SlideShare a Scribd company logo

CERN 5 Things you should know about Data Protection

Download as PPTX, PDF
EUDAT, profile picture
EUDAT

The document provides an overview of key aspects of data protection that organizations should be aware of: 1) Personal data belongs to individuals and must be processed fairly and for specific purposes, with transparency about how and why data is used. 2) Inappropriately handling personal data without consent or legitimate basis is illegal. Organizations must implement training, policies, and accountability measures to ensure compliant internal data practices. 3) Personal data cannot be freely shared without appropriate safeguards like contracts, as the controller remains responsible for privacy protections. International transfers require ensuring an adequate level of protection. 4) Organizations have an obligation to appropriately secure personal data and respect individuals' rights to their data, such as access,

Technology
Related topics:
Data Protection Practices
1 of 18
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
CERN 5 Things you should know about Data Protection
5 things you should know about Data Protection 2 David Foster Head of Data Privacy Protection January 2018
Opening Sing-along My personal data are mine To abuse them is a crime You cannot share You must take care Or risk a hefty fine 3 David Foster 2018
1. My Personal data are mine • Personal data belong to the individual • They are not yours to use as you see fit, not even if they are public! • Fair processing • Legitimate Basis (hint: consent is a problem) • Specific Purpose • Privacy notices should declare what, how and why data are processed • One is unlikely to be enough! • One notice for each independent service. • Data Protection Impact Assessments (DPIA) may be needed. 4
2. To abuse them is a crime • The scope of personal data is wide • Attributes, Photos, Electronic Identifiers …. • The scope of processing is broad • Analysing, Copying, Viewing …. • This is complex to communicate inside an organisation • Internal training • Internal policies • Accountability • It may help to consolidate processes and infrastructure • Approved storage systems • Managed internal transfers • Be wary of automated decision making and profiling 5
3. You cannot share • Without safeguards because privacy travels with the data • Responsibility rests with the controller • Contracts, codes of conduct, binding corporate rules • Records of transfers • Extra-territorial reach • This may be a difficult culture change within organisations used to freely sharing personal data • Complexity may increase with ePrivacy 6
4. You must take care • You need to look after other peoples data • Appropriate organisational and technical measures • Risks with unnecessary data retention • ISO27001 for data security and handling is a good starting point • Individuals have rights to their data you are processing (even if not absolute rights) • Must be clear mechanisms to exercise the 8 basic rights, which should be in the privacy notice • Privacy by default and by design • Anonymise or pseudonymise 7
5. Or risk a hefty fine • Its all about managing risk • “Compliance”, per-se, does not exist • Fines can be large depending on the infraction • Violation of principles carry the larger fine • Mitigation of risk of large fines • A demonstrable attempt at implementing the legislative requirements • Internal Training, Policies, Accountability, Management Commitment • Having a DPO and accepting their advice 8
Finally … 9
Key Obligations of an Organization • A29 Advice • “employers should always bear in mind the fundamental data protection principles, irrespective of the technology used; • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence; • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications; • employees should receive effective information about the monitoring that takes place; and • any international transfer of employee data should take place only where an adequate level of protection is ensured.” 10
Employers Must: • A29 Advice • “ensure that data is processed for specified and legitimate purposes that are proportionate and necessary; • take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose; • apply the principles of proportionality and subsidiarity regardless of the applicable legal ground; • be transparent with employees about the use and purposes of monitoring technologies; • enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data; • keep the data accurate, and not retain them any longer than necessary; and • take all necessary measures to protect the data against unauthorised access and • ensure that staff are sufficiently aware of data protection obligations.” 11
Typical Reactions • Fiction: “This is just administration so doesn’t concern me” • Fact: This is part of the professional responsibilities • Fiction: “OK, I will do it and then I can forget about it” • Fact: This is an ongoing and continual process • Fiction: “Just tell me what to do so I don’t have to think about it” • Fact: Privacy considerations have to become part of the culture as simple prescriptions for all possible situations are not possible. 12
Monitoring • Principles • Employees must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing. (Necessary but not in itself sufficient) • Data collected that includes personal data should be for a specific legitimate purpose. • Monitoring data should be anonymised by default. • A29 Advice on limitations to monitoring • “geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited), • data-oriented (e.g. personal electronic files and communication should not be monitored), and • time-related (e.g. sampling instead of continuous monitoring).” • Blocking is better than monitoring • Questions • Are you handling this appropriately? • Are you “over-collecting” data with the risk of “further processing”? • How will you separate personal and work-related data? • Do you have a clear IT monitoring policy with appropriate safeguards? 13
Storage • Principles • Ensure that data are not accidentally processed. • Ensure that deleted data stays deleted • A29 • “It should be ensured that employees can designate certain private spaces to which the employer may not gain access unless under exceptional circumstances.” • Some Questions • Are all services where personal data are stored “fit for purpose”? • Can you demonstrate adequate technical measures? (ISO27001) • What are you policies for different classes of data on automatic deletion? 14
End-user devices • Principles • Do not process non-work related personal data on devices allowed for private use, or in a private context (home). • A29 • “Select the most privacy protecting defaults” • Provide (acceptable use) policies. “This allows employees to adapt their behaviour to prevent being monitored when they legitimately use IT work facilities for private use” • Some Questions • Do you have sufficient measures to allow for truly private use of facilities? (Laptops, Network, Storage etc) • Are you offering enough advice on the use of IT facilities? 15
Typical and generic problems • Collecting too much data - violates data minimisation • Because you have a single “Web form” • Using unsecured transfer mechanisms - violates appropriate technical measures • Email • Processing data without controls - violates appropriate organisational measures • Excel spreadsheets, Laptops etc. • Personal Data kept because it “might be useful” - violates retention periods. • Archives • Data stored on other services (internal and external) without privacy protecting agreements - violates appropriate safeguards. • Almost every storage system or platform 16
Finally, 5 things to do 1. Know where you are processing • Data mapping 2. Know what you are doing • Privacy notices 3. Know why you are doing it • Internal review of processing operations 4. Know how you are doing is correct • Technical measures and controls 5. Know when you should stop doing it • Retention periods 17
Good Luck! 18 Facebooks has put together: “the largest cross functional team” comprising “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”. “Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. Source: https://techcrunch.com/2018/01/20/wtf-is-gdpr/

