Documentation Strategy for GDPR
- Identify which control items fit and relate to GDPR
- Edit, add or modify the related documents or regulations
- Draft the GDPR policy by referring back to the existing or edited documents
For example:
- Privacy and Personal Data Protection
- Draft the table of contents
- Refer the table back to existing controls (regulations, rules)
3. Principles
1. Documented policy
2. Minimize the data collected
3. Do not retain data beyond its purpose
4. Data subjects own their data
5. Breach notification
   Must notify the data protection authorities within 72 hours once a personal data breach is discovered
   Notify the individuals (data subjects) if there is a high risk to their rights
6. Provable records available when legally requested
2/8/2018eugeneleework@gmail.com 3
4. Lessons of GDPR
• Key elements of GDPR
• Risk assessment (DPIA)
• Documenting IT procedures
• Data classification and minimal data lifetime
• Monitoring and automation
• Extraterritoriality
• The new law extends outside the EU, even where there is no physical presence in the EU
• Especially e-commerce and cloud-based companies
5. Data Protection Officer (DPO)
• Responsible for
• Acting as point of contact (depending on conditions)
• Creating access controls
• Reducing risk
• Ensuring compliance
• Responding to requests
• Reporting breaches within 72 hours
• Creating a strong data security policy
6. Quick Start Mapping – Core Elements
• Data classification
• Define information levels
• Metadata
• When it was collected, why it was collected and its purpose
• Governance
• GDPR security policies (personal data)
• Roles and privileges per system (authorization and permission)
• ACL policy: who can access which files, with access limited to those who need it
• Monitoring
• Unusual access patterns against files containing personal data
7. Quick Start Mapping – Doc. Plan
• Documentation Strategy for GDPR
• Identify which control items fit and relate to GDPR
• Edit, add or modify the related documents or regulations
• Draft the GDPR policy by referring back to the existing or edited documents
• Example:
1. Privacy and Personal Data Protection
2. Draft the table of contents
3. Refer the table back to existing controls (regulations, rules)
8. Quick Start Mapping – cont.
Key Scope | GDPR (requirement / systems) | ISO 27001 (clauses / Annex A controls)
Guidance and Strategy | Protection policy | Clauses 4, 5, 6; A.5 and the policies it refers to
Classification | Data classification, metadata, minimize data collected; systems: HR, CRM, Project | A.8.1, A.8.2 (data classification); A.7, A.8, A.14, A.15
Governance | ACL on systems; systems: HRMS and any system which stores personal information | A.6.1, A.8.1, A.8.3, A.9, A.10, A.11, A.12, A.18.1.3, A.18.1.4
Monitoring | Provable logs on systems, monitoring system, syslog | Clauses 6, 10; A.8.3, A.9, A.11.1, A.12.4, A.16
9. Quick Start Mapping – cont.
Key Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
New Role | DPO | | A.6.1
Extraterritoriality (EU to US, Privacy Shield) | HRMS, Salesforce, CRM; Privacy Shield Framework | Article 3 | A.7, A.13.2, A.18
Violations of basic principles related to data security | | Article 5 | Clauses 5, 6, 7; A.5, A.6, A.7, A.13, A.16, A.18
Violations of the core Privacy by Design concepts | | Article 7 | Clauses 5, 6, 7; A.5, A.6, A.7, A.13, A.16, A.18
10. Quick Start Mapping – cont.
Domain or Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
Right to Erasure and to be forgotten | Able to discover and target specific data whenever intending to remove it; data subjects can request erasure of the data held by companies at any time; data processors have to erase all of it whenever asked; systems: HRMS, Salesforce, CRM | Article 17 | Clause 6.1.2; A.7, A.8, A.12.3, A.14.1.1, A.16
11. Quick Start Mapping – cont.
Domain or Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
Data Protection by Design and by Default | Accountability and automation | Article 25 | Clauses 6.1.2, 6.1.3, 7.5.3, 9.1; A.6.1.5, A.7, A.8, A.12.3, A.14.1.1, A.16
Records of Processing Activities (not having records in order: 2% of global revenue) | Organizational measures to process personal data | Article 30 | Clauses 6, 7, 8; A.8, A.12.3, A.16, A.18
12. Quick Start Mapping – cont.
Domain or Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
Security of Processing | Least privilege access; accountability by the data subject (the owner = the individual); able to provide measurement reports on policies and processes | Article 32 | Clauses 8.2, 8.3; A.9, A.10, A.11, A.13, A.16, A.15
13. Quick Start Mapping – cont.
Domain or Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
Notification of personal data breach to the supervisory authority | Prevent and alert on data breach activity; incident response plan | Article 33 | A.16, A.18.1.4
14. Quick Start Mapping – cont.
Domain or Scope | Notes / systems | GDPR | ISO 27001 (clauses / Annex A controls)
Not notifying the supervisory authority and the data subject about a breach | | Article 34 | A.16, A.18.1.4
Not conducting impact assessments | Data Protection Impact Assessment; quantify data protection risk profiles | Article 35 | Clause 6.1.2; A.6.1.3, A.8.2.1