Tag Archives : data protection regulation

Risk Conversation at Board level: 2nd webinar with ecoDa and AIG

The second webinar dedicated to data protection and cybersecurity in our series “Risk Conversation at Board level”

PART I – How to adapt the risk governance to the changing regulatory landscape for personal data ?

23 February 2016 from 10:30 – 12:00

 

Speaker Biographies

Speaker Biographies

The two parts of the webinars are:

Webinar PART I Data Protection – how to adapt the risk governance to the changing regulatory landscape for personal data (Data Protection Officer, breach notifications, sanctions, hosting, transfer and treatment of personal data)?

Webinar PART II Cyber security – managing the consequences. How to identify, assess and mitigate the cyber risks? What should be the level of awareness of the Board? The Insurance part: the US example led by the existing regulations (mandatory breach and IT incident notification…)

The good management of data is now an essential part of the business model of many organisations. But with new dependencies linked to the increased use of external hosting, collection, treatment and transfer of data, it is also posing heavy challenges legal, IT and strategic issues.

If it is no longer a pure IT or legal issues; who is required to take the strategic decisions to allocate the right resources (staff and budget)? What role for the Board?

Should data protection be higher on the Board agenda?

How the Board members should get the right information on the specific data risks of their organisation to be in a deciding position?

Who will be the interface between the practical concerns and the need for strategic decisions?
Is there a role for the risk manager as the instrument to collect, consolidate and analyse the relevant information related to the data protection and the cybersecurity of the organization?


Final agreement on data protection regulation

With the European Parliament’s agreement on a final text for the General Data Protection Regulation on 17 December 2015, the new European data protection regulation is now likely to enter into force in spring 2018.

In this final version of the regulation, large organisations will have to pay specific attention to the five following provisions:

– The mandatory appointment of a data protection officer but only for organisations whose core activities consist of processing a large amount of personal data (‘regular and systematic monitoring of data subjects on a large scale’);

– Data Protection Impact Assessment will become mandatory when there is a high risk for the rights and freedoms of individuals , in particular when using new technology;

– Fines for breaching the regulation of up to 4% of global turnover;

– The notification of a personal data breach to the supervisory authority no later than 72 hours after having become aware of it;

– No effective system of ‘one decision, one outcome’ for cross-borders cases. EU citizens could still complain to their local data protection authority even if the case is already pending in another EU jurisdiction.

Blue_Mountain_Supercomputer
The final version of the regulation still gives each national data protection authority a margin of discretion on a case-by-case basis to matters like sanctions, definition of high risk processing, claims handling and so on.

This is preventing the regulation from achieving the initial ‘one stop shop’ wanted in the original proposal from the European Commission in 2012.

This compromise with the Council (co-legislator) and the European Commission is the result of many months of negotiations among the three EU institutions. The text has been adopted by the Civil Liberties Committee, which is leading the dossier at the European Parliament, and will now be formally endorsed during a plenary session of the Parliament in March or April.

Two years after its publication in the official journal of the EU, the new regulation will be fully applicable in 2018 in the European Union.


Cyber insurance market: incentives and improved cybersecurity for organisations

French and British initiatives are taking the role of insurance for cyber risks into account in their national strategy for cybersecurity.

In June 2014, the UK Government launched a joint initiative with some major British insurers to increase the level of IT security in UK companies. Called the Cyber Essentials scheme, it is based on certificates and will ensure that certified organisations have a certain amount of security measures in place. Cyber Essentials has been developed in close consultation with the insurance industry and is backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA). Continue reading


Future Data Protection Regulation for holding private data?

The EU regulator is at the final stages to adopt the Data Protection Regulation which will set up new rules for operators on how private data must be managed.

In March 2014, the European Parliament strengthened several requirements such as making the applicable fines for breaching rules up to €100 million or 5% of annual worldwide turnover (whichever is greater) when the original proposal of the European Commission suggested fines “only” up to €1 million or 2% of annual worldwide turnover. Continue reading