SlideShare a Scribd company logo

pr Privacy Principles 230405 small.pdf

Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

Privacy Principles (GDPR)

Law
1 of 25
Download to read offline
1 Privacy Principles Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 www.patreon.com/AndreyProzorov 1.0, 05.04.2023
www.linkedin.com/in/andreyprozorov www.patreon.com/AndreyProzorov Andrey Prozorov CISM, CIPP/E, CDPSE, LA 27001 Cybersecurity and Privacy expert 2
Privacy principles: a set of shared values governing the privacy protection of personally identifiable information (PII) when processed in information and communication technology systems ISO/IEC 29100:2011 Privacy framework 3
Privacy principles should be used to guide the design, development, and implementation of privacy policies and privacy controls. Additionally, they can be used as a baseline in the monitoring and measurement of performance, benchmarking and auditing aspects of privacy management programs in an organization. ISO/IEC 29100:2011 Privacy framework 4
5
1. GDPR: Principles relating to processing of personal data - https://eur-lex.europa.eu/eli/reg/2016/679/oj and https://ico.org.uk/for- organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr 2. The privacy principles of ISO/IEC 29100 - https://www.iso.org/standard/45123.html 3. Fair Information Practice Principles (FIPPs) - https://iapp.org/resources/article/fair-information-practices 4. APEC Information Privacy Principles - https://www.apec.org/publications/2017/08/apec-privacy-framework-(2015) 5. PIPEDA’s 10 fair information principles - https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal- information-protection-and-electronic-documents-act-pipeda/p_principle 6. The SCF Privacy Management Principle - https://www.securecontrolsframework.com/privacy-management-principles 7. The Australian Privacy Principles (APPs) - https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the- australian-privacy-principles 8. OECD Privacy Principles - http://oecdprivacy.org 9. Privacy implementation toolkit (all mindmaps) - https://www.patreon.com/posts/privacy-toolkit-66191153 External links 6
7
8
“Compliance with the spirit of these key principles is a fundamental building block for good data protection practice.” - ICO UK 9
10 1. Lawfulness, fairness and transparency Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’) • We must identify ‘lawful basis’ for collecting and using personal data (GDPR: Consent, Contract, Legal obligation, Vital interests, Public task, Legitimate interests). • We must use personal data in a way that is fair. This means we must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. • We must be clear, open and honest with people from the start about how we will use their personal data. ‘Right to be informed’
11 Right to be informed • Individuals have the right to be informed about the collection and use of their personal data. • We must provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. - ”privacy information” • We must provide privacy information to individuals at the time we collect their personal data from them. • The information we provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. • Getting the right to be informed can help us to build trust with data subjects.
Data Protection Policy Notices Contact point for requests (DPO) 12
The Policy shall: 1. Be available as documented information 2. Be communicated within the organization 3. Be available to interested parties, as appropriate The Policy should: 1. Be tailored to the objectives, priorities and the context of the organization 2. Be short, clear and valuable 3. Not include confidential information 4. Be approved by executive management 5. Be easily accessible (website / internal portal / meeting rooms) 6. Be reviewed on a regular basis 13
14 2. Purpose limitation Why are we processing? Personal data shall be: b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’) • We must be clear about our purposes. • We need to record our purposes as part of our documentation obligations and specify them in our privacy information for individuals. • We can only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law. • + Data protection by design and by default
15 3. Data minimisation and proportionality What exactly do we need for our purpose? Personal data shall be: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) We must ensure the personal data we are processing is: • Adequate – sufficient to properly fulfil our stated purpose; • Relevant – has a rational link to that purpose; and • Limited to what is necessary – we do not hold more than we need for that purpose. + Data protection by design and by default
16 4. Accuracy Making sure that the data is correct Personal data shall be: d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) • We should take all reasonable steps to ensure the personal data we hold is not incorrect. • We may need to keep the personal data updated, although this will depend on what we are using it for. • If we discover that personal data is incorrect or misleading, we must take reasonable steps to correct or erase it as soon as possible. • +Right to rectification
17 5. Data retention (storage limitation) How long will we keep the data? Personal data shall be: e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); • We must not keep personal data for longer than we need it. • We need to think about – and be able to justify – how long we keep personal data. This will depend on our purposes for holding the data. • We need a data retention policy. • We should also periodically review the data we hold, and erase or anonymise it when we no longer need it. • +Right to be forgotten
18 6. Data security (integrity and confidentiality) How can we keep the data safe against the risk of interference? Personal data shall be: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). • We must ensure that we have appropriate security measures in place to protect the personal data we hold.
19 Art. 32 GDPR Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: • the pseudonymisation and encryption of personal data; • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
20 ISO 27001: ISMS + information security controls
21 7. Accountability Accountability Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (security) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [6 principles] (‘accountability’)
22 • Accountability is directly addressed to the controller (either public or private entity). • The controller is responsible for ensuring compliance with data protection principles and obligations as stipulated in the GDPR and to be able to demonstrate compliance both to individuals and to the DPA on an ongoing basis. • The principle of accountability requires documenting compliance and being able to provide such documentation upon request to the competent DPA (concept of proactive and demonstrable compliance).
23 7 principles GDPR sets out seven key principles: 1. Lawfulness, fairness and transparency 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality (security) 7. Accountability ICO UK: ”These principles should lie at the heart of our approach to processing personal data.”
24 One more recommendation: Focus on the principles during assessments 1. Gap analysis 2. DPIA / PIA 3. Internal audit 4. Management Review
25 Thanks, and good luck! www.linkedin.com/in/andreyprozorov www.patreon.com/AndreyProzorov My Privacy Implementation Toolkit - www.patreon.com/posts/privacy-toolkit-66191153

