Thursday, May 1, 2014

EU Data Protection on one slide


I tend to explain European personal data protection based on this one slide. It covers the basic notions which are then used to dig deeper in further sessions. 


We will go through the five areas on this slide. 

1. The “when?” or the scope;

2. The “who?” or the players on the stage;

3. The “why?” which is both positive and negative;

4. The “what?” or in this case the general goal of the regulations and the bridge to the last part;

5. The “how?” or the rather technical rules the (European) legislator has set to process personal data, which I like to present as this quadrant or flower if you wish, which can later be unfolded as we enter into more detail.

So let us skim through it, to lay the foundations on which we will build later on.


First, when do the (European) data protection regulations apply?

Remember 4 words: “processing of personal data”, which is a broad concept. There is some more to it, as there also has to be a jurisdictional link with Europe; but the activity in scope is “processing of personal data”.

Personal data is defined as “any information relating to an identified or identifiable natural person” (the data subject). The data subject is considered to be identifiable when he or she “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”. So we are not only talking about your identity card, but also about all information that is linked to your social security number, to your DNA or fingerprints, to your LinkedIn or Facebook profile, to your photograph, to your telephone number, to your customer or credit card number, etc. And there is the increasing angle of combining so many data points that ‘only you’ come out, often referred to as big data analytics.


Processing is defined as “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” We can fairly say that is almost everything you can do with personal data.

 
Second, who are the players on this stage?

The protagonist, the lead character, is the data subject. He or she is the natural person to whom data is linked to make it personal data.

The antagonist, the character opposite the data subject, is the controller. It is the body, often a corporation or government, “which alone or jointly with others determines the purposes and means of the processing of personal data”. If the latter is determined by law, the law can indicate who the controller is. The controller is the prime target of the (current) (European) data protection regulations.

And thirdly there is the sidekick of the controller, the processor. It is the body, often a corporation, distinct from the controller or his staff, that, following the instructions of the controller, does (some of) the actual processing on behalf of the controller.



Now that we know the major notions of the scope and the players, and before moving on to what should be done and how, let us look at why you should be interested in the rest of the story. Well, there are three perspectives, one for each of the players.

a. The data subject wants to know what his rights are under the law.

b. The processor wants to know what the controller is required to do under the law, to understand
   a. in cases where agreements are negotiated
      i. why the controller wants a written agreement with him,
      ii. what clauses are the minimum the controller needs to have to be compliant,
   b. in cases where the processor for whatever reason wants to work with standard terms and conditions
      i. how he can draft terms and conditions that a customer–controller, subject to the law, can and will (more easily) accept,
      ii. (or to move even a step further on the ladder of customer “service”) how he can facilitate things for that customer–controller, subject to the law, not in the least to convince its lawyers, compliance or information security department, or data protection officer, e.g. by providing clear, to-the-point information in the contracting phase and by providing third party audit assurance during the execution of the agreement.

c. And last but not least, the controller wants to comply with the law
   a. to avoid negative consequences
      i. to avoid fines and other sanctions,
      ii. to avoid the hassle of a procedure or even an investigation by the data protection authorities on his premises,
      iii. to avoid reputational damage should a non-compliance (a breach, but others like inappropriate use of data as well) make the news headlines or start a protest on social media,
      iv. to avoid being the target of active hacking;
   b. (but more and more also) to reap the positive benefits of compliance
      i. to give comfort to their customers and staff, or even better to make them proud to be part of such an “ethical”, “respectful” community,
      ii. to differentiate themselves from their competitors, and thus to use it as a marketing tool,
      iii. to leverage it into better internal procedures,
      iv. to be prepared when – unexpectedly – there is an incident, so that they can profit from the “remote miss” advantage.


I hope you are convinced! At least enough to continue exploring the rest…

So now let’s jump back to what is regulated. The (European) regulations mainly want to support the unified market of the European Union. Therefore there has to be free flow of goods, people, capital, and services; but also of information and (personal) data. However, for the member states to trust each other, a bar of minimum protection of that data had to be set, to allow a free flow of personal data (in Europe). To set that bar the European legislator has looked at information theory, and has chosen to put the data subject and his trust and (reasonable) expectations at the centre. Around that they built the rule set that primarily targets the controller.
The regulations themselves are – at present - mainly set out in a 1995 Directive. 
A Directive is – in short – a legislative tool for the European legislator to indicate what the member states should implement in their national legislation. So the Directive by itself in principle is not meant to have immediate effect in the member states’ jurisdictions. That is the reason why the actual implementation may (slightly) differ from member state to member state.

But the big pillars can in my opinion be presented like this. The controller should be in control of the data he processes, as he received a “mandate” (if you want) from the data subject to process the data, and he should live up to the trust the data subject gave him.
  • That trust is purpose bound. The data can only be used for a certain finality. And that finality, purpose or goal will impact how the data is processed at the start (the collection), during its lifetime (keeping it accurate), and at the end of its lifetime (when it should be deleted).
  • For each use of the data there should also be a basis for legitimacy. As a baseline there are 6 theoretical bases for legitimacy, of which most corporations that are controllers can only use 4. Next to that baseline, there are more specific rules for
    (a) special categories of data like sensitive data or judicial data, and
    (b) the case where the data is (partially) processed outside of the European Union.
  • Thirdly, the regulations require transparency on the data processing, both to the data subject (best known as “privacy statements”) and to the authorities (in notifications that sometimes require the authorities to allow the processing).
  • As a fourth pillar I use the broad concept of organization. Obviously the controller has to organize for the other aspects as well, but here we are looking at
    (a) the internal governance and accountability, which is a link to your general organizational structure and (risk) management, including outsourcing (to processors);
    (b) the organizational and technical measures to secure the data, more or less your classic information security;
    (c) how the organization should be able to promptly react to a data subject exercising one of the rights acknowledged by the law.

These four pillars should be respected throughout the data processing, end-to-end from collection to deletion of the data.
They should also be applied proportionately: the more important the (reasonable) expectation of the data subject, or the greater the divergence from it, the more effort is required. In other words, the implementation effort should be in line with the importance of the data in terms of volume and sensitivity.

All this may still sound a bit abstract. That is why in follow-up presentations these aspects will be further elaborated.

Hope you follow along on the journey.



(CALL-TO-ACTION: should anyone with a good voice be willing to read this post to a microphone and send it to me in an audio file to assemble it under the slide in a video, I would be very grateful. I tried doing it myself, but my voice does not seem to lend itself to this kind of work. :-))
