Event Recording

Dr. Karsten Kinast - Making Sense of the EU General Data Protection Regulation

The cloud is coming to your business, like it or not. With cloud-based systems come inherent challenges. These are further complicated as personal data subject to privacy regulation inevitably moves into the cloud. This combination, putting private information into the cloud, creates risk which must be understood and managed. Is data privacy in the cloud a business issue? We will de-mystify the complexity of cloud-based systems and their inherent risks, enabling appropriate technical and administrative safeguards to be put in place.

Good morning, we will now start with the first keynote of this morning's keynote session. Unfortunately, Lazo, who wanted to join us from South America, couldn't make it on short notice. So you will see there's a difference between the printed program and the online program; the online program has been adapted accordingly. And for the first presenter this morning, it's great that Karsten Kinast, one of our KuppingerCole Analysts, is jumping in here to give us an overview of the EU data protection regulation. Thank you so much. Good morning.
Thank you. You're welcome.
Good morning, everyone. Thanks for showing up. And I'm happy to see loads of faces for this data protection issue. So maybe this is because you expected something else. I hope that even though this is on data protection, and data protection is supposed to be a bit of a difficult issue, you will enjoy what I've prepared. I'm trying to make some sense of the EU General Data Protection Regulation. And I thought it's very important to understand why we should all be getting used to thinking privacy, because currently I don't believe we are thinking privacy enough. It's always an add-on. It must be part of all our efforts in our daily businesses. That's what I think it means to be thinking privacy today. We have a very fragmented set of laws throughout Europe and the world when it comes to privacy and data protection. The EU Commission has been trying to change that for several years.
And here we are: the GDPR, the General Data Protection Regulation, tries to overcome this fragmented landscape by giving out a single set of regulations for all of Europe in the first place, and even beyond; I'll come back to that a bit later on. So it will directly impose a uniform data security law at the same time. So we have two pillars of jurisdiction here. On the one hand, we have the legal side. On the other hand, we have the security side, and all of that doesn't derive from the local governments anymore. It now derives from the EU Commission, and that's a tremendous harmonization, and certainly it's not as easy anymore to hide behind someone else if all over Europe the regulation will be the same. The idea of it is a consumer law: the idea of protecting your personal information, because the information belongs to you and not the one who has it in his hands, as in some other parts of the world; the idea to protect the possibility to give consent for using your own information, and to be protected, and to keep the use of private data, of personally identifiable information, low.
That's the idea of this new EU citizen law.
It's a very complicated regulation. And if you haven't been into what we previously had, and what we still have as a law on data protection, it's not very easy to follow the pretty peculiar changes that we have at times. So I'm trying to sum up the 10 key facts that mean a tremendous change for businesses in the future, and they already do today. I do work as a privacy lawyer, and in practice I can tell you, not even on the day this came out, the groups and all the organizations throughout Europe and beyond reacted. It was even before that, when the first drafts came out. So everyone who doesn't have that on the agenda is not too late yet, but there's only less than two years of implementation phase, because all of that will be coming true in 2018. So let's see fact number one. I think that's a very important marketing offensive for this whole legislation, because the Europeans in the past were not really happy that in some other regions of the world, laws were supposed to be followed
even in Europe. Maybe in the US, we had some laws that in the end one or another company had to obey, even though they weren't formally applicable in Europe. Now the European Commission, for the first time ever, and it uses the privacy playground to do that, introduces that idea. Now, for the first time ever, the EU Commission tries to do something like that vice versa, by exporting the idea of the GDPR to the rest of the world. So wherever you're seated in the world, as long as you work with personally identifiable information deriving from a European citizen, you will have to obey that piece of law. And that's, I think, not only, as I said, the marketing idea; it's something that will really work and will lead to the fact that even Europeans take it more seriously. I think that there's a psychological effect behind it: if even customers or suppliers outside of the European Union will have to obey this regulation, why should I continuously not obey our European privacy laws? So I think the pressure on all of us will extremely come up only for this single rule in Article 3 of the GDPR.
The definition of personal data has been very broad in the past. I mean, constantly people are completely shocked at how far we believe the term personal data needs to be laid out: any information directly or indirectly linked to a person is considered already today as personal data, and with the new possibilities of gathering tons of information, big data applications and so on, now we see a reaction in even understanding the term personal data, personally identifiable information, that is broader. What does that mean? Even more databases, even more gatherings of data will be understood as falling under this directive. Whereas today you might have an IT setup where parts of it aren't even affected by the current data protection laws, in the future this will hardly ever be the case. Think of meta information and so on.
So there is not an easy way to evade falling under this new regulation. While we have a ban with a permit reservation at this point of time. So trying to explain that in less legal terms, that means as a default setting in Europe already today we are not allowed to work with personal information unless there is this or that exemption. You really have to check every time you pick up a piece of information, you're using it, or you change or alter it; every time you will have to find out whether this is a necessary action for the contract you're carrying out, so the law allows you to use that information, or whether you have a valid, informed consent. Lots of people in this room or anywhere believe, I'm okay, I do have a consent in place, but it needs to be a valid consent. And that's science.
