Page 1: The GDPR and its requirements for implementing data protection impact assessments (DPIAs)

Presented by: Alan Calder, founder and executive chairman, IT Governance

7 September 2017

Page 3: IT Governance Ltd: GRC one-stop shop

Copyright IT Governance Ltd 2017 – v1.1
www.itgovernance.co.uk

All verticals, sectors and all organisational sizes

Page 4: Agenda

• The GDPR’s impact and the benefits of conducting a DPIA
• The legal requirements for a DPIA under the GDPR
• High-risk DPIAs and prior consultation with the supervisory authority
• DPIAs and their links to an organisation’s risk management framework
• The practical steps to conduct a DPIA

Page 5: The GDPR’s impact and the benefits of conducting a DPIA

Page 6: The GDPR’s impact

• UK organisations that process personal data only have a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.

“This Regulation shall be binding in its entirety and directly applicable in all Member States.”

Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679

• 8 April 2016: the Council of the European Union adopted the GDPR
• 12 April 2016: the GDPR was adopted by the European Parliament
• 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU
• 24 May 2016: the Regulation entered into force
• 25 May 2018: the GDPR will apply

Page 7: Material and territorial scope

Natural person = a living individual

• Natural persons have rights associated with:
  – The protection of personal data
  – The processing of personal data
  – The unrestricted movement of personal data within the EU

• In material scope:
  – Personal data that is processed wholly or partly by automated means;
  – Personal data that is part of a filing system, or intended to be.

The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place.

It applies to controllers outside the EU that provide services into the EU.

Page 8: Penalties

Administrative fines

• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.

• €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
• €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year.

Page 9: Key terms

Article 35: Data protection impact assessments help identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.

• A process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system.
• Analyse how a particular project or system will affect the privacy and rights of the data subjects involved.

Page 10: The benefits of a DPIA: TRANSPARENCY

Helps individuals understand how and why their information is being used.

It addresses:
• Principle 1 – Fair and lawful processing
• Principle 2 – Purpose limitation

Improve how you use information.

Page 11: The benefits of a DPIA: TRUST

Publish your DPIA to build TRUST.

Applies to all GDPR principles, particularly principle 6 – Security.

Page 12: The benefits of a DPIA: FINANCIAL

Identifying a problem early will generally require a simpler and less costly solution.

Minimise the amount of information you collect.

It applies to principle 3 – Data minimisation.

Page 13: The benefits of a DPIA: AWARENESS

Increase awareness of privacy and data protection issues within your organisation.

Page 14: The benefits of a DPIA: COMPLIANCE

Comply with your GDPR obligations.

Page 15: The benefits of a DPIA: ASSURANCE

Individuals will be reassured your project has followed best practice.

Page 16: The legal requirements for a DPIA under the GDPR

Page 17: Legal requirements for a DPIA

Article 35: Data protection impact assessment

• A DPIA is required:
  – Where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

• A DPIA is particularly required in the case of:
  – Automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons;
  – Large-scale processing of special categories of data or of personal data relating to criminal convictions;
  – A systematic monitoring of a publicly accessible area on a large scale.

The controller shall seek the advice of the DPO.

The supervisory authority is to publish a list of operations that require a DPIA.

Page 18: Legal requirements for a DPIA

A DPIA will set out as a minimum:

• a systematic description of the processing and purposes;
• legitimate interests (where applicable) pursued by the controller;
• an assessment of the necessity and proportionality of the processing;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks, including all safeguards and security measures to protect data and to demonstrate compliance;
• where appropriate, consultation of the data subjects.

Compliance with approved codes of conduct should be taken into account.

Page 19: Legal requirements for a DPIA

Is a full DPIA required?

Not all projects will require the same level of analysis.

• If the outcome of the screening is that a standard DPIA is not required then it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, it will still be useful to retain a record of the answers so they can be referred to in future if necessary.

Page 20: High-risk DPIAs and prior consultation with the supervisory authority

Page 21: What is risk?

• The effect of uncertainty on objectives (ISO 31000 etc.).
• A combination of the likelihood of an incident occurring and the impact, if it does occur, on the organisation.
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
• Risk can be good or bad.

Page 22: Privacy risk and what it means

Risks to individuals: the potential for damage or distress.

Risks to the organisation: financial and/or reputational impact of a data breach.

Privacy risk should already be on the CORPORATE RISK REGISTER.

Page 23: Examples of privacy risk

Data that is:

• Inaccurate, insufficient or out-of-date
• Kept for too long
• Excessive or irrelevant
• Disclosed to the wrong people
• Insecurely transmitted or stored
• Used in ways that are unacceptable or unexpected

Page 24: Examples of where you might use a DPIA

• A new IT system for storing and accessing personal data.
• A data sharing initiative.
• An unexpected or more intrusive purpose.
• Monitoring members of the public.
• A database that consolidates information held by separate parts of an organisation.

Page 25: Risk treatment

What actions address the risks?

Reduce the impact to an acceptable level.

Page 26: Prior consultation

Article 36: Prior consultation

• The controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”:
  – The supervisory authority shall provide written advice to the controller
  – Request for the controller to provide further information
  – Information on purposes and means
  – Information on measures and safeguards
  – The contact details of the DPO
  – A copy of the data protection impact assessment
  – Any other information requested

Page 27: DPIAs and their links to an organisation’s risk management framework

Page 28: The GDPR and risk management frameworks

Article 32: “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”

KEY AREAS:
– Information/cyber security management systems (e.g. ISO 27001)
– Business continuity management systems (e.g. ISO 22301)
– Personal information management systems (e.g. BS 10012)

Certifications do not remove or reduce accountability for data protection – but will demonstrate non-negligence in approaching the Article 32 requirement.

Page 29: The GDPR and risk management frameworks

• Article 32: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
• “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24-1)

The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.

NB: Network and Information Security Directive and Government Cyber Security Strategy.

Page 30: The practical steps to conduct a DPIA

Pages 31 to 37: The practical steps to conduct a DPIA

STEP 1: Identify the need for a DPIA
STEP 2: Describe the information flow
STEP 3: Identify privacy and related risks
STEP 4: Identify and evaluate privacy solutions
STEP 5: Sign-off and record outcome
STEP 6: Integrate the outcomes into the project plan
STEP 7: Monitor and evaluate; feed lessons learned back into the process

NB: Consult with stakeholders as needed, before, during and after.

Page 38: IT Governance: GDPR one-stop shop

Self-help materials

• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool

Page 39: IT Governance: GDPR one-stop shop

Training courses

• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop

Page 40: IT Governance: GDPR one-stop shop

GDPR consultancy

• Gap analysis
  Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.

• Data flow audit
  Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.

• Data Protection Officer (DPO) as a Service
  Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.

• Implementing a personal information management system (PIMS)
  Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.

• Implementing an information security management system (ISMS) compliant with ISO 27001
  We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.

• Cyber Health Check
  The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.

Page 41: Questions?