Recommended

GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
Vuzion
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
StephenGwadi
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
John Macasio
 
Privacy by Design: legal perspective
Privacy by Design: legal perspectivePrivacy by Design: legal perspective
Privacy by Design: legal perspective
Dr. Mira Suleimenova, CIPPe
 
Ichec & ESC gdpr feb 2020
Ichec & ESC gdpr feb 2020Ichec & ESC gdpr feb 2020
Ichec & ESC gdpr feb 2020
Prof. Jacques Folon (Ph.D)
 
Information Quality And Data Protection
Information Quality And Data ProtectionInformation Quality And Data Protection
Information Quality And Data Protection
Castlebridge Associates
 

Recommended

GDPR and Security.pdf
GDPR and Security.pdfGDPR and Security.pdf
GDPR and Security.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Privacy_Engineering_Privacy Assurance_Lecture-Ecole_Polytechnic_Nice_SA-20150127
Frank Dawson
 
Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event Vuzion Love Cloud GDPR Event
Vuzion Love Cloud GDPR Event
Vuzion
 
week 7.pptx
week 7.pptxweek 7.pptx
week 7.pptx
StephenGwadi
 
Data Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data SubjectData Privacy Protection Competrency Guide by a Data Subject
Data Privacy Protection Competrency Guide by a Data Subject
John Macasio
 
Privacy by Design: legal perspective
Privacy by Design: legal perspectivePrivacy by Design: legal perspective
Privacy by Design: legal perspective
Dr. Mira Suleimenova, CIPPe
 
Ichec & ESC gdpr feb 2020
Ichec & ESC gdpr feb 2020Ichec & ESC gdpr feb 2020
Ichec & ESC gdpr feb 2020
Prof. Jacques Folon (Ph.D)
 
Information Quality And Data Protection
Information Quality And Data ProtectionInformation Quality And Data Protection
Information Quality And Data Protection
Castlebridge Associates
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
Ernest Staats
 
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptxETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
urvashipundir04
 
ALTOUR GDPR Compliance Statement v4
ALTOUR GDPR Compliance Statement v4ALTOUR GDPR Compliance Statement v4
ALTOUR GDPR Compliance Statement v4
Altour
 
Compliance poster
Compliance posterCompliance poster
Compliance poster
Rui Gomes
 
Tech Matrix 20080523
Tech Matrix 20080523Tech Matrix 20080523
Tech Matrix 20080523
samsontamwaiho
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by Qualsys
Qualsys Ltd
 
GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
Cobweb
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
- Mark - Fullbright
 
Esc gdpr oct 2018
Esc gdpr oct 2018Esc gdpr oct 2018
Esc gdpr oct 2018
Prof. Jacques Folon (Ph.D)
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPR
Nupur Samaddar
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
Ulf Mattsson
 
#CyberSafeLambeth
#CyberSafeLambeth#CyberSafeLambeth
#CyberSafeLambeth
The Integrate Agency CIC
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
Harrison Clark Rickerbys
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
DAMA Ireland
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
Harrison Clark Rickerbys
 
My presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPRMy presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPR
zayadeen2003
 
Lecture 6 data protection and access to client records
Lecture 6 data protection and access to client recordsLecture 6 data protection and access to client records
Lecture 6 data protection and access to client records
Newham College University Centre Stratford Newham
 
IT6701 Information Management Unit - V
IT6701 Information Management Unit - VIT6701 Information Management Unit - V
IT6701 Information Management Unit - V
pkaviya
 
