Cloud Data Protection Fitness - A Workout


Cloudscape 2016, 8 March 2016
Cloud Data Protection Fitness - A Workout
Dr Kuan Hon, k@kuan0.com, kuan.hon@pinsentmasons.com

General Data Protection Regulation
- Adoption 2016? Jurists / linguists to finalise; 10 Mar meeting
- In force 2018? 2-year lead time

Last year. Combining photos by Dennis Hill (cloud) and tanakawho (dog), both under CC BY 2.0

Today. Photo by Gavin Schaefer under CC BY 2.0

Harmonisation, scharmonisation. Graphic on Flickr by Winfried Veil (@winfriedveil), reproduced with his kind permission

Beware of GDPR FUD
- Marketing initiatives! Not cloud-washing but GDPR-scaremongering
- But: laypeople interpreting laws. They're words, Jim, but not as we know them!

So, AKA the Data Protection Jobs For Life Regulation

Old tech / business models entrenched
1970s outsourcing: Controller -> Processor -> Sub-processor
- Processor has exclusive access / control over the data delivered
- Processor's active processing of data, as per the controller's instructions
- Customised service
Cloud: Controller -> Processor (cloud server) -> Sub-processor(s)
- Controller retains direct access / control over the Internet ("shared responsibility")
- Controller's own direct self-service processing using the processor's service / systems
- Commoditised service / system

True concern
- Access to intelligible personal data by the provider / others (cloud or otherwise!)
- Control access through law (eg statutory obligation, contract) and/or technology (eg encryption, access controls)
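The "technology" leg of that point in working code, as an added example that is not part of the slides: the controller encrypts each record client-side with AES-256-GCM under a key it never gives the processor, so what the cloud provider stores is unintelligible to it, and any alteration or swapping of stored blobs is detected on decryption. The record identifier is bound as associated data. The type and function names, the "patient/42" identifier and the sample record are all constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Envelope is the only thing the cloud provider ever receives: it can
// store, replicate and serve the blob, but cannot make it intelligible.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewDataKey generates a 256-bit AES key. In the model on the slide this key
// stays with the controller (or a controller-managed KMS), never the processor.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. The record identifier is bound as associated
// data, so a ciphertext copied onto another record's slot will not open.
func Seal(key []byte, recordID string, plaintext []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(recordID))}, nil
}

// Open decrypts and authenticates. It fails on a wrong key, on any change to
// the stored bytes, and on an envelope swapped onto a different record.
func Open(key []byte, recordID string, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(recordID))
	if err != nil {
		return nil, errors.New("envelope rejected: wrong key, altered data or wrong record")
	}
	return pt, nil
}

// ProviderCanRead approximates the processor's view: is the personal data
// present in the clear anywhere in what it stores?
func ProviderCanRead(env Envelope, personalData string) bool {
	return strings.Contains(string(env.Ciphertext), personalData)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	record := []byte(`{"name":"Ada Lovelace","dob":"1815-12-10"}`)
	env, err := Seal(key, "patient/42", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored at provider:", base64.StdEncoding.EncodeToString(env.Ciphertext))
	fmt.Println("provider can read name:", ProviderCanRead(env, "Ada Lovelace"))

	pt, err := Open(key, "patient/42", env)
	fmt.Println("controller decrypts:", string(pt), err)

	_, err = Open(key, "patient/43", env) // same bytes, moved to another record
	fmt.Println("moved envelope:", err)
}
```

The design point is where the key lives: if the provider holds it (provider-managed encryption at rest), the provider and anyone it is compelled to assist can still reach intelligible data, and the control is back to contract and statute rather than technology.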

GDPR's key changes affecting cloud
DPD:
- Controller obligations & liability
- Controller's processor use: choose on security only; contract terms: instructions, security; ensure compliance
GDPR:
- Controller obligations & liability, plus processor obligations & liability
- Controller's processor use: choose on GDPR compliance; contract terms: more, & more prescriptive (cloud..); (Commission clauses); ensure compliance
- Sub- (other) processors: prior consent / change, plus terms flow down

Practical impact
Contracts, for processors & controllers:
- Fine (penalty) if the contract is non-compliant; no grandfathering!
- For contracts ending after around mid-2018, add appropriate terms on change of law / change control, so the contract can be changed:
  - compliance with contract-terms requirements, & who bears what costs
  - responsibility & liability allocation, indemnities
NB existing (even non-cloud) contracts too

Cloud scenarios: many sub-processors
Cloud Customers -> SaaS Provider -> IaaS / PaaS Provider -> Data Centre Provider(s) (or customers with the IaaS / PaaS Provider direct)
Plus Connectivity Provider(s) (carriers etc)
[Not just cloud!]

The workout! Photo by Randy Robertson under CC BY 2.0

ABS
- Accountability (& audit rights: controller, regulator)
- Big fines: board-level issue
- Security obligations, incl. processors; NIS Directive overlap?

[Chart: largest ICO fine per year, 2010-2015, v. 4% of a large FS company's 2014 global turnover; y axis 0.0m-18.0m. GDPR caps shown: 20m / 4% (20m = 15.3m) and 10m / 2% (10m = 7.6m)]

BICEPS
- Breach notification (NIS Directive too; any data)
- International transfers, incl. onward
- Customising; Consent (conditional?)
- Enforcement: resources? strategic?
- Processor obligations, liability, contracts
- Security by design etc; mitigating fines
Photo by PhotoAtelier under CC BY 2.0

PECS
- Procedures: organisational too, eg online contracts: forms for info; consents
- Encryption, tokenisation, anonymisation, pseudonymisation etc.
- Codes & certifications
- Start now!!!
Cropped from photo by Riordan King under CC BY 2.0
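Pseudonymisation from the list above, as an added example that is not from the slides: direct identifiers are replaced by a keyed HMAC-SHA256 token before rows go to a processor, a quasi-identifier (postcode) is reduced rather than dropped, and both the key and the re-identification table stay with the controller. Records for the same person still link up at the processor, which is what distinguishes this from anonymisation. The record layout, the field names and the sample rows are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed example of a row the controller holds.
type Record struct {
	Email    string // direct identifier: must not reach the processor
	Postcode string // quasi-identifier: reduced, not dropped
	Score    int    // the analytic payload the processor actually needs
}

// PseudoRecord is the row the processor receives.
type PseudoRecord struct {
	Subject string // keyed pseudonym of Email; stable, so records still link
	Area    string // outward postcode only
	Score   int
}

// Pseudonymiser holds the two things that must stay with the controller:
// the HMAC key and the re-identification table.
type Pseudonymiser struct {
	key    []byte
	lookup map[string]string // pseudonym -> normalised identifier
}

func NewPseudonymiser() (*Pseudonymiser, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Pseudonymiser{key: key, lookup: map[string]string{}}, nil
}

// normalise makes the pseudonym case- and whitespace-insensitive, so the
// same person entered twice with different capitalisation links up.
func normalise(identifier string) string {
	return strings.ToLower(strings.TrimSpace(identifier))
}

// Token derives the pseudonym with HMAC-SHA256 rather than a plain hash:
// with an unkeyed hash, anyone holding a list of candidate e-mail addresses
// can hash them all and re-identify subjects; with HMAC they also need the key.
func (p *Pseudonymiser) Token(identifier string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(normalise(identifier)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Pseudonymise replaces the direct identifier, reduces the quasi-identifier
// and records the mapping so the controller (only) can reverse it later.
func (p *Pseudonymiser) Pseudonymise(r Record) PseudoRecord {
	id := normalise(r.Email)
	tok := p.Token(id)
	p.lookup[tok] = id
	return PseudoRecord{Subject: tok, Area: outward(r.Postcode), Score: r.Score}
}

// Reidentify is the controller-side reversal that makes this pseudonymisation
// rather than anonymisation: the data stays personal data in GDPR terms.
func (p *Pseudonymiser) Reidentify(token string) (string, bool) {
	id, ok := p.lookup[token]
	return id, ok
}

// outward keeps the outward part of a UK-style postcode (everything before
// the final three characters), e.g. "SW1A 1AA" -> "SW1A".
func outward(postcode string) string {
	pc := strings.TrimSpace(postcode)
	if len(pc) <= 3 {
		return pc
	}
	return strings.TrimSpace(pc[:len(pc)-3])
}

func main() {
	p, err := NewPseudonymiser()
	if err != nil {
		panic(err)
	}
	// Constructed sample rows; not real personal data.
	rows := []Record{
		{Email: "Ada@Example.com", Postcode: "SW1A 1AA", Score: 7},
		{Email: "ada@example.com", Postcode: "SW1A 2BB", Score: 3},
	}
	for _, r := range rows {
		out := p.Pseudonymise(r)
		fmt.Printf("to processor: %s... %s %d\n", out.Subject[:12], out.Area, out.Score)
	}
	tok := p.Token("ada@example.com")
	id, ok := p.Reidentify(tok)
	fmt.Println("controller re-identifies:", id, ok)
}
```

The key rotation and table-storage decisions are the practical part: a processor or sub-processor who obtains the key can rebuild the table from a candidate list, so the key needs the same handling as the encryption keys discussed earlier in the deck.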

Practical points summary
- Contracts! and international transfers
- Sector-specific contract terms, eg CSA, Eurocloud? Draft & submit for approval
- Safest to use only the cloud giants? They can control the supply chain and build EU DCs, but are they enforcement targets? (though in their own right)
- Liability risk, so could others / the giants leave the EU / stop free services to EU residents?

Question: fitness of cloud for data protection laws, or fitness of data protection laws for cloud / new technologies?

Killing cloud quickly with DP?
The GDPR's coming, soon to be law they say
Middle of 20-18 may be the fateful day!
What will this mean for clo-ud? Will cloud be here to sta-ay?
Don't want to be pessimistic, not sure how we'll find a way
Killing cloud quickly with DP, killing cloud quickly, with DP,
tearing up SaaS, PaaS and I-aaS
Killing cloud quickly, with DP?
Full article: www.scl.org/site.aspx?i=ed46375
Photo of Roberta Flack by Roland Godefroy, CC BY SA 2.5

Thank you!
Dr Kuan Hon: half lawyer, half geek, mostly harmless
Twitter:
Email: k @ my domain below; also kuan.hon@pinsentmasons.com
www.kuan.com, blog.kuan.com