Privacy Impact Assessment - Sourcing Nederland · The organizational privacy impact assessment...


PON Congres, 13 October 2016

Everything you always wanted to know about privacy impact assessments but were afraid to ask

Albert Holl

Copyright © 2016 Capgemini Consulting. All rights reserved.

Introduction

(World map of country locations: Canada, United States, Mexico, Brazil, Argentina, all over Europe, Morocco, Australia, People's Republic of China, India, Chile, Guatemala, Singapore, Philippines, Taiwan, Vietnam, United Arab Emirates, Malaysia, New Zealand, Japan, South Africa, Colombia)

2,500+ Capgemini resources worldwide with Cybersecurity skills

Service lines (Strategy, Governance & People; Transformation; Build & Operations):

• Cybersecurity awareness & training

• Security transformation, operating model implementation, program management

• Implementation of security solutions & managed security services (e.g. SOC)

• Digital security assessment & strategy and risk management

• Application security testing & technical security testing (e.g. SCADA)

Agenda:

• Introduction to Privacy Impact Assessments (PIA)

• Privacy impact assessment of the organization

• PIA tooling during implementation and operation

• PIA & Privacy-by-design as an enabler for new digital initiatives

What is a Privacy Impact Assessment? There is a lot of confusion in the market on when and how to conduct a PIA.

In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. […]

GDPR recital 84

[…] types of processing […] involve using new technologies […] In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk.

GDPR recitals 89, 90

Strictly speaking, the GDPR defines the PIA (data protection impact assessment) as the assessment of personal data processing that uses new technologies (art. 35), while the recitals put it in the broader context of compliance management.

Privacy Impact Assessments (PIAs) can be performed for various purposes, and therefore different approaches are needed in different contexts.

1. PIA on organization - scope: privacy governance & policies

The organizational privacy impact assessment reviews basically all GDPR articles and gives the insight needed to define the organization's privacy governance and policy framework.

2. PIA on operations – scope: business processes, systems & people

The operational privacy impact assessment is closely related to the responsibility of the controller (art. 24 GDPR). It reviews whether the technical and organizational measures of the existing operations comply with the GDPR.

3. PIA on new business initiatives – scope: new product & service development, marketing programs, campaigns, etc.

Data protection impact assessments (as described in art. 35 GDPR) are required where the use of new technologies is likely to result in a high risk to the rights and freedoms of natural persons. Risk-mitigating measures have to be designed into products by default (art. 25 GDPR).

Three different PIA approaches are presented.

1. Organizational PIA

Stepping stone to create a comprehensive GDPR governance & policy framework

The Organizational PIA is based on the new EU data privacy regulation, common industry standards and best practices.

Organizational PIA

The main objective of the Organizational PIA is to determine the measures needed to make the organization privacy compliant at a governance and policy level.

In practice, the NYMITY standard provides a good framework to perform the assessment; it contains 55 compliance controls and 84 optional performance indicators. The assessment is clustered into the following 13 privacy management categories:

1. Governance Structure

2. Personal Data Inventory

3. Privacy Policy

4. Privacy Into Operations

5. Training & Awareness

6. Information Security Risk

7. Manage Third-Party Risk

8. Maintain Notices

9. Right of Individuals

10. New Operational Practices

11. Data Breach Management

12. Data Handling Monitoring

13. Track External Criteria

Deliverables & Reporting

Reporting is arranged according to the NYMITY privacy management categories and based on the individual compliance and performance indicators.

The Organizational PIA delivers the following output:

• Compliance report vs. GDPR baseline

• GDPR readiness benchmark vs. industry peers

• Roadmap of GDPR measures to reach GDPR compliance

Proposal for a phased program approach towards GDPR compliance

Organizations are required to be GDPR compliant by May 25, 2018. A phased program approach is advisable to ensure that implementation is completed in time.

Data Protection & Privacy Program timeline:

Phase 1 – Organizational PIA (1-3 months, before early 2017; budget cycle 2017)

Phase 2 – Concept (±6 months, early 2017 to mid 2017): development of GDPR policy framework and operating model; design of data protection and privacy assets

Phase 3 – Implementation (±6 months, mid 2017 to end 2017)

Phase 4 – Roll-out (±6 months, end 2017 to 25-05-18): pilot & organisation-wide roll-out

Activities of the later phases are detailed based on the Organizational PIA.

Typical activities (Organizational PIA):

1. Conduct stakeholder analysis.

2. Create data protection & privacy target picture 2018.

3. GDPR gap analysis (as-is / to-be).

4. Formulate transition planning and roadmap 2017/18.

5. Define operating model, program structure and planning for the next phases.

6. Develop business case to justify investments in data protection & privacy.

2. Operations PIA

Embedding GDPR requirements in current processes, systems and the hearts & minds of people

An Operations PIA should be performed to assess and consolidate the privacy impact on existing business processes, IT systems and the people involved

Operations PIA

The main objective of the Operations PIA is to measure the gap between the privacy policy framework and the actual operations (read: processes, systems and the hearts and minds of people).

During the execution of the Operations PIA, an individual policy might be applied to hundreds of processes and systems, engaging with large numbers of individuals in the organization. Therefore, a practical and (semi-)automated approach is needed to manage the Operations PIA processes.

Key characteristics of the Operations PIA are:

• Assessment of large numbers of processes & systems

• Organization-wide engagement with management, policy makers and employees

• Risk-based identification of critical assets

• Embedded procedure to select the processes and systems to perform the Operations PIAs on

• Reporting facilities on GDPR compliance status

• Delivery of mitigation proposals

• Monitoring of mitigation execution

Tooling

There are different tools available to support Operations PIAs. Usually these tools are workflow based, offer role-based reporting (e.g. privacy officer, systems owner, etc.) and provide a privacy compliance dashboard.

Two examples of Operations PIA tools are the NYMITY Attestor and the Capgemini SMART PIA. Usage of large numbers of spreadsheets has proven not to be practical in performing Operational PIAs.

Tool example: SMART PIA offers a number of standard features and reporting facilities to support Operations PIAs

Features

The SMART PIA tool allows fast and repeatable Operations PIAs on larger numbers of processes and systems. Due to its automated workflow, the assessments are efficient and easy to manage. The individual results can be consolidated in the tool.

Built-in questionnaires are based on the GDPR regulation, and can be enriched with other baselines, e.g. BCRs.

Currently the following features are available, or can be provided through configuration:

• Privacy Impact Assessments/BCRs

• Workflow to support Business/IT involvement

• Management reporting

• Data inventory per system

• Vendor risk management assessments

• Business impact assessments

• Multi-lingual assessments

• Multiple jurisdictions supported

Deliverables & Reporting

SMART PIA provides role-based reporting (e.g. privacy officer, systems owner, etc.) with dashboards on the following topics:

• Triage progress

• PIA progress

• Gap description

• Risk description

• Proposed mitigations

• Overall PIA Impact

Example of an overall PIA impact report

3. New Business PIA

The GDPR data protection impact assessment and privacy-by-default

Make the approach easy, so you can ALWAYS perform a New Business PIA!

When is a New Business PIA needed?

Q: When do I have to perform a New Business PIA? (Art. 35 says ... still waiting for DPA advice.)

A: ALWAYS! EASY!

You want to conduct new business, not be bothered by privacy constraints....

Business drivers

New Business PIA characteristics:

• Large numbers (100+) of initiatives, projects and use cases that need to be assessed

• Quick insight provided in the risk profile of all new initiatives

• Short execution lead-times to avoid ROI delay

• CPO has limited time, so primary focus on decision making and high risk initiatives

• Build privacy compliance into solutions by default

• Align with external customer privacy expectations

Source: Privacy Please: Why Retailers Need to Rethink Personalization, Capgemini Consulting research, 2015, http://bit.ly/1PC5Tia

New business initiatives rely more and more on personal data usage, e.g.:

• Personalization and customization of products & services

• Omni-channel customer experience requires a consistent view on customer data (incl. permissions given)

Examples shown: Digital Airport Program Schiphol; Marketing Program BMW

Set up a workflow to conduct New Business PIAs on digital transformation programs in a structured, effective and efficient way

PIA-Flow Steps

1. Select business use cases / business initiative.

2. Determine privacy impact in Privacy Risk Assessment.

3. Perform legal compliance check against privacy policy.

4. Check initiative against the company’s privacy commitments.

5. Determine individual consent requirements (e.g. opt-in).

6. Provide Privacy guidance to business initiative.

7. Derive Privacy requirements for business initiative.

8. Deliver privacy requirements to business initiative.

During the first steps of the workflow the privacy risk is assessed.

Enable the business to determine the privacy impact:

Low → Standard set of privacy requirements applies.

Medium → Tailored set of privacy requirements is generated by PIA-Flow.

High → Generate PIA-Flow requirements and involve external stakeholders (e.g. regulators, consumer organizations, NGOs).

An organization should make clear and concise privacy commitments to its customers and other stakeholders, and keep that promise.

The New Business PIA ensures that all initiatives are checked against the privacy commitments

Stakeholder engagement is crucial in the realization of personal-data driven strategies

Research finds that customer privacy charter has great potential to differentiate companies from their competition

Examples of new big data initiatives and profiling that made negative headlines (even though fully compliant with the law): ING (2014); Equens (2013).

Examples of Customer (Privacy) Charters

(Printed flyer, Amsterdam Privacy Conference 2012)

Determine the individual consent requirements that are required and advisable to enable the organization's business initiatives

The New Business PIA provides a consistent permission management framework

Individual consent is a great opportunity for the processing of personal data.

User consent allows processing of personal data in most cases.

Be aware: consent-based relationships require sustainable customer value creation.

Consent is a powerful instrument to reinforce the legitimate business purpose chosen for the processing of personal data (…does the customer really agree that this is a legitimate business purpose…).

Example of a permission management matrix, to determine the required means of consent for the various business purposes.

Determine appropriate measures for obtaining individual consent (e.g. from customers)

(Matrix: rows by nature of personal data, ordered by increasing sensitivity of data; columns by business purpose, ordered by increasingly privacy-intruding purposes. Each cell gives the means of consent: transactional, opt-in, opt-out, transparency note, or no use.)

Nature of personal data: e.g. customer account data, traffic data, browsing behavior, financial data, health data, etc.

Business purpose: delivery of service, logistics optimization, product development, advertising, location based services, etc.
The New Business PIA provides privacy guidance and delivers privacy requirements to the business initiatives

Deliver a tailored set of privacy requirements during the project starting phase

Deliver privacy requirements to the business initiatives

Support privacy-by-design principle by delivering tailored set of requirements to the business initiatives.

Build privacy compliance into solutions right from the start.

For high-impact projects, consider performing design and test audits during the development phase to ensure that the privacy requirements are actually implemented.

Recap: Three types of Privacy Impact Assessments (PIAs) can be performed

1. Organizational PIA - objective: mature the privacy governance & policy framework.

2. Operations PIA – objective: close the gap between the privacy governance & policy framework and the operations (business processes, systems & people).

3. New Business PIA – objective: enable new business initiatives that increasingly rely on personal data usage.

Different PIA approaches are needed to reach the desired objectives

Contact details

Thank you

Primary contact person

Albert Holl, Principal Manager Privacy

Reykjavikplein 1, P.O. Box 2575, 3500 GN Utrecht, The Netherlands

Phone: +31 645 886784
E-Mail: [email protected]
