Data Privacy Trends in 2021: Compliance with New Regulations

Captions
Greetings everyone, and welcome to our exclusive Global Leading Voices webinar campaign. We are delighted to have you join us here today. Please be informed that if you have any questions during the presentation, you may type them into the question box in your control panel; the presenter will answer your questions at the end of the presentation accordingly. Now, without further ado, we will turn the time over to our presenter, who will begin shortly.

Good morning everyone, welcome to the latest PECB webinar. Today's topic is data privacy trends in 2021 and compliance with new, modifying and emerging regulations. I'm very happy to be speaking today with Peter Guillen as well, and I'll just let Peter introduce himself first.

Thanks, Tony. Right, well, we've been presenting a few interesting privacy sessions, and with the suggestion of adding a more global approach, I think this one is a perfect add-on: with Tony's knowledge, to dive into the global impact of privacy legislation. I will take care of the European side and Tony will share some quite interesting insights on the US and Canadian parts of the story. So there we go, Tony, it's yours.

Thank you, Peter. I've done a few other webinars for PECB, and this one certainly strikes close to home right now. We see a lot of interesting events and activities going on on the privacy side of things, and we'll be talking through some of that information today with all of you. I have a background in privacy and cybersecurity as well, and have worked in IT of course over the years, so this topic is of great interest to me as well. So for today we're looking to talk about data privacy and data protection generally. We'll do a brief definition sharing, because it's always good to have a baseline; we'll talk about the current status in these areas globally and some new and updated privacy legislations. There's so much happening right now globally in privacy and data protection that it's amazing, but it's all good. Lots to watch out for, though,
with regards to your organization and remaining compliant, of course. We'll look at some commonalities between the legislations and impacts of the various current, emerging and modifying legislations globally, look at some trends as well, and have a Q&A session at the end. So Peter, do you want to have any opening remarks on your side?

Yeah, as we have been doing over the last year also with the privacy and the information security sessions, we are taking care of the Q&A as well. Talking about this, and certainly with Tony on my side, it is pretty difficult to compress everything into a one-hour session. You will see that we are recording the session; you will get access also via SlideShare to the presentation deck, but there is more to it, and we'll take care of that by answering all the questions as much as possible. The first ones will be answered within the time frame, but if there are other questions we'll take care of answering them offline and posting the questions. So we published a collateral page, and you will see in the next few slides that we have also published the background. As soon as the session recording is available, including the slide deck, we'll make sure that we link to these pages and the Q&A. Also very important: Tony will talk about quite some legislations on the American continent, the large continent, including Mexico, Canada and the US side. There's a lot of things to do and to investigate, so we will take care also of publishing this link so you can start digging into it later on, and that's exactly what will be available on the next slide. So go ahead, Tony.

Thanks, Peter, great summary. So here's some of the information that Peter was referring to for finding past webinar information on the PECB website, and then also finding information on Q&A, collaterals and so on. Peter has put extra effort in here to make this information
available to everyone attending today. The presentation recording will be at PECB's website under past webinars. You may have also seen some content that is shared on LinkedIn and on YouTube as well, and then there's some reference information and Q&A for this session as well in a specific location on LinkedIn, which you can find under Peter's well-orchestrated link here. Anything else on that one, Peter?

No, we can start. I think we've got a lot of content, so we can fire up.

Great. So we have a short definition, and this one is one that's commonly available through Wikipedia. I've highlighted key terms within this definition: collection and dissemination of data, technology, and then of course a relationship between those actions of collection and dissemination and the public expectation of privacy, which includes the legal and political issues surrounding this. I think we're all very much aware of this, and I know Peter can speak to this as well, that privacy legislation affects business, it affects legal processes, it affects individuals. It has a very penetrating effect in the world today, and it's increasing, as we'll talk about through this presentation. There is a little bit missing from this definition, but we'll talk about that as we go through the next couple of slides. Peter?

It's quite important to understand that, depending on the region, or even the country, or even the provinces within a country, you understand what privacy or data privacy or data protection is, and certainly on the GDPR side. Now looking at the European part of that: GDPR is not referring to privacy as such. GDPR, as the General Data Protection Regulation, is actually talking about the protection of your personal data, and literally your personal attributes: of course first name, last name, address data, but even including email addresses. That's a very important interpretation, because, for example, as we will talk about later on, if you look
at the other side of the ocean, on the US and the Canadian side, PII, personally identifiable information, might be interpreted slightly differently, and certainly for privacy. What you will see, for example, is that in the European context privacy is rather considered as your personal space, and what you will see also in the next slide is that privacy in that perspective is considered as the right to do what you want, or in some contexts you will see it as the right to be left alone. That's quite important, because it interprets some of the legislation differently. So if you get into that kind of space, or from a professional perspective you need to take care of different legislations, be aware of this perspective. At the end of the presentation today we will discover some hot topics, for example Clubhouse, which has been very active over the last few days, where the mix of privacy and personal data comes very close together. So there's a very thin line between both of them, or in some cases the thin line is gone. That's very important to know, and this is exactly what we want to point out here: make sure you understand what data privacy is, what privacy is and what data protection is.

Right, good. Yeah, very good point. In North America there's a huge distinction between personal health information and personal data, for example. In addition to that, we're seeing changes in legislation, which we'll talk about, on this side of the ocean, where we're seeing things like email addresses now becoming part of that personal data definition, especially in places like New York and California, and we'll see examples of that, with some overlap happening on that definition.