More Related Content

PPTX
Cloud computing - When is Deletion Deletion?
Lancaster University Library
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
PPT
Your Employees and Information Security
Shred-it
 
PPTX
Privacy: The New Software Development Dilemma
Security Innovation
 
PPT
DPA seminar presentation
Rodonoghue72
 
PPTX
Prepare Your Firm for GDPR
MyComplianceOffice
 
PDF
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
PPTX
Privacy experience in Plone and other open source CMS
Interaktiv
 
Cloud computing - When is Deletion Deletion?
Lancaster University Library
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
Your Employees and Information Security
Shred-it
 
Privacy: The New Software Development Dilemma
Security Innovation
 
DPA seminar presentation
Rodonoghue72
 
Prepare Your Firm for GDPR
MyComplianceOffice
 
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
Privacy experience in Plone and other open source CMS
Interaktiv
 

What's hot (20)

PPT
3 02
Pranaya Krishna
 
PDF
2. Asset Security
Sam Bowne
 
PDF
3. Security Engineering
Sam Bowne
 
PPT
Privacy, Security & Access to Data
Cybera Inc.
 
PPTX
Umphrey hutcherson-ecu-cause2010-rev5
umphreym
 
PPTX
Privacy by Design: White Papaer
Kristyn Greenwood
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Employee monitoring updated
Advent IM Ltd
 
PPTX
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
PPTX
Introduction to Health Informatics Ch11 power point
bradleyl2
 
PPTX
Privacy by Design - taking in account the state of the art
James Mulhern
 
PDF
1. Security and Risk Management
Sam Bowne
 
PDF
CISSP-WEB
MEHMET FATIH YALDIZ
 
PDF
Data Privacy Compliance Awareness Planning Strategy Assessment Methodology Fr...
SlideTeam
 
PPTX
Steal This Data - Email Security and DLP
GalaxyTech International
 
PDF
3GRC approach to GDPR V 0.1 www.3grc.co.uk
►David Clarke FBCS CITP
 
PDF
GDPR and ISO27001 mapping EL
Eugene Lee
 
PPTX
Digital Preservation Discussion Group
Axiell ALM
 
PPTX
Advantage ppt data breaches km approved - final (djm notes)
Dan Michaluk
 
PDF
GDPR for Non-European Region - Financial Services EL
Eugene Lee
 
3 02
Pranaya Krishna
 
2. Asset Security
Sam Bowne
 
3. Security Engineering
Sam Bowne
 
Privacy, Security & Access to Data
Cybera Inc.
 
