TRANSCRIPT
BIO
THE SPEAKER:
Desmond Israel
Enterprise Privacy & Security Practitioner
LLB, BSC, CASP, QCS(VM), CCNSP, CCSC
REPRESENTING:
TEKI AKUETTEH FALCONER (MRS)
EXECUTIVE DIRECTOR
DATA PROTECTION COMMISSION, GHANA
EXPERIENCE:
3 Years in Data Privacy
10 Years in IT Security
12 Years in IT Business Development
8 Years in Public Speaking [IT Subject-Matter Expert]
INTRODUCTION
The Data Protection Compliance Reporting Framework sets out data controllers’ compliance reporting mechanism to the Data Protection Commission.
Regulatory Compliance Reporting Framework (CRF)
Part of the Commission’s overall approach to ensuring compliance in accordance with the Data Protection Act, 2012 (Act 843).
Purpose: Safeguard and enhance data protection through effective and timely regulation of data controllers.
How: Yearly reporting and auditing mechanism.
INTRODUCTION
This compliance reporting tool has 3 main components:
Data Protection Compliance Guide
Compliance Reporting Mechanisms & Auditing Processes
Compliance Fee Structure
Compliance Guide
It is expected that data controllers should meet these requirements for compliance.
It is aimed at those who have responsibilities for data protection in an organisation (e.g. the data supervisor).
It helps managers and administrators to understand the full range of data protection issues when processing personal data.
Compliance Guide
1# General Management
1. Policy on data protection.
2. Access to personal data, training and guidance.
3. Contractual and other arrangements relating to third party processing of personal data.
4. Privacy impact assessment.
Compliance Guide
2# Lawfulness of Processing
Full extent of the processing which is authorised by law and/or regulations.
Proof of lawful processing.
3# Transparency of processing
Awareness of data subjects.
Practical or technical difficulties in meeting the requirement.
Reasons for not meeting the requirement, if any.
Compliance Guide
4# Quality of personal data
Assessment to ensure that personal data is ‘adequate, relevant and not excessive’ in the context of each particular purpose.
Practical or technical difficulties in meeting the requirements.
5# Retention and reasons for retention
Compliance Guide
6# Security safeguards of personal data
Security policy that covers all aspects of the processing of personal data.
Evidence of implementation of security controls or procedures in accordance with such policy.
Measures to ensure the integrity of the personal data and of its processing.
Considerations taken into account during the development, purchase or acquisition of hardware and software.
Confidentiality.
Data sharing and cross-border data transfers.
Compliance Guide
7# Rights of Data Subjects
Policies and procedures that guarantee the rights of the Data Subjects, such as being informed of the nature of the processing of personal data, receiving confirmation as to whether or not personal data about them is being processed, correction of personal data, etc.
Practical or technical difficulties in meeting such requirements.
Compliance Guide
8# Notification policy and procedures
Policies and procedures on notification of security compromises.
Security compromises registered.
Notifications filed in accordance with the law.
9# Registration
Registration status and number.
Compliance Guide
10# Training & Education
The levels of awareness of data protection within the organisation.
Staff awareness of their data protection responsibilities, including the need for confidentiality.
Data protection training programme for staff.
Compliance Guide
11# Co-ordination and Compliance
Evidence of appointment of a data protection supervisor and/or compliance person.
Staff awareness of their role.
Mechanisms in place for formal review by the supervisor of activities within the organisation.
Auditing & Reporting
It is envisaged that this process may take between one (1) month and three (3) months depending on the capacity of the Data Controller.
Auditing & Reporting
The process will entail the following:
Filing of the externally audited compliance report online.
Payment of appropriate fees.
Assessment of the report by the Commission through further checks by its staff or by third party consultants on its behalf.
Issuing of the Commission’s interim report to the Data Controller.
Giving of timelines to ensure full compliance.
Follow-up enforcement actions.
Publication of the Commission’s final report and compliance status (Full Compliance, Partial Compliance, Poor Compliance, Non-Compliance).
Auditing & Reporting
Compliance Cycle (diagram):
Filing of Compliance / Payment of Fees
-> Assessment
-> Issue of Interim Report
-> Timelines for Compliance
-> Filing of updated report
-> Follow-up enforcement actions
-> Publication of Compliance Status
Compliance & Fee Structure
CATEGORY     Number of personal records
Category A   Above 1,000,001
Category B   500,001 – 1,000,000
Category C   100,001 – 500,000
Category D   80,001 – 100,000
Category E   70,001 – 80,000
Category F   60,001 – 70,000
Category G   50,001 – 60,000
Category H   40,001 – 50,000
Category I   30,001 – 40,000
Category J   20,001 – 30,000
Category K   5,001 – 20,000
Category L   1 – 5,000
CoBiT 4.1 Aligned
Deliver & Support, DS11 Domain: Manage Data
COBiT 4.1 Control Objective | Key Areas | DP Audit Compliance Guide requirement(s)
DS11.1 Business requirements for data management | Input for design; Minimizing errors and omission; Error-handling procedures | REQ.01 General Management; REQ.09 Registration; REQ.02 Lawfulness of Processing
DS11.2 Storage & retention arrangements | Document preparation; Segregation of duties | REQ.05 Retention and reasons for retention; REQ.11 Co-ordination and Compliance
DS11.3 Media library management systems | Completeness and accuracy | REQ.04 Quality of personal data
DS11.4 Disposal | Detection, reporting & correction | REQ.07 Rights of Data Subjects; REQ.08 Notification policy and procedures
DS11.5 Backup and restoration | Legal requirements; Retrieval & reconstruction mechanism | REQ.03 Transparency of processing & Awareness of data subjects
DS11.6 Security requirements for data management | Data input by authorized staff | REQ.06 Security safeguards of personal data; REQ.11 Co-ordination and Compliance; REQ.10 Training & Education
Miscellaneous
My Ten Rules for Data Protection Compliance as a Practitioner
1. Consent
2. Sensitive data
3. Individual rights
4. Review files
5. Disposal of records
6. Accuracy
7. Security
8. Disclosing data
9. Worldwide transfer
10. Third party processors
Merits of Data Protection Registration
Legal Compliance
Avoiding Fines
Better Business Management
Customer Security
Challenges of Data Protection Registration:
Strict Maintenance of Data
The Cost
Training
Data Protection Procedures