Yeah, this is exactly what I mentioned. There's also one important thing: if you look into GDPR itself, we will discover later on that GDPR is not isolated to the European section or European region or
geography, actually, to be honest. But also important, it does make a reference to another part of legislation, which is the e-communications directive, and I will explain later on what exactly the difference is. But first of all, GDPR is not standalone: it impacts other interpretations or other activities, like professional activity, services, direct marketing, and also e-communications, including email, if you send email to customers or prospects. So there's a very tight link between the GDPR and other privacy regulations, but also internationally, and that's the importance of this session. I think for the next slide Tony gives a very good overview, and this is also very important to see, that there is a lot of legislation. I think Tony can explain a bit what you need to look at. A very nice slide, by the way; you will also see in the publication of the slide deck that there are some interesting links so you can consult this information. We have provided the link later on so you can access it.

Yeah, this is from the UN Conference on Trade and Development, on their website. It isn't 100% up to date, and it's difficult to maintain any compendium of information like this with regards to legislation globally. I would say that it focuses mostly, and rightly so I guess, on trade- and development-relevant kinds of legislation, and there are lots of others that affect privacy legislation, which you can stumble across in your daily work, even as an organization operating globally, that aren't covered in sites like this. So, as Peter alluded to, we have other links available, and what you really need to do is take a link like this one from the UN and cross-reference it against other information sources to get a complete picture of privacy legislations globally. I have a client here in my part of Canada, actually on the east coast of Canada, that has customers who live in the Middle East, who live in Europe, who live in Asia, a couple of clients
in Russia, clients in the US and clients in South America. They're a small insurance company, but their clients live in those other locations. Their clients provide personal contact information and other corporate information to this insurance company, and they store it here in Canada. When I did a privacy impact assessment for them, of course this map was very relevant, because it included a lot of legislations that they had to be abiding by when handling their clients' information. As you can see on the map, 60% of countries are estimated by the UN to have legislation. When you look at that, though, some of that legislation is already being rebuilt or reinvented or augmented with stronger measures or better language in the content of the legislation, so it's very much an evolving landscape when it comes to privacy legislations globally. 10% of countries have draft legislation, 19% have none, and then 5% of countries have no data provided. It doesn't mean they don't have legislation or they're not working on it; it just means nothing was provided as yet in this survey by the UN. This is an interactive map: when you go to this website you can actually select regions, you can select a specific country, you can drill down on legislation groupings. It's quite well done as far as data collection goes.

It's quite important to know that, if you interpret this map and you understand why privacy or data protection law is there, actually it's about finding the right balance between doing business and protecting your data. So in many cases, and that's literally also mentioned for example in GDPR, this legislation or regulation is actually there to protect the business and to enable businesses to do their jobs. So while many people will feel or will sense that data protection or privacy laws will implement some regulations and limitations, the purpose of it actually is to enable these transfers of data. And it's quite important to
know that, certainly in the current era of the internet, while we have been experiencing the freedom of the internet for more than a decade now, also now with the internet and the free flow of data, you will not have privacy or you will not have data protection without cybersecurity. Right? You can have it the other way around: you can have cybersecurity, which means a safe company, safe internet, safe infrastructure, without the need for data protection. Many companies struggle with that interpretation, because they think about cybersecurity as protecting their company, but this is exactly also one of the things you need to look into with GDPR: the slightest chance that you are actually treating personal data, you need to have a look at this legislation. It's exactly as Tony mentioned on the previous slide: it's quite difficult to make that swap, or to make that shift, into data protection and privacy protection. We will see later on there's a bit more impact, because legislation is also moving very fast in that sense. We will explain also what Europe is planning to do, or what will actually be happening in the next few weeks if not months for 2021, and also on the other side of the ocean, in the US and the Canadian part, there's a lot of things moving. We will quickly touch on the previous session, for example CMMC, the Cybersecurity Maturity Model Certification. So there's a lot of things moving in the era of cybersecurity, so you cannot decouple or disconnect privacy and data protection from cybersecurity. Be aware of that one. That means that you not only need to look at the privacy and data protection regulation, but also have a look at cybersecurity regulations, and sometimes also you need to plan for certification, in some cases. For example, if you want to work with the US government, you probably will be forced into some level of mandatory security.

Absolutely right, absolutely right.
So, privacy and data protection versus enterprise security. Do you want to talk about this one too, Peter?

