Privacy by design: soon, a must have!

For its 4th edition, the Cybersecurity Breakfast celebrated “Data Protection Day” by covering and discussing the new personal data protection legislation. Allen & Overy hosted the event, which brought together 4 experts on the subject:

  • Catherine Di Lorenzo (Allen & Overy);
  • Michèle Feltz (CNPD);
  • Matthieu Farcot (Securitymadein.lu);
  • Mélanie Gagnon (MGSI).

A full house and a very attentive audience testified to the interest in the subject. That interest follows directly from current trends and events:

  1. a public increasingly aware of the issues and in need of better protection;
  2. incidents that made the headlines in recent months (VTECH in particular);
  3. substantial regulatory changes expected within roughly 2 years.

GDPR: the new European paradigm

The GDPR, or “General Data Protection Regulation”, is the result of 3 years of discussions at various levels and replaces the current directive. It will take effect sometime in 2018, without needing to be transposed into national legislation.

The new regulation amends the current directive, especially when it comes to the definition of personal data, adding location and login credentials to the list of information that can assist in the identification of a person. The definition of the processing of personal data does not change, but the concept of “pseudonymisation” has been introduced, that is to say, the possibility of processing personal data in such a way that it can no longer be attributed to a specific person.

Besides, the new regulation provides details on the measures to take in order to ensure the protection, integrity and availability of personal data, and on the notification requirements in the event of data loss. Last but not least, the penalties for non-compliance with this new regulation will be calculated based on the global turnover of companies (2-4%), depending on the seriousness of the offense.

Matthieu Farcot referred to the VTECH case that hit the headlines in late 2015, with a large leak of data (6,368,509 profiles, including 5,014 in Luxembourg) involving children and containing much sensitive data, such as passwords. Collateral damage can be expected for those who have the bad habit of using the same password for different services.

Privacy by Design

A number of bad practices have been highlighted following the VTECH case. The concept of “Privacy by design” will emerge in the future as the new standard: it allows users to control the collection of personal data better and more systematically, based on the assumption that the highest level of protection should be proposed by default. Privacy by design is a preventive approach that integrates data protection requirements from the start, already during the creation of applications or online services. If an incident occurs despite all this, suffering in silence is no longer an option. A number of services are available, such as those of CIRCL, to help businesses and organizations cope when a disaster occurs.

In addition, and to conclude the Data Protection Day, on January 28th the CNPD and ADPL co-organised an evening event focusing on the role of the Digital Privacy Officer (DPO). They released a job description and underlined the importance of such a position within a company. Pascal Steichen, CEO of SECURITYMADEIN.LU, used this opportunity to tackle the Privacy by Design topic in his presentation during the evening.
