The LFF – Lantern Fund Forum is the seventh edition of one of the most important events focused on Asset Management, Investment Tools and Fundamental Analysis organized in Switzerland.
Data Protection - GDPR - Lantern Fund Forum 2017 - Leonardi Andrea, Michelotti Stefano
1. Lugano (CH), 20 and 21 November 2017
GDPR AND GRC: GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE FOR DATA PROTECTION
Andrea LEONARDI - Stefano MICHELOTTI
A partner of Minerva Group Service
2. SPEAKERS
MICHELOTTI, Stefano (CHAIRMAN – MINERVA GROUP SERVICE)
Stefano MICHELOTTI is Co-Founder and Chairman of Minerva Group Service s.c.c.p.a., a cooperative joint stock consortium company that is the hub of a network of companies (consortium companies). Minerva Group Service is strongly committed to providing professional and business services (e.g. GRC, GDPR, ISO Management Systems, Cybersecurity, Project Management, etc.). He is advisor, trainer and auditor for GDPR, Risk Management (ISO 31000) and Compliance Management (ISO 19600).
https://www.linkedin.com/in/stefano-michelotti-49a30418/
@StefanoArchisto
LEONARDI, Andrea (CONSULTANT, TRAINER, AUDITOR – MINERVA GROUP SERVICE)
A graduate of Bocconi University with over 20 years' experience in several industries, functions and projects, Andrea LEONARDI is Co-Founder and Vice President of Minerva Group Service s.c.c.p.a., a company focused on providing advisory, training and audit services. He is advisor, trainer and auditor for GDPR and related ISO standards (e.g. ISO 27001 Information Security Management System, ISO 20000-1 IT Service Management System, ISO 22301 Business Continuity Management System).
http://www.linkedin.com/pub/andrea-leonardi/18/2a3/442
@AndreaLeonardix
www.minervagroupservice.it
3. GDPR IS LANDING ON YOUR PLANET … ARE YOU READY?
What and when? GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 25 May 2018: tempus fugit …
Who and where? EU data subjects; controller; processing (by automated means or other) of personal data.
Why? Personal data: “information relating to an identified or identifiable natural person (‘data subject’)”. No GDPR (compliance)?! No (business) party … and huge administrative fines from the Supervisory Authority: up to 4 % of the total worldwide annual turnover.
How? A GRC road map to GDPR (Governance, Risk Management, Compliance) … following ISO Management Systems!
4. What? GDPR
Foreword (173 items)
CHAPTER I General provisions
CHAPTER II Principles
CHAPTER III Rights of the data subject: Section 1 Transparency and modalities; Section 2 Information and access to personal data; Section 3 Rectification and erasure; Section 4 Right to object and automated individual decision-making; Section 5 Restrictions
5. What? GDPR
CHAPTER IV Controller and processor: Section 1 General obligations; Section 2 Security of personal data; Section 3 Data protection impact assessment and prior consultation; Section 4 Data protection officer; Section 5 Codes of conduct and certification
6. What? GDPR
CHAPTER V Transfers of personal data to third countries or international organisations
CHAPTER VI Independent supervisory authorities: Section 1 Independent status; Section 2 Competence, tasks and powers
CHAPTER VII Cooperation and consistency
CHAPTER VIII Remedies, liability and penalties
CHAPTER IX Provisions relating to specific processing situations
CHAPTER X Delegated acts and implementing acts
7. Who? GDPR applies (CHAPTER I General provisions)
“This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”
Key terms: DATA SUBJECT, PERSONAL DATA, PROCESSING, FILING SYSTEM.
8. Who? GDPR – PERSONAL DATA (CHAPTER I General provisions)
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
Also defined: genetic data, biometric data, data concerning health.
9. Who? GDPR – PROCESSING (CHAPTER I General provisions)
Processing of personal data: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
Profiling: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Pseudonymisation: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”
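The pseudonymisation definition above has two halves: a transformed data set and the “additional information” that re-links it, which must be kept separately. The following Python sketch is an added example, not part of the slides: it keeps a secret key and a lookup table (assumed names) apart from the pseudonymised records and uses HMAC-SHA256 as the keyed transformation (an assumed design choice), with a check showing why an unkeyed hash would not meet the definition.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people and addresses).
RECORDS = [
    {"name": "Mario Rossi", "email": "mario.rossi@example.com", "health": "diabetes"},
    {"name": "Anna Bianchi", "email": "anna.bianchi@example.com", "health": "asthma"},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed, one-way pseudonym for an identifier (HMAC-SHA256, hex digest).
    The key is part of the 'additional information' kept separately."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split each record into a pseudonymised part (what analysts work on) and a
    lookup entry linking the pseudonym back to the identifying fields.
    The two outputs are meant to be stored and access-controlled separately."""
    pseudonymised, lookup = [], {}
    for rec in records:
        pid = pseudonym(key, rec["email"])
        pseudonymised.append({"subject_id": pid, "health": rec["health"]})
        lookup[pid] = {"name": rec["name"], "email": rec["email"]}
    return pseudonymised, lookup


def reidentify(pseudo_record, lookup):
    """Re-attribute a record to its data subject; only possible for whoever is
    authorised to access the separately held lookup table."""
    return lookup.get(pseudo_record["subject_id"])


def linkable_by_unkeyed_hash(pseudonymised, guessed_email: str) -> bool:
    """Caveat check: a plain SHA-256 of a guessed address would match if the
    pseudonyms had been built without a key. With HMAC it does not, so the
    pseudonymised set alone cannot be attributed to a subject."""
    unkeyed = hashlib.sha256(guessed_email.lower().encode()).hexdigest()
    return any(r["subject_id"] == unkeyed for r in pseudonymised)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate and store this apart from the data set
    pseudo, table = pseudonymise(RECORDS, key)
    print(pseudo)  # only subject_id and health, no names or e-mails
    print(reidentify(pseudo[0], table))
    print(linkable_by_unkeyed_hash(pseudo, "mario.rossi@example.com"))  # False
```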
10. Where? GDPR (CHAPTER I General provisions)
Controller or processor established in the EU, processing in the EU or extra EU:
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Controller or processor NOT established in the EU, offering goods or services to, or monitoring the behaviour of, data subjects in the EU:
“…This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
12. Why? GDPR – administrative fines
Up to 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year, for infringements of the following provisions: obligations of the controller and the processor under Art. 8, Art. 11, Art. 25–39, Art. 42 and Art. 43 (CHAPTER II Principles; CHAPTER IV Controller and processor).
13. Why? GDPR – administrative fines
Up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, for infringements of the following provisions: the basic principles for processing, Art. 5, Art. 6, Art. 7 and Art. 9 (CHAPTER II Principles); the rights of the data subject, Art. 12–22 (CHAPTER III Rights of the data subject).
15. How? GDPR – ISO standards
ISO 29100: Standard ISO 29100:2011 «Information technology – Security techniques – Privacy framework»
ISO 31000: Standard ISO 31000:2009 “Risk management — Principles and guidelines”
ISO 19600: Standard ISO 19600:2014 «Compliance management systems — Guidelines»
ISO 29134: ISO/IEC 29134 «Information technology — Security techniques — Guidelines for privacy impact assessment»
ISO 19011: Standard ISO 19011:2011 “Guidelines for auditing management systems”
16. How? GDPR – ISO 29100 PRIVACY FRAMEWORK
Mapping of controller, processor and PII processing; roles, responsibilities and interactions; principles; policies; controls; compliance.
GDPR, controller: “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”
GDPR, processor: “…natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;..”
GDPR: “…appropriate technical and organisational measures”
GDPR principles
GDPR: “…records of processing activities”
17. How? GDPR – DATA PROTECTION OFFICER
GDPR tasks of the DPO:
“..to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; ..”
“…to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; …”
“…to cooperate with the supervisory authority..”
“…to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”
Related standards: ISO 19600, ISO 19011, ISO 29134, ISO 27001.
18. How? GDPR – ISO 31000 RISK MANAGEMENT FRAMEWORK
Risk management process: establishing the context (external context, internal context); risk assessment (risk identification, risk analysis, risk evaluation); risk treatment.
GDPR: “…appropriate technical and organisational measures”
GDPR: “…Taking into account the nature, scope, context and purposes of processing…”
GDPR: “…the risks of varying likelihood and severity for the rights and freedoms of natural persons..”
19. How? GDPR – ISO 29134
Process for conducting a PIA: General; Preparing the grounds for PIA; Determine whether a PIA is necessary (threshold analysis); Preparation of the PIA; Perform the PIA; Follow the PIA.
Report structure (PIA Report): General; Scope of PIA; Risk Assessment; Risk Treatment Plan; Conclusions and Decisions; PIA Public Summary; Annex A (informative) Scale criteria on the level of impact and on the likelihood.
22. How? GDPR – ISO standards
ISO 20000-1: Standard ISO/IEC 20000-1:2011 «Information technology — Service management — Part 1: Service management system requirements»
ISO 27001: Standard ISO/IEC 27001:2013 «Information technology — Security techniques – Information security management systems – Requirements»
ISO 22301: Standard ISO 22301:2012 “Societal security — Business continuity management systems — Requirements”
23. How? GDPR – SMS ISO 20000-1 and relationships with ISMS ISO 27001 and BCMS ISO 22301
SMS ISO 20000-1 processes:
Design and transition of new or changed services
Control processes: Configuration management; Change management; Release and deployment management
Service delivery processes: Capacity management; Service continuity & availability management; Service level management; Information security management; Budgeting & accounting for services; Service reporting
Resolution processes: Incident and service request management; Problem management
Relationship processes: Business relationship management; Supplier management
Relationships shown: ISO 27001 Annex A (including A.17) and ISO 22301.
24. How? GDPR – SMS ISO 20000-1 and main relationships with GDPR
The SMS ISO 20000-1 processes (design and transition of new or changed services; control, service delivery, resolution and relationship processes, as listed on the previous slide) are mapped to these GDPR topics: privacy by design and privacy by default; Privacy Impact Assessment; privacy breach; rights of the data subject; external processors and third parties.
27. How? GDPR – ISO 27001 Annex A
A.5 Information security policy; A.6 Organization of information security; A.7 Human resource security; A.8 Asset management; A.9 Access control; A.10 Cryptography; A.11 Physical and environmental security; A.12 Operations security; A.13 Communication security; A.14 System acquisition, development and maintenance; A.15 Supplier relationships; A.16 Information security incident management; A.17 Information security aspects of business continuity; A.18 Compliance.
GDPR: “…appropriate technical and organisational measures”
28. How? GDPR – ISO 27001 Annex A, A.18 Compliance
CLAUSE: A.18 Compliance
CONTROL OBJECTIVE: A.18.1 Compliance with legal and contractual requirements
CONTROL: A.18.1.4 Privacy and protection of personally identifiable information (PII)
Related standards: ISO 19600, ISO 27001.
29. How? GDPR – ISO 22301
Business continuity flow: BUSINESS IMPACT ANALYSIS (BIA) on processing data; incident; RISK ASSESSMENT; DISRUPTION; impact on the data subject; loss of availability; RESILIENCE; BUSINESS CONTINUITY STRATEGY; BUSINESS CONTINUITY PLANS; TESTING AND EXERCISING.
GDPR links: privacy by design and privacy by default; Privacy Impact Assessment (PIA); privacy breach.
Related standards: ISO 31000, ISO 29134.
30. GDPR: AN INFOGRAPHIC … and relationships with main ISO standards
GRC in data processing: GOVERNANCE, RISK MANAGEMENT, COMPLIANCE.
Perimeter and means in data processing: purposes of processing; data processing (operations on data); storage; transmission and dissemination; cloud; IT («privacy by default & privacy by design», «cybersecurity»); physical sites (including external datacenter); organization & HR (internal and external); documentation and procedures.
Roles: EU data subjects; Controller; Processors & data handlers; DPO (designation); issues of the Supervisory Authority.
Topics: information & consent; rights of the data subject; risk (confidentiality, integrity, availability); technical and organisational measures; resilience; Privacy Impact Assessment; personal data breach; records of processing activities; training and awareness.
ISO standards: ISO 29100, ISO 31000, ISO 29134, ISO 19600, ISO 27001, ISO 27018, ISO 22301, ISO 20000-1.