Yes, this is exactly what I mentioned: a lot of companies think that they need to protect themselves, and it's correct, meaning you're talking about finance, operations, products, services. But simply by the fact that in many of these cases it's about people, or at least people as a contact, that are involved in this kind of operations, you're almost dragged into it, so that you also need to think about privacy and data protection. I just saw last week, for example in Belgium, that a lot of small enterprises still have that mindset of enterprise security, meaning protecting the company, and they still struggle to fit in the story, or fit in the protection, for privacy and data protection. While we see that lots of large enterprises, certainly those operating on a global scale, do have cookie protection, do have a cookie platform, do have data protection and privacy, it's not always the case. That's where you need to make sure that you understand what the difference is in privacy and data protection. As we explained also in the previous sessions, and this is exactly the link with the series of webinars we did with PECB, you will see for example that enterprise security is rather referred to as ISO 27001, so information security protection. It's not mentioning people's data, it's not mentioning sensitive data, while the new ISO standard, ISO 27701, which is also called PIMS, is exactly matching both of these worlds, to make sure that you don't make any mistakes, or at least you know how to handle this. This will require you to implement some additional functionality and features, like for example a register, or an incident or data breach management system. So it's quite important to know the differences and where exactly your obligations are set for this one. Also very important: it's not because you do not handle personal or sensitive data
that the impact is less. We have seen quite some data breaches, also with ransomware, where a lot of these victims have seen that their data were actually published on the internet, and some of them were actually the end of the business. So be aware that even if you leak or lose enterprise data, the impact for the company is as bad as leaking personal data. The only small difference, as we will explain also in the next slides, is that if you leak personal data, the subjects, the persons that are impacted by this, can go to court or can contact your data protection authority and claim fees and so on. So there's a lot of impact on that one, and that's exactly also the proposition of Tony which we will discuss later on: what is the impact of these data breaches? We will see in the news there are some quite interesting websites where you can see the effect of the fees and so on, and also the fines that are very prominently available, and that this kind of data leak will impact your company heavily.

Right. All right, so we're going to talk through some examples now. I do, of course, a lot of work on this side of the ocean, but also for customers, as I've mentioned, that have impacts from privacy legislations globally. In North America, in Canada specifically, we have a federal act, federal legislation, called PIPEDA, the Personal Information Protection and Electronic Documents Act, which is getting updated as we speak. There's new legislation being run through our parliament, and that legislation is going to update this and add a lot more teeth and a lot more specific controls and specific guidance to the protection of personal or private data. The one thing that this act focuses on, though, is personal or personally identifiable information, as opposed to personal health information. In Canada, as is the case in a lot of countries, there are separate provincial governments that run provinces like Ontario and Quebec and Nova Scotia, and
these provincial governments have jurisdiction over any acts or laws within the boundaries of their province. They're part of Canada, so this national federal act on privacy is augmented by provincial acts and legislations. Typically what will happen is a province will take this federal act and interpret it and write a provincial version of it. In many cases, though, they also add a second set of laws or legislation that govern specifics around personal health information, so any of your health data from care providers, hospitals, doctors, whatever entity might collect or maintain your personal health information. There are similar principles in PIPEDA that we also see in things like GDPR and other privacy acts and legislation globally, like the right to access your information, the right to correct it, the right to be informed of its collection, use and purpose, all those things, and the right to opt in and opt out. The place where this act kind of wasn't strong enough was on enforcement and on managing the private sector. It is dedicated to the private sector in its definition, but really in its application this act is more focused, I would say, on larger organizations or federal government. It does specifically state you have to appropriately protect personal information, and at the bottom, as you can see, there is a focus as well, with the application of this act, with regards to cross-border flow of data. Within each province as well, each province with its own privacy legislation has specific statements, in almost every province, around that movement of data outside of the province, and that it has to be controlled, managed, disclosed. It's especially sensitive when it comes to moving across international borders, even to the US. Fines for non-compliance can be up to CAD 100,000 under this act, plus they do publish when there are violations or data breaches of the act. Canada also has dedicated anti-spam legislation. This
one is a bit stiffer on the violation side: a CAD 1 million fine per violation. So if you're an organization and you've had 10 violations that day, there's 10 million dollars that you could be paying at a maximum, so it has a hefty price tag on it when you violate it. You have to include within your emails, or your mechanism for contacting clients, an unsubscribe option each time. Even today, even though this CASL law has been in place for a little over six years now, I've seen clients who send out emails to their customers thinking they're allowed to, but without any unsubscribe mechanism and without following CASL guidance, and they run a huge risk there, of course, if one person decides to complain. Complaints under these laws are typically funnelled up through the Privacy Commissioner's office in Ottawa, or you could be funnelling your complaints to a provincial version of that Privacy Commissioner's office; each province maintains their own privacy commissioner as well. This is Canada's breakdown by province and territory, so you can see there's lots of opportunity for interpretation of privacy laws and the handling of personal information. I'm sorry, that went back. In some cases as well with these privacy laws, the province may decide that the federal law isn't strong enough and they may augment it quite a bit. Quebec is an example, as well as British Columbia, where the privacy laws are more stringent. For places like the province of Nova Scotia, on the far east coast of Canada, their focus is really around not just personal information but also health information and its movement; they're very, very focused on the movement of data. Apologies, my slideshow is jumping. There we go. So in Canada for sure, as in a lot of locations globally, it's always good to be familiar not just with federal acts and legislations but also with regional or jurisdictional acts and legislations as well. The USA has some federal
guidance as well. They focus on the Electronic Signatures in Global and National Commerce Act, which enables the use of electronic validation of actual forms or e-data. They also focus on a federal level of control or management of personal health information: HIPAA is a very robust set of laws that is applied across the US and protects your health information, and it carries some seemingly small penalties; however, as has been reported many, many times, HIPAA violations are typically in the thousands or tens of thousands of records at one time, and you would be paying a minimum of USD 100 up to USD 50,000 per record violation if you had a breach or a ransomware attack or any kind of unauthorized disclosure of personal health information or personal health records. Just like Canada, the USA also has individual privacy controls and acts and legislations by state. A couple of examples here, and this is only two we've talked about in previous presentations briefly, but the California one was just updated, I think it was three months ago. They updated it and it's more robust now, but the penalties are quite hefty for violating it. The thing with the consumer privacy act in California is that it tells you you have to apply appropriate measures and appropriate privacy programs within your organization, so there's a bit of leeway for interpretation. It's always recommended you err on the side of extreme caution when you're doing business in California with regards to any kind of personal or private information you might handle, and go the extra mile to make your privacy program and your privacy processes very robust, so that it can't be interpreted as not enough effort having been put into protecting the data. But the penalty, as you notice in California: this particular law applies to people or organizations that have gross revenues in excess of USD 25 million, or if they have 50,000 or more personal records for people who reside in California, or they earn one half or
more of their revenue from selling personal information. So there are three different ways you can have this act applied to you. Again, you have to really pay attention to the acts if you're going to do business in California: make sure you understand if this act applies to you and, if it does, how you're going to address it to avoid penalties. The New York SHIELD Act as well is a similar measure of protection for consumers in New York State, and New York State, just like California, has made it clear that they don't care where your company is based out of. You can be based out of Brazil, you can be based out of London, UK, it doesn't matter; this law is going to apply to you if you're collecting any personal information for residents of those states. In Central and South America, Mexico has a federal law; Chile has a law as well, and Chile's is being updated; Brazil has a federal-level law and it's being updated as well, and its enforcement won't begin until August of this year, which is good to know. It's good that they've gotten to this stage, and hopefully nothing else will slow this one down, because this is actually very similar to GDPR. They're looking for specifics to be in place in each organization, and they do have a history of enforcement with regards to privacy that you can actually look up through a few websites, so they have experience applying it. There are other countries in Central and South America that have either implemented privacy laws or acts, have them in draft form, or are in progress, but there are a few locations that are kind of surprising that don't have anything. Some locations in the Caribbean and South America and Central America have no privacy laws at all. One that always jumps out at me is Puerto Rico, since it is a part of the United States; it's not a state on its own, but it is a part of the United States and it's protected like other states, but it has no privacy laws at all.

