Last year I had the pleasure of sharing some thoughts on data security and privacy, both in general and in Norway in particular, in Financier Worldwide's annual publication Data Protection & Privacy Laws – Annual Review 2014. In the magazine, a number of experts comment on these topics in their respective countries. Here you can read the interview, in which I point out, among other things, that a particular concern in Norway today is protecting our data against foreign organisations and states.
Q: In your experience, do companies pay enough attention to the risks associated with data protection? Are they beginning to fully understand their duties of confidentiality and privacy in the digital age?
Oseid: Although in the recent years there has been increasing attention on the importance of securing personal and corporate data, in our experience both the private and public sectors are not sufficiently mature in their understanding and management of the associated risks. At the same time, there has been an increased market demand for IT hosting and cloud services, but a safe home for servers is only part of the data protection picture. We have also seen an increasing demand for assistance with statement of compliance (SOC) reports in the IT area.
Q: Could you outline the latest legal and regulatory developments affecting corporate storage, handling and transfer of data in your region?
Oseid: One of the more notable recent regulatory developments has been amendment § 6-3 to the Norwegian Personal Data Regulations. Until last summer, companies had to apply for formal approval from the Norwegian Data Protection Authority every time they wished to transfer personal data to countries outside the EU. The new amendment requires the data controller to communicate the transfer to the Data Protection Authority by submitting a duly completed and signed standard contract before the transfer of personal data takes place. This procedural simplification will likely facilitate the transfer of personal data to countries outside the EU, and as a result increase the offshoring of services.
Q: In what ways have global authorities increased their monitoring and enforcement activities with respect to data protection and privacy in recent years?
Oseid: The EU has recently increased enforcement activities with respect to data protection and privacy. The EU’s regulation on data protection aims at “making sure our rules are future-proof and fit for the digital age”. The proposition is based on ‘one continent, one law’, effective sanctions, the fact that non-Europeans must respect European law, the right to be forgotten, and the concept of a ‘one-stop shop’. National data protection authorities will be correspondingly strengthened to improve local enforcement of the EU rules. By proposing this as a regulation instead of a directive, there will be a single set of rules on data protection across the EU/EEA.
Q: What insights can we draw from recent high-profile data breaches? What impact have these situations had on the data protection landscape?
Oseid: One of the current key concerns in Norway is related to the protection of information from foreign entities and governments. As a result of recent high-profile breaches and disclosures, the use of cloud computing services from companies situated in Norway has increased. A local company has recently advertised that they will refuse to hand over data to either authorities or other bodies without an official court ruling. This company has, as a result, obtained several new customers. Foreign cloud computing companies are also making plans to establish themselves in Norway, for similar reasons.
Q: The use of third parties, such as consultants, agents and distributors, exposes firms to unique data protection risks. What are some of these risks and what steps can be taken to mitigate them?
Oseid: Third parties often need access to important corporate and sensitive information to perform their work. Key mitigation measures need to be both contractual – NDAs, clear contracts outlining what the consultant is and is not allowed to do, including penalties for breaches – and technological – use of role-based access control systems, segregation of infrastructure and data, use of activity log monitoring solutions, granting access to critical corporate systems and information only through company-controlled PCs, and so on. In addition, a growing number of internet-based software tools are used by employees without consent from their employers, and this could lead to breaches of privacy law, since such tools may transfer personal data to the distributor without prior consent.
Q: What can companies do to manage internal data privacy risks and threats, such as liabilities arising from lost devices or the actions of rogue employees?
Oseid: Companies can never protect themselves 100 percent from rogue employees. The potential for damage is, however, greater today than in the past due to the ease of rapid proliferation of electronically stored information. Organisations need to implement adequate internal control systems and access solutions to control the information available to employees, and how they can distribute it. Devices such as smartphones, tablets and PCs are a clear risk, as it is certain that some will be lost over time. Minimum security measures should include encryption, use of strong passwords and biometrics, remote wiping, and so on. Companies should also not forget to manage out-of-date equipment that is scrapped or re-sold – equipment should always be professionally wiped, and its decommissioning should be confirmed.
Q: What advice can you offer to companies on managing data risk, installing internal compliance processes and maintaining compliance on data privacy going forward?
Oseid: The new EU proposals within personal data regulations intensify the commitment companies will need to make in order to be compliant with upcoming regulations. It is presumed that fines for non-compliance may increase to up to 5 percent of a company’s global annual sales. Companies should consider implementing Binding Corporate Rules (BCR) as an internal control system within the company – these rules formalise how personal data and critical information is to be handled. Depending on the new EU proposals, BCR-like data handling may become the norm, and the consequence of failing to be ready for this may be costly.
First published in Financier Worldwide, Data Protection & Privacy Laws – Annual Review 2014 – http://www.financierworldwide.com/annual-review-data-protection-privacy-laws-2014/#.VOZhWY2BH0c