreachrepor?ng

8

•  Applicability•  IntheEUandinterna?onallyforEUci?zens

•  FreeServicesareincluded•  Amountofdatasubjects(500)andnotcompanysize

•  Interna?onaliza?onaspects•  Placewheredecisionsaremadecountsforinterna?onalorganiza?on

•  Transfertothirdcountrywillbebasedonthecountrieslegisla?on(safe,neutral,unsafe)

Applicability

Fines, liability and supervision

•  Datasubjecthasarightforcompensa?onfordamagesuffered

•  Es?matessayupto200000SEKperperson

•  Penal?esaccordingtocriminallawmaybedecided

•  Fines•  Warningmechanismwillavailibale•  Finesarecurrentlyasubjectfordiscussion(seenextslide)

•  Supervisionauthori?eshavetoworkinconcert(i.e.decisionsarebindingforall,leadauthorityforcrosscountry…)

Some ques/ons we get

10

Parliamentwantstosee100Mio€or5%

(CommissionandCouncil)Globalannual

turnover

Absencemechanismforrequest,chargeafee

0,5%(or250k€)

informa?onobliga?on,documenta?onorco-controller

1%(or500k€)

mostotheroffences2%

(or1000k€

•  Thelawwillbedecidedin2016andenterintoforce2017

•  Dataprotec?onwillbecomeanissuefortheboard

•  Thereissomeworktodotobecomecompliant

Conclusion

Ques/ons