Umphrey hutcherson-ecu-cause2010-rev5
umphreym
 
Privacy by Design: White Papaer
Kristyn Greenwood
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
Employee monitoring updated
Advent IM Ltd
 
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Introduction to Health Informatics Ch11 power point
bradleyl2
 
Privacy by Design - taking in account the state of the art
James Mulhern
 
1. Security and Risk Management
Sam Bowne
 
CISSP-WEB
MEHMET FATIH YALDIZ
 
Data Privacy Compliance Awareness Planning Strategy Assessment Methodology Fr...
SlideTeam
 
Steal This Data - Email Security and DLP
GalaxyTech International
 
3GRC approach to GDPR V 0.1 www.3grc.co.uk
►David Clarke FBCS CITP
 
GDPR and ISO27001 mapping EL
Eugene Lee
 
Digital Preservation Discussion Group
Axiell ALM
 
Advantage ppt data breaches km approved - final (djm notes)
Dan Michaluk
 
GDPR for Non-European Region - Financial Services EL
Eugene Lee
 
Ad

Similar to CERN 5 Things you should know about Data Protection (20)

PDF
GDPR webinar for business leaders
Deeson
 
PDF
The principles of the Data Protection Act in detail - uk
- Mark - Fullbright
 
PDF
data-privacy-egypt-what-you-need-know-en.pdf
kiruthigajawahar6
 
PPT
Data privacy & social media
Prof. Jacques Folon (Ph.D)
 
PDF
Data Privacy Program – a customized solution for the new EU General Regulatio...
IAB Bulgaria
 
PPTX
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
PDF
data privacy handbook: A starter guide to data privacy compliance
DesmondMontgomery2
 
PDF
Prep your app for gdpr compliance
Asanka Nissanka
 
PPTX
3A – DATA PROTECTION: ADVICE
CFG
 
PDF
1307 Privacy Act
Zowie Murray
 
PPT
Personal privacy and computer technologies
sidra batool
 
PDF
Employment and Labour Law Seminar - June 13, 2013
This account is closed
 
PDF
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
PDF
Personal Data Protection Singapore - Pdpc corporate-brochure
Jean Luc Creppy
 
PPTX
Data protection training emea new joiners. mandatory quiz
Deborahchiesa
 
PPTX
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
PPTX
Charity Law Updates for 2018: Making the Most of Change
IBB Law
 
PPT
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
PPTX
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
PPTX
GDPR: Day 1 and beyond
NCVO - National Council for Voluntary Organisations
 
GDPR webinar for business leaders
Deeson
 
The principles of the Data Protection Act in detail - uk
- Mark - Fullbright
 
data-privacy-egypt-what-you-need-know-en.pdf
kiruthigajawahar6
 
Data privacy & social media
Prof. Jacques Folon (Ph.D)
 
Data Privacy Program – a customized solution for the new EU General Regulatio...
IAB Bulgaria
 
The General Data Protection Regulation (GDPR) in Ireland-What You Should Know
Terry Gorry
 
data privacy handbook: A starter guide to data privacy compliance
DesmondMontgomery2
 
Prep your app for gdpr compliance
Asanka Nissanka
 
3A – DATA PROTECTION: ADVICE
CFG
 
1307 Privacy Act
Zowie Murray
 
Personal privacy and computer technologies
sidra batool
 
Employment and Labour Law Seminar - June 13, 2013
This account is closed
 
GDPR for your Payroll Bureau
BrightPay Payroll and Auto Enrolment Software
 
Personal Data Protection Singapore - Pdpc corporate-brochure
Jean Luc Creppy
 
Data protection training emea new joiners. mandatory quiz
Deborahchiesa
 
What does GDPR mean for your business?
BrightPay Payroll and Auto Enrolment Software
 
Charity Law Updates for 2018: Making the Most of Change
IBB Law
 
Legal And Regulatory Dp Challenges For The Financial Services Sector
MSpadea
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
GDPR: Day 1 and beyond
NCVO - National Council for Voluntary Organisations
 
Ad

More from EUDAT (20)

PDF
EUDAT_Brochure_Generica_Jan_UPDATED(5).pdf
EUDAT
 
PDF
EUDAT Booklet Mar22 (2).pdf
EUDAT
 
PDF
EUDAT_Brochure_Generica_Jan_UPDATED (1).pdf
EUDAT
 
PDF
EUDAT Brochure - B2HANDLE.pdf
EUDAT
 
PDF
EUDAT Brochure - B2DROP.pdf
EUDAT
 
PDF
EUDAT Brochure - B2SHARE.pdf
EUDAT
 
PDF
EUDAT Brochure - B2SAFE.pdf
EUDAT
 
PDF
EUDAT Brochure - B2FIND(1).pdf
EUDAT
 
PDF
EUDAT Brochure - B2ACCESS.pdf
EUDAT
 
PDF
Rob Carrillo - Writing effective service documentation for EUDAT services
EUDAT
 
