PrivacySolved is a proud member of Cyber Ireland, Ireland’s Cyber Security cluster. PrivacySolved x Cyber Ireland celebrates Cyber Ireland’s First Annual Conference in October 2021, marks European Cybersecurity Month #CyberSecMonth and highlights the annual Cybersecurity Awareness Month #CybersecurityAwarenessMonth. Published below is a collection of trusted information security resources, cybersecurity insights and tools to inform Ireland’s security ecosystem and community. This information is also very useful for our partners, friends and colleagues around the world. We are all connected.
The United Kingdom’s departure from the European Union and the Coronavirus Covid-19 Pandemic have been dramatic episodes. There is now a clear political push to create “Global Britain,” to excel economically and to be a pioneer in innovation. The UK is starting to rethink its future path. A new National Data Strategy and an Artificial Intelligence Strategy have set the tone. An EU/UK Data Protection Adequacy Agreement, a consultation on UK International Data Transfers, new ideas for UK Standard Contractual Clauses (SCCs) and proposed reform of the UK General Data Protection Regulation (GDPR), the regulator, enforcement and regulatory priorities all strongly suggest significant future divergence. This is major change; with more to come. Some changes will take place, while others, will fall away or transform into other outcomes. Change in UK data, GDPR, innovation, artificial intelligence strategy and regulation, is the only constant.
Companies and Organisations will need to track proposals, examine the details, participate in consultations, review legal developments and update their data governance outlook. Strategy and risk should also be reviewed and recalibrated. This resources page provides a dashboard of the most important changes to the UK landscape. It will be updated, as things develop, and as the bigger picture becomes clearer.
The Netherlands has strong information technology capabilities. According to the World Economic Forum, the country ranks 6th in the world as one of the most advanced and technology-enabled nations. In 2018, the Netherlands imported €61.2 billion euros worth of ICT goods and services. In the same year, exports of ICT-related goods and services (including re-exports) stood at €74.6 billion euros. The Netherlands’ technological environment is anchored by a robust digital infrastructure. The Dutch rank 2nd in the world for online connectivity, with over 98% of households having broadband connection. The Netherlands is a leading cybersecurity hub in Europe, home to Europe’s largest security cluster, The Hague Security Delta (HSD). HSD is a national network of more than 300 public and private organisations working together to accelerate cybersecurity solutions. The Netherlands is home to one of the largest internet exchanges in the world, the Amsterdam Internet Exchange (AMS-IX), and has one of the highest rates of internet connectivity in the world. The Amsterdam region houses nearly a third of Europe’s data centres, with growth expanding to Groningen and Middenmeer. The country is also home to Europol’s European Cyber Crime Center (EC3), NATO Communications and Information (NCI) Agency and the Global Forum for Cyber Expertise (GFCE) in The Hague.
The Netherlands ranks 4th out of 28 countries (27 EU member states and the UK), in the European Commission Digital Economy and Society Index (DESI) 2020. This ranking is based on pre-coronavirus pandemic analysis. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in the country, including key data centres. Demonstrating cybersecurity resilience in the country’s networks, information systems, private sector and public services is very important for national security, economic growth, investment, trust, and innovation. Companies and organisations can also use this information to set expectations and risk levels.
Putting Cybersecurity on the Agenda
In 2018, the Dutch National Cybersecurity Agenda was adopted to allow the Netherlands to benefit from the economic and social opportunities of digitalisation in a secure way and to protect national security in the digital world. Seven ambitions were outlined to allow the Netherlands to:
1. Have strong digital capabilities to detect, mitigate and respond decisively to cyber threats;
2. Contribute to international peace and security in the digital space;
3. Be at the forefront of digitally secure hardware and software;
4. Have resilient digital processes and a robust infrastructure;
5. Have successful barriers against cybercrime;
6. Lead the way in the field of cybersecurity knowledge development; and
7. Have an integrated and strong public-private approach to cybersecurity.
From Agenda to Reality: Key Points from Cyber Security Assessment Netherlands 2021
The Netherlands has moved from setting agendas and ambitions to becoming more proactive in European (and global) cybersecurity efforts. It also seeks to assess the national picture every year so that stakeholders can know the trends, risks, threats, strengths and areas for improvement. This shows both a proactive and transparent approach. The Cyber Security Assessment Netherlands 2021 (CSAN 2021 / CSAN) explains the active cyber threats, the likely impacts, resilience approaches and the risks. CSAN focuses on national security, which is defined annually by the National Coordinator for Security and Counterterrorism (NCTV) and the National Cyber Security Centre (NCSC NL).
