2015 Albin Zuccato - Sentor's breakfast seminar on data protection
Transcript of 2015 Albin Zuccato - Sentor's breakfast seminar on data protection
Data Protection Regulation
Albin Zuccato, Head of Information Security
Sentor in brief
Business idea: "Protect companies' information assets by offering qualified IT security services"
The company
• Founded in 1998
• Self financed and vendor independent
• Excellent client and staff retention
• Wide range of clients in various sectors
• Security certifications
• 45+ employees
Data Protection – is there a business case?
• Asset protection
  • Personal data is an important intangible asset
• Business enabler/preventer
  • Privacy may lose you money
  • Privacy may kill your product
  • … privacy may attract customers
Direct damage
• Customer loss
• Data corruption or loss
• Restoration damage
Recovery cost
• Investigation cost
• System correction cost
Legal damage
• Court cost
• Fines & penalties
• Liability
Reputation damage
• Brand value
• Marketing cost
• Loss of customer/business
Timeline
• Commission prepared a draft in 2012
• Parliament votes for general principles of the regulation, 12.03.2014
• Council reaches agreement on general approach, 15.6.2015
• Trialogue between EU Commission, European Parliament and Council started, 24.06.2015
• Trialogue partners agreed on roadmap to finalize legal text during 2015 (in conjunction with data protection directive for law enforcement), 09.10.2015
• Decision can be in spring 2016
Safe Harbor invalid
• European Court of Justice declared Safe Harbor invalid
• Write a contract (data processing agreement)
• Verify if there are grounds for transfer
  • Performance of contract
  • Important public interest
  • Vital interest of the data subject
• Get the data subject to give explicit consent
The upcoming EU data protection regulation
• Lawfulness of processing
  • Personal data list with processing purpose
• Data subject rights
  • Mechanisms to retrieve, provide, correct, be forgotten and forward personal information
  • Electronic means to communicate with data subjects
Security
• Data protection by design
  • Commission and Parliament perceive pseudonymization as a suitable technology
• Privacy risk analysis
• Internal control and audit procedures for personal data processing
• Documentation infrastructure
• Enhance incident management for privacy breach reporting
Applicability
• Applicability
  • In the EU and internationally for EU citizens
  • Free services are included
  • Amount of data subjects (500) and not company size
• Internationalization aspects
  • Place where decisions are made counts for international organization
  • Transfer to third country will be based on the country's legislation (safe, neutral, unsafe)
Fines, liability and supervision
• Data subject has a right to compensation for damage suffered
  • Estimates say up to 200 000 SEK per person
• Penalties according to criminal law may be decided
• Fines
  • Warning mechanism will be available
  • Fines are currently a subject for discussion (see next slide)
• Supervision authorities have to work in concert (i.e. decisions are binding for all, lead authority for cross-country …)
Some ques/ons we get
Parliament wants to see 100 Mio € or 5%
Commission and Council: global annual turnover
• Absence of mechanism for request, charge a fee: 0,5% (or 250 k€)
• Information obligation, documentation or co-controller: 1% (or 500 k€)
• Most other offences: 2% (or 1000 k€)
Conclusion
• The law will be decided in 2016 and enter into force 2017
• Data protection will become an issue for the board
• There is some work to do to become compliant
Questions