The Compliance Briefing, hosted by the iGaming Academy, is coming to London County Hall on October 12th 2017, designed to educate the online betting and gaming industry on upcoming regulatory changes that will impact their businesses.
The event will be a deep-dive into the issues of the General Data Protection Regulation and the EU 4th Money Laundering Directive. These changes to the law are set to disrupt the everyday operations of the online gaming sector, so it is crucial that the industry knows how to tackle the issues that will arise.

The General Data Protection Regulation

GDPR is set to become enforceable in May 2018, and will overhaul the way online gaming companies collect, use and process data. Users will now have more power over their own personal data, meaning companies will be held accountable for the data they store.

EU 4th Money Laundering Directive

As the most sweeping AML legislation in Europe in years, the 4th Money Laundering Directive introduces new strengthened obligations and an extended framework, which significantly affects the procedures associated with anti-money laundering processes in the iGaming industry.

The October conference follows on from a successful event hosted in Malta in June 2017, with companies from across the gaming spectrum in attendance. Delegates learned how to put a compliance plan into action. Compliance Briefing: London will once again showcase a wealth of top industry names and expert speakers, who will be providing a framework for compliance tailored for the online gaming businesses in attendance. The new directives will offer a complex set of challenges, and the conference aims to break these down and guide attendees effectively through the hurdles. Recent research has shown that many organisations have not put the necessary time or resources into regulatory compliance, leaving them at significant risk of penalties, fines and reputational damage. Tickets are now available for the Compliance Briefing: London, with early-bird discounts on offer for a limited time.
The countdown to compliance with the General Data Protection Regulation (GDPR) has begun. Organisations providing products or services to EU customers or processing customer data from the EU will have to meet significant requirements before May 2018. Failure to comply with the regulation can result in fines of up to 4% of an organisation’s previous year’s annual global turnover or €20 million, whichever is greater. This means that substantial planning is required to ensure compliance with the new regulation as well as existing national data protection regulation.
Here is what you need to know:

Where data processing activities and any potential privacy breaches are considered high-risk, organisations will be required to conduct Data Protection Impact Assessments (DPIAs), resulting in additional cost and resource to operational projects. Evidence of DPIAs performed and any resulting mitigation activities will need to be maintained. The organisation may choose to perform DPIAs themselves or procure them as a third party service.

Privacy breaches will need to be reported by Data Controllers to the Supervisory Authority within 72 hours of becoming aware of them. If the breach is likely to be considered high risk to the “rights and freedoms” of individuals, notification must also be made to those affected – unless adequate security controls such as encryption can be proven. Third parties who are processing data on an organisation’s behalf must report breaches to their respective Data Controllers and can be held liable for breaches if found not to have followed instruction on required security controls from controllers. Robust incident response and management processes will therefore be essential.

A Data Protection Officer (DPO) will be mandatory for some organisations, including Public Authorities and any organisation obliged to do so by local law. A DPO will also be required if the processing includes large scale “regular and systematic monitoring” of data subjects or processing of Sensitive Data such as medical history, criminal records and religious beliefs. The DPO does not need to be an employee of the organisation, and may be provided as a Virtual DPO service from a third party, but must be based within the EU.

Organisations will have to show evidence that privacy in a service or product has been considered from the concept stage and not only at the point of delivery.

Finally, individual customers will be able to request deletion of all their personal information processed or shared by a data controller. Individuals will also be able to request that their personal information is made available, in a commonly used and readable format, in order to transfer it to another data controller.

By Rob Bickmore, Principal Security Consultant at NTT Security

JOIN US ON 12TH OCTOBER 2017 AT COMPLIANCE BRIEFING: LONDON - LEARN MORE HERE

The one year countdown to GDPR compliance has officially begun. For those of you still wondering what all the fuss is about, new research by Ponemon has revealed that public companies suffer on average a 5% share price drop immediately following disclosure of a breach. The EU General Data Protection Regulation (GDPR) will ensure there’s no room to hide: as of 25 May 2018, if you’ve been breached you must notify the Supervisory Authority within 72 hours of becoming aware, unless particular circumstances apply.
The Problem with Shadow IT

With a piece of legislation as broad and complex as the GDPR, it can be tough knowing where to start. An essential first step, however, is data mapping. This will help you understand what data you’re processing, how and where it’s stored, who it’s shared with and how it’s protected. This is all information which you absolutely must know. After all, you can’t protect data if you don’t know where it is, what it is and how it’s currently controlled. This is where things might get a little tricky thanks to shadow IT. Unfortunately, users will be users and many may have bypassed the IT function in a bid to work in a faster and more productive way. It’s important to bear this in mind as you begin your data mapping. Cloud-based services are a particular favourite: both consumer-grade and business platforms can be registered and set up quite easily by employees. Either way they must be mapped, so pay close attention to data flowing out of the network to such platforms.