PDF
Ariyo - EUDAT CDI B2 services documentation
EUDAT
 
PDF
Introduction to eudat and its services
EUDAT
 
PPTX
Using B2NOTE: The U.Porto Pilot
EUDAT
 
PPT
OpenAIRE Advance - Kick off last week
EUDAT
 
PPT
European Open Science Cloud - Skills workshop
EUDAT
 
PPT
Linking service capabilities to data stweardship competences for professional...
EUDAT
 
PPT
FAIRness of training materials
EUDAT
 
PPT
Training by EOSC-hub - Integrating and Managing services for the European Ope...
EUDAT
 
PDF
Draft Governance Framework for the EOSC
EUDAT
 
PDF
Building Interoperable AAI for Researchers
EUDAT
 
EUDAT_Brochure_Generica_Jan_UPDATED(5).pdf
EUDAT
 
EUDAT Booklet Mar22 (2).pdf
EUDAT
 
EUDAT_Brochure_Generica_Jan_UPDATED (1).pdf
EUDAT
 
EUDAT Brochure - B2HANDLE.pdf
EUDAT
 
EUDAT Brochure - B2DROP.pdf
EUDAT
 
EUDAT Brochure - B2SHARE.pdf
EUDAT
 
EUDAT Brochure - B2SAFE.pdf
EUDAT
 
EUDAT Brochure - B2FIND(1).pdf
EUDAT
 
EUDAT Brochure - B2ACCESS.pdf
EUDAT
 
Rob Carrillo - Writing effective service documentation for EUDAT services
EUDAT
 
Ariyo - EUDAT CDI B2 services documentation
EUDAT
 
Introduction to eudat and its services
EUDAT
 
Using B2NOTE: The U.Porto Pilot
EUDAT
 
OpenAIRE Advance - Kick off last week
EUDAT
 
European Open Science Cloud - Skills workshop
EUDAT
 
Linking service capabilities to data stweardship competences for professional...
EUDAT
 
FAIRness of training materials
EUDAT
 
Training by EOSC-hub - Integrating and Managing services for the European Ope...
EUDAT
 
Draft Governance Framework for the EOSC
EUDAT
 
Building Interoperable AAI for Researchers
EUDAT
 

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
KodekX | Application Modernization Development
KodekX
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Approach and Philosophy of On baking technology
30anthuong17
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