It's really difficult to scale the wording of the consent between full transparency, which of course is very important for the citizen to understand what's happening with this information, on the one hand, and on the other hand, not being confusing. So you need to be very plain in your language when asking for a consent; you need to be very clear on what you want and what you're doing at the same time. So that's not easy. And I can tell you that most of the consents that I'm being shown or exposed to are not valid, and they will not make it if you bring them up to the law, up to the court, which hasn't happened often in the past at all. So it's a well-maintained secret that a consent is not a consent at all times, but I believe that in the future, working with the consent, actively going out there and explaining what you are doing with the information, will be even more important and crucial to businesses, because without a consent, the whole activity around information might be seized by authorities.
That is a possible option. It's not a fairytale. Fact four is that the appointment of a data protection officer will be mandatory for certain companies. I think most of you know that in Germany we have that situation already: a data protection officer, who takes care of all the daily questions for data protection, is mandatory in Germany once you exceed the level of 10 employees. That's a pretty static benchmark. And I certainly do serve as DPO for a lot of companies that are smaller or much bigger, but even smaller companies maybe are exposed to a higher risk when it comes to data protection, because they have a tremendous amount of data at their hand. There can be five people handling so much information, I don't need to tell you, and still it's not mandatory to have a DPO in Germany at this point of time. This will change.
So it will not be the mere number of employees or anything like that. It will be what you do with information. And the wording is somewhat blurry. We're asking for large-scale processing of personal data. I think there will be some discussions on what that means, but I think you don't need to be a lawyer to understand what's meant: once you are seriously depending on information, on personal information, for your daily business, you will have to appoint a DPO. And this DPO, by its nature, is an extended arm of the authority. And he will have to report non-compliances that go beyond a certain level of daily non-compliance, if you know what I mean; he will have to report that to the authority. So it might be an employee or an external person, but it's someone to take seriously and use right from the beginning to design privacy and design the data flows according to the law, because in the future, more than today, under that regulation, you will have to change it afterwards, because if you didn't include the DPO right from the beginning, he might have to tell you after implementation that what you have done is not listed, and he will have to seize that in the name of the authority, working together with the authority. Fact five is the PIA.
That's not a German invention, as the DPO is; it's more of a UK invention. The UK has worked... the Commissioner in the UK, the authority there, has worked a lot with PIAs in the past, and it does go very well with the idea of a DPO. You should have a privacy risk assessment before even starting. I know that all of you who work on implementing new IT applications in the company really have other things to worry about in real life. And now, as an add-on problem, you will have to have a privacy risk assessment. So while going your path on computing and implementing your IT applications, you will have to keep in mind privacy. You have to play ping pong with the DPO in order to be constantly in a compliance situation. And it's a very formalized action you have to undertake. So there is a very formal step to give that application free after the privacy impact assessment; it's to be recorded, and it's to be handed over to an authority if the authority asks for it.
And that's, I think, threat enough in one or another situation. Fact six is the fact that we will have a common data breach notification in the future. That's something that came up in other parts of the world. So Europeans haven't been very fast on that, but in the last couple of years, three, four years maybe, we have gotten into a situation where we have quite a good carpet of data breach notification regulations throughout Europe. This will be harmonized in order to be more comparable between the countries. So the idea of the data breach notification is that you need to monitor constantly for breaches, which a lot of companies I do see around do not do in an appropriate manner, at least not in an appropriate manner if it comes to keeping up with the regulation. It does at the same time mean that once you have discovered a data breach, or what you consider to be a breach, because you have to decide afterwards, but make sure that you make the right decision, because if you consider wrongly, that's not in your favor, that's for sure,
you will have to notify the local data protection authority of your breach within 72 hours after you have found out. What does that mean for a Friday afternoon data breach? It means that you have to be organized, do your homework, and have an organization that is able to understand what a data breach means; not resulting from IT, but how to define and detect a data breach doesn't seem to be an easy task for people that don't work in IT security or data protection, or both. Actually, you almost need to be, in cases, a data security and a data protection expert in order to find out. So this is connected to a lot of training and a lot of involvement. You need to change your policy on data security and the way you promote it into your company, in order to achieve a setup where a data breach will seriously be understood and reported.
Then, in fact seven, which is part of a panel which we will have this morning, I'd say fact seven is data minimization, the right to erasure or right to be forgotten. Everyone has read about that. That has been around in the past, but now they really mean it, I'd say. In the past it was like, okay, I have found a use for my information in the beginning, when I receive the information, when I dig that data gold, and I know certainly that I may not alter the reason or the purposes that I'm using that information for. And that exactly is the idea of data minimization: for marketing purposes, for various IT purposes, you really need to redo your consent before you alter the purpose of the use of your data. Fact eight is the data processor responsibilities. It's not only the one that keeps the information as a controller.