And that's a very interesting story, Tony, because that's exactly
the point. What we have seen in the last few years is that, driven by these driving companies or regions, US, Canada and Europe, we see actually a lot of synchronization of these privacy laws. For the reason of experience we have been focusing on the main regions, US, Canada and Europe, to discuss this interpretation of privacy and data protection laws, but we see in other regions also, in APEC, lots of things moving, and lots of these new laws or updates are learning from each other, or taking part of the interpretations and reassembling them to be applicable also in those regions. So it's very important to know that lots of things are moving. I just realized that we actually have forgotten one link between the previous slide and this one, which is the implementation of the agreements between Canada, the US and Europe. Just a few weeks or months ago we had quite an interesting case, which is now called Schrems II, that actually attacked the data transfer between the US and Europe, which is called the Privacy Shield and was preceded by Safe Harbor, also known as the Facebook case. We did not include it yet in this slide deck, but I will add it also to the collaterals page, because a lot of things have been moving in that sense. There is a principle that is called adequacy decisions in Europe that actually allows you to transfer your data to other regions if there is an agreement, and there has been one for a long time between the US and Europe. Due to the Schrems case, actually, these Safe Harbor and Privacy Shield decisions have been attacked and decided as not valid anymore, which has quite a large impact on companies and how they adapt themselves and apply the rules in that sense, which is not always easy. As Tony mentioned, it's moving very fast in that sense. Before we go into the European side, I wanted to explain a bit about the way that Europe handles these
legislations. There are two main distinctions, actually, in the laws and the application of the laws. First of all is the regulation: for example, GDPR is a regulation, and actually is a European law which applies to all member states. Still, the member states do have the authority to adapt that law, or to add laws in their own national region for that one, but by default it's implemented. One of the typical examples I can provide to you is the interpretation of youth: what age is considered applicable for considering a person as not a youth anymore, when they can make their own decision, or when there must be a parental decision, for example. So the age of 13 can be decided differently for some reasons. There are also some articles in the GDPR that allow the countries, for example, to take different decisions, for example on how GDPR applies to the government itself. By default, for example, GDPR says, well, dear government, fines do not apply to governmental organizations, but you can decide how to do so. For example, in Belgium there is no fine that is applied to the government itself, and that means actually there are some different ways if you have a data breach, for example: the government cannot fine itself in that sense, and that means also there are some other techniques, if you are a victim of these data breaches as a subject, you need to take different routes to get refunds or to get your payment back as a subject. The second way that you can decide on legislation is called the directive, and this is very important to know, because for example, as also explained a few slides back, in Canada you have that legislation on e-communications. That exists also in Europe, which is called the e-Privacy, but that's a directive. So how you handle spam, how you handle e-communications in the European area is a
directive. That means that actually it's guidance at the European level, but the EU countries, so the member states, must adopt legislation to make it applicable to the state, and that means also that there is lots more availability or flexibility for the countries in how to interpret this legislation in that sense. That's exactly also one of the things that you will see popping up in the discussions: how to tune that for national legislation. So you can go to the next slide, Tony. Again, GDPR is about data protection: your attributes, your name, your first name, last name, email address. So it's not about privacy. While lots of articles will mention GDPR as privacy legislation, by the letter of the law it's not. It's not deciding what you can do or cannot do at home and so on; the decisions you make about what to do at home, if you're free and you want to move around, it's not deciding that one. It's literally only discussing the data protection of your attributes, and how actually companies, or other data controllers as defined in GDPR, are handling your data. As mentioned, it's a regulation, so it's a law at the European level. There's not a lot of flexibility for the companies and the member states to implement it; they can tune a bit, depending on how they work. Second thing, very important also: the GDPR goes together with other legislation, and we will discuss that later on. So you can take us to the next slide, Tony. Then we have a few legislations that are actually next to the GDPR: e-communications and e-commerce is a very important one, and the e-Privacy directive, which is now in review and has already suffered from a lengthy discussion, but they go together with GDPR. That's exactly what the European Commission and the European Parliament are discussing right now: how to fit that e-Privacy directive together with GDPR, to make sure actually that the regulations and the decisions in both legislations
are matched together so for example e-privacy is all about e-communications and and you have seen uh tony discussing this also in the us and the canadian side is exactly the same thing also in europe how do you handle this this data and how do you uh do direct marketing and and commerce actually on electronic way is exactly the same discussion so there's no surprise in that sense that uh europe is having the same issues and discussions as what the us and canada is is doing but also very important if you uh move on to the next few slides tony there's all the legislation on and this one it's very important to know that we also have some other directives and legislations coming up the existing directive is nis is actually a directive which protects from a cyber security point of view public and critical infrastructure critical infrastructure meaning waterways electricity provision rope road traffic control making sure that all the critical infrastructure which we all need actually to to make our life is protected from cyber attacks um already since the fewer years available which required also the member states to implement local legislation now uh nis version 2 is coming up so with the lessons learned probably next year or next two years probably there will be a new versions on that one coming up and it's all about cyber security as i mentioned before in the presentation cyber security and privacy and data protection cannot be uh unlinked so it's very important too to know the impact on that one another one has got an active of will be active this year is called the cyber act and that's actually a sort of twin of the gdpr is a regulation which will decide actually on the certification level of products services and people actually to um to support actually then is in this case and you you will see that very likely the same way as that america or us is handling the cyber certification which we discussed in previous session with the cmmsc the cyber act will do the same 