Reducing Risk

Once you know where the data is, Article 25 of the GDPR states that you’ll need to “implement appropriate technical and organisational measures” to ensure compliance. There are no prescriptive technologies mentioned in the regulation, aside from encryption and pseudonymisation, so much of it boils down to the “state of the art” and received best practices. For some UK firms currently complying with the Data Protection Act, there may in fact be little extra required, although just how little will depend on each organisation. Data minimisation is one such best practice. Once you have classified what you store and process, it would be a good idea to go through and delete any non-essential customer data, thereby reducing your risk. As the GDPR states: “only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”

Still, it can be tricky knowing if your technical controls are “appropriate” enough. To help with this, consider following an “approved certification mechanism” like ISO 27001. There are certainly areas in the GDPR which this internationally recognised standard doesn’t cover – such as the right to data portability – but when it comes to data security, it’s pretty well aligned. This makes access controls a vital part of any GDPR compliance plan. We recommend risk-based, adaptive multi-factor authentication, which can identify on the fly when log-ins seem risky and request more information from the user to complete authentication. The research revealed a worrying disconnect between the expectations of customers and the priorities of IT professionals. For example, 73% of consumers polled said organisations have an obligation to control access to their information, yet just 44% of IT security practitioners agreed. Be in no doubt, however, European regulators will come down hard on any firm they believe hasn’t taken adequate steps to safeguard consumers’ personal data. As key members of the compliance team over the next 12 months, IT has a vital role to play in ensuring data is secured at all times according to best practices.

By Barry Scott, CTO EMEA at Centrify

Although the GDPR is EU legislation, those organisations hoping to hide behind Brexit will need to rethink their strategy – unlike EU directives, the GDPR’s regulations will come into effect immediately, meaning that as of May 2018, UK businesses will have to abide by the rules. With only one year to go to prepare for the incoming data protection rules, businesses must act now or face substantial financial penalties.
This new legislation will overhaul the current legal framework and will see the law get tougher on transparency, the collection of data, and the role of consent.
According to technology giant, IBM, more data has been created in the past two years than ever before, with an estimated 2.5 quintillion bytes shared every day. People are posting to social media, shopping online, and browsing the internet like never before and consequently, sharing their personal information with multiple companies all over the world. With such vast amounts of data growing at an unprecedented rate, protection of personal information is getting stricter. Trust and integrity are important to individuals who share their details and it is essential that businesses respect this by using data appropriately and transparently. This is why, as of May 2018, the Data Protection Act 1998 (DPA) will be replaced with the European-wide General Data Protection Regulation (GDPR). In addition, the GDPR has a wider territorial impact than the DPA. The legislation applies to any business which offers goods or services to, or monitors the behaviour of, individuals residing in the Union, regardless of the location of the business. Therefore, even those businesses outside of the EU – including a post-Brexit Britain – will have to set up robust processes and policies if they wish to sell to or monitor consumers living in EU states. Transparency poses one of the biggest changes that the GDPR will enforce. Whilst this element had implicit requirements in the Data Protection Act 1998, its significance will be elevated with the new legislation. In order to be transparent, businesses have to be thoroughly open with individuals about how data is collected and used. It is therefore critical that organisations review the ways in which they gather personal information, the legal basis for processing, their policies on data retention, and how they share the data with third parties. Firms will also have to demonstrate that they are compliant with the new law when it comes to accountability. 
It will be imperative that businesses update procedures and policies by keeping meticulous records of documents, carrying out Privacy Impact Assessments, and implementing Privacy by Design and Default in all activities. Demonstrating accountability will demand a greater input of time and energy from firms, to make certain that they are minimising any potential risks of breaching the law. Such onerous procedures will place a significantly greater burden on the data capabilities of a business, and put increased pressure on information officers and engineering teams that are already in short supply.

Consent is another aspect that has been changed substantially under the new regime. Consent will need to be explicit, specific, unconditional and capable of being easily withdrawn, so businesses can no longer rely on silence, inactivity, default settings or pre-ticked boxes as the basis for permission. According to the ICO’s draft guidance, organisations will now have to identify up front any third parties who are going to rely on consent to use personal information, meaning those businesses will no longer be able to rely on the ‘we may pass your data to partners of our choice’ statement. In light of these changes, businesses that rely on consent as the basis of any processing should review the suitability of this approach and see whether there is another lawful basis, such as the use of legitimate business interest, that can be used instead.

Although the GDPR will come into force in just under a year, it is crucial that businesses do not delay and start acting now to ensure they are ready for the new changes. Failing to comply can have significant financial consequences – breaches will cost companies up to 4 per cent of their annual turnover or €20 million, whichever is higher. Taking action now will ensure that businesses safeguard themselves from not only the increased fines but the devastating reputational damage a data breach can have on a firm.

By Andrew Hartshorn, a partner in the information law team at Shakespeare Martineau.

The European General Data Protection Regulation (GDPR), which will become effective on May 25, 2018, is set to shake up how businesses collect, store and use personal information.
Organisations of all sizes will need to comply with the new regulations, which will affect the collection, storage and usage of personal information regarding EU citizens. But recent research suggests that as many as 20% of marketing agencies could go under if they incur a fine for breaching the rules. So how do marketeers prepare, especially when agencies are expected to manage customer information on a client’s behalf? If they do not want to fall into the data trap, new lines of responsibility will need to be drawn up. Organisations must not stick their heads in the sand regarding the new regulations, or believe that the rules do not apply to them without fully understanding them. Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice but the GDPR provides for a fine of up to €20 million or 4% of annual turnover (whichever is higher). What’s more, individuals can sue a business for compensation to recover both material damage and non-material damage, like distress. Not only can this significantly damage a brand, but potentially thousands of individual class actions could be launched. So, let’s consider the objectives of the GDPR. They are to: 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU. An issue that could catch agencies out is that even though the UK has voted to leave the EU, UK business will still have to comply with new regulations if the data they handle is about EU citizens, or has the potential to identify individuals within the EU. Digital minister Matt Hancock has also confirmed that the UK will replace the 1988 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit. 
Under the terms of the GDPR, firms of over 250 employees must employ a Data Protection Officer (DPO). This person will be responsible for ensuring that a business collects and secures personal data responsibly. However, the requirement to appoint a DPO will also apply to small agencies employing fewer than 250 staff, if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9. So already it’s easy to see that the GDPR is going to give almost all marketeers cause for concern as they recognise the need to re-evaluate how they collect, store and use personal data.

But that’s only half the battle. The biggest challenge will be identifying where all the customer data resides, who ‘owns’ it and ensuring there are no forgotten repositories. Before implementing any new processes regarding the treatment of data, and requests for data under GDPR legislation, you must find all relevant data. The advice from the UK’s ICO and other national authorities concurs with this approach, naming “identifying what data you hold” as a key step. Given how rapidly data is collected, created and stored by organisations, it would be impossible to find this out manually. What is correct at the beginning of this year could be wildly different in 6 months’ time. Moreover, attempting this manually will result in a catalogue of where people think data is held and processed (usually the systems designed to hold the data, like a CRM system) rather than where data is actually held (such as in a spreadsheet extracted from the CRM system to run a regular report).

This task of creating a data inventory does not need to be arduous. Using Big Data and Machine Learning principles as part of an eDiscovery and data mapping process offers the ability to rapidly find and categorise data, and to do so on an on-going basis – ensuring continual compliance for your business rather than just at a single point in time.

After identifying your data, you need to be able to classify it: not only for corporate governance but also for the purposes of the GDPR, which distinguishes between Personal Data and Sensitive Personal Data. It’s crucial that classification is applied consistently; it shouldn’t be left to people to try to remember. Machine Learning and Big Data can ensure that nothing is left to chance and that every data point is classified as it should be.

After your data has been identified and classified you will have a robust platform upon which to implement your processes. This third step is where you can work with the data and apply time-saving processes such as de-duplication, request handling, access management and the automation of processes. These are the first steps in what will be an on-going process. But I believe that these steps are crucial for any organisation that wants to get it right first time. Understanding the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely and, unfortunately, without the right tools I can see many organisations running into difficulty. In a perfect world, all data would be stored securely and processes would be in place to ensure personal data is kept separately under a security framework. But in my experience, that’s just not the reality. Across the organisations we have worked with there is an average of 10GB of unstructured data per employee, and 9% of that data contains personally identifiable information.

The tools that can help your organisation to become compliant are already available. They can help you implement new processes and avoid the issues that have been discussed above. So act now and don’t be caught in the data trap when the GDPR comes into force next year.

By Adrian Barrett, CEO and founder of Exonar
COMPLIANCE BRIEFING: LONDON
12 OCTOBER 2017, COUNTY HALL, LONDON