CERN 5 Things you should know about Data Protection

  • 2. 5 things you should know about Data Protection 2 David Foster Head of Data Privacy Protection January 2018
  • 3. Opening Sing-along My personal data are mine To abuse them is a crime You cannot share You must take care Or risk a hefty fine 3 David Foster 2018
  • 4. 1. My Personal data are mine • Personal data belong to the individual • They are not yours to use as you see fit, not even if they are public! • Fair processing • Legitimate Basis (hint: consent is a problem) • Specific Purpose • Privacy notices should declare what, how and why data are processed • One is unlikely to be enough! • One notice for each independent service. • Data Protection Impact Assessments (DPIA) may be needed. 4
  • 5. 2. To abuse them is a crime • The scope of personal data is wide • Attributes, Photos, Electronic Identifiers …. • The scope of processing is broad • Analysing, Copying, Viewing …. • This is complex to communicate inside an organisation • Internal training • Internal policies • Accountability • It may help to consolidate processes and infrastructure • Approved storage systems • Managed internal transfers • Be wary of automated decision making and profiling 5
  • 6. 3. You cannot share • Without safeguards because privacy travels with the data • Responsibility rests with the controller • Contracts, codes of conduct, binding corporate rules • Records of transfers • Extra-territorial reach • This may be a difficult culture change within organisations used to freely sharing personal data • Complexity may increase with ePrivacy 6
  • 7. 4. You must take care • You need to look after other peoples data • Appropriate organisational and technical measures • Risks with unnecessary data retention • ISO27001 for data security and handling is a good starting point • Individuals have rights to their data you are processing (even if not absolute rights) • Must be clear mechanisms to exercise the 8 basic rights, which should be in the privacy notice • Privacy by default and by design • Anonymise or pseudonymise 7
  • 8. 5. Or risk a hefty fine • Its all about managing risk • “Compliance”, per-se, does not exist • Fines can be large depending on the infraction • Violation of principles carry the larger fine • Mitigation of risk of large fines • A demonstrable attempt at implementing the legislative requirements • Internal Training, Policies, Accountability, Management Commitment • Having a DPO and accepting their advice 8
  • 10. Key Obligations of an Organization • A29 Advice • “employers should always bear in mind the fundamental data protection principles, irrespective of the technology used; • consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence; • the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications; • employees should receive effective information about the monitoring that takes place; and • any international transfer of employee data should take place only where an adequate level of protection is ensured.” 10
  • 11. Employers Must: • A29 Advice • “ensure that data is processed for specified and legitimate purposes that are proportionate and necessary; • take into account the principle of purpose limitation, while making sure that the data are adequate, relevant and not excessive for the legitimate purpose; • apply the principles of proportionality and subsidiarity regardless of the applicable legal ground; • be transparent with employees about the use and purposes of monitoring technologies; • enable the exercise of data subject rights, including the rights of access and, as appropriate, the rectification, erasure or blocking of personal data; • keep the data accurate, and not retain them any longer than necessary; and • take all necessary measures to protect the data against unauthorised access and • ensure that staff are sufficiently aware of data protection obligations.” 11
  • 12. Typical Reactions • Fiction: “This is just administration so doesn’t concern me” • Fact: This is part of the professional responsibilities • Fiction: “OK, I will do it and then I can forget about it” • Fact: This is an ongoing and continual process • Fiction: “Just tell me what to do so I don’t have to think about it” • Fact: Privacy considerations have to become part of the culture as simple prescriptions for all possible situations are not possible. 12
  • 13. Monitoring • Principles • Employees must be informed of the existence of any monitoring, the purposes for which personal data are to be processed and any other information necessary to guarantee fair processing. (Necessary but not in itself sufficient) • Data collected that includes personal data should be for a specific legitimate purpose. • Monitoring data should be anonymised by default. • A29 Advice on limitations to monitoring • “geographical (e.g. monitoring only in specific places; monitoring sensitive areas such as religious places and for example sanitary zones and break rooms should be prohibited), • data-oriented (e.g. personal electronic files and communication should not be monitored), and • time-related (e.g. sampling instead of continuous monitoring).” • Blocking is better than monitoring • Questions • Are you handling this appropriately? • Are you “over-collecting” data with the risk of “further processing”? • How will you separate personal and work-related data? • Do you have a clear IT monitoring policy with appropriate safeguards? 13
  • 14. Storage • Principles • Ensure that data are not accidentally processed. • Ensure that deleted data stays deleted • A29 • “It should be ensured that employees can designate certain private spaces to which the employer may not gain access unless under exceptional circumstances.” • Some Questions • Are all services where personal data are stored “fit for purpose”? • Can you demonstrate adequate technical measures? (ISO27001) • What are you policies for different classes of data on automatic deletion? 14
  • 15. End-user devices • Principles • Do not process non-work related personal data on devices allowed for private use, or in a private context (home). • A29 • “Select the most privacy protecting defaults” • Provide (acceptable use) policies. “This allows employees to adapt their behaviour to prevent being monitored when they legitimately use IT work facilities for private use” • Some Questions • Do you have sufficient measures to allow for truly private use of facilities? (Laptops, Network, Storage etc) • Are you offering enough advice on the use of IT facilities? 15
  • 16. Typical and generic problems • Collecting too much data - violates data minimisation • Because you have a single “Web form” • Using unsecured transfer mechanisms - violates appropriate technical measures • Email • Processing data without controls - violates appropriate organisational measures • Excel spreadsheets, Laptops etc. • Personal Data kept because it “might be useful” - violates retention periods. • Archives • Data stored on other services (internal and external) without privacy protecting agreements - violates appropriate safeguards. • Almost every storage system or platform 16
  • 17. Finally, 5 things to do 1. Know where you are processing • Data mapping 2. Know what you are doing • Privacy notices 3. Know why you are doing it • Internal review of processing operations 4. Know how you are doing is correct • Technical measures and controls 5. Know when you should stop doing it • Retention periods 17
  • 18. Good Luck! 18 Facebooks has put together: “the largest cross functional team” comprising “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”. “Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. Source: https://techcrunch.com/2018/01/20/wtf-is-gdpr/