Legal and ethical considerations for sharing research data
Legal and ethical considerations for sharing research dataLegal and ethical considerations for sharing research data
Legal and ethical considerations for sharing research data
OpenAIRE
 
Data privacy & social media
Data privacy & social mediaData privacy & social media
Data privacy & social media
Prof. Jacques Folon (Ph.D)
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
pr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdfpr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 

More Related Content

Similar to pr Privacy Principles 230405 small.pdf

Compliance poster
Compliance posterCompliance poster
Compliance poster
Rui Gomes
 
#CyberSafeLambeth
#CyberSafeLambeth#CyberSafeLambeth
#CyberSafeLambeth
The Integrate Agency CIC
 

Similar to pr Privacy Principles 230405 small.pdf (20)

GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptxETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
ETHICAL ISSUES RELATED TO DATA COLLECTION.pptx
 
ALTOUR GDPR Compliance Statement v4
ALTOUR GDPR Compliance Statement v4ALTOUR GDPR Compliance Statement v4
ALTOUR GDPR Compliance Statement v4
 
Compliance poster
Compliance posterCompliance poster
Compliance poster
 
Tech Matrix 20080523
Tech Matrix 20080523Tech Matrix 20080523
Tech Matrix 20080523
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials by QualsysGDPR: Training Materials by Qualsys
GDPR: Training Materials by Qualsys
 
GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
 
Security Industry Association Privacy Framework
Security Industry Association Privacy FrameworkSecurity Industry Association Privacy Framework
Security Industry Association Privacy Framework
 
Esc gdpr oct 2018
Esc gdpr oct 2018Esc gdpr oct 2018
Esc gdpr oct 2018
 
General Data Protection Regulation or GDPR
General Data Protection Regulation or GDPRGeneral Data Protection Regulation or GDPR
General Data Protection Regulation or GDPR
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
#CyberSafeLambeth
#CyberSafeLambeth#CyberSafeLambeth
#CyberSafeLambeth
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
 
My presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPRMy presentation- Ala about privacy and GDPR
My presentation- Ala about privacy and GDPR
 
Lecture 6 data protection and access to client records
Lecture 6 data protection and access to client recordsLecture 6 data protection and access to client records
Lecture 6 data protection and access to client records
 
IT6701 Information Management Unit - V
IT6701 Information Management Unit - VIT6701 Information Management Unit - V
IT6701 Information Management Unit - V
 
Legal and ethical considerations for sharing research data
Legal and ethical considerations for sharing research dataLegal and ethical considerations for sharing research data
Legal and ethical considerations for sharing research data
 
Data privacy & social media
Data privacy & social mediaData privacy & social media
Data privacy & social media
 

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001

More from Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001 (20)

NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?NIST Cybersecurity Framework (CSF) 2.0: What has changed?
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
 
pr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdfpr ISMS Documented Information (lite).pdf
pr ISMS Documented Information (lite).pdf
 
ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)ISO Survey 2022: ISO 27001 certificates (ISMS)
ISO Survey 2022: ISO 27001 certificates (ISMS)
 
12 Best Privacy Frameworks
12 Best Privacy Frameworks12 Best Privacy Frameworks
12 Best Privacy Frameworks
 
Cybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdfCybersecurity Frameworks for DMZCON23 230905.pdf
Cybersecurity Frameworks for DMZCON23 230905.pdf
 
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal PurposesMy 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
My 15 Years of Experience in Using Mind Maps for Business and Personal Purposes
 
From NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdfFrom NIST CSF 1.1 to 2.0.pdf
From NIST CSF 1.1 to 2.0.pdf
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
 
ISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdfISO 27001 How to accelerate the implementation.pdf
ISO 27001 How to accelerate the implementation.pdf
 
How to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdfHow to use ChatGPT for an ISMS implementation.pdf
How to use ChatGPT for an ISMS implementation.pdf
 
ISO 27001:2022 Introduction
ISO 27001:2022 IntroductionISO 27001:2022 Introduction
ISO 27001:2022 Introduction
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
ISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdfISO 27001:2022 What has changed.pdf
ISO 27001:2022 What has changed.pdf
 
ISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdfISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdf
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdfAll about a DPIA by Andrey Prozorov 2.0, 220518.pdf
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
 
Supply management 1.1.pdf
Supply management 1.1.pdfSupply management 1.1.pdf
Supply management 1.1.pdf
 
Employee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdfEmployee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdf
 
GDPR RACI.pdf
GDPR RACI.pdfGDPR RACI.pdf
GDPR RACI.pdf
 
GDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdfGDPR and Personal Data Transfers 1.1.pdf
GDPR and Personal Data Transfers 1.1.pdf
 

