Keynote Speech: Overview of the New Regulatory Regime
Garreth Cameron, Group Manager for Business and Industry, Information Commissioner's Office (ICO)
EU data protection reform and the gambling industry: Keynote address
Garreth Cameron, Group Manager for Business & Industry
85% are concerned about how their personal information is sold or passed to other organisations.
77% are concerned that organisations are not keeping their data secure.
Source for both figures: ICO Annual Track 2014, n = 1,575, <https://ico.org.uk/media/about-the-ico/documents/1043485/annual-trackseptember-2014-individuals.pdf>
Evolution, not revolution
Derogations
Legislation
New Information Commissioner
Discussion on GDPR – Timeline and Key Dates, Penalties and Sanctions
Ross McKean, Head of Data Protection, Olswang
GDPR: Timeline, Key Dates, Penalties and Sanctions
Ross McKean, Partner, Olswang
Countdown to GDPR: timeline and key dates
• December 2015: Political agreement
• Translation
• April 2016: Council to formally adopt
• June/July? 2016: Vote by Parliament, formal signature then publication in OJ
• July/August 2018 (2 years + 20 days after publication in OJ): Regulation takes effect
30 March, 2016
Formal sanctions
Today: national sanctions set by MS under DPD
• Right to compensation for "damage" (Article 23)
• MS must impose "suitable measures to ensure full implementation of the Directive" (Article 24)
• E.g. current UK sanctions include:
– Fines up to £500K for serious breaches
– Undertakings
– Enforcement notices
Tomorrow: harmonised under GDPR
• Right to compensation for material or immaterial damage. Controller or processor can be liable (Article 77)
• Chapter VIII
• Administrative fines (Article 79)
– Up to € 20,000,000 or 4% of turnover (for breaches including: principles, data subject rights, international transfers)
– Up to € 10,000,000 or 2% of turnover (for breaches including: security, breach notification)
– Must be "effective, proportionate and dissuasive" penalties
Cross border enforcement: the not-quite one stop shop
• The Commission's vision: one stop shop enforcement by a single lead authority
• The reality: Lead authority, concerned authorities, cooperation procedure (Ch VII)
• DPA of the "main establishment" of controller or processor = lead authority (Article 51), however…
– other DPAs competent if the infringement relates only to that Member State (Article 51(a))
– BUT the lead authority can still decide to deal with the case
• Co-operation procedure: Article 54a; Mutual assistance - Article 55
– Lengthy, multi-stage process for notification, information sharing and mutual assistance
– Joint operations possible, where multiple Member States are affected (Article 56)
– Consistency mechanism: including dispute resolution appeal to EDPB decided within 1 month of referral by 2/3rd majority (Article 58a)
– Urgency procedure: a DPA can bypass the consistency and cooperation mechanisms and adopt provisional measures (for up to three months)
Formal sanctions: when can consumer groups bring actions?
Data subjects have the right to…
• Lodge a complaint with a DPA ("in particular" in own Member State) – Article 73
• A judicial remedy against a DPA – Article 74
• An effective judicial remedy against a controller or processor – Article 75
• Compensation for "material or immaterial damage" – Article 77
• Mandate a consumer group* or similar to exercise rights on his/her behalf – Art 76
* body must be not for profit, public interest and active in the field of privacy protection
Current examples?
• Germany: New rules introduced Feb 2016 allowing privacy claims by consumer bodies
• France: Digital Republic Bill – similar rules in the pipeline, pre-empting GDPR
Beyond formal sanctions… follow-on risks
• Reputation risk
• C-suite job losses
• Remediation costs and PCI-DSS card scheme fines
• Loss of trust in the brand leading to increased customer acquisition and retention costs
• UK group actions: where are we?
– Rise of Article 8 ECHR and Article 8 of the EU Charter
– Increased public concern about privacy
– Damages for distress (e.g. Vidal-Hall)
– Class actions on the horizon?
– French and German domestic laws and the right of consumer groups to represent individual data subjects under the GDPR increase the risk of privacy class actions
Follow-on risks: a recent US example
• 40 million cards stolen
• 70 million customer records stolen
• 46% drop in 2013 Q4 profits
• $200 million estimated cost just to reissue payment cards
• $252 million direct costs of breach related expenses (excluding increased customer acquisition / retention and insurance premiums)
• CEO resigned
• CIO resigned
GDPR Readiness: What Should Your Business Do Now?
Anna Soilleux, Senior Associate, Olswang LLP
Data Protection Now Means Compliance
Michael Mrak, Head of Compliance and Data Protection, Casinos Austria AG and Austrian Lottery GmbH
DATA PROTECTION NOW MEANS COMPLIANCE
Some thoughts on the meaningful use of certification systems
30.03.2016
Agenda
• Preparing for the EU GDPR: Obligations!
• What is compliance?
• Rule based standards or risk based approach
• How to properly implement compliance
DPOs – The new enemies of the marketing department?
Preparing for the EU GDPR: Obligations!
• The GDPR provides for the following administrative sanctions:
– issuing of warnings;
– regular and periodic data protection audits;
– an administrative fine of up to €20 million or up to 4% of annual worldwide turnover, whichever is higher, to be imposed on anyone who intentionally or negligently (amongst other things):
• processes personal data without sufficient legal basis for doing so; or
• does not implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; or
• does not alert or notify a data protection breach to the relevant supervisory authority or data subject; or
• does not carry out a data protection impact assessment or processes personal data without prior authorization from or consultation with the supervisory authority; or
• carries out or instructs an unauthorized transfer of data to a third country or an international organization; or
• does not comply with an order or a temporary or permanent ban on processing or the suspension of data flows by the supervisory authority.
Data Protection Impact Assessment (DPIA)
• The new frontier for privacy professionals
• Risk management has for a long time been a critical tool for complying with laws (e.g. AML, RG etc.)
• In the field of data protection, these efforts have often been applied informally and in unstructured ways
• In practice, they often failed to take effective advantage of many principles and tools of risk management that are widely accepted in other areas
• Under the GDPR, companies must carry out DPIAs for "high risk" data processing (Art. 33)
• Do you know your "high risk" data collections?
– Financial data?
– Player tracking information?
– Responsible gaming data?
What is compliance?
• In general, compliance means conforming to a rule, such as a specification, policy, standard or law.
• Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.
• Internal guidelines are based on external regulations, but also take into account the company's values.
• It's about living the values and making ethical behavior a competitive advantage.
GoodPriv@cy data protection
• A protected guarantee mark
• Can be obtained by all organizations
• Is valid for three years
• Can be combined with other standards
• Builds confidence and certainty
• Certification as evidence
• Forces a systematic approach to the processing of personal data
• Helps to build trust with consumers, government agencies and public bodies
• Best-practice approach for compliance with the law
Best practices: Standards – do not reinvent the wheel!
Any compliance organization should always build on existing standards!
Standards: IDW PS 980 Standard; TÜV Rheinland Compliance Care; ISAE 3000
Fields: Data Protection; Information Security; Anti Money Laundering; Quality Management; Anti Corruption; Corporate Citizenship; Responsible Gaming
A possible solution: Implementing a DPMS
• A data privacy management system (DPMS) based on a standard can help you to enforce necessary compliance without re-inventing the wheel
• Best practice (common standards such as ISO 9001, ISO 27001 etc.)
• Build synergies if you are already certified in other fields of compliance
Is compliance innovative?
• Innovations are like the exploration of an unknown world
• "Customers" of the old world must become familiar with the new world
• Compliance always means "stress" for the organization
• Innovations are often met with reservation (which can invalidate them) and sometimes with fundamental hostility, which often prevents the breakthrough
• As a DPO you need to deal with this "stress"
Risk based approach
• The risk based approach, next to rule-based systems, is becoming increasingly important
• Through effective risk management, the responsibility of the organization units will become the focus
(Diagram: risk cycle of detect, measure, control)
5 Basic elements of every compliance system
• Credo and Code as a roof
• Structure of the organization
• Legal risk analysis, processes
• Incentives and sanctions
• Review and development
Supporting measures:
– Code of Conduct
– Guidelines
– Adoption and enforcement of rules
– Training and education
– Sufficient staff structures
– Sufficient financial resources
– Violations of the law are to be sanctioned immediately in any case
– Law-abiding behavior should be a prerequisite for any remuneration
– Periodic review of the compliance program
The "tone at the top"
For the successful implementation of every compliance management in the company, it is important to positively influence the behavior of managers and employees and to achieve sustainable change.
Search for internal allies
• Internal allies are essential
• Compliance "against" the organization never works
• Possible internal allies are, for example,
– Internal Audit
– Legal Affairs
– Risk Management
– Executive assistant
– Group Communications
– Human Resources
– …
• Let's not forget the affected business areas = possible synergies
– Information Technologies
– Marketing & Sales
– Other compliance departments (AML officer, responsible gaming etc.)
Thank you for your attention!
Keynote Speech: Data Protection Now Means Compliance
Steve Wright, Former Global Privacy Officer, Unilever
GDPR Requirements for Breach Monitoring and Notification
Ross McKean, Head of Data Protection, Olswang
GDPR: Data Breach Notification
Ross McKean, Partner, Olswang LLP
22 March 2016
Agenda
1. Lessons learned from the US
2. Current law and practice in the UK
3. New rules for breach notification under GDPR
4. What should you do now to prepare?
Lessons learned from the US
• Since California introduced the first notification law in 2002, a total of 47 US States have introduced similar laws
• Most require notification of unencrypted data breaches to affected citizens
• National Conference of State Legislatures maintains a list and links to all State laws: www.ncsl.org
Lessons learned from the US
1. Mandatory notification laws have driven notifications – sweeping breaches under the carpet is a very high risk option
2. Most State laws require rapid notification within very short timescales (days rather than weeks)
3. Few have any materiality threshold – the majority of breaches must be notified, though some limit the obligation to where "unencrypted" data is compromised. Evidence of notification fatigue setting in
4. Many organisations are not using privilege effectively – forensics are often not instructed by lawyers so their reports are easy prey for class action claimants and State Attorneys General
5. Frequency of reported breaches is increasing
6. Cyber and data breach remains a top priority for government and the media and continues to make daily headlines
7. There is a high risk of lasting reputational damage
UK: Current law and practice
1. No general obligation to notify data breaches (though sector rules apply)
2. Legal standard of care = appropriate technical and organisational measures
3. ICO guidance recommends notification of "serious breaches"
4. Limited legal sanctions for not notifying
5. Total fines to date issued by the ICO: c. £6 million in total; FCA / FSA: c. £8 million in total
6. Reputational damage harder to quantify but only bites if the breach becomes public knowledge
7. In practice, many choose not to notify unless there is a serious risk of harm to consumers and/or the ICO is likely to find out through other channels
8. Incident response is often led by the IS function with little / no involvement of legal. Privilege and document control are rarely considered during the early stages of an investigation
GDPR: Breach Notification to Regulators
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority … unless the data breach is unlikely to result in a risk for the rights and freedoms of individuals. The notification ... shall be accompanied by a reasoned justification in cases where it is not made within 72 hours – Article 32
Notification to: the competent supervisory authority / authorities
Materiality threshold: low. Any data breach unless unlikely to result in "a risk" [NB any risk] for the rights and freedoms of individuals
Deadline: tight! Within 72 hours "after having become aware of it"
What must be notified: (i) nature of the breach including categories and number of data subjects and data records concerned; (ii) name and contact of DPO or other contact; (iii) likely consequences of breach; (iv) measures taken or planned to address breach and mitigate adverse effects
Do processors have to notify? Yes, though only to the relevant controller(s) "without undue delay after having become aware"
GDPR: Breach Notification to Data Subjects
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals the controller shall communicate the personal data breach to the data subject without undue delay. Article 32
Notification to: affected data subjects
Materiality threshold: any breach likely to result in a "high risk" to the rights and freedoms of individuals. No requirement to notify where the controller has implemented appropriate technical and organisational measures to render data unintelligible (e.g. encryption) or has taken "subsequent measures" to ensure that the high risk to rights and freedoms is unlikely to materialise
Deadline: without undue delay. Phased notification permitted?
What must be notified: (i) name and contact of DPO or other contact; (ii) likely consequences of breach; (iii) measures taken or planned to address breach and mitigate adverse effects
GDPR: Breach Infrastructure Requirements
Controllers and processors must implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, including … as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services; (iii) the ability to restore; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of these measures – Article 30
Is there an obligation to monitor for breach? Yes – as an "appropriate" technical measure*
Is there an obligation to test security and breach response? Yes – explicit in Article 30 (point (iv) above)*
Is there an obligation to train staff in the use of technical solutions and in breach response? Yes – this would be part of the general obligation to implement appropriate "organisational" measures*
Is there a requirement to keep a log of data breaches? Yes – for each breach the controller is required to log the facts, the effects and remedial action taken to allow regulators to assess compliance – Article 31(4)
* the small print – will depend on the facts in each case and guidance as it develops!
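An added example, not from the slides or from Olswang: a minimal breach register in Python that applies the rules the three breach slides set out (the 72-hour regulator deadline and its "reasoned justification", the low and high risk thresholds with the encryption and "subsequent measures" exemptions, and the Article 31(4) log of facts, effects and remedial action). The Breach dataclass, its field names and the sample incident are this example's own assumptions, and the article numbers follow the draft numbering used on the slides.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Draft Article 32 as quoted on the slide: "not later than 72 hours after having become aware".
SA_DEADLINE = timedelta(hours=72)


class Risk(Enum):
    """Controller's assessment of the risk to individuals' rights and freedoms."""
    UNLIKELY = "unlikely to result in a risk"
    RISK = "a risk"
    HIGH_RISK = "high risk"


@dataclass(frozen=True)
class Breach:
    """One breach-log entry (draft Article 31(4)); field names are this example's own."""
    ref: str
    aware_at: datetime                  # the 72h clock starts here
    risk: Risk
    nature: str                         # (i) nature of the breach
    data_subjects: int                  # (i) number of data subjects concerned
    records: int                        # (i) number of data records concerned
    contact: str                        # (ii) DPO or other contact
    likely_consequences: str            # (iii) likely consequences of the breach
    measures: str                       # (iv) measures taken or planned
    data_unintelligible: bool = False   # e.g. encrypted, keys not compromised
    subsequent_measures: bool = False   # steps taken so the high risk is unlikely to materialise
    sa_notified_at: Optional[datetime] = None
    late_justification: str = ""        # required when notification is made after 72 hours


def at(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def variant(b: Breach, **changes) -> Breach:
    """Copy of an entry with some fields changed, for what-if checks."""
    return replace(b, **changes)


def sa_deadline(b: Breach) -> datetime:
    return b.aware_at + SA_DEADLINE


def must_notify_sa(b: Breach) -> bool:
    # Low threshold: every breach except one "unlikely to result in a risk".
    return b.risk is not Risk.UNLIKELY


def must_notify_data_subjects(b: Breach) -> bool:
    # High threshold, minus the two exemptions the slide lists.
    if b.risk is not Risk.HIGH_RISK:
        return False
    return not (b.data_unintelligible or b.subsequent_measures)


def sa_notification_issues(b: Breach, now: datetime) -> list[str]:
    """Gaps a compliance reviewer would flag in the regulator notification."""
    if not must_notify_sa(b):
        return []
    required = {"nature of the breach": b.nature, "contact details": b.contact,
                "likely consequences": b.likely_consequences,
                "measures taken or planned": b.measures}
    issues = [f"missing content: {k}" for k, v in required.items() if not v.strip()]
    deadline = sa_deadline(b)
    if b.sa_notified_at is None:
        if now > deadline:
            issues.append(f"overdue: deadline was {deadline.isoformat()}")
    elif b.sa_notified_at > deadline and not b.late_justification.strip():
        issues.append("notified after 72 hours without a reasoned justification")
    return issues


def log_record(b: Breach) -> dict:
    """The Article 31(4) record (facts, effects, remedial action) plus the derived decisions."""
    return {
        "ref": b.ref,
        "facts": {"nature": b.nature, "aware_at": b.aware_at.isoformat(),
                  "data_subjects": b.data_subjects, "records": b.records},
        "effects": b.likely_consequences,
        "remedial_action": b.measures,
        "notify_supervisory_authority": must_notify_sa(b),
        "sa_deadline": sa_deadline(b).isoformat(),
        "notify_data_subjects": must_notify_data_subjects(b),
    }


# Constructed sample incident (not a real case): a dump of player account
# records found online; card data was not included.
SAMPLE = Breach(
    ref="BR-2016-001",
    aware_at=at(2016, 3, 30, 9),
    risk=Risk.HIGH_RISK,
    nature="Unauthorised disclosure of player account records",
    data_subjects=12000,
    records=12000,
    contact="dpo@example.com",
    likely_consequences="Phishing and account takeover attempts against affected players",
    measures="Passwords reset, leaked API key revoked, affected players to be notified",
)
```

Running `log_record(SAMPLE)` gives the register entry with a deadline of 2 April 2016 09:00 UTC, and `sa_notification_issues(SAMPLE, now)` returns the missing-content or overdue findings a reviewer would raise at that moment.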
What should you do now to prepare?
Building better compliance
• Build the right team. Now. Engage your lawyers and other external vendors now so they are on tap when you need them
• Create policies, raise awareness and normalise the risk
• Rehearse your comms: build a defendable narrative
• Use privilege and confidentiality rings
• Practice: war game. Regularly
• Ensure regular security patching
• Review cyber insurance coverage
Thank you for listening
Ross McKean / Partner / Head of Data Protection
Responding to Cyber Crime – Working with the Police
Roy Ramm, Founding Director, ExtraYard
THE STRATEGIC POLICING REQUIREMENT
The scale of the threat from serious and organised crime has been demonstrated by high profile cases of child sexual exploitation; growing use of cyber techniques by organised criminals to commit fraud and trade illegal drugs and firearms on the internet; and the spread of banking malware responsible for losses of hundreds of millions of pounds.
National Security Strategy identifies cyber crime as a Tier One risk; it covers both cyber-dependent crime and cyber-enabled crime.
A national cyber security incident, which the NSS identifies as a Tier One risk and which may require an aggregated police response under the guidelines set out by the UK's Computer Emergency Response Team (CERT-UK) with appropriate links to NCA, civil contingencies and public order policing as needed.
WHO ARE THE INVESTIGATORS?
GCHQ and the National Cyber Crime Unit (NCCU) work together to develop the skills and technology required to combat the elite cyber crime threat to the UK.
For the most serious national crimes, the NCCU in the National Crime Agency (NCA) leads operations.
Each of the 9 Regional Organised Crime Units has its own cyber unit.
The Metropolitan Police has also enhanced its cyber capability. Operation FALCON (Fraud and Linked Crime Online) brought together the Metropolitan Police's fraud squad and the cyber crime unit to disrupt and arrest cyber criminals attacking London businesses.
OPERATIONS IN PARTNERSHIP
WHAT THE NCA OR THE POLICE WILL INVESTIGATE
• Cyber crime and cyber-enabled crime, facilitated by the use and control of malicious software (malware).
• Cyber crime and cyber-enabled crime, facilitated by the use of online phishing techniques.
• Computer and network intrusions (with various motives and objectives).
• Denial of service attacks and website defacement (with various motives and objectives).
• The online trade in financial, personal and other data obtained through cyber crime or cyber-enabled crime.
• The intentional and dishonest online provision of services, tools etc. to facilitate cyber crime or cyber-enabled crime.
57 ARRESTED IN NATIONWIDE CYBER CRIME STRIKE WEEK
6 MARCH 2015
Working with partners in law enforcement, industry and government, the National Crime Agency (NCA) coordinated an intensive period of UK-wide action against cyber crime.
Fifty-seven people were arrested in 25 separate operations, related to a range of cyber criminality including:
- Network intrusion and data theft from multinational companies and government agencies
- Distributed Denial of Service (DDoS) attacks
- Cyber-enabled fraud
- Malicious software and virus development
Operational activity took place across England, Scotland and Wales involving officers from the NCA's National Cyber Crime Unit (NCCU), Metropolitan Police and Regional Organised Crime Units (ROCUs) associated with local forces around the UK.
VILLAIN OR VICTIM – WHO TO CALL?
The 7th Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Where no serious cyber crime threat exists the investigative role is likely to remain with the Information Commissioner.
If you have been attacked and your data protection measures are found not to be 'appropriate' you may be both a victim of crime and a 'suspect'.
Call your lawyer
Call the Information Commissioner
Call Action Fraud?
Call the police?
BREACHES MAY CAUSE REAL HARM AND DISTRESS
• Fake credit card transactions;
• Witnesses at risk of physical harm or intimidation;
• Offenders at risk from vigilantes;
• Exposure of the addresses of service personnel, police and prison officers, and women at risk of domestic violence;
• Fake applications for tax credits; and
• Mortgage fraud.
WORKING WITH INVESTIGATORS
Make early contact with law enforcement
Closing the door or following the trail?
"The primary object of an efficient police is the prevention of crime": Protect yourself/customers from further loss
"The next that of detection and punishment of offenders if crime is committed": Preserve evidential trail
• Preserve all material
• Limit knowledge
• Control communication
• Make careful and detailed notes of ALL actions
• Destroy/delete NOTHING
• Choose your witnesses carefully
DISCREET AND PROPORTIONATE INVESTIGATIVE APPROACH
Responding to Cyber Crime – Working with the Police
Chris Martin, Senior Business Manager EMEA, Darktrace
The Enterprise Immune System: Using Machine Learning to Detect Threats
Chris Martin, Senior Business Manager EMEA
Company Background
• Founded in 2013 in Cambridge, UK
• Started by mathematicians and government intelligence specialists
• Winner of 'Security Company of the Year' at Info Security Global Excellence Awards 2015
• HQs in Cambridge, UK & San Francisco
• Winner of 'Best Insider Threat Detection and Solutions' at Network Products Guide IT World Awards
• Over 550 deployments worldwide
• Gartner 'Cool Vendor' 2015
• 18 global locations
• World Economic Forum 'Technology Pioneer' 2015
• Technology based on machine learning & mathematics
"Darktrace is a game-changer" – Virgin Trains
Enterprise Immune System
• Unsupervised machine learning: develops mathematical models of normal behavior
• Inside-out view: complete analysis and visibility of 100% of network traffic
• Correlation & behavioral analysis: for every individual user, device and network
• Real time & long-running: analyzes events over long periods of time, with playback capability
• Visualization and investigation: auto-classification of threats, supporting workflow and collaboration
Machine Learning & Mathematics
• Advanced Bayesian mathematics pioneered at Cambridge University
• Recursive Bayesian Estimation detects subtle changes within data series in real time and adaptively iterates its models
• Numerous approaches used to classify the probability of an action based on previous and emerging behaviors
• No 'a priori' assumptions about good or bad – mathematical models are unique to your organization
• Distribution is built from a complex set of low-level host, network and traffic observations or 'features'
Darktrace in your security stack
Case Study: BT
Industry
• Telecommunications
Challenge
• Large, widely dispersed network
• Fast-evolving sophisticated threats
• Wanted a solution that could parse complex network data and detect previously unknown threats
Benefits
• Real-time, dynamically updated visibility of entire network
• Confidence that previously unknown threats can be detected within network before they do serious damage
• Enhanced their own security offerings with Darktrace's expertise in unsupervised machine learning and Bayesian mathematics
• Defended against potential insider threat
"Darktrace's machine learning and mathematics are extremely powerful in detecting activity that is abnormal and will be critical to our future cyber security offerings." – Mark Hughes, President, BT Security
Darktrace in 2016
• 750 deployments to date
• 200+ employees
• Proven to work at scale
• Works on virtualized and cloud environments (vSensor) – including Amazon AWS, Rackspace etc
Major product announcement imminent – the machine fights back. Watch this space!
Conclusion
• The threat is inside
• Rules & signatures are not enough
• Enterprise Immune System is unique
– Powered by machine learning and mathematics
– Understands ‘normal’ and detects emerging insider and external threats
– No rules or signatures
– Installs in 1 hour
Thank you
Context: Working an Incident
Mark Raeburn, CEO, Context Information Security
Working an Incident
30/03/2016
Cyber Threat Landscape
Threat actors: Nation States; Organised Crime; Hacktivists; Insiders
• Intellectual property
• Merger & Acquisition data
• Military technologies
• Payment card data
• Financial market data
• Full identification data
• Web server data
• Social Media credentials
• Information related to key employees
• Data Theft
• Accidental Loss
• Misconfigurations
Monitoring & Response: why it is important
Meet your team
INCIDENT RESPONSE TEAM
• TEAM LEADER: Coordinate + align key resource, minimise impact + restore operations
• LEAD INVESTIGATOR (INVESTIGATION): Prioritise assets & capture baselines, threat info; Incident triage procedures; Effective ways to investigate and recover data
• COMMUNICATION, LEGAL and PR: Team member contact info; External contacts; Internal + external strategy; Press lines; Insurer
What good looks like
1. Define Cyber Security Strategy
The Science of Sufficiency
(Chart: Risk, Capability and Maturity plotted against threat actors: Espionage, Cyber Crime, Script Kiddies, Hacktivists)
Measuring Success
Options: Return to Operation; Time to Closure; # Alerts or Incidents; Red/Blue Team; Peer Comparison
Vs. Considerations: What is normal?; Behavioural Impact; Capability Improvements; Accepted Risk Appetite
Any Questions?
Marketing, Profiling and Consent
Anna Soilleux, Senior Associate, Olswang LLP
International Transfers
Ross McKean, Head of Data Protection, Olswang
International Transfers Today and Tomorrow
Ross McKean, Partner, Olswang
Rules and options for international transfers
Today: under DPD
• General principle: transfers to a third country (i.e. non-EEA) permitted only if the third country ensures "adequate" protection - Article 25
• Adequacy findings: Article 25(6) including:
– White List decisions
– Model clauses
• Derogations: Article 26 including:
– unambiguous consent
– performance of a contract
– transfer necessary or legally required on important public interest grounds
Tomorrow: under GDPR Chapter V
• General principle: No transfers to third countries unless Chapter V conditions are met. Applies to controllers and processors – Art 40
• Fines – 4% / € 20 million bracket
• Adequacy decisions (White List) - Article 41
• "Appropriate safeguards" including model clauses, codes of conduct and certification mechanisms - Article 42
• BCRs: Front and centre – now has its own Article 43
• DPD findings – remain valid until amended, replaced or repealed – Art 42
• Derogations: Article 44 including:
– explicit consent
– performance of a contract
– necessary for important public interest reasons
US transfers: Safe Harbor, Privacy Shield – where are we now?
• 6 October 2015: CJEU invalidates Safe Harbor in Schrems decision
• 16 October 2015: Article 29 Working Party statement
• 2 February 2016: agreement on EU-US Privacy Shield announced
• 29 February 2016: Privacy Shield documentation published
• 12/13 April: Article 29 Working Party due to adopt opinion on adequacy of Privacy Shield at plenary meeting
• Art 29 WP due to opine after plenary meeting on other transfer mechanisms e.g. binding corporate rules and standard contractual clauses
• Another positive opinion is required of the Article 31 committee before the Commission can formally adopt an adequacy decision.
• Reports that Commission want Privacy Shield adopted by June
…all subject to what this man may do next
International transfers: practical takeaways
• Bad news:
– post the Schrems ruling there will continue to be legal uncertainty and it is possible that a new Privacy Shield regime could also be challenged
– some regulators in Germany have already started enforcing against companies relying solely on the now defunct safe harbor
• Good news:
– the ICO and the Irish regulator are much more relaxed about international transfers, but:
• Practical advice:
– you need to have a defendable narrative if the regulators come knocking on your door – such as model clauses and/or consent - recognising that no solution is entirely robust
– you should start planning transfer compliance under GDPR now. Privacy Shield and BCR will take significant time and resource to implement