thing and the point here is that lots of national governments will use that cyber act to make sure that the products they buy or the the people they work with or the platforms they work with will have a minimum security level um specifically cyber security in this case so um the cyber act will will make a change also on that one how we will look at in the near future to security and more specifically cyber security and as mentioned we will also see that there is some impact also in data protection in that sense good you can go to the next titanium so some changes coming up and uh i guess to knit back to something that peter mentioned as well in north america we also have of course the nist structure for cyber security nist is a set of guidance out of the us and it's also got a fairly active and growing section for privacy and data protection and infrastructure protection as well those are typically broken out on this side of the water they break out infrastructure protection as a separate entity and there's this whole sense of guidance around that that around scada systems and scada security and ics systems and iot and all of that but there is overlap for certain in canada canada is taking a step to unfortunately use the exact same abbreviation that california is using for their privacy protection act for consumers the ccpa canada is also building a thing called the ccpa and remarkably enough the government states that it's going to be stronger than california's ccpa so it almost sounds like a bit of competition to see who can out protect privacy or private data this is going to be an enhancement to existing legislation it has a tribunal established kind of like a commissioner office or commissioners group and the goal of this is to try to make sure every organization that has consumer information maintains a structured privacy program that they've obtained meaningful consent so it's not enough now to just say yeah yeah we said on the page we're going to use your 
data that's enough that they click okay that isn't enough anymore with this new act they want meaningful consent so you have to check a box saying yes i agree so it's no there's no gray area when it comes to consent anymore de-identified data is also covered de-identified data as you probably are aware is information that may not be tied directly to you but it's your data and they've just removed your name from it you're identifying information from it but that's still covered under this new act the handling of that information how it's de-identified how it's utilized afterwards that's all part of this new act so they're going an extra step with the data there's a right to erasure here it's it's called erasure instead of forgot or right to be forgotten so you do have a right under this new act to request your data be erased and never used again and there's an enhanced enforcement component which includes even regional enforcement entities to help make sure this is actioned all the time and they specifically state that private lawsuits are enabled through this act as well so much like the states where you get into litigations if you feel like you've been wronged by a company that sort of thing can happen with regards to privacy violations in canada under this act so it's a new world for canada to get that kind of thing mentioned in a in a law of any sort third-party service providers are all also in scope so it's no longer just you or your organization it's whoever you're doing business with as well you have to make sure you have a complete supply chain secure supply chain for consumer privacy all the way up to your third-party service providers penalties can be quite hefty as you see at the bottom three percent of your global revenue or 10 million dollars canadian or possibly five percent of your global revenue or 25 million dollars canadian for serious breaches i don't the definition for serious breaches is still being worked on but these are not inconsiderable 
fines um over here yeah we're matching up a few of the things we exist we discussed already but our brother would would move on to the next slide because actually the next session section is discussing the commonalities and we will discuss the uh the fines that we will discuss is pretty similar and it's nice to see that that pretty much the the the the impact of defines in us canada and some other regions are pretty similar in in that sense our but we'll discuss the details a bit more defines again later on tony so uh i rather uh devote over to you discuss pretty much the some of the common features and and we will compare a few of them right sure things so privacy officers obviously are important to have in your organization everyone's asking for them now all the legislations are looking for this to happen penalties they're not small as you've seen in some of these examples and um they can also carry the penalty of course of uh publicly having your name published the name and shame concept where you're going to have someone notify an authority that your date their data was breached in while it was in your custody and then that information becomes public information privacy programs should be in place of course that includes breach management includes privacy policies all the things you think should be in a good privacy program and breach management notification is often broken out as a separate item in legislation today on purpose so that you've done appropriate breach management and appropriate notification when and as required consent is also a big thing that's become far more relevant and far more a far more stringent requirement in legislations globally and that publishing at the bottom of infractions or violations is becoming more common as well the name and shame approach uh so we've talked about this one already so gdpr yeah it's it's pretty similar but i think just as a bit of a repetition of previous sessions um please remember what the the core 
