This webinar covers:
- The GDPR’s impact and the benefits of conducting a DPIA
- The legal requirements for a DPIA under the GDPR
- High-risk DPIAs and prior consultation with the supervisory authority
- DPIAs and their links to an organisation’s risk management framework
- The practical steps to conduct a DPIA
You can watch the webinar here https://www.youtube.com/watch?v=fm9Ysg4LUQg&t=640s
The GDPR and its requirements for implementing data protection impact assessments (DPIAs)
1. The GDPR and its requirements for implementing data protection impact assessments (DPIAs)
Presented by: Alan Calder, founder and executive chairman, IT Governance
7 September 2017
2. Introduction
Copyright IT Governance Ltd 2017 – v1.1
www.itgovernance.co.uk
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
• www.itgovernance.co.uk
3. IT Governance Ltd: GRC one-stop shop
All verticals, sectors and all organisational sizes
4. Agenda
• The GDPR’s impact and the benefits of conducting a DPIA
• The legal requirements for a DPIA under the GDPR
• High-risk DPIAs and prior consultation with the supervisory authority
• DPIAs and their links to an organisation’s risk management framework
• The practical steps to conduct a DPIA
6. The GDPR’s impact
• UK organisations that process personal data only have a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016: Council of the European Union adopted the GDPR
• 12 April 2016: The GDPR was adopted by the European Parliament
• 4 May 2016: The official text of the Regulation was published in the Official Journal of the EU
• 24 May 2016: The Regulation entered into force
• 25 May 2018: The GDPR will apply
7. Material and territorial scope
Natural person = a living individual
• Natural persons have rights associated with:
– The protection of personal data
– The processing of personal data
– The unrestricted movement of personal data within the EU
• In material scope:
– Personal data that is processed wholly or partly by automated means;
– Personal data that is part of a filing system, or intended to be.
The Regulation applies to controllers and processors in the EU, irrespective of where processing takes place.
It applies to controllers outside the EU that provide services into the EU.
8. Penalties: administrative fines
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
• €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year.
9. Key terms
Article 35: Data protection impact assessments help identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.
• A DPIA is a process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system.
• It analyses how a particular project or system will affect the privacy and rights of the data subjects involved.
10. The benefits of a DPIA: TRANSPARENCY
Helps individuals understand how and why their information is being used.
It addresses:
Principle 1 – Fair and lawful processing
Principle 2 – Purpose limitation
Improve how you use information.
11. The benefits of a DPIA: TRUST
Publish your DPIA to build TRUST.
Applies to all GDPR principles, particularly principle 6 – Security.
12. The benefits of a DPIA: FINANCIAL
Identifying a problem early will generally require a simpler and less costly solution.
Minimise the amount of information you collect.
It applies to principle 3 – Data minimisation.
13. The benefits of a DPIA: AWARENESS
Increase awareness of privacy and data protection issues within your organisation.
14. The benefits of a DPIA: COMPLIANCE
Comply with your GDPR obligations.
15. The benefits of a DPIA: ASSURANCE
Individuals will be reassured that your project has followed best practice.
17. Legal requirements for a DPIA
Article 35: Data protection impact assessment
• A DPIA is required:
– Where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
• A DPIA is particularly required in the case of:
– Automated processing, including profiling, and on which decisions are based that produce legal effects concerning natural persons;
– Large-scale processing of special categories of data or of personal data relating to criminal convictions;
– A systematic monitoring of a publicly accessible area on a large scale.
The controller shall seek the advice of the DPO.
The supervisory authority is to publish a list of operations that require a DPIA.
18. Legal requirements for a DPIA
A DPIA will set out as a minimum:
• a systematic description of the processing and purposes;
• legitimate interests (where applicable) pursued by the controller;
• an assessment of the necessity and proportionality of the processing;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks, including all safeguards and security measures to protect data and to demonstrate compliance;
• where appropriate, consultation of the data subjects.
Compliance with approved codes of conduct should be taken into account.
19. Legal requirements for a DPIA: is a full DPIA required?
Not all projects will require the same level of analysis.
• If the outcome of the screening is that a standard DPIA is not required, it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, it will still be useful to retain a record of the answers so they can be referred to in future if necessary.
21. What is risk?
• The effect of uncertainty on objectives (ISO 31000 etc.).
• A combination of the likelihood of an incident occurring and the impact, if it does occur, on the organisation.
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
• Risk can be good or bad.
22. Privacy risk and what it means
Risks to individuals: the potential for damage or distress.
Risks to the organisation: financial and/or reputational impact of a data breach.
Privacy risk should already be on the CORPORATE RISK REGISTER.
23. Examples of privacy risk
Data that is:
• Inaccurate, insufficient or out-of-date
• Kept for too long
• Excessive or irrelevant
• Disclosed to the wrong people
• Insecurely transmitted or stored
• Used in ways that are unacceptable or unexpected
24. Examples of where you might use a DPIA
• A new IT system for storing and accessing personal data.
• A data sharing initiative.
• An unexpected or more intrusive purpose.
• Monitoring members of the public.
• A database that consolidates information held by separate parts of an organisation.
25. Risk treatment
What actions address the risks?
Reduce the impact to an acceptable level.
26. Prior consultation
Article 36: Prior consultation
• The controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”:
– The supervisory authority shall provide written advice to the controller
– The supervisory authority may request the controller to provide further information:
– Information on purposes and means
– Information on measures and safeguards
– The contact details of the DPO
– A copy of the data protection impact assessment
– Any other information requested
27. DPIAs and their links to an organisation’s risk management framework
28. The GDPR and risk management frameworks
Article 32: “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
KEY AREAS:
– Information/cyber security management systems (e.g. ISO 27001)
– Business continuity management systems (e.g. ISO 22301)
– Personal information management systems (e.g. BS 10012)
Certifications do not remove or reduce accountability for data protection – but they will demonstrate non-negligence in approaching the Article 32 requirement.
29. The GDPR and risk management frameworks
• Article 32: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
• “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
• “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Article 24-1)
The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: Network and Information Security Directive and Government Cyber Security Strategy
31. The practical steps to conduct a DPIA
STEP 1: Identify the need for a DPIA
32. The practical steps to conduct a DPIA
STEP 2: Describe the information flow
33. The practical steps to conduct a DPIA
STEP 3: Identify privacy and related risks
34. The practical steps to conduct a DPIA
STEP 4: Identify and evaluate privacy solutions
35. The practical steps to conduct a DPIA
STEP 5: Sign-off and record outcome
36. The practical steps to conduct a DPIA
STEP 6: Integrate the outcomes into the project plan
37. The practical steps to conduct a DPIA
STEP 7: Monitor and evaluate; feed lessons learned back into the process
NB: Consult with stakeholders as needed, before, during and after.
39. IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning)
www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom)
www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
40. IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis
Our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit
Data mapping involves plotting out all of your data flows, which involves drawing up an extensive inventory of the data to understand where the data flows from, within and to. This type of analysis is a key requirement of the GDPR.
• Data Protection Officer (DPO) as a Service
Outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
• Implementing a personal information management system (PIMS)
Establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001
We offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check
The two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.