Privacy & Data Protection
The Road Ahead: Practical Implications & Best Practices
Phani Krishna, CISA, CISM, CISSP, CAIIB – Head of IT Audit, Essentra Plc.
Disclaimer: The views, opinions, findings, and conclusions or recommendations expressed in this presentation are strictly those of the presenter and are for information purposes only. They do not necessarily reflect the views of Essentra or the other organizations served by the presenter. Essentra or the other organizations served, take no responsibility for any errors or omissions in, or for the correctness of, the information contained in this presentation.
‘Privacy’, a noun: “A state in which one is not observed or disturbed by other people” or “The state of being free from public attention”
What are we planning to cover?
• Introduction to Privacy & Data Protection
• PII definition and Scope
• Data protection Law & Regulation: ASIA (India), EMEA (EU), Americas (USA)
• Practical Implications of Privacy & GDPR: Objectives, Rights of Data subjects, Organizational Requirements
• Best Practices for GDPR compliance: Assessment, Framework & Controls, Compliance
Privacy & Data Protection
(Diagram: the overlap of Data/Information, Privacy, Security, Legal and Compliance)
‘Privacy’ of a natural living person is the state of not being observed or disturbed without their explicit consent to do so.
PII & Scope
Source: http://www.usan.com/uncategorized/understanding-pii-personally-identifiable-information-in-the-contact-center/
PII: any information that can identify a natural person directly, indirectly, or when combined with other available information.
The Seven Dimensions of Privacy
• Privacy of data and image (information)
• Privacy of behavior and action
• Privacy of communication
• Privacy of association
• Privacy of thoughts and feelings
• Privacy of location and space (territorial)
• Privacy of person
Data protection Law & Regulation
Forrester’s 2016 Data Protection Heat Map – countries are continuing to move toward the European standard for data protection. Callouts from the map:
• (from 1 June 2017) Failure to report leakage, damage or loss of personal data
• Disclosure of personal information in breach of a lawful contract or without consent
• Serious or repeated breach of the Australian Privacy Principles
• Privacy Directives / EU GDPR
• Privacy Shield
• Industry specific, such as HIPAA / Privacy Act 1974
• 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (updated 2013) – only recommended to member countries
• Global Privacy Enforcement Network (GPEN)
Privacy objectives of General Data Protection Regulation (GDPR)
1 Protect the privacy rights
2 Uniform regulation across the EU
3 Define (widen) the scope of PII
4 Uniform cross-border data transfers
5 Address online data privacy concerns
6 Facilitate economic activities with uniform privacy requirements
7 Harmonize regulatory oversight
Rights of Data Subjects
• Data Subject – right to privacy
• Know the why, how, where, till when, etc.
• Request information through a defined method
• Request to rectify/modify
• Object to transfer or processing
• Right to be forgotten
• Data portability without hindrance, where feasible
• Object to automated decision making, including profiling
Organizational Requirements
• Collection – Legitimate, specified & explicit consent
• Data – Adequate, relevant and limited
• Process – Lawful, transparent & fair
• Quality – Accurate & up to date
• Retention – As consented & necessary
• Secure – Protect: state of the art
• Accountability – Controllers & Processors: civil & criminal liabilities
• Breach – Detect, contain & notify: administrative fines
• One Stop – One-stop Data Protection Authority for EU business
Assessment Framework
• Data Assessment
• Gap Assessment
• Privacy Impact Assessment
• Business Impact Assessment
• Risk Assessment
Framework & Controls
(Diagram – Enterprise Governance: Privacy Governance; Privacy Policies & Procedures; Privacy Risk Management; Awareness; Privacy Program Management; Training; Privacy Operations; Support; Planning & Selection; Projects & Controls; Monitor & Reporting; Audit & Review; Requirements; Rights; Logging; Breach; Assess; Mitigate; Measure; Review)
GDPR Compliance Best Practices
ENTERPRISE GRC FRAMEWORK
• Assessment
• Framework & Controls
• Privacy by design – Data Minimization
• Data Quality & Rights Management
• Data Protection Officer
• Encryption & IT Security best practices
• Cross Border Data transfer
• Certification
• Logging & Monitoring
Discussion