Recently uploaded

一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
e9733fc35af6
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
Fir La
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
Airst S
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
ss
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
irst
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
F La
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
e9733fc35af6
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
JosephCanama
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
CssSpamx
 

Recently uploaded (20)

Career As Legal Reporters for Law Students
Career As Legal Reporters for Law StudentsCareer As Legal Reporters for Law Students
Career As Legal Reporters for Law Students
 
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
一比一原版(纽大毕业证书)美国纽约大学毕业证如何办理
 
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
一比一原版(IC毕业证书)帝国理工学院毕业证如何办理
 
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam TakersPhilippine FIRE CODE REVIEWER for Architecture Board Exam Takers
Philippine FIRE CODE REVIEWER for Architecture Board Exam Takers
 
一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理一比一原版伦敦南岸大学毕业证如何办理
一比一原版伦敦南岸大学毕业证如何办理
 
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
一比一原版(RMIT毕业证书)皇家墨尔本理工大学毕业证如何办理
 
5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf5-6-24 David Kennedy Article Law 360.pdf
5-6-24 David Kennedy Article Law 360.pdf
 
CASE STYDY Lalman Shukla v Gauri Dutt BY MUKUL TYAGI.pptx
CASE STYDY Lalman Shukla v Gauri Dutt BY MUKUL TYAGI.pptxCASE STYDY Lalman Shukla v Gauri Dutt BY MUKUL TYAGI.pptx
CASE STYDY Lalman Shukla v Gauri Dutt BY MUKUL TYAGI.pptx
 
一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书一比一原版(USC毕业证书)南加州大学毕业证学位证书
一比一原版(USC毕业证书)南加州大学毕业证学位证书
 
Mischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutesMischief Rule of Interpretation of statutes
Mischief Rule of Interpretation of statutes
 
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
一比一原版(TheAuckland毕业证书)新西兰奥克兰大学毕业证如何办理
 
Chambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&AChambers Global Practice Guide - Canada M&A
Chambers Global Practice Guide - Canada M&A
 
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation StrategySmarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
Smarp Snapshot 210 -- Google's Social Media Ad Fraud & Disinformation Strategy
 
一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理一比一原版悉尼科技大学毕业证如何办理
一比一原版悉尼科技大学毕业证如何办理
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
Common Legal Risks in Hiring and Firing Practices.pdf
Common Legal Risks in Hiring and Firing Practices.pdfCommon Legal Risks in Hiring and Firing Practices.pdf
Common Legal Risks in Hiring and Firing Practices.pdf
 
ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.ARTICLE 370 PDF about the indian constitution.
ARTICLE 370 PDF about the indian constitution.
 
The Main Procedures for a Divorce in Greece
The Main Procedures for a Divorce in GreeceThe Main Procedures for a Divorce in Greece
The Main Procedures for a Divorce in Greece
 
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSSASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
ASMA JILANI EXPLAINED CASE PLD 1972 FOR CSS
 
Navigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptxNavigating Employment Law - Term Project.pptx
Navigating Employment Law - Term Project.pptx
 

