The GDPR and its requirements for implementing data protection impact assessments (DPIAs)
Presented by: Alan Calder, founder and executive chairman, IT Governance
7 September 2017
Copyright IT Governance Ltd 2017 – v1.1
www.itgovernance.co.uk
Introduction
• Alan Calder
• Founder of IT Governance
• The single source for IT governance, cyber risk management and IT compliance
• IT Governance: An International Guide to Data Security and ISO 27001/ISO 27002, 6th edition (Open University textbook)
• www.itgovernance.co.uk
IT Governance Ltd: GRC one-stop shop
All verticals, sectors and all organisational sizes.
Agenda
• The GDPR’s impact and the benefits of conducting a DPIA
• The legal requirements for a DPIA under the GDPR
• High-risk DPIAs and prior consultation with the supervisory authority
• DPIAs and their links to an organisation’s risk management framework
• The practical steps to conduct a DPIA
The GDPR’s impact and the benefits of conducting a DPIA
The GDPR’s impact
• UK organisations that process personal data only have a short time to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data, and to adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
• 8 April 2016: the Council of the European Union adopted the GDPR.
• 14 April 2016: the GDPR was adopted by the European Parliament.
• 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU.
• 24 May 2016: the Regulation entered into force.
• 25 May 2018: the GDPR applies; the two-year transition period ends.
Material and territorial scope
Natural person = a living individual.
• Natural persons have rights associated with:
– the protection of personal data;
– the processing of personal data;
– the free movement of personal data within the EU.
In material scope (Article 2):
– personal data that is processed wholly or partly by automated means;
– personal data that forms part of a filing system, or is intended to.
Territorial scope (Article 3):
• The Regulation applies to controllers and processors established in the EU, irrespective of where the processing itself takes place.
• It also applies to controllers and processors outside the EU that offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects within the EU.
Penalties
Administrative fines (Article 83)
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the controller and processor obligations in Articles 25 to 39, which include the DPIA (Article 35) and prior consultation (Article 36) requirements.
• Up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. This tier covers the basic principles of processing, data subjects’ rights, international transfers and non-compliance with an order of the supervisory authority.
Key terms
Article 35 introduces the data protection impact assessment. A DPIA helps identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate the identified risks.
• A process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated early and maintained throughout the development and implementation of a project or system.
• It analyses how a particular project or system will affect the privacy and rights of the data subjects involved.
The benefits of a DPIA: TRANSPARENCY
Helps individuals understand how and why their information is being used.
It addresses:
• Principle 1 – Lawfulness, fairness and transparency
• Principle 2 – Purpose limitation
Improve how you use information.
The benefits of a DPIA: TRUST
Publish your DPIA to build TRUST.
Applies to all GDPR principles, particularly principle 6 – Integrity and confidentiality (security).
The benefits of a DPIA: FINANCIAL
Identifying a problem early will generally require a simpler and less costly solution.
Minimise the amount of information you collect.
It applies to principle 3 – Data minimisation.
The benefits of a DPIA: AWARENESS
Increase awareness of privacy and data protection issues within your organisation.
The benefits of a DPIA: COMPLIANCE
Comply with your GDPR obligations.
The benefits of a DPIA: ASSURANCE
Individuals will be reassured that your project has followed best practice.
The legal requirements for a DPIA under the GDPR
Legal requirements for a DPIA
Article 35: Data protection impact assessment
• A DPIA is required (Article 35(1)):
– where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
• A DPIA is required in particular in the case of (Article 35(3)):
– a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons or similarly significantly affect them;
– large-scale processing of special categories of data (Article 9) or of personal data relating to criminal convictions and offences (Article 10);
– systematic monitoring of a publicly accessible area on a large scale.
• The controller shall seek the advice of the DPO, where one has been designated (Article 35(2)).
• The supervisory authority shall publish a list of the kinds of processing operations that require a DPIA, and may publish a list of those that do not (Article 35(4) and (5)).
Legal requirements for a DPIA
A DPIA will set out as a minimum (Article 35(7)):
• a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
• an assessment of the necessity and proportionality of the processing in relation to the purposes;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks, including safeguards, security measures and mechanisms to protect personal data and to demonstrate compliance.
Compliance with approved codes of conduct (Article 40) shall be taken into account when assessing the impact of the processing (Article 35(8)).
Where appropriate, the controller shall seek the views of the data subjects or their representatives on the intended processing (Article 35(9)).
The controller shall review the DPIA where there is a change in the risk presented by the processing (Article 35(11)).
Legal requirements for a DPIA
Is a full DPIA required?
Not all projects will require the same level of analysis.
• If the outcome of the screening is that a standard DPIA is not required, then it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, it will still be useful to retain a record of the screening answers so they can be referred to in future if necessary.
High-risk DPIAs and prior consultation with the supervisory authority
What is risk?
• The effect of uncertainty on objectives (ISO 31000).
• A combination of the likelihood of an incident occurring and the impact, if it does occur, on the organisation.
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
• Risk can be positive or negative. Note that Article 35 is concerned with the risk to the rights and freedoms of the data subject, not only the risk to the organisation.
Privacy risk and what it means
• Risks to individuals: the potential for damage or distress.
• Risks to the organisation: the financial and/or reputational impact of a data breach.
Privacy risk should already be on the CORPORATE RISK REGISTER.
Examples of privacy risk
Data that is:
• inaccurate, insufficient or out of date;
• kept for too long;
• excessive or irrelevant;
• disclosed to the wrong people;
• insecurely transmitted or stored;
• used in ways that are unacceptable or unexpected.
Examples of where you might use a DPIA
• A new IT system for storing and accessing personal data.
• A data sharing initiative.
• An unexpected or more intrusive purpose.
• Monitoring members of the public.
• A database that consolidates information held by separate parts of an organisation.
Risk treatment
What actions address the risks?
• Reduce the likelihood and/or the impact of each identified risk to an acceptable level, and record the residual risk that remains after treatment.
• Where a high residual risk cannot be brought to an acceptable level, prior consultation with the supervisory authority under Article 36 applies.
Prior consultation
Article 36: Prior consultation
• The controller shall consult the supervisory authority prior to processing where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Article 36(1)), i.e. where a high residual risk remains after treatment.
• Where the supervisory authority is of the opinion that the intended processing would infringe the Regulation, it shall provide written advice to the controller within a period of up to eight weeks of the request, which may be extended by a further six weeks for complex processing (Article 36(2)).
• The controller shall provide the supervisory authority with (Article 36(3)):
– where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing;
– the purposes and means of the intended processing;
– the measures and safeguards provided to protect the rights and freedoms of data subjects;
– where applicable, the contact details of the DPO;
– a copy of the data protection impact assessment;
– any other information requested by the supervisory authority.
DPIAs and their links to an organisation’s risk management framework
The GDPR and risk management frameworks
Article 32(3): “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
KEY AREAS:
– Information/cyber security management systems (e.g. ISO 27001)
– Business continuity management systems (e.g. ISO 22301)
– Personal information management systems (e.g. BS 10012)
Certifications do not remove or reduce accountability for data protection, but they will demonstrate non-negligence in approaching the Article 32 requirement.
The GDPR and risk management frameworks
• Article 32(1): “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
• Article 32(2): “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
• Article 24(1): “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: Network and Information Security (NIS) Directive and the Government Cyber Security Strategy.
The practical steps to conduct a DPIA
The practical steps to conduct a DPIA
STEP 1: Identify the need for a DPIA.
STEP 2: Describe the information flow.
STEP 3: Identify privacy and related risks.
STEP 4: Identify and evaluate privacy solutions.
STEP 5: Sign off and record the outcome.
STEP 6: Integrate the outcomes into the project plan.
STEP 7: Monitor and evaluate; feed lessons learned back into the process.
NB: Consult with stakeholders as needed, before, during and after.
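The seven steps above, the risk-treatment slide and the Article 36 prior-consultation rule, as an added worked example that is not part of the original slides: it records a processing activity and its information flow, screens it against the Article 35(3) triggers, scores each risk as likelihood x impact before and after treatment, and decides whether a high residual risk forces prior consultation. The 1-5 scales, the high-risk threshold of 15, the default 4 x 4 score for an unencrypted hop and the sample recruitment system are assumptions made for illustration, not anything the slides or the Regulation prescribe.

```python
"""Worked DPIA record: screening (Step 1), information flow (Step 2), risk scoring
(Step 3), treatment (Step 4) and the Article 36 decision. Added example, not code
from the IT Governance slides. The 1-5 scales, the high-risk threshold of 15, the
default scores and the sample recruitment system are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

HIGH_RISK = 15  # assumed threshold on a likelihood (1-5) x impact (1-5) scale

@dataclass
class Flow:
    source: str       # one hop of the information flow (Step 2)
    destination: str
    channel: str      # e.g. "https", "sftp", "email"
    encrypted: bool

@dataclass
class Processing:
    name: str
    automated_decisions_legal_effect: bool = False   # Art. 35(3)(a)
    large_scale_special_category: bool = False       # Art. 35(3)(b)
    systematic_public_monitoring: bool = False       # Art. 35(3)(c)
    flows: List[Flow] = field(default_factory=list)

@dataclass
class Risk:
    description: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe) for the data subject
    treatment: str = ""   # Step 4: the privacy solution adopted, if any
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Score after treatment; an untreated risk keeps its inherent score."""
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

def article_35_triggers(p: Processing) -> List[str]:
    """Step 1: the Article 35(3) cases in which a DPIA is required in particular."""
    triggers = []
    if p.automated_decisions_legal_effect:
        triggers.append("Art. 35(3)(a): automated decisions with legal or similar effects")
    if p.large_scale_special_category:
        triggers.append("Art. 35(3)(b): large-scale special-category or criminal data")
    if p.systematic_public_monitoring:
        triggers.append("Art. 35(3)(c): large-scale monitoring of a public area")
    return triggers

def flow_risks(p: Processing) -> List[Risk]:
    """Step 3: every unencrypted hop in the flow is an 'insecurely transmitted'
    risk. The 4 x 4 inherent score is an assumed default for the assessor to revise."""
    return [Risk(f"Insecure transmission: {f.source} -> {f.destination} over {f.channel}", 4, 4)
            for f in p.flows if not f.encrypted]

def dpia_required(p: Processing, risks: List[Risk]) -> bool:
    """Screening: a listed trigger, or any inherent high risk, calls for a full DPIA."""
    return bool(article_35_triggers(p)) or any(r.inherent_score() >= HIGH_RISK for r in risks)

def prior_consultation_required(risks: List[Risk]) -> bool:
    """Article 36(1): consult the supervisory authority only if high risk remains
    after the controller's mitigating measures, i.e. judge the residual score."""
    return any(r.residual_score() >= HIGH_RISK for r in risks)

def dpia_record(p: Processing, risks: List[Risk]) -> dict:
    """Step 5: the outcome to sign off and record; re-run when the risk changes (Step 7)."""
    all_risks = risks + flow_risks(p)
    return {
        "processing": p.name,
        "triggers": article_35_triggers(p),
        "dpia_required": dpia_required(p, all_risks),
        "risks": [(r.description, r.inherent_score(), r.residual_score()) for r in all_risks],
        "prior_consultation_required": prior_consultation_required(all_risks),
    }

def sample_recruitment_system(treat_email_hop: bool):
    """Constructed sample: a CV-scoring tool that rejects applicants automatically.
    With treat_email_hop=False the scores still reach hiring managers by plain e-mail."""
    p = Processing(
        name="Automated CV screening", automated_decisions_legal_effect=True,
        flows=[Flow("applicant portal", "scoring service", "https", encrypted=True),
               Flow("scoring service", "hiring manager",
                    "https" if treat_email_hop else "email", encrypted=treat_email_hop)],
    )
    risks = [
        Risk("Automated rejection with no human review", 4, 5,
             treatment="Human review before any rejection", residual_likelihood=1),
        Risk("CVs kept for too long", 3, 3,
             treatment="Delete unsuccessful applications after six months", residual_likelihood=1),
    ]
    return p, risks
```

Calling dpia_record(*sample_recruitment_system(treat_email_hop=False)) returns a record with dpia_required True (the Article 35(3)(a) trigger fires) and prior_consultation_required True, because the untreated e-mail hop keeps a residual score of 16. With the hop moved to HTTPS the record holds only the two treated risks (residual scores 5 and 3) and no consultation is needed: the point of Article 36(1) is that it is the residual risk after the controller's measures that counts, so the treatment step decides whether the regulator must be involved.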
IT Governance: GDPR one-stop shop
Self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
IT Governance: GDPR one-stop shop
Training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
IT Governance: GDPR one-stop shop
GDPR consultancy
• Gap analysis: our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: data mapping involves plotting out all of your data flows, which means drawing up an extensive inventory of the data to understand where it flows from, within and to. This analysis underpins the Article 30 record of processing activities and the information-flow description in a DPIA.
• Data Protection Officer (DPO) as a Service: outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
• Implementing a personal information management system (PIMS): establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: we offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: the two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.
Questions?
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0IT Governance Ltd
 

More from IT Governance Ltd (18)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPR
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Recently uploaded

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaoncallgirls2057
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis UsageNeil Kimberley
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 

Recently uploaded (20)

NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City GurgaonCall Us 📲8800102216📞 Call Girls In DLF City Gurgaon
Call Us 📲8800102216📞 Call Girls In DLF City Gurgaon
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage2024 Numerator Consumer Study of Cannabis Usage
2024 Numerator Consumer Study of Cannabis Usage
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 

The GDPR and its requirements for implementing data protection impact assessments (DPIAs)

6. The GDPR’s impact
• UK organisations that process personal data have only a short time left to make sure that they are compliant.
• The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data and to adopt appropriate technical and organisational measures.
“This Regulation shall be binding in its entirety and directly applicable in all Member States.”
Final text of the Regulation: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679
Timeline:
– 8 April 2016: the Council of the European Union adopted the GDPR
– 14 April 2016: the GDPR was adopted by the European Parliament
– 4 May 2016: the official text of the Regulation was published in the Official Journal of the EU
– 24 May 2016: the Regulation entered into force
– 25 May 2018: the GDPR will apply
7. Material and territorial scope
Natural person = a living individual.
• Natural persons have rights associated with:
– the protection of personal data;
– the processing of personal data;
– the unrestricted movement of personal data within the EU.
• In material scope (Article 2):
– personal data that is processed wholly or partly by automated means;
– personal data that forms part of a filing system, or is intended to.
• Territorial scope (Article 3): the Regulation applies to processing in the context of the activities of a controller or processor established in the EU, irrespective of where the processing itself takes place. It also applies to controllers and processors outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU.
8. Penalties: administrative fines (Article 83)
• Administrative fines will, in each case, be effective, proportionate and dissuasive, and take account of the technical and organisational measures that have been implemented.
• Lower tier: up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
• Upper tier: up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
9. Key terms
Article 35: data protection impact assessments help identify and address risks at an early stage by analysing how the proposed uses of personal information and technology will work in practice, and proposing methods to mitigate identified risks.
• A DPIA is a process to identify and reduce the privacy risks of a project or a system.
• An effective DPIA should be initiated and maintained throughout the development and implementation of a project or system.
• It analyses how a particular project or system will affect the privacy and rights of the data subjects involved.
10. The benefits of a DPIA: TRANSPARENCY
• Helps individuals understand how and why their information is being used.
• Addresses:
– Principle 1 – lawfulness, fairness and transparency (Article 5(1)(a));
– Principle 2 – purpose limitation (Article 5(1)(b)).
• Improves how you use information.
11. The benefits of a DPIA: TRUST
• Publish your DPIA to build trust.
• Applies to all the GDPR principles, particularly principle 6 – integrity and confidentiality (security, Article 5(1)(f)).
12. The benefits of a DPIA: FINANCIAL
• Identifying a problem early will generally require a simpler and less costly solution.
• Minimise the amount of information you collect: this applies principle 3 – data minimisation (Article 5(1)(c)).
13. The benefits of a DPIA: AWARENESS
• Increases awareness of privacy and data protection issues within your organisation.
14. The benefits of a DPIA: COMPLIANCE
• Helps you comply with your GDPR obligations.
15. The benefits of a DPIA: ASSURANCE
• Individuals will be reassured that your project has followed best practice.
16. The legal requirements for a DPIA under the GDPR
17. Legal requirements for a DPIA
Article 35: data protection impact assessment
• A DPIA is required where processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1)).
• A DPIA is required in particular in the case of (Article 35(3)):
– a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects concerning natural persons or similarly significantly affect them;
– large-scale processing of special categories of data, or of personal data relating to criminal convictions and offences;
– systematic monitoring of a publicly accessible area on a large scale.
• The controller shall seek the advice of the DPO, where one has been designated (Article 35(2)).
• The supervisory authority shall establish and publish a list of the kinds of processing operations that require a DPIA (Article 35(4)).
18. Legal requirements for a DPIA
A DPIA will set out, as a minimum (Article 35(7)):
• a systematic description of the envisaged processing operations and their purposes, including, where applicable, the legitimate interests pursued by the controller;
• an assessment of the necessity and proportionality of the processing in relation to its purposes;
• an assessment of the risks to the rights and freedoms of the data subjects;
• the measures envisaged to address the risks, including all safeguards, security measures and mechanisms to protect personal data and to demonstrate compliance.
Compliance with approved codes of conduct should be taken into account when assessing the impact of the processing (Article 35(8)).
Where appropriate, seek the views of the data subjects or their representatives on the intended processing (Article 35(9)).
19. Legal requirements for a DPIA: is a full DPIA required?
• Not all projects will require the same level of analysis.
• If the outcome of the screening is that a standard DPIA is not required, it might still be useful to carry out a ‘light touch’ DPIA exercise.
• In any case, retain a record of the screening answers so that they can be referred to in future if necessary; they are also your evidence that the need for a DPIA was considered.
20. High-risk DPIAs and prior consultation with the supervisory authority
21. What is risk?
• The effect of uncertainty on objectives (ISO 31000).
• A combination of the likelihood of an incident occurring and the impact on the organisation if it does occur.
• A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action (businessdictionary.com).
• Risk can be good or bad: under the ISO 31000 definition the effect can be positive as well as negative.
22. Privacy risk and what it means
• Risks to individuals: the potential for damage or distress.
• Risks to the organisation: the financial and/or reputational impact of a data breach.
• Privacy risk should already be on the corporate risk register.
23. Examples of privacy risk
Data that is:
• inaccurate, insufficient or out of date;
• kept for too long;
• excessive or irrelevant;
• disclosed to the wrong people;
• insecurely transmitted or stored;
• used in ways that are unacceptable or unexpected.
24. Examples of where you might use a DPIA
• A new IT system for storing and accessing personal data.
• A data-sharing initiative.
• Using existing data for an unexpected or more intrusive purpose.
• Monitoring members of the public.
• A database that consolidates information held by separate parts of an organisation.
25. Risk treatment
• What actions address the risks?
• Reduce the likelihood and/or the impact until the residual risk is at an acceptable level.
26. Prior consultation
Article 36: prior consultation
• The controller shall consult the supervisory authority prior to processing where the DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk, that is, where a high risk to the rights and freedoms of the data subjects remains after treatment.
• Where the supervisory authority considers that the intended processing would infringe the Regulation, it shall provide written advice to the controller (within eight weeks of the request, extendable by a further six weeks) and may use any of its powers.
• When consulting, the controller shall provide the supervisory authority with:
– where applicable, the respective responsibilities of the controller, joint controllers and processors;
– the purposes and means of the intended processing;
– the measures and safeguards provided to protect the rights and freedoms of data subjects;
– the contact details of the DPO;
– a copy of the data protection impact assessment;
– any other information requested by the supervisory authority.
27. DPIAs and their links to an organisation’s risk management framework
28. The GDPR and risk management frameworks
Article 32(3): “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
Key areas:
– information/cyber security management systems (e.g. ISO 27001);
– business continuity management systems (e.g. ISO 22301);
– personal information management systems (e.g. BS 10012).
Certifications do not remove or reduce accountability for data protection, but they will demonstrate non-negligence in approaching the Article 32 requirement.
29. The GDPR and risk management frameworks
• Article 32(1): “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
• Article 32(2): “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
• Article 24(1): “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
• The DPO plays a key bridging role between corporate risk management, broader cyber security risk management and managing risks to personal data.
NB: see also the Network and Information Security (NIS) Directive and the UK Government’s Cyber Security Strategy.
30. The practical steps to conduct a DPIA
31–37. The practical steps to conduct a DPIA
Step 1 – Identify the need for a DPIA.
Step 2 – Describe the information flow.
Step 3 – Identify privacy and related risks.
Step 4 – Identify and evaluate privacy solutions.
Step 5 – Sign off and record the outcome.
Step 6 – Integrate the outcomes into the project plan.
Step 7 – Monitor and evaluate; feed lessons learned back into the process.
NB: consult with stakeholders as needed, before, during and after.
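To make the screening, scoring and consultation tests above concrete, here is an added Python example written for this page; it is not a tool from IT Governance or from the deck. It encodes the Article 35(3) triggers from slide 17 as screening questions (step 1), scores each register entry as likelihood × impact following the definition of risk on slide 21 (step 3), records the treatment from slide 25 as a residual score (step 4), and applies the Article 36 residual-high-risk test from slide 26 to decide whether prior consultation is needed before sign-off (step 5). The 1–5 scales, the risk-appetite and high-risk thresholds, and the car-park ANPR scenario with its four risks are all constructed assumptions for illustration, not figures taken from the Regulation or any supervisory authority.

```python
"""DPIA screening and privacy-risk register (added example, not IT Governance's tool).

Scales, thresholds and the sample processing operation are constructed for
illustration; only the Article 35(3) triggers and the Article 36 test follow
the text of the Regulation as summarised on the slides.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Processing:
    """Screening questions for one processing operation (step 1: identify the need)."""
    name: str
    likely_high_risk: bool = False                   # Article 35(1) general test, e.g. new technologies
    automated_decisions_legal_effect: bool = False   # Article 35(3)(a)
    large_scale_special_category: bool = False       # Article 35(3)(b)
    systematic_public_monitoring: bool = False       # Article 35(3)(c)
    on_supervisory_authority_list: bool = False      # Article 35(4) published list


def dpia_required(p: Processing) -> bool:
    """Any single trigger is enough; a 'no' still deserves a recorded light-touch review."""
    return any((p.likely_high_risk, p.automated_decisions_legal_effect,
                p.large_scale_special_category, p.systematic_public_monitoring,
                p.on_supervisory_authority_list))


# Assumed 1-5 scales; score = likelihood x impact (the slide 21 definition of risk).
RISK_APPETITE = 8    # assumed: a residual score above this needs more treatment or explicit sign-off
HIGH_RISK = 15       # assumed: a residual score at or above this counts as "high risk" for Article 36


@dataclass
class Risk:
    """One register entry (step 3) with its treatment and residual scoring (step 4)."""
    description: str
    likelihood: int
    impact: int
    treatment: str = "none"
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # An untreated risk keeps its inherent likelihood and impact.
        lk = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        im = self.residual_impact if self.residual_impact is not None else self.impact
        return lk * im


def prior_consultation_required(risks: List[Risk]) -> bool:
    """Article 36: consult the supervisory authority if a high risk remains after treatment."""
    return any(r.residual_score() >= HIGH_RISK for r in risks)


def dpia_outcome(p: Processing, risks: List[Risk]) -> dict:
    """Step 5 record: what goes to sign-off and then into the project plan (step 6)."""
    return {
        "processing": p.name,
        "dpia_required": dpia_required(p),
        "max_inherent": max((r.inherent_score() for r in risks), default=0),
        "max_residual": max((r.residual_score() for r in risks), default=0),
        "above_appetite": [r.description for r in risks if r.residual_score() > RISK_APPETITE],
        "prior_consultation": prior_consultation_required(risks),
    }


# Constructed sample: number-plate recognition cameras covering a public car park
# (slide 24: monitoring members of the public).
CAR_PARK_ANPR = Processing(
    name="ANPR cameras in public car park",
    likely_high_risk=True,
    systematic_public_monitoring=True,
)

CAR_PARK_RISKS = [
    Risk("Footage kept for too long", 4, 3,
         treatment="30-day automatic deletion", residual_likelihood=1, residual_impact=3),
    Risk("Footage disclosed to wrong people", 3, 4,
         treatment="role-based access and audit logging", residual_likelihood=1, residual_impact=4),
    Risk("Insecure transmission from cameras", 3, 4,
         treatment="TLS on camera links, encrypted storage", residual_likelihood=1, residual_impact=4),
    Risk("Monitoring is unexpected by the public", 5, 4,
         treatment="signage and published privacy notice", residual_likelihood=4, residual_impact=4),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(dpia_outcome(CAR_PARK_ANPR, CAR_PARK_RISKS))
```

In the constructed scenario three risks are treated down to residual scores of 3 or 4, but the intrusiveness of monitoring a public area only drops from 20 to 16, which stays at or above the assumed high-risk line; the outcome therefore records that risk as open and flags Article 36 prior consultation before processing starts. The same register, re-run after further treatment (or after the supervisory authority’s written advice), is the step 7 monitoring artefact.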
38. IT Governance: GDPR one-stop shop – self-help materials
• A pocket guide: www.itgovernance.co.uk/shop/Product/eu-gdpr-a-pocket-guide
• Implementation manual: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide
• Documentation toolkit: www.itgovernance.co.uk/shop/Product/eu-general-data-protection-regulation-gdpr-documentation-toolkit
• Compliance Gap Assessment Tool: www.itgovernance.co.uk/shop/Product/eu-gdpr-compliance-gap-assessment-tool
39. IT Governance: GDPR one-stop shop – training courses
• One-day accredited Foundation course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-foundation-gdpr-training-course
• Four-day accredited Practitioner course (classroom, online, distance learning): www.itgovernance.co.uk/shop/Product/certified-eu-general-data-protection-regulation-practitioner-gdpr-training-course
• One-day data protection impact assessment (DPIA) workshop (classroom): www.itgovernance.co.uk/shop/Product/data-protection-impact-assessment-dpia-workshop
40. IT Governance: GDPR one-stop shop – GDPR consultancy
• Gap analysis: our experienced data protection consultants can assess the exact standing of your current legal situation, security practices and operating procedures in relation to the Data Protection Act (DPA) or the GDPR.
• Data flow audit: data mapping involves plotting out all of your data flows, which means drawing up an extensive inventory of the data to understand where it flows from, within and to. This type of analysis underpins the records of processing activities required by Article 30 of the GDPR.
• Data Protection Officer (DPO) as a Service: outsourcing the DPO role can help your organisation address the compliance demands of the GDPR while staying focused on your core business activities.
• Implementing a personal information management system (PIMS): establishing a PIMS as part of your overall business management system will make sure that data protection management is placed within a robust framework, which will be looked upon favourably by the regulator when it comes to DPA compliance.
• Implementing an information security management system (ISMS) compliant with ISO 27001: we offer flexible and cost-effective consultancy packages, and a comprehensive range of bespoke ISO 27001 consultancy services, that will help you implement an ISO 27001-compliant ISMS quickly and without hassle, no matter where your business is located.
• Cyber Health Check: the two-day Cyber Health Check combines on-site consultancy and audit with remote vulnerability assessments to assess your cyber risk exposure.