The GDPR and its requirements for implementing data protection impact assessments (DPIAs)
Presented by: Alan Calder, founder and executive chairman, IT Governance
7 September 2017
Copyright IT Governance Ltd 2017 – v1.1
TM
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop shop
All verticals, sectors and all organisational sizes
Agenda
• The GDPR’s impact and the benefits of conducting a DPIA
• The legal requirements for a DPIA under the GDPR
• High-risk DPIAs and prior consultation with the supervisory authority
• DPIAs and their links to an organisation’s risk management framework
• The practical steps to conduct a DPIA
The GDPR’s impact and the benefits of conducting a DPIA
The GDPR’s impact
• UK organisations that process personal data only have a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016 – Council of the European Union adopted the GDPR
• 12 April 2016 – The GDPR was adopted by the European Parliament
• 4 May 2016 – The official text of the Regulation was published in the Official Journal of the EU
• 24 May 2016 – The Regulation entered into force
• 25 May 2018 – The GDPR will apply
Material and territorial scope
Natural person = a living individual
• Natural persons have rights associated with:
– The protection of personal data
– The processing of personal data
– The unrestricted movement of personal data within the EU
• In material scope:
– Personal data that is processed wholly or partly by automated means;
– Personal data that is part of a filing system, or intended to be.
The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place.
It applies to controllers outside the EU that provide services into the EU.
Penalties
Administrative fines
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Lower tier: €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
• Upper tier: €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.
Key terms
Article 35: Data protection impact assessments help identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.
• A process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system.
• Analyse how a particular project or system will affect the privacy and rights of the data subjects involved.
The benefits of a DPIA: TRANSPARENCY
Helps individuals understand how and why their information is being used.
It addresses:
– Principle 1 – Fair and lawful processing
– Principle 2 – Purpose limitation
Improve how you use information.
The benefits of a DPIA: TRUST
Publish your DPIA to build TRUST.
Applies to all GDPR principles, particularly principle 6 – Security.
The benefits of a DPIA: FINANCIAL
Identifying a problem early will generally require a simpler and less costly solution.
Minimise the amount of information you collect.
It applies to principle 3 – Data minimisation.
The benefits of a DPIA: AWARENESS
Increase awareness of privacy and data protection issues within your organisation.
The benefits of a DPIA: COMPLIANCE
Comply with your GDPR obligations.
The benefits of a DPIA: ASSURANCE
Individuals will be reassured your project has followed best practice.
The legal requirements for a DPIA under the GDPR
Legal requirements for a DPIA
Article 35: Data protection impact assessment
• A DPIA is required:
– Where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
• A DPIA is particularly required in the case of:
– Automated processing, including profiling, and on which decisions are based that produce legal effects concerning natural persons;
– Large-scale processing of special categories of data or of personal data relating to criminal convictions;
– A systematic monitoring of a publicly accessible area on a large scale.
• The controller shall seek the advice of the DPO.
• The supervisory authority is to publish a list of operations that require a DPIA.
Legal requirements for a DPIA
A DPIA will set out as a minimum:
• a systematic description of the processing and purposes;
• legitimate interests (where applicable) pursued by the controller;
• an assessment of the necessity and proportionality of the processing;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks, including all safeguards and security measures to protect data and to demonstrate compliance.
Compliance with approved codes of conduct should be taken into account.
Where appropriate, consult the data subjects.
Legal requirements for a DPIA
Is a full DPIA required?
Not all projects will require the same level of analysis.
• If the outcome of the screening is that a standard DPIA is not required then it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, it will still be useful to retain a record of the answers so they can be referred to in future if necessary.
High-risk DPIAs and prior consultation with the supervisory authority
What is risk?
• The effect of uncertainty on objectives (ISO 31000 etc.).
• A combination of the likelihood of an incident occurring and the impact, if it does occur, on the organisation.
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
• Risk can be good or bad.
Privacy risk and what it means
Risks to individuals: the potential for damage or distress.
Risks to organisation: financial and/or reputational impact of a data breach.
Privacy risk should already be on the CORPORATE RISK REGISTER.
Examples of privacy risk
Data that is:
• Inaccurate, insufficient or out-of-date
• Kept for too long
• Excessive or irrelevant
• Disclosed to the wrong people
• Insecurely transmitted or stored
• Used in ways that are unacceptable or unexpected
Examples of where you might use a DPIA
• A new IT system for storing and accessing personal data.
• Data sharing initiative.
• An unexpected or more intrusive purpose.
• Monitoring members of the public.
• Database that consolidates information held by separate parts of an organisation.
Risk treatment
What actions address the risks?
Reduce the impact to an acceptable level.
Prior consultation
Article 36: Prior consultation
• Controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”:
– Supervisory authority shall provide written advice to the controller
– Request for controller to provide further information:
– Information on purposes and means
– Information on measures and safeguards
– The contact details of the DPO
– A copy of the data protection impact assessment
– Any other information requested
DPIAs and their links to an organisation’s risk management framework
The GDPR and risk management frameworks
Article 32: “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
KEY AREAS:
– Information/cyber security management systems (e.g. ISO 27001)
– Business continuity management systems (e.g. ISO 22301)
– Personal information management systems (e.g. BS 10012)
Certifications do not remove or reduce accountability for data protection – but will demonstrate non-negligence in approaching the Article 32 requirement.
The GDPR and risk management frameworks
• Article 32: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
• “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24(1))
The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: Network and Information Security Directive and Government Cyber Security Strategy.
The practical steps to conduct a DPIA
The practical steps to conduct a DPIA
STEP 1 – Identify the need for a DPIA
STEP 2 – Describe the information flow
STEP 3 – Identify privacy and related risks
STEP 4 – Identify and evaluate privacy solutions
STEP 5 – Sign-off and record outcome
STEP 6 – Integrate the outcomes into the project plan
STEP 7 – Monitor and evaluate; feed lessons learned back into the process
NB: Consult with stakeholders as needed, before, during and after.
IT Governance: GDPR one-stop shop
Self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis
Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit
Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Data Protection Officer (DPO) as a Service
Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
• Implementing a personal information management system (PIMS)
Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001
We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check
The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
Questions?