pr Privacy Principles 230405 small.pdf

  • 1. 1 Privacy Principles Andrey Prozorov, CISM, CIPP/E, CDPSE, LA 27001 www.patreon.com/AndreyProzorov 1.0, 05.04.2023
  • 3. Privacy principles: a set of shared values governing the privacy protection of personally identifiable information (PII) when processed in information and communication technology systems ISO/IEC 29100:2011 Privacy framework 3
  • 4. Privacy principles should be used to guide the design, development, and implementation of privacy policies and privacy controls. Additionally, they can be used as a baseline in the monitoring and measurement of performance, benchmarking and auditing aspects of privacy management programs in an organization. ISO/IEC 29100:2011 Privacy framework 4
  • 5. 5
  • 6. 1. GDPR: Principles relating to processing of personal data - https://eur-lex.europa.eu/eli/reg/2016/679/oj and https://ico.org.uk/for- organisations/guide-to-data-protection/guide-to-the-general-data-protection- regulation-gdpr 2. The privacy principles of ISO/IEC 29100 - https://www.iso.org/standard/45123.html 3. Fair Information Practice Principles (FIPPs) - https://iapp.org/resources/article/fair-information-practices 4. APEC Information Privacy Principles - https://www.apec.org/publications/2017/08/apec-privacy-framework-(2015) 5. PIPEDA’s 10 fair information principles - https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal- information-protection-and-electronic-documents-act-pipeda/p_principle 6. The SCF Privacy Management Principle - https://www.securecontrolsframework.com/privacy-management-principles 7. The Australian Privacy Principles (APPs) - https://www.oaic.gov.au/privacy/australian-privacy-principles/read-the- australian-privacy-principles 8. OECD Privacy Principles - http://oecdprivacy.org 9. Privacy implementation toolkit (all mindmaps) - https://www.patreon.com/posts/privacy-toolkit-66191153 External links 6
  • 7. 7
  • 8. 8
  • 9. “Compliance with the spirit of these key principles is a fundamental building block for good data protection practice.” - ICO UK 9
  • 10. 10 1. Lawfulness, fairness and transparency Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’) • We must identify ‘lawful basis’ for collecting and using personal data (GDPR: Consent, Contract, Legal obligation, Vital interests, Public task, Legitimate interests). • We must use personal data in a way that is fair. This means we must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. • We must be clear, open and honest with people from the start about how we will use their personal data. ‘Right to be informed’
  • 11. 11 Right to be informed • Individuals have the right to be informed about the collection and use of their personal data. • We must provide individuals with information including: our purposes for processing their personal data, our retention periods for that personal data, and who it will be shared with. - ”privacy information” • We must provide privacy information to individuals at the time we collect their personal data from them. • The information we provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language. • Getting the right to be informed can help us to build trust with data subjects.
  • 13. The Policy shall: 1. Be available as documented information 2. Be communicated within the organization 3. Be available to interested parties, as appropriate The Policy should: 1. Be tailored to the objectives, priorities and the context of the organization 2. Be short, clear and valuable 3. Not include confidential information 4. Be approved by executive management 5. Be easily accessible (website / internal portal / meeting rooms) 6. Be reviewed on a regular basis 13
  • 14. 14 2. Purpose limitation Why are we processing? Personal data shall be: b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’) • We must be clear about our purposes. • We need to record our purposes as part of our documentation obligations and specify them in our privacy information for individuals. • We can only use the personal data for a new purpose if either this is compatible with our original purpose, we get consent, or we have a clear obligation or function set out in law. • + Data protection by design and by default
  • 15. 15 3. Data minimisation and proportionality What exactly do we need for our purpose? Personal data shall be: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’) We must ensure the personal data we are processing is: • Adequate – sufficient to properly fulfil our stated purpose; • Relevant – has a rational link to that purpose; and • Limited to what is necessary – we do not hold more than we need for that purpose. + Data protection by design and by default
  • 16. 16 4. Accuracy Making sure that the data is correct Personal data shall be: d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) • We should take all reasonable steps to ensure the personal data we hold is not incorrect. • We may need to keep the personal data updated, although this will depend on what we are using it for. • If we discover that personal data is incorrect or misleading, we must take reasonable steps to correct or erase it as soon as possible. • +Right to rectification
  • 17. 17 5. Data retention (storage limitation) How long will we keep the data? Personal data shall be: e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); • We must not keep personal data for longer than we need it. • We need to think about – and be able to justify – how long we keep personal data. This will depend on our purposes for holding the data. • We need a data retention policy. • We should also periodically review the data we hold, and erase or anonymise it when we no longer need it. • +Right to be forgotten
  • 18. 18 6. Data security (integrity and confidentiality) How can we keep the data safe against the risk of interference? Personal data shall be: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). • We must ensure that we have appropriate security measures in place to protect the personal data we hold.
  • 19. 19 Art. 32 GDPR Security of processing 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: • the pseudonymisation and encryption of personal data; • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • 21. 21 7. Accountability Accountability Lawfulness, fairness and transparency Purpose limitation Data minimisation Accuracy Storage limitation Integrity and confidentiality (security) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [6 principles] (‘accountability’)
  • 22. 22 • Accountability is directly addressed to the controller (either public or private entity). • The controller is responsible for ensuring compliance with data protection principles and obligations as stipulated in the GDPR and to be able to demonstrate compliance both to individuals and to the DPA on an ongoing basis. • The principle of accountability requires documenting compliance and being able to provide such documentation upon request to the competent DPA (concept of proactive and demonstrable compliance).
  • 23. 23 7 principles GDPR sets out seven key principles: 1. Lawfulness, fairness and transparency 2. Purpose limitation 3. Data minimisation 4. Accuracy 5. Storage limitation 6. Integrity and confidentiality (security) 7. Accountability ICO UK: ”These principles should lie at the heart of our approach to processing personal data.”
  • 24. 24 One more recommendation: Focus on the principles during assessments 1. Gap analysis 2. DPIA / PIA 3. Internal audit 4. Management Review
  • 25. 25 Thanks, and good luck! www.linkedin.com/in/andreyprozorov www.patreon.com/AndreyProzorov My Privacy Implementation Toolkit - www.patreon.com/posts/privacy-toolkit-66191153