activities and the core decisions and the principles of of legitimacy actually in gdpr is covered in article five and six um as estonia mentioned um consent is just one of them and we've seen in the past a few years and certainly with the launch of gdpr uh lots of attention has been attracted to the consent but in essence there are four more important ways or reasons why you need to to to treat or handle the privacy or actually personal data in that sense and last but not least and this is quite hot also right now is legitimate interest actually that that's where the data controller or the company makes the decisions to handle the data and certainly with this e-privacy and marketing and direct marketing stuff this has been pretty much under the radar until now and we see a lot of countries and the european region still acting right now on this legitimate interest and direct marketing so it's a very hot topic and we will discuss it later on also at the end of the session um there's a huge conflict in how the companies handle the data um if they make decision to to send you a mail or to use that for direct marketing you enter in sort of conflict area in that sense and we see a lot of decisions right now where the dpas um spend some fines actually on on not really legitimate interest or the wrong use actually of the legitimate interest and to link up with the previous slide of tony also we see some sample cases also where the name and shame so the publication of these records without any fines is also used actually to publish the the violation that company have been doing in that sense so um there's not always large fines being applied but also the fact the company got into the news and some of the cases the companies were not successful in keeping their name out of the cases because it's so exemplary or for that one for the case that even these companies could not just simply uh be anonymous in in the court cases in that sense so we see a balance here and we will 
discuss also later on the uh defined so we can move on to the next slide tony is that the application of these principles is very important to to to know and that's where lots of companies and certainly the smaller companies have a lot of issues actually uh since if you used to implement gdpr correctly and again these principles are are applied also in other legislation so the data protection by default and the data protection by design means that you need to build in that security or data protection into your systems a lot of companies who are running their infrastructure already for quite a few years have quite some issues into updating their infrastructure to do so also we see more and more joint controllers that means that companies are jointly handling the data and that poses quite some some issues also in relation to reporting it to the subjects in that sense and this is also one of the battle areas what we'll see is how you handle data how you respond to the subjects in that sense lots of companies are actually required to have a record of processing which is also called a processing register which is not that easy to maintain for larger companies yes but smaller companies um have quite some difficulties into to get it done and thirdly in case of a data breach how you handle that one including notifying the data protection authority having an incident register having incident management procedure is not an easy task for lots of companies so it's quite important and also securing your processing activities including cyber security is quite a difficult task and there are some quite some results and analysis and surveys actually that show that lots of companies um and we're talking about more than 50 of the companies have issues actually to set up the proper gdpr processing activities you can go to the next one tony and also important one that's also mentioned by tony in in the commonalities actually in the legislations is obligation to have a data protection 
officer or a privacy officer or chief privacy officer what's in a name there's a quite a distinct part of the gdpr that actually handles this dysfunction it's very important there are some strict guidelines one is mandatory to have one but it's always best that as soon as you have some uh large-scale operations or a large volume of data of data working for processing in your company that you should also consider to have a data protection officer more in an advisory function but it can be wise to have that function created or someone available for that ones but by the way it can also be an external consultant to helping you out on this one one of the largest mistakes i also mentioned at the end of this slide is that companies make is that making the data protection officer responsible for the data processing tasks it's not and certainly not on the gdpr it's very important that it's an advisory function the main accountability and responsibility stays within the company not at the dpo level and this is an important thing for lots of companies to make sure that actually that segregation of duty is being implemented you can go to the next slides tony and this one of course is well known we discussed it in the previous sections uh previous uh webinar so i'm not going too much too far in detail on this one but have a look at the numbers it's well known but the interesting part of this session of today is that these numbers and fines are pretty much the same in lots of other countries and um there's a clear distinction in major issues and minor issues minor issues meaning that if you have some of the applications within gdpr who do not touch directly or at large scales on the subjects um you get into a two percent or a 10 million fine depending on whatever is the biggest or four percent or the 20 million euro fine actually is if there is an indirect impact on the subjects rights you can get into that large scale and you see that actually the number of fines here or the 
the value of the files is pretty similar as what tony has discussed earlier on right we can go to the next slides if you want to see how these fines are working and what's the impact right now um have a look at uh at google or or or bing or whatever and look for for um enforcement tracker or gdpr fines tracker i just gave a few of them you can find a lot more but certainly the enforcement tracker the first one i mentioned over here is quite interesting you will see actually a a lively follow up actually on the fines that are being tracked by the data protection authorities all over europe so it's quite interesting to see um and even belgium is one of the smaller countries in this area um has been quite active although that the belgian dpa has taken position not to go for the maximum fines they have still still had some interesting cases and just just for your example one of the cases is a sort of company that actually collected data from fresh mothers that have had just freshly had their babies actually in the hospital and they send over a sort of commercial package to them but it looked like that that this company was not respecting the rules of the game actually and they ended up with a 50 000 fine 50 000 euro fund actually because of actually mishandling this uh mother's data and their children's data actually for uh doing direct marketing and they sold over actually their uh privacy or data protection personal data to other companies uh which which uh gave a quite a large impact of the subject uh impacted on that one good go for the next one 20. 
pretty much similar um be aware that that now nowadays and that's exactly also what tony showed is that changes in laws are giving more power to the subject the fines are going up the impact and the power that subjects you have is is very important and the other side of the balance is that companies data controllers in this case need to balance their rights in doing business versus the subject rights and how to to look at it and of course their their position against the government and against their commercial interest to handle that data to do business this conflict error that gets very hot right now and lots of decisions and fines are based actually because of this position in that one and selling data for direct marketing is one of the next battles that will come up probably in in lots of court cases up to up to now right go for the next one tony good we're pretty much to the end of the session um just a few items i wanted to discuss here or actually put in in the air actually um it's it's might be another topic for next session but be aware that also cyber crime is increasing we've seen globally the attacks getting more and more severe and in the past cybercrime certainly ransomware was all about locking down companies or getting them getting ransom money out of it what we see right now is that more and more of these attacks and certainly with uh with ransomware is that these attackers or these criminals are even pushing data during the ransom actually to to to the internet uh shaming these companies forcing them to pay up for for for the ransom and is it getting more and more aggressively so the data leakage of these ransomware is is growing uh significantly even in hospitals even in the corona stages as it is right now we see a lot of impact also on health care so so it is getting very very aggressive and we have not seen the uh the ant yet um also the commercial impact versus the rights of the subjects um existing social media platforms we have discussed it 
over we talked about it um the facebook case srams on on the uh on the european side has been very important and just a few days ago a few weeks ago we have seen also uh some some uh new platforms popping up um also on on the internet uh tick tock uh i just name it and and clubhouse is for example is is one of the of the newest platforms uh right now in a sort of uh launching stage uh specifically for apple users but um we have seen already some data breaches in the clubhouse and it looks like that they didn't take care too much even in the early stages of data privacy and for example if you join or can join it's by invitation only right now uh clubhouse um the first thing that actually clubhouse does is actually discovering and copying your contact data and into the system so we have not seen the end yet and there were some privacy issues in in in clubhouse before uh allowing to record some sessions or getting access illegal access to chats so also on that that level it's pretty amazing that launching a new social media platform is not taking care of privacy they will get busted for forever likely if they don't take care of it with official launch so the pressure on these companies is getting higher even on the international level so that that's very important also very important take back privacy we see that a lot of people getting conscient about this privacy they they care more about their data but the major problem here is certainly with the launch of internet a decade ago privacy was not that important so we see actually lots of data is readily available and taking back that privacy is a huge effort and we see that the pressure on these technical companies hosting internet platforms or hosting social media is increasing so that that's an important wave that we see right now is that people getting conscious about it claiming back their right on privacy claiming back on control on their own data and that's not that easy to achieve for the next coming years good 
right now we just add that it's also gotten to be a big issue right now because of work from home or remote working there's a lot more targeting going on on individual levels as well one recent trend is a theft of pennies at a time instead of referring to it from bank accounts so instead of it taking money from individuals cleaning out the bank accounts completely cyber criminals are now going to this individual individualized approach where they're they're getting into your system getting into your bank and only taking out small amounts of money over time and it adds up to a lot of amount a lot of money of course when you accumulate globally but that's also part of the privacy risk working from home means your attention to your privacy and your protection of your private information maybe is not as diligent as it should be yeah one of the new things because of taking back that privacy is a cookie management we will see that uh right now people start worrying about the tracking that is enabled by this cookie uh we've seen lots of ways of working with cookies and even on the european level that there have been even some contradictionary uh um advices on on multiple companies so in that sense uh handling this cookie wall stuff is very important and and what what i meant for example here with the dark patterns is the big buttons with accept all which means opening up all the cookies but in essence if you care about your profit and privacy you should actually look at the smaller buttons and then tune your cookie acceptance or actually ignore all but you don't then also know that some of the parts of the platform might not not also work in the way you would expect in that sense and that's something that actually is getting very active and we will see more and more companies to find the right balance in accepting no cookies while keeping the platforms alive so that that's also very important and while in 2016 with the launch of gdpr there was a lot of discussion in how 
marketing direct marketing would would be kept alive uh we've seen actually very limited impact in that sense but we realized right now that lots of these direct marketing companies have an awful lot of data bus and which is called the data brokers collecting all the data the position of that one is is becoming very important because of the discussions we had with the the consent and the legitimate interest is we see a lot of companies popping up that are sitting on a large volume of data and we see also on the european level a lot of companies um getting attention with that one and not always positive attention in in that sense and one other important thing is also very important to in the perspective of the session of today is data brokers that are not actually having their services or their data being stored in in europe uh there are quite some companies that that are hosting the services out of out of the u.s or canada and it's very difficult as a european subject for example to get in reach or do to get contact with these companies because actually they're officially being hosted in the us so there's a lot of discussion over there and i think that we will see more things popping up on this one the next few weeks if not months good last but not least also iot and as i mentioned a few a few regulations and loss coming up um right now because of the cyber act for example um is we are all getting uh used to the iot uh so the internet of things so lots of personal devices connected i'm not talking about phones but watches fridges toys cars uh even cameras actually that directly connected to the internet um and who can be attacked and even in right if i'm not mistaken in the early 2017 we already had an internet attack on the dns system by these iot devices so you will see that that also that this is another area where actually we will see a lot of investments also in security because they have our data by design right now very low protection levels and we will see 
that also regulations will have a look at this and for example in europe the demands for having iot devices secured will only increase so have an eye on that one again maybe a very interesting topic from one of the next sessions this year with pcp go and i strongly recommend making sure you keep your iot devices up to date i just got updates on a few of mine that included two-factor authentication being added to them so it is possible to upgrade them and make them more secure so that is happening so i think we've covered everything in our topic and i see we're a bit over time but we do have some reference material attached as well to this slideshow and there's a link here of course provided for this by peter by peter and there's some extra slides at the end of this slideshow as well good albana it's up to you thank you peter and tony for delivering this very informative and detailed webinar pcb offers training and certification courses which will show your dedication in implementing and managing privacy related frameworks and most importantly you will get recognized worldwide now before moving on with the q a session i want to inform you that in addition to all available pcb training course delivery formats pcb is now offering the iso 27001 lead implementer and iso 31 000 risk manager e-learning training courses in english now we'll go ahead and take some time to answer some of the questions from that and these regarding today's topic please know that due to time limitations today our presenters will answer two to three questions however like in the previous sessions we'll make sure to send you the link where you can find all answers to your questions during the live session the first question is considering the increased number of standards and regulations addressing privacy within the adoption of a global standard that covers mostly all compliance requirements and commonalities help global organizations as well as a guidance for countries with no existing privacy 
legislation would an iso 2701 be a good candidate for such an umbrella standard and what would be the blocking points for such an approach peter tony um yeah the ideal standard would be very interesting exactly to to make a global standard by the way the 27 701 which was also called pims does exactly that so it's an integration of the gdpr uh way of working but also be aware that iso standard is not gdpr only so there is also a very strong reference to the nist uh interpretation of pii as tony discussed early on so yes absolutely the 27 701 would be an ideal standard um be aware that 27701 and also the 27001 which is the isms standard is a management system so um it's covering the processes and it does not cover for example the technical standards um like the common criteria for example is doing so the iot security to the hardware security is not covered by the isms or the pim system but yes absolutely you could use the pims or isms system as a global standard as we discussed also in the previous sessions you can easily plug in some other standards like the nist or the canadian rules on on that one so so it's an open standard it's not too detailed but it allows you to plug in local technical standards if you wish to do so so we're on the road on that one on implementing that one right now the fact is that other companies which is the assessment companies are getting ready for certification on that one so on iso level the the certification for the iso 27701 is is getting up to speed on the other hand gdpr certification as such and and and very strictly uh interpreting the gdpr is absolutely not ready for system certification right now so there's a lot of certification discussions going on um i think that even on in that level the cyber act will even surpass the gdpr on the level of certification so getting certification as recognized by gdpr is very difficult and you might also see as we discussed in previous sessions there are some road blockers in the illegal part 
of gdpr that will allow actually certification on gdpr because gdpr is not looking at an information security management system as certification and that that's exactly the difficult way to getting official gdpr certification that one so that that's also another hot discussion which is not finished yet okay thank you peter the next question is is the separate legislation for health data considering that health is under the jurisdiction of the canadian provinces yeah so the the way that health data is handled in canada it is handled at the provincial level and even during this pandemic the federal government hasn't been actively enforcing things like health restrictions or health guidance at the provincial level that's left to the each province within canada to establish those guidelines those enforcements so it's the same with the personal health information and guidance around that it's left to the provincial level i would like to see a national guidance built for that however for health information and protection of it i think i'll be waiting a long time before i ever see that happen it has happened in the states with hipaa but it's nothing like that in canada yet okay thank you tony and the last question is how is brexit impacting gdpr and cross-border data storage well there is a quite a recent discussion on adequacy for the uk it's it's it's quite amazing that at the start of gdpr we had the same adequacy decision for switzerland i think if i'm not mistaken it took three pages to get a decision now the uk leaving europe as a page i think if the document on adequacy decision on the uk is 88 pages so um that that also uh puts a very important emphasis actually on the implementation although the system is pretty much the same there's this has been quite a lengthy discussion on on getting the the acceptance of the uk system right now as uh as applicable for gdpr um so so in that sense it's considered uh right now as adequate uh to do so but again keep in mind that 
and i adequately see decision in in gdpr is a two-year decision and we had pretty similar discussions also on the framework like privacy shield with the us so it's up to evaluation every two years so that that will very likely also happen for uh for the uk so for right now is is considered adequate as what the gdpr has been implementing it can change over time depending on what what what the uk will do depending on the regulations will they change or not and uh it can be even political discussions or end up as a political discussion as we have seen uh with the chains of president in the u.s uh it can change it it can seem to way it can change in the uk depending on the elections we don't know or if we have some other global events popping up uh did these might impact the decisions on gdpr okay once again thank you peter and tony for this remarkable session and thank you everyone for attending today's webinar please be informed that this session will be recorded and posted on our website and youtube channel along with the slides of the presentation for more information about our webinars please visit our website www.pcb.com thank you all and stay safe
Info
Channel: PECB
Views: 2,214
Id: BKWf6GTlgAM
Length: 72min 35sec (4355 seconds)
Published: Fri Feb 26 2021