The NCTV is the central government body responsible for counterterrorism, cybersecurity, national security, crisis management and state threats. NCTV’s core focus is to prevent and minimise social disruption. The NCSC NL is the central information hub and centre for expertise for cybersecurity in the Netherlands. NCSC NL helps to boost cyber resilience in society, specifically within central government and among critical providers.
Risks to National Security
Four risks to national security have been identified in CSAN:
1. Unauthorised access to information and its publication, particularly through espionage. For example, espionage targeting communications within the central government or the development of innovative technologies.
2. The inability to access processes, due to sabotage or the use of ransomware. For example, the infiltration of processes that ensure the distribution of electricity.
3. Major security breaches, such as through the abuse of global IT supply chains.
4. Large-scale outages: for example, where one or more processes are disrupted due to natural activity, technical interference or unintentional human action.
Differences in the Levels of Resilience
The CSAN reveals that there are significant differences in levels of resilience in the Netherlands. Large companies can invest in cybersecurity knowledge and skills. Suppliers of essential services and digital service providers also have a statutory duty of care, set out in the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni). However, small businesses, including small and medium-sized enterprises (SMEs), often lack the expertise and resources to substantially upgrade their resilience efforts. SMEs are often targeted by sophisticated actors. This resilience gap has been identified as a work in progress to be solved, in part, by greater capacity building and information sharing.
Key Messages from CSAN
There is a clear acknowledgement that cyber incidents can paralyse society, and in particular:
Cybersecurity is a precondition for the functioning of society.
The digital threat is permanent.
Digital resilience is not yet in order everywhere because of the lack of basic measures.
Boosting resilience is the most important tool for managing cyber risks.
A complete and accurate picture of the resilience of critical processes is still missing.
Cyber risks are as great as ever and cannot be separated from other risks.
The Netherlands’ dependence on countries with offensive cyber programmes is a risk-increasing factor.
The main risks to national security are sabotage and espionage by states and the failure of systems. Also, cyberattacks by criminals (cybercrime).
The Covid-19 Effect
CSAN notes that since the start of the coronavirus pandemic, several COVID-19 themed cyberattacks have been observed, using a range of tool and tactics. Cyberattacks have been carried out on hospitals, research institutes and the World Health Organisation (WHO). Not only has the healthcare sector been targeted, but governments and companies had to deal with various attacks. The Police, the Public Prosecutor’s Office and Europol warned of the various forms of misuse, ranging from cybercriminal attacks to distribution of disinformation. COVID-19 also lends itself to social engineering attacks.
CSAN sets out a robust strategy for dealing with all forms of ransomware. It suggests that the most promising solution lies in structurally increasing the costs to the criminals against the benefits gained from ransomware attacks. It suggests that this can only be done if the Police, NCSC NL, the Public Prosecution Service, the public services, private partners and potential victims, unite and stand together. These stakeholders should proactively work together and share information and insights in a targeted manner. Information sharing is the key.
Cloud Services and Virtualisation: Questions for Companies and Organisations
In a unique approach, CSAN directedly addresses companies and organisations with key questions about digital transformation and the emerging risks. It focuses on cloud services and the cybersecurity risks associated with virtualisation. The key questions it asks are:
When designing your cloud environment, did you take the failure of this infrastructure into account (design for failure)?
What activities does your organisation perform in the cloud environment and how sensitive are these processes to interruption?
How is the data processed in the cloud environment stored? For complex or sensitive data processing, has replication at multiple data centre locations or ‘availability zones’ been considered? Note: Replication can ensure that important data are not lost in the event of disruption at one location but remains available at another location.
Do you know the basis upon which your organisation chose a public, private or hybrid cloud environment? Does this include the complex data processing and sensitive or unique data that plays a role in your organisational processes?
By asking these questions of all companies and organisations, NCTV and NCSC NL spark a debate but also places the onus on each entity to actively reduce their cyber risks and build resilience. It asks questions of individual entities, so that collective and national data security resilience can be increased.
Action Plan: Monitor the Cybersecurity threat landscape, Participate in Public/Private Cybersecurity efforts and Review Annual Assessments to influence corporate strategy
Companies, organisations, the public sector and investors must monitor the development of the Cybersecurity Agenda and the annual Dutch CSAN analysis. The Netherlands is vital for European data flows, global information technology and international supply chains. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience, should also be constantly assessed as this has been highlighted in the CSAN. NCSC NL has a strong reputation at home and abroad, especially working with the UK, Germany, USA and bodies such and the European Union Agency for Cybersecurity (ENISA), EUROPOL and NATO.
The Netherland’s data protection approach should also be monitored in conjunction with the National Cyber Security Agenda and CSAN. This completes the information security and data governance picture. Autoriteit Persoonsgegevens (also called The Dutch DPA), is the data protection and General Data Protection Regulation (GDPR) regulator. It is relatively large, sufficiently funded, consistent and adopts an analytical risk-based approach. It leads with education, guidance and recommendations but will issue fines where it considers these are appropriate. Recently, it has used its strongest penalties to respond to data breaches, data about children, health data (including Covid-19 data), intrusive new technologies and surveillance.
The Netherlands stands as a good example of a transparent, effective and active cybersecurity strategy. The agenda and strategy have been operationalised and is assessed annually. The country has championed the multidisciplinary and cross-sector approach to building resilience. Its data protection regulatory system is also stable, consistent and set to expand to respond to new technology, European co-operation, global initiatives and the intensifying cybersecurity landscape.
On 4 June 2021, the European Commission published its new data protection Standard Contractual Clauses (SCCs) for General Data Protection Regulation (GDPR) international data transfer compliance. These clauses replace the pre-GDPR clauses published in 2010 and 2014. The new clauses are more fully aligned with the GDPR and the Court of Justice of the European Union’s decision in the Schrems II case of 2020. The clauses came into force on 27 June 2021. From 27 September 2021, all new data protection international transfer arrangements must use the new SCCs. By the end of December 2022, all contracts that transfer the personal data of individuals based in the EU must be updated to reflect the new SCCs. This means that comprehensive data protection updating will be required across a wide range of supply chains.
Key Things to Know about the New SCCs
The key purpose of the new SCCs is to imbed GDPR-compliant and legally binding contractual terms into supply chains and value chains, around the world. The key definitions to understand are Data Exporters (based in the EU) and Data Importers (based outside of the EU). The SCCs are organised into four modules: (a) Controller to Controller, (b) Controller to Processor, (c) Processor to Processor and (d) Processor to Controller. Each module can be used as a stand-alone contract or the modules can be used together to form a more comprehensive agreement.
The new SCCs have a so-called docking clause, that allows Data Exporters and Data Importers to be added to the clauses over time. This allows maximum flexibility. There are clauses in the SCCs that limit and manage onward data transfers and ensure holistic data protection compliance. Another innovation is the need for Transfer Impact Assessments (TIAs), which must be performed and recorded for all personal data transfers from the EU to countries outside of the EU (third countries).
The UK is in a special position because of Brexit, its departure from the European Union. It is now a third country and so the new SCCs do not apply to it. All data transfers from the UK to third countries may still rely on the EU’s old SCCs and the additional requirement of TIAs. In the longer term, the UK will formulate its own guidance and standard clauses for international transfers.
Inside the Standard Contractual Clauses (SCCs) Project
For the largest companies and organisations, similar contract remediation projects took place in 2010, 2014 and between 2015 and 2016 after the Schrems I case invalidated EU/US Safe Harbor. Work may also have been done in the lead up to May 2018, when GDPR fully came into force. Lessons from these previous efforts can inform current and future SCC projects. However, current SCC implementation projects will be more complicated because of the detailed requirements of GDPR, more complex supply chains, modern cloud computing services, the presence of big data stores and the use of modern pseudonymisation, hashing and anonymisation techniques.
For SCC projects, here is the Insider’s Guide to effective planning and delivery:
The Data Strategy
Companies and organisations should adopt a clear strategy position about their data and international data flows. The new EU SCCs should not be implemented only as a “papering exercise.” The work should complement the strategy and seek savings, economies of scale and innovation. Supply chains could be simplified, international data flows trimmed and data processors audited and removed, if necessary.
Data Flows, Risks and Records of Processing Activities (ROPA)
Adopting the new SCCs could also allow organisations to put their global data protection compliance credentials to the test. It is an opportunity to mature Records of Processing Activities under Article 30 of the GDPR. Transfer Impact Assessments can be used to risk assess countries, sectors and organisations as a way of identifying, managing and reducing risks. The risk-based approach should be comprehensive and cover political, economic, human rights, regulatory, international sanctions and information security risks. With this information, companies and organisations could then seek to add contractual, organisational or technical safeguards to respond to these risks.
The Project Plan and The Multidisciplinary Team
Effective SCC implementation requires a clear project plan and resources, including a realistic and flexible financial budget. Even more important, is a multidisciplinary team including the Data Protection Office (or Data Protection Professionals), Information Security, procurement, the legal team, the service managers, audit and compliance teams. The combined knowledge of these teams, when well organised, can add detail and precision to the work. Service managers and procurement teams often know most about contracting partners, because of their day to day experience and often long-established relationships. External advisors and technology solutions may help to expand the expertise and improve benchmarking.