It's the outsourcing partner as well that needs to stick to all these regulations. In the past, it was always the controller that had the liability. Now, if you're a peer service provider and you're working with information of others, it will be your responsibility whether that information is around for a good legal reason or not. So not only your own action as an outsourcing provider might be part of your liability, but even the quality of information. Privacy by design. That's a really beautiful word. We can read it everywhere. What does that mean? It really means that while implementing any piece of software, data protection must be safeguarded. For example, erasure of information is something that I do not see around today that often in software; some software might not even erase information properly at all. In the future, that's not possible anymore. Software must be capable of completely erasing information.
I think that's gonna be a very difficult task for a lot of software engineers. Fact 10 is the one-stop shop. Ireland has been pretty crowded with large US corporations because it was famous for having a pretty weak authority, at least in parts, people believed so. So in Ireland there were a lot of companies, such as Google, as we know, based in Europe; it was their leg in Europe. They didn't have to fear much, because it was only the local data protection authority that could hinder them in doing their business the way they're used to doing it from outside of Europe. This will belong to the past. Once we are in mid-2018, any authority in Europe can take a case wherever this company is seated, maybe in the US, maybe anywhere in the world, maybe anywhere in Europe.
So this rule will again enforce what a citizen maybe believes to be his right already today. Will all that hurt, or is it again just a privacy threat from the legislators? I think it will hurt. It's heavily underlined with subpoenas of up to 20 million euros or 4% of the company's total worldwide annual turnover, of a group, not of a single legal entity. I've seen in practice that a lot of smaller companies were just, you know, running out of business slowly because they had committed some errors in data protection and they had to accept a subpoena. So this will not be possible anymore. It will be a full responsibility for the corporation leading a group. So no matter if the 20 million euros may be acceptable for this one legal entity or not, the corporation will have to carry that. Thank you very much for your attention. Thanks very much for listening to those new data protection rules. Have a very good day today at EIC. Thanks.
Great, Karsten. So this is already in place, or is this about to come this year, or...
It's a bit of an awkward situation. It is in place, but we will have to obey it in 2018. Okay.
Starting January 1st?
Now, starting somewhere around June. We don't know; there are translations ongoing. Okay. So it will be mid-June,
probably. Okay. So we still have two years to
prepare. It feels like minus five seconds.
There are some questions. What is your definition of privacy? Maybe we can rephrase it: what is the definition of privacy in the sense of the European Commission? Well,
Yeah, that's much better. My personal opinion is not that important in this case. Privacy means to be able to decide what happens to your information: your personal information shall be used for this purpose, for another, yes or no. That has been the definition for many decades: to be able to decide. And if you want to give it free, set it out to the world, you are fine.
How many websites or apps respect this directive today?
I don't know any.
Okay. What about the right to be forgotten versus legal audit logs? So this accountability versus right to be forgotten discussion.
Well, that's a pretty complex question. Certainly there will be, and there already is... It's combined with a lot of possibilities for any citizen to ask what's ongoing with this information at a certain company. The Schrems case, leading to the fall of Safe Harbor, is a very good example. He was asking for this personal information that was stored at Facebook, and they did send him, I think, 64,000 pieces of paper. They printed it out because they just didn't wanna send him this file. And, you know, this is the right to be forgotten. He had the right to be forgotten; loads of parts, big parts of that information should have been erased at that point of time. And this is why the timeline was invented. There is no right to be forgotten if you have a good reason to use the information, unless the citizen asks for the information to be erased. So that's gonna be the accountability: to look at what the customer really wants from you. Does he want you to erase that information, yes or no? And if he asks you to, you'd better do that. So that's the accountability in the end.
Are there guidelines today for consent?
There are... there is not a checklist or anything like that. There is the law, and the law needs to be appropriately applied to the single case. Okay. So that's what I mean, it's its own science. It's not that easy to be transparent enough and short enough at the same time. So no, there's not a checklist, but yes, certainly there are pillars and there are frameworks that I need to obey.
And last question, what about anonymization? So is it enough?
Sorry, go...
Kantara,
Right? Yeah. Consent
Receipt. Okay. Kantara Initiative. Okay. So
I've got something to learn there. So there are maybe no official ones, which I was thinking was the question. Okay.
Okay. Thank you for that remark. And the last point is, what about anonymization? So does it suffice, is it enough to anonymize to get out of the law,
Or... yes. That's a clear yes. The way you ask the question, though, I need to be very clear: anonymization isn't easy. People believe, I do anonymize if there is no name in there or another identifier that I jump on, like a personal ID at a company or so. So that's really not it; anonymization is really difficult to obtain, because there shouldn't be anyone around anymore who can link the person to the information. So that's statistics, right? And beyond that, before that point, you will not have anonymized properly. But we are opening the door a bit. Pseudonymization might be the new anonymization; that's a seed to be seen in that regulation, but the discussion is ongoing. So now we are with that strict minimizing definition; that means no one may be able to understand which person is behind the information. Okay. Thank you so much, Karsten. Thanks very much. Thanks. Okay.
