GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

The topics covered in this presentation are:

• Context of GDPR - this contains information on other directives and regulations relating to GDPR to provide details on its wider content
• Personal Information - this reiterates what is meant by personal information and so what is covered by GDPR
• Principles of GDPR - this identifies some of the key principles that underpin GDPR and will affect its operation and the particular provisions of the GDPR intended to give effect to those principles
• Implementing and Operating GDPR - this discusses approaches to operationalising GDPR within organisations
• GDPR and Outsourcing - this contains details on the particular topic of outsourcing that will be impacted by GDPR
• Data Governance - this puts GDPR into wider Data Governance context
• Data Ethics - this briefly discusses the wider issue of data ethics in the context of GDPR

The impact of GDPR cannot really be estimated or quantified at this stage. There is a wider regulatory context for GDPR. The range of data compliance regulations is only growing. Achieving GDPR compliance has the potential to be very expensive, especially for larger organisations. GDPR compliance should be addressed in the context of wider data governance. Existing methodologies should be reused where possible.

  1. GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics
     Alan McSweeney, http://ie.linkedin.com/in/alanmcsweeney

  2. Topics
     • Context of GDPR – this contains information on other directives and regulations relating to GDPR to provide details on its wider content
     • Personal Information – this reiterates what is meant by personal information and so what is covered by GDPR
     • Principles of GDPR – this identifies some of the key principles that underpin GDPR and will affect its operation and the particular provisions of the GDPR intended to give effect to those principles
     • Implementing and Operating GDPR – this discusses approaches to operationalising GDPR within organisations and the IT system changes required
     • GDPR and Outsourcing – this contains details on the particular topic of outsourcing that will be impacted by GDPR
     • Data Governance – this puts GDPR into wider Data Governance context
     • Data Ethics – this briefly discusses the wider issue of data ethics in the context of GDPR
     March 28, 2018

  3. GDPR Impact
     • GDPR and its related regulations have different impacts depending on the profile of an organisation and the way in which it collects and processes information about individuals
     • GDPR impacts on the areas of:
       − Data Governance
       − Privacy Management
       − Security Management
       − Risk Management
     • Existing business processes and IT systems will need to be modified and new processes and systems acquired to support the successful operation of GDPR
     • The operation of outsourcing arrangements will be impacted by GDPR

  4. GDPR Impact
     • Organisations have personal data in many locations used by many different applications using different storage technologies
     • GDPR now requires a new and more strict data regime to implement, operate and enforce
     • Organisations should consider a consistent approach across all personal data platforms
     (Diagram: Personal Data Landscape)

  5. No One Solution
     • There is no one solution to achieving GDPR compliance that applies to all organisations and to all aspects of GDPR
     • Organisations need to define their GDPR compliance strategy and their approach to data governance before looking at long-term solutions

  6. Reuse Existing Standards And Methodologies
     • There are existing, detailed, well-proven, well-documented methodologies in areas such as data governance, data privacy, information security management, digital filing, supplier governance and managing outsourcing relationships that can be successfully re-used to achieve the necessary GDPR compliance without the need to look for new approaches
     • The wheel is not getting any rounder - it does not need to be reinvented
     • So use existing well-proven frameworks and methodologies to systematically improve skills, experience and practice in key competency areas
     • The world does not need new frameworks and methodologies – it needs existing ones well-implemented

  7. Reuse Existing Standards And Methodologies
     (Diagram mapping GDPR to existing standards and frameworks)
     • Areas: Data Governance, Data Management, Information Security, Outsourcing Management, Records Management
     • Standards and frameworks:
       − COBIT
       − TOGAF
       − DMBOK
       − ISO 15489 Records Management
       − ISO 16175 Standard for Digital Filing
       − ISO 27001 Information Security Management
       − Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation
       − Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

  8. ISO 15489 Records Management
     • ISO 15489 defines the concepts and principles from which approaches to the creation, capture and management of records are developed:
       − Records, metadata for records and records systems
       − Policies, assigned responsibilities, monitoring and training supporting the effective management of records
       − Recurrent analysis of business context and the identification of records requirements
       − Records controls
       − Processes for creating, capturing and managing records
     • ISO 15489 applies to the creation, capture and management of records regardless of structure or form, in all types of business and technological environments, over time

  9. No Silver Bullet
     • There is no silver bullet to achieve GDPR compliance
     • Just a bunch of regular bullets to fire at the problem

  10. Tactical And Strategic Approaches
     • Take a multi-track approach to achieving appropriate, risk-based GDPR compliance
     • Tracks: Tactical; Analysis, Scope and Design; Strategy, Strategic Sourcing and Implementation
     • Activities across the tracks:
       − Request Logging and Tracking Facility
       − Consent Tracking
       − Notices
       − Policies
       − DPO
       − Supplier Review
       − Personal data collection and processing profiling
       − Personal data business process definition and ownership assignment
       − Definition of wider set of GDPR processes
       − Personnel certification
       − Define and agree strategic approach and operating framework
       − Source and implement strategic solutions and associated operational processes

  11. GDPR Context

  12. Wider Context Of GDPR
     • There are many related regulations and directives
     • The data protection landscape is becoming increasingly crowded and the burden on organisations more onerous
     (Diagram of the related instruments)
     • Treaty on the Functioning of the European Union (TFEU)
     • European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR)
     • GDPR
     • ePrivacy Regulation
     • EU Digital Single Market (DSM)
     • NIS Directive
     • eIDAS
     • Directive on Privacy and Electronic Communications
     • Police and Criminal Justice Directive

  13. Wider Context Of GDPR
     • The GDPR (http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32016R0679) exists within the context of the wider EU Digital Single Market (DSM) strategy and a related set of regulations and directives
     • The DSM is a strategy of the European Commission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues
     • The stated objective of the GDPR is to increase trust in and the security of digital services in order to advance digital opportunities for citizens and businesses in Europe
     • The stated aim is to strengthen the position of the EU as a digital economy world leader

  14. Police and Criminal Justice Directive
     • Police and Criminal Justice Directive - Directive (EU) 2016/680 on the protection of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA – will apply from 6 May 2018
     • Creates a coherent framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
     • The Police and Criminal Justice Directive harmonises the laws in the Member States in respect of the exchange of information between police and judicial authorities
     • Applies to both cross-border and domestic processing of personal data and aims to improve cooperation of the Member States in the fight against terrorism and other serious crime across the EU, in that it guarantees that personal data transferred outside the EU by criminal law enforcement authorities will be adequately protected

  15. Directive on Security of Network and Information Systems (NIS Directive)
     • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) comes into force on 10 May, 2018
       − http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC
     • NIS Directive applies to:
       − Operators of Essential Services (OES) that are established in the EU: certain businesses operating in critical national infrastructure (CNI)
       − Seven sectors affected by the NIS Directive are energy, transport, banking, financial market infrastructure, health, water and digital infrastructure
       − Digital Service Providers (DSP), with search engines, cloud computing services, and online marketplaces identified as the types of DSP that are subject to regulation
       − The onus is on organisations to determine for themselves whether they are DSPs and subject to the Directive’s security and notification requirements
       − The NIS Directive does not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million)

  16. Directive on Security of Network and Information Systems (NIS Directive)
     • Aim of the NIS Directive is to ensure there is a common and high level of EU-wide information systems and network security and cyber security by:
       − Improving national information and network security capacity and effectiveness, including having Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs)
       − Increasing co-operation on information and network security across all Member States
       − Introducing binding security obligations and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI)
       − Member States will be responsible for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in that country

  17. NIS Security Principles
     • Identify
       − Asset Management: Systems and/or services that are required to maintain or support essential services must be determined, understood and documented
       − Business Environment: Overall organisation mission, objectives, stakeholders, and activities are understood, prioritised and documented
       − Governance: Policies, procedures, and processes to manage and monitor the regulatory, legal, risk, environmental, and operational requirements are identified, understood and documented
       − Risk Assessment and Risk Management: Identify and understand the network security risk to operations, assets and individuals
     • Protect
       − Service Protection Policies and Processes: Define, communicate and document policies to direct the overall approach to securing systems and data that support delivery of essential services
       − Identity and Access Control: Access to assets and associated facilities is limited to authorised users, processes or devices and to authorised activities and transactions/functions
       − Data Security: Information and records are managed and documented consistent with the risk strategy to protect the confidentiality, integrity, and availability of information
       − System Security: Network and information systems and technology critical for the delivery of essential services are protected from attack
       − Resilient Networks and Systems: Incorporate resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services
       − Staff Awareness and Training: Employees and partners are provided network security awareness education and training to perform their information security-related duties and responsibilities
     • Detect
       − Anomalies and Events Detection: Anomalous and unusual activity is detected in a timely manner and the potential impact of events is understood
       − Security Continuous Monitoring: Information systems and assets are monitored in order to identify network security events and validate the effectiveness of protective measures
     • Respond
       − Response Planning: Response processes are executed, maintained and documented to ensure timely response to detected network security events
       − Analysis: Analysis is conducted to ensure adequate response and to support recovery actions
       − Mitigation: Take actions to prevent expansion of an event, mitigate its effects and resolve the incident
       − Improvements: Response activities are improved and documented by incorporating lessons learned
       − Communications: Response activities are co-ordinated with internal and external stakeholders including law enforcement
     • Recover
       − Recovery Planning: Recovery processes and procedures are executed to ensure timely restoration of systems affected by network security events
       − Improvements: Improve recovery planning by incorporating lessons learned
       − Communications: Coordinate restoration activities with internal and external parties, such as coordinating functions, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors

  18. NIS Security Principles
     • Use these security principles to create an operational security framework to reduce the chances of a data breach

  19. ePrivacy Regulation
     • In January 2017, the European Commission published its Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017)
       − http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010
     • The ePrivacy Regulation aims to make more effective and to increase the level of protection of privacy and personal data processed in relation with electronic communications in accordance with Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union and ensure greater legal certainty
       − Complements and particularises the GDPR
     • While the ePrivacy Directive applied to telecommunication providers, the ePrivacy Regulation will apply to all providers of electronic communications services – described as Over-the-Top (OTT) communications services such as Facebook Messenger, LinkedIn, Skype, WhatsApp and others
     • ePrivacy Directive - Directive 2002/58/EC – will be replaced by the ePrivacy Regulation in due course

  20. eIDAS (electronic IDentification, Authentication and trust Services)
     • The eIDAS Regulation - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Electronic Signatures Directive) – came into effect on 1 July, 2016
       − http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG
     • Aims to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of electronic ID and consistent rules on trust services across the EU
     • Focuses on two areas:
       − Interoperability – Member States are required to create a common framework that will recognise electronic Identifications (eIDs) from other Member States and ensure their authenticity and security
       − Transparency – eIDAS provides a list of trusted services that may be used within a centralised signing framework

  21. European Union Agency for Network and Information Security (ENISA)
     • European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe
     • Privacy and Data Protection by Design - https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design/at_download/fullReport
       − View of what needs to be done to achieve privacy and data protection by default. For example, it specifies that encryption and decryption operations must be carried out locally and not remotely because both encryption/decryption keys and data must remain in the power of the data controller and processor if any privacy is to be maintained
       − Covers topics such as the use of cloud data storage where the data controller, not the cloud service provider, holds the encryption/decryption keys
     • Handbook on Security of Personal Data Processing - https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification/at_download/fullReport
       − Guidelines for small to medium businesses on data security

  22. Article 29 Working Party
     • Article 29 Working Party - Working Party on the Protection of Individuals with Regard to the Processing of Personal Data – was established under Article 29 of the Data Protection Directive (Directive 95/46/EC) http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A31995L0046
     • Produced much useful material on the implementation and operation of GDPR:
       − Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation – http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826
       − Guidelines on Data Protection Impact Assessment (DPIA) – http://ec.europa.eu/newsroom/document.cfm?doc_id=47711
       − Guidelines on Data Protection Officers – http://ec.europa.eu/newsroom/document.cfm?doc_id=44100
       − Guidelines on Personal Data Breach Notification Under Regulation 2016/679 – http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827
       − Guidelines on the Application and Setting of Administrative Fines – http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889
       − Guidelines on the Lead Supervisory Authority – http://ec.europa.eu/newsroom/document.cfm?doc_id=44102
       − Guidelines on the Right to "Data Portability" – http://ec.europa.eu/newsroom/document.cfm?doc_id=44099
       − Elements and Principles to be Found in Binding Corporate Rules (BCR) – http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798

  23. European Data Protection Board (EDPB)
     • Article 68 of the GDPR provides for the establishment of the European Data Protection Board (EDPB), which will replace the Article 29 Working Party
     • Members of the EDPB are the heads of the supervisory authorities in each Member State (or their representatives) and the European Data Protection Supervisor (or their representative)

  24. European Data Protection Supervisor (EDPS)
     • The post of European Data Protection Supervisor (EDPS) was established in 2004 under Regulation (EC) 45/2001, which sets out the data protection standards that apply to the Union institutions
     • The post of EDPS is recognised in GDPR
       − The EDPS is a member of the EDPB, although the EDPS will only have voting rights where the issues involve principles and rules that are applicable to the institutions of the Union

  25. Personal Information

  26. Personal Information
     • Personal information is at the core of GDPR
     • Personal data is defined in Article 4(1) of the GDPR:
       − ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
     • Information is personal if it is:
       − Owned by a person
       − About a person
       − Directed towards a person
       − Sent or posted or communicated by a person
       − Experienced by a person
       − Relevant to a person
     • The definition of personal data is very important
       − It does not just include information a person explicitly supplies
       − It includes implicit information such as browsing history
     • GDPR identifies special categories of personal data for which processing is subject to additional constraints
       − Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited

  27. Personal Information
     • Personal Information
       − Name, such as full name, maiden name, mother‘s maiden name, or alias
       − Date of birth
       − Place of birth
       − Full home address
       − Country, state, postcode or city of residence
       − Marital status
       − Telephone numbers, including mobile, business and personal numbers
       − Information identifying personally owned property, such as vehicle registration number
       − Passport number
       − Social insurance or national insurance number
       − Residence and geographic records
       − Sexual orientation
     • Biographical Data
       − Specific age
       − Height
       − Weight
       − Eye colour
       − Hair colour
       − Photographic image
       − Gender
       − Racial or ethnic origin
       − Any defining physical characteristics
     • Digital Footprint
       − Digital identities, such as avatars and usernames/handles
       − Logon details such as name, screen name, nickname, or handle
       − Email address (if private from an association/club membership, etc.)
       − IP addresses (in the EU)
       − Geo-tracking information and location-based data
       − Web usage behaviour or user preferences using persistent cookies
       − Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently
       − Any information that links a particular person to a small, well-defined group
     • Medical or Health Data
       − Patient identifier
       − Number of sick days taken from employer and other information relating to any sick leave
       − Visits to doctors
       − Medical data
       − Biological traits including DNA
       − Fitness data
       − Medical images such as X-rays, CT scans and ultrasound
       − Biometric data such as fingerprints, retinal scans, voice signature or facial geometry
       − Medication

  28. Principles of GDPR

  29. Principles of GDPR
     • At the core of the GDPR are stated principles governing data processing, which are supported by detailed provisions
       − Lawfulness, Fairness and Transparency: Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
       − Specified, Explicit and Legitimate Purpose: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; Article 5(1)(b)
       − Adequate, Relevant and Limited: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed; Article 5(1)(c)
       − Accurate and Up-To-Date: Personal data shall be accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay; Article 5(1)(d)
       − Pseudonymisation/Storage Limits: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; Article 5(1)(e)
       − Security: Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; Article 5(1)(f)

  30. Implementation And Operational Principles
     • Data Protection By Design and By Default
     • Limitation and Minimisation
     • One Common Set of Rules and One-Stop Shop
     • Certification
     • Notices, Responsibility and Accountability
     • Data Protection Impact Assessment (DPIA)
     • Lawful Basis For Processing
     • Consent
     • Right of Access
     • Right to Rectification
     • Right to Erasure
     • Right to Object / Prohibition
     • Automated Decision-Making
     • Data Portability
     • Data Protection Officer
     • Pseudonymisation
     • Handling of Data Breaches
     • Penalties and Sanctions

  31. GDPR Implementation And Operational Principles
     (Diagram of the implementation and operational principles listed on the previous slide)

  32. Data Protection By Design and By Default
     • Article 25 of the GDPR requires that data protection is designed into the development of business processes for products and services
       − Appropriate measures to implement the data protection principles and to safeguard data must be put in place in an effective manner at the time the means of processing is determined and at the time of the processing itself
       − This is a mandatory requirement, breach of which can lead to a fine
     • Article 25(2) addresses the concept of data minimisation and provides that the controller should implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed
       − Obligation applies to the amount of personal data collected, the extent of processing and the period of storage and accessibility
       − Data Protection by design and by default requires a combination of systems and processes
       − Changes to existing IT systems and possible new IT systems will be required to achieve this

  33. Limitation and Minimisation
     • The collection of personal data should be limited to specific and justifiable purposes
     • The amount of personal data collected should be minimised
     • The storage interval should be limited
     • The type of processing should be limited and necessary
     • There should be a legal basis for processing
     • Access should be controlled and excluded by default rather than being inclusive
     • Processing of special categories of personal data should be avoided unless absolutely required
     • Data security should occur as a matter of course
     • Essentially, if there are any doubts and the data is not necessary, do not collect it

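As an added example (not part of the presentation), the Python below applies three of the rules above to a toy data store: only the fields registered as necessary for the declared purpose are kept at collection time (Article 25(2) "by default"), access for any purpose that is not registered is refused, and records are purged once their purpose's retention period has passed. The purposes, field names, retention periods and sample records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Purpose register, constructed for this example: for each declared purpose,
# the fields that are necessary for it and how long records collected for it
# may be kept. In practice this comes from the record of processing activities.
PURPOSES: Dict[str, Dict] = {
    "order_fulfilment": {"fields": {"full_name", "home_address"}, "retention_days": 90},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}

# Special categories are refused at the point of collection; this example does
# not model the exceptional legal bases that would permit them.
SPECIAL_CATEGORY_FIELDS = {"health_data", "racial_or_ethnic_origin", "sexual_orientation"}


@dataclass
class Record:
    subject_id: str
    purpose: str           # the purpose the data was collected for
    collected_on: date
    data: Dict[str, str]   # only the fields necessary for that purpose survive


class MinimisingStore:
    """Default-deny store: no registered purpose, no data in and no data out."""

    def __init__(self, today: date):
        self.today = today             # injected so retention can be exercised offline
        self._records: List[Record] = []

    def _spec(self, purpose: str) -> Dict:
        spec = PURPOSES.get(purpose)
        if spec is None:               # excluded by default rather than inclusive
            raise PermissionError(f"no registered purpose: {purpose!r}")
        return spec

    def collect(self, subject_id: str, purpose: str, submitted: Dict[str, str]) -> Record:
        """Store only what the purpose needs; everything else is dropped, not stored."""
        spec = self._spec(purpose)
        special = set(submitted) & SPECIAL_CATEGORY_FIELDS
        if special:
            raise ValueError(f"special category data refused: {sorted(special)}")
        kept = {k: v for k, v in submitted.items() if k in spec["fields"]}
        record = Record(subject_id, purpose, self.today, kept)
        self._records.append(record)
        return record

    def purge_expired(self) -> int:
        """Storage limitation: remove records older than their purpose's retention period."""
        before = len(self._records)
        self._records = [
            r for r in self._records
            if self.today - r.collected_on <= timedelta(days=PURPOSES[r.purpose]["retention_days"])
        ]
        return before - len(self._records)

    def read(self, subject_id: str, purpose: str) -> Optional[Dict[str, str]]:
        """Release data only under the purpose it was collected for, after purging expired records."""
        self._spec(purpose)
        self.purge_expired()
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose:
                return dict(r.data)
        return None


def demo() -> Dict[str, object]:
    """Walk through the rules with constructed sample data and return the observations."""
    store = MinimisingStore(today=date(2018, 1, 1))
    # The web form over-collects: phone and email are not needed to fulfil an order.
    fulfilment = store.collect("subject-1", "order_fulfilment", {
        "full_name": "A. Example", "home_address": "1 Sample Street",
        "phone": "000 0000", "email": "a@example.invalid",
    })
    store.collect("subject-1", "newsletter", {"email": "a@example.invalid", "full_name": "A. Example"})
    results: Dict[str, object] = {"stored_for_fulfilment": sorted(fulfilment.data)}

    store.today = date(2018, 4, 2)      # 91 days later: the 90-day fulfilment record has expired
    results["purged_after_90_days"] = store.purge_expired()
    results["fulfilment_after_expiry"] = store.read("subject-1", "order_fulfilment")
    results["newsletter_still_readable"] = store.read("subject-1", "newsletter")

    try:                                # a purpose nobody registered is excluded by default
        store.read("subject-1", "analytics")
        results["unregistered_purpose"] = "allowed"
    except PermissionError:
        results["unregistered_purpose"] = "denied"

    try:                                # health data is a special category and is never stored here
        store.collect("subject-2", "newsletter", {"email": "b@example.invalid", "health_data": "x"})
        results["special_category"] = "accepted"
    except ValueError:
        results["special_category"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
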
  34. One Common Set of Rules and One-Stop Shop
     • There will be one set of data protection rules across all EU Member States
     • Each Member State must create an independent supervisory authority to hear complaints, investigate them and to take administrative actions and enforce sanctions - Articles 51-54
     • Article 51 requires each Member State to provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR
     • Under Article 51(2), supervisory authorities have a duty to contribute to the consistent application of the GDPR, as well as specific obligations to cooperate with one another and the Commission through the consistency process
     • Article 57 of the GDPR lists tasks of supervisory authorities, while Article 58 lists their powers
     • The general task of a supervisory authority is to monitor and enforce the application of the GDPR
     • Additionally, Chapter VII on Cooperation and Consistency sets out detailed provisions on mutual assistance (Article 61) and on the conduct of joint operations (Article 62)
     • Article 58(4) provides that the exercise of the powers of a supervisory authority must be subject to appropriate safeguards, including effective judicial remedies and due process
     • Where an entity such as a multi-national has multiple locations in multiple EU states, it will have a single supervisory authority as its lead supervisory authority, based on the location of its main office
     • In this instance, the lead supervisory authority will act as a one-stop shop (OSS) to supervise all the processing activities of that business throughout the EU

  35. Certification
     • GDPR provides for a voluntary data protection certification regime to be established
     • There is no certification approach or regime defined yet
     • ENISA has documented a possible certification approach

  36. Notices, Responsibility and Accountability
     • The need for and the content of privacy statements on web sites and other entry points to digital information and services that was specified in the Data Protection Directive has been expanded
     • Article 5(1) of the GDPR requires data controllers to process personal data fairly and lawfully and in a transparent manner: the objective is to ensure that data subjects are aware of the processing of their personal data, the purposes for which the processing is taking place and data subjects’ rights in relation to personal data
     • Article 13 of the GDPR specifies the information that must be provided to a data subject. The legal obligation is on the controller, although the controller may use a third party agent (such as the processor) to provide the information on the controller’s behalf as long as the notice meets the required standards
     • Information may be provided by a privacy notice (also known as a fair processing notice, privacy policy or data protection notice)
     • The information must be clearly accessible and available “at the time when the data are obtained”, which, in general terms, means the time when the data is collected
     • Under Article 13(1) of the GDPR, the privacy notice must state:
       − The identity of the controller (and where applicable, the controller’s representative)
       − The contact details of the Data Protection Officer, if applicable
       − The purposes of the processing for which the personal data is intended as well as the legal basis for the processing
       − The recipients or categories of recipient of the personal data
       − If the controller transfers personal data, the fact that the controller intends to do so to a third country or international organisation (and related information in relation to such transfers)
     • The purposes of the processing must be described in accessible terms and clearly distinguished from one another

37. Notices, Responsibility and Accountability
• Article 13(2) of the GDPR requires that the following additional information be provided where necessary to ensure fair and transparent processing:
− The retention period for the personal data (or, where that is not possible, the criteria used to determine that period)
− The data subject's rights in relation to the personal data (the right to request access to and rectification of personal data, the right to erasure, to restriction of processing, to object to processing, and the right to data portability)
− Where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
− The right to lodge a complaint with a supervisory authority
− Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide it
− The existence of any automated decision-making, including profiling, and, where it is used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject
38. Notices, Responsibility and Accountability
• There can be one general notice, or several notices placed on those pages of the web site where personal information is collected
• It is best practice to include notices on all pages where personal information is required to be entered
• Where the data subject already has the relevant information, the controller does not need to provide it again (Article 13(4))
• The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child (Article 12(1))
• The information shall be provided in writing, or by other means, including, where appropriate, by electronic means
• When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means
39. Notices, Responsibility and Accountability
Mandatory Privacy Notice Contents (Article 13(1)):
− Identity and contact details of the data controller
− Contact details of the data protection officer, if one exists (see below)
− The purposes of the processing of personal data and the legal basis for this processing (Article 6, Lawfulness of Processing)
− Who receives the personal data
− Whether data is being transferred to a third country or international organisation and, if so, the safeguards that are being used and the means by which to obtain a copy of them or where they have been made available
Specific Personal Information Collection Privacy Notice Contents (Article 13(2)):
− The length of time for which the personal data will be stored or, if that is not possible, the criteria used to determine it
− The right to request from the data controller access to personal data, to request rectification or erasure of personal data, to restrict processing, to object to processing, and to data portability
− The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal
− The right to complain to a supervisory authority
− Whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, as well as whether the person is obliged to provide the personal data and the possible consequences of failure to provide the data
− The use of automated decision-making, including profiling, and where this applies meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person
40. Notices, Responsibility and Accountability
• The principle of Data Protection By Design and By Default (Article 25) requires that data protection measures are designed into, and incorporated in, the development of business processes and systems
• The data controller is responsible for implementing effective measures and for being able to demonstrate the compliance of processing activities, even where the processing is carried out by a separate data processor on behalf of the data controller
• Personal data should be pseudonymised as soon as possible after collection and once its original use has expired
41. Data Protection Impact Assessment (DPIA)
• The use of Privacy Impact Assessments (PIAs) was developed outside the EU, with the UK being the first EU member state whose supervisory authority adopted the use of PIAs
• In the UK, PIAs have been mandatory for Government departments for several years, as well as being widely used in the private sector
• GDPR, in Article 35, introduces mandatory Data Protection Impact Assessments (DPIAs) in respect of high-risk processing, that is to say, processing that is likely to pose a high risk to the rights and freedoms of natural persons
• Article 35(3) designates three specific types of processing as high-risk, so that a DPIA is required for:
− A systematic and extensive evaluation of personal aspects of natural persons based on automated processing, including profiling, on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
− Processing on a large scale of the special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10
− Systematic monitoring of a publicly accessible area on a large scale
• In addition to these three cases in which a DPIA is mandatory, there is a general obligation to conduct a DPIA where the processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1))
• Under Article 35(4), the supervisory authority is required to establish and make public a list of the kinds of processing operations that are subject to the requirement for a DPIA under Article 35(1), and to communicate the list to the European Data Protection Board (EDPB)
42. Data Protection Impact Assessment (DPIA)
• Under Article 35(7), a DPIA must contain at least:
− A systematic description of the envisaged processing operations, which should include the flow of personal data through the systems and business processes as business activities are performed
− The purposes of the processing (including, where applicable, the legitimate interest pursued by the controller)
− An assessment of the necessity and proportionality of the processing in relation to its purposes, that is, why the processing is being performed and how it is proportionate to the underlying need
− An assessment of the risks to the rights and freedoms of the data subjects affected
− The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of the data subjects concerned
• Where the DPIA indicates that the processing would remain high risk despite the measures taken to mitigate that risk, the controller must consult the supervisory authority before processing (Article 36(1))
• Member States must similarly consult the supervisory authority when preparing a proposal for a legislative measure to be adopted by the national parliament, or for a regulatory measure based on such legislation, which relates to processing (Article 36(4))
43. Lawful Basis For Processing
• Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
• Article 6(1) provides that processing is lawful only if at least one of the following applies:
− The person has consented to the processing of their personal data for one or more specific, previously notified purposes
− It is necessary for the performance of a contract to which the person is a party, or in order to take steps at the request of the person before entering into a contract
− It is necessary to protect the vital interests of the person in question or of another natural person
− It is necessary so that the data controller can comply with a legal obligation to which it is subject
− It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
− It is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the person is a child
44. Consent
• Where consent is relied on as the lawful basis for collection and processing, it must be freely given, specific, informed and unambiguous (Article 4(11)); explicit consent is required for the special categories of data (Article 9(2)(a)). Article 7 sets out the basic conditions for a consent to be valid:
− The consent must be freely given
− A proper explanation of what the individual is consenting to must have been provided before the consent is obtained
− Separate consents must be given for separate purposes
− Consent can be refused
− Consent can be withdrawn at any time, and withdrawing consent must be as easy as giving it (Article 7(3))
• Consent must be informed:
− The identity of the controller and the processing purposes must be stated
− Silence, implied consent and pre-ticked boxes on web pages are not valid consent (Recital 32)
− The organisation must ask for consent and obtain a clear affirmative act
− Plain language should be used; consent is unlikely to be valid if data protection notices are unintelligible or over-complicated
− Consent must be specific: where the data processing has multiple purposes, consent should be given for all of them
− The burden of proof that consent was validly obtained lies with the data controller (Article 7(1))
− Consent management therefore needs to include recording both the consent and the circumstances under which it was provided. While there is no requirement that consent be in writing, the evidential burden suggests that, in practical terms, this is what will occur
45. Right of Access
• Persons have the right to access their personal data and to obtain details about how that personal data is being processed
• The right of subject access is complemented by the right, under Article 20 of the GDPR, to data portability
• A controller is under an express obligation to facilitate the exercise by a data subject of their rights, including subject access and data portability (Article 12(2))
• A controller's obligation under Article 20 (right to data portability) is to "transmit … data to another controller without hindrance"
• Article 15(1) provides that a data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data and to the information listed in Article 15(1)
• The data controller has to provide:
− Access to the data itself
− The purposes of the processing
− The categories of personal data concerned
− With whom the data is shared (that is to say, the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations)
− The envisaged storage period for the data or, if it is not possible to specify this, the criteria used to determine that period
− How it acquired the data, in the sense that, where the personal data was not collected from the data subject, any available information as to its source
− The existence of the right to request rectification or erasure of personal data, or restriction of processing, or to object to processing
− The right to lodge a complaint with a supervisory authority
− The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, where applicable, meaningful information about the logic involved and the significance and envisaged consequences for the data subject
46. Right to Rectification / Right to Completion
• Article 16 of the GDPR provides a right to rectification of inaccurate personal data, as well as a right to have incomplete personal data completed
• Inaccurate data must be rectified by the data controller without undue delay once the data subject has so requested
• The right to completion applies where the purpose of the processing makes it appropriate, and may be complied with by means of a supplementary statement
47. Right to Erasure - The "Right To Be Forgotten"
• Article 17 of the GDPR confers a right to obtain erasure of personal data and cessation of its processing, including any copies of or links to it held by other controllers to whom it has been disclosed (Article 17(2)), where:
− The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
− The person has withdrawn the consent on which the processing is based and there is no other legal ground for the processing
− The person objects to the processing under Article 21(1) and there are no overriding legitimate grounds for the processing, or objects to direct marketing under Article 21(2)
− The personal data has been unlawfully processed
− The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
− The personal data has been collected in relation to the offer of information society services to a child, referred to in Article 8(1)
• A request for erasure can be refused where the processing is necessary for one of the exempt purposes specified in Article 17(3), that is to say, where the processing is necessary for:
− Exercising the right of freedom of expression and information
− Compliance with a legal obligation, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
− Reasons of public interest in the area of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3)
− Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), in so far as erasure is likely to render that processing impossible or seriously impair it
− The establishment, exercise or defence of legal claims
48. Right to Erasure - The "Right To Be Forgotten" (continued)
• Article 19 requires a data controller to communicate any rectification or erasure of personal data, or restriction of processing, to each recipient to whom the personal data has been disclosed, "unless this proves impossible or involves disproportionate effort"
• If the data subject asks, the controller must provide details of those recipients
49. Right To Restriction Of Processing
• Under Article 18, a data subject has the right to obtain restriction of processing of personal data in four specified circumstances:
− The accuracy of the personal data is contested by the data subject, in which case processing is restricted for a period enabling the controller to verify the accuracy of the personal data
− The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead. It is not entirely clear what is intended by this provision since, if the data subject does not want the personal data erased, the inference is that the data subject consents to the processing of the data
− The controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims
− The data subject has objected to processing under Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject
50. Right to Object / Prohibition of Automated Decision-Making
• Article 21(1) confers on a data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Article 6(1)(e) or (f), including profiling based on those provisions
• Article 6(1)(e) permits processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, while Article 6(1)(f) permits processing that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
• Following an objection, the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims
• Article 22(1) gives the data subject the right not to be subject to solely automated decision-making, subject to the exceptions in Article 22(2)
− Decisions subject to Article 22 are those based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect the data subject
51. Data Portability
• A person must be able to receive their personal data and transfer it from one controller to another without being prevented from doing so by the data controller (Article 20)
− This covers both the information content, that is, what the person supplied, and the associated metadata
• The right to data portability is the "right to receive the personal data concerning [the data subject], which [the data subject] has provided to a controller" (Article 20(1)), in a structured, commonly used and machine-readable format
• The right applies where the processing is based on consent under Article 6(1)(a) or Article 9(2)(a) (special categories of personal data), or on a contract under Article 6(1)(b), