Transcript of 2017-10-04 GDPR webinar: Conducting a data flow mapping ...
Conducting a data flow mapping exercise under the GDPR
Presented by: • Alan Calder, founder and executive chairman, IT Governance
4 October 2017
Copyright IT Governance Ltd 2017 – v1.1
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop shop
All verticals, sectors and all organisational sizes
Agenda
• The General Data Protection Regulation’s (GDPR) impact, liabilities and penalties.
• Data flows and identifying the key elements.
• The benefits of conducting a data mapping exercise.
• The challenges of data mapping.
• Techniques and best practices for data flow mapping.
• Live demonstration of the Data Flow Mapping Tool.
The GDPR’s impact
• UK organisations that process personal data only have a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and to adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016: the Council of the European Union adopted the GDPR.
• 14 April 2016: the GDPR was adopted by the European Parliament.
• 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU.
• 24 May 2016: the Regulation entered into force.
• 25 May 2018: the GDPR will apply.
Material and territorial scope
Natural person = a living individual
• Natural persons have rights associated with:
– The protection of personal data.
– The processing of personal data.
– The unrestricted movement of personal data within the EU.
• In material scope:
– Personal data that is processed wholly or partly by automated means.
– Personal data that is part of a filing system, or is intended to be.
• Territorial scope:
– The Regulation applies to controllers and processors established in the EU, irrespective of where the processing itself takes place.
– The Regulation also applies to controllers and processors outside the EU that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU.
Penalties
Administrative fines
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Lower tier: up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• Higher tier: up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Data flows under the GDPR
A data flow is a transfer of information from one location to another. For example:
• Inside and outside the European Union.
• From suppliers and sub-suppliers through to customers.
When mapping information flow, you should identify the interaction points between the parties involved.
NB: Cloud providers present their own challenges: the provider is usually a processor acting on your instructions, its data centres may sit outside the EU, and it may use sub-processors of its own, so you need to establish where the data actually resides and who else handles it before the flow can be mapped or an international transfer assessed.
Data flows under the GDPR
• Consider the potential future uses of the information collected, even if it is not immediately necessary.
• Ensure the people who will be using the information are consulted on the practical implications.
• Walk through the information lifecycle to identify unforeseen or unintended uses of the data.
Data mapping challenges
• Identify personal data.
• Identify appropriate technical and organisational safeguards.
• Understand legal and regulatory obligations.
• Trust and confidence.
Identify the key elements
• Data items: name, email, address; health data, criminal records; biometrics, location data.
• Formats: hardcopy (paper records), digital (USB), database.
• Transfer methods: post, telephone, social media; internal (within group); external (data sharing).
• Locations: offices, cloud, third parties.
Data flow mapping – techniques
• Inspect existing documents
• Facilitation workshops
• Questionnaires
• Observation
• Whiteboard – freeform diagrams
• Template drawings (Visio, mind map tools)
• Post-it notes
Data flow mapping – questions to ask
• Workflow inputs and outputs:
– How is personal data collected (e.g. form, online, call centre, other)?
– Who is accountable for personal data?
– What is the location of the systems/filing systems containing the data?
– Who has access to the information?
– Is the information disclosed/shared with anyone (e.g. suppliers, third parties)?
– Does the system interface with, or transfer information to, other systems?
Data flow example
[Diagram: HR data flow example. Internal assets: HR system, Finance system, Recruitment system, CV database, email. Parties: HR, HR users, third-party users, candidates. Flows and services shown: workforce metrics, candidate information, outplacement data, agency employment screening, recruitment services, outsourced management, outplacement services.]
The practical steps to conduct a DFA
• Step 1: Document the scope and purposes of processing.
• Step 2: Add personal data to a data flow map of the process.
• Step 3: Add the supporting assets used to process personal data.
• Step 4: Add data transfers to show the flow of data between assets.
• Step 5: Review the process.
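The five steps as a worked example in Python, added here by the editor and not taken from the webinar or from IT Governance's Data Flow Mapping Tool. The map is held as plain data (purposes, personal data items, assets with their locations and owners, and transfers between assets, i.e. Steps 1 to 4), and the Step 5 review is a function that walks every transfer and flags the things the "questions to ask" slide is driving at: a transfer serving no documented purpose, a transfer carrying more data than its purpose needs, a target outside the EEA with no transfer safeguard, a third-party processor with no written contract, and special-category data sent by a method with no confidentiality control of its own. The inventory is modelled loosely on the recruitment diagram; every asset, country, purpose and safeguard in it is constructed, the EEA country list is a 2017 assumption (UK included), and which transfer methods count as "weak" is a judgement call, not something the slides state. A `to_dot()` method renders the same map as Graphviz source so the inventory and the diagram stay in step.

```python
"""Data flow map held as data, with the Step 5 review automated.
Added example modelled on the slides' recruitment flow, not the webinar's
Data Flow Mapping Tool; every asset, location, purpose and safeguard is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EEA = {"UK", "IE", "DE", "FR", "NL"}      # assumption: 2017 view, UK still a Member State
SPECIAL_CATEGORY = {"health", "criminal_records", "biometrics"}  # Art. 9/10 items on the slides
WEAK_METHODS = {"email", "post", "usb"}   # assumption: no confidentiality control of their own


@dataclass
class Asset:                        # Step 3: a system, filing system or party
    name: str
    location: str                   # country where the system or filing system sits
    owner: str                      # who is accountable for the data held here
    processor: bool = False         # third party processing on our instructions
    contract: bool = False          # written processor contract (Art. 28) in place


@dataclass
class Transfer:                     # Step 4: a flow of personal data between assets
    source: str
    target: str
    data: Set[str]                  # Step 2: personal data items carried
    purpose: str                    # Step 1: documented purpose it serves
    method: str                     # post, email, api, database, ...
    safeguard: Optional[str] = None  # e.g. "SCC" when the target is outside the EEA


Finding = Tuple[str, str, str]      # (transfer, rule, detail)


@dataclass
class DataFlowMap:
    purposes: Dict[str, Set[str]]   # Step 1: purpose -> data items it legitimately needs
    assets: Dict[str, Asset]
    transfers: List[Transfer]

    def review(self) -> List[Finding]:
        """Step 5: the review checks, run over every transfer in the map."""
        out: List[Finding] = []
        for t in self.transfers:
            tid = f"{t.source} -> {t.target}"
            target = self.assets[t.target]
            allowed = self.purposes.get(t.purpose)
            if allowed is None:
                out.append((tid, "undocumented-purpose", f"'{t.purpose}' is not a documented purpose"))
            elif t.data - allowed:
                out.append((tid, "purpose-limitation", f"carries {sorted(t.data - allowed)} not needed"))
            if target.location not in EEA and not t.safeguard:
                out.append((tid, "international-transfer", f"{target.location} target, no safeguard"))
            if target.processor and not target.contract:
                out.append((tid, "no-processor-contract", f"{target.name} has no written contract"))
            if t.data & SPECIAL_CATEGORY and t.method in WEAK_METHODS:
                out.append((tid, "special-category-method", f"{sorted(t.data & SPECIAL_CATEGORY)} by {t.method}"))
        return out

    def to_dot(self) -> str:
        """Render the map as Graphviz DOT; assets outside the EEA are drawn as boxes."""
        lines = ["digraph dataflow {", "  rankdir=LR;"]
        for a in self.assets.values():
            shape = "ellipse" if a.location in EEA else "box"
            lines.append(f'  "{a.name}" [shape={shape} label="{a.name}\\n{a.location}"];')
        for t in self.transfers:
            label = ", ".join(sorted(t.data))
            lines.append(f'  "{t.source}" -> "{t.target}" [label="{label}"];')
        lines.append("}")
        return "\n".join(lines)


# Constructed inventory, loosely following the slides' HR/recruitment example.
FLOW_MAP = DataFlowMap(
    purposes={"recruitment": {"name", "email", "cv"},
              "employment_screening": {"name", "criminal_records"},
              "workforce_metrics": {"name", "payroll"}},
    assets={"Recruitment portal": Asset("Recruitment portal", "UK", "HR"),
            "HR system": Asset("HR system", "UK", "HR"),
            "Finance system": Asset("Finance system", "IE", "Finance"),
            "CV database": Asset("CV database", "DE", "HR"),
            "Screening agency": Asset("Screening agency", "US", "HR", processor=True)},
    transfers=[Transfer("Recruitment portal", "HR system", {"name", "email", "cv"}, "recruitment", "api"),
               Transfer("HR system", "Screening agency", {"name", "criminal_records"}, "employment_screening", "email"),
               Transfer("HR system", "Finance system", {"name", "email", "payroll"}, "workforce_metrics", "database"),
               Transfer("HR system", "CV database", {"name", "cv"}, "talent_pool", "api")],
)

if __name__ == "__main__":
    for transfer, rule, detail in FLOW_MAP.review():
        print(f"{rule:24} {transfer}: {detail}")
    print(FLOW_MAP.to_dot())
```

Run as a script it prints five findings for the constructed map (three against the screening-agency transfer, one purpose-limitation finding for the finance feed, one undocumented purpose for the CV database) followed by the DOT source, which `dot -Tpng` will turn into a diagram like the one on the slide. The point of keeping the map as data is that the review becomes repeatable: re-run it after each change to a system, supplier or purpose rather than redrawing a whiteboard.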
IT Governance: GDPR one-stop shop
Self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
Data Flow Mapping Tool
• Gain full visibility over the flow of data through your organisation.
• Simplify the process of creating data flow maps.
• Create consistent, visual representations of the flow of personal data through all your business processes.
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis: Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: Data mapping involves plotting all of your data flows, which requires drawing up an extensive inventory of the data to understand where it flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Data Protection Officer (DPO) as a Service: Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
• Implementing a personal information management system (PIMS): Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.