Communication, Patience and Dynamism
It is important to remember that the EU SCCs will test supply chains and the relationships between Data Exporters and Data Importers. Communication at every level within each organisation and between the contracting parties is vital. A recognition that each party may prioritise and timetable contractual changes differently, is important. The SCC project can also become a place where other important issues are contested. This includes existing contract performance issues, contractual warranties, indemnities, information security schedules, key performance indicators, insurance, price and audit rights. Patience is required and the ability to remember the key reasons for the data sharing and data transfers. Timetables may slip, but each party should retain enthusiasm and dynamism to gain the required signatures and move to contract performance.
For assistance with EU/UK Standard Contractual Clauses Projects, Legal and Regulatory support, EU GDPR compliance, adopting data privacy certifications and Codes of Practice, contact PrivacySolved:
The Abu Dhabi Global Market (ADGM) Data Protection Law 2021 (DP Law) applies to the ADGM international financial centre free zone in Abu Dhabi, United Arab Emirates. The law was adopted on 14 February 2021. The new law updates and replaces the 2015 law. The ADGM DP Law protects the personal data held and processed by organisations that are registered in the ADGM as well as linked external organisations. New data protection principles include lawfulness, fairness, transparency and accountability. Individuals have new rights relating to data portability, automated decision-making and profiling. Businesses must be accountable and demonstrate compliance with expanded data protection principles. The ADGM Office of Data Protection, Commissioner of Data Protection, is the regulator. Enforcement starts on 14 August 2021, for organisations that registered at ADGM after 14 February 2021. ADGM organisations that were registered before 14 February 2021, must comply with the new law by 14 February 2022.
What types or organisations are covered by ADGM DP Law?
The law applies to businesses (controllers) that are registered in the ADGM and that process personal data or sensitive personal data. Businesses that process data on behalf of these organisations, such as their suppliers, are also covered by the law. Personal data used and stored outside of ADGM, but concerning ADGM registered organisations are covered by the law. Processors registered in ADGM who process personal data for controllers outside the ADGM are also covered by the law, to a limited extent.
2. What types of data or information are covered by ADGM DP Law?
The ADGM DP Law protects personal data, which is defined as any data relating to an identified natural person or identifiable natural person. This also includes data containing opinions and intentions about identified or identifiable individuals. The ADGM DP law also applies to sensitive personal data which is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), data about health, data about a person’s sex life or sexual orientation, personal data relating to criminal convictions and offences or related security measures.
3. What are the main ADGM DP Law obligations for businesses?
ADGM registered businesses must:
Register as a Data Controller with ADGM Office of Data Protection ($300 USD) and renew the registration every year ($100 USD)
Apply for permits to process sensitive personal data ($100 USD), apply to transfer personal data ($100 USD) and to register data processors.
Comply with the ADGM DP Law data protection principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability.
Appoint a Data Protection Officer (DPO), if high risk data processing takes place on a systematic or regular basis.
Report personal data breaches to the Office of Data Protection within 72 hours of becoming aware of it
Complete Data Protection Impact Assessments (DPIAs) for high risk data processing and report these to the ADGM Office of Data Protection. Put in place an appropriate policy for processing sensitive personal data.
Respond to the exercise of data protection rights from individuals within 2 months of receiving these requests.
4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR), will they automatically comply with ADGM DP Law?
Yes, in large part, but not completely. GDPR and ADGM DP Law have different scopes, definitions, special provisions and compliance requirements. However, there are important similarities. ADGM DP Law was enacted to include provisions that largely mirror the EU’s GDPR requirements. GDPR data mapping and records of processing activity logs can help to identify ADGM DP Law impacted personal data. GDPR Data Protection Notices, policies and GDPR processes used to respond to GDPR rights can assist ADGM DP Law compliance, but these must be tailored. Data processing agreements and online notices must be specifically updated. ADGM has published its own data protection standard contractual clauses, for personal data transfers outside of the ADGM.
5. Does the ADGM DP Law apply to foreign based companies and what are the penalties for breach of the law?
Yes, it can. If foreign businesses are registered in ADGM and process personal data in the ADGM then the ADGM DP Law will apply. The law also applies to foreign businesses that process data on behalf of organisations registered in the ADGM. The ADGM Commissioner of Data Protection can impose administrative fines of up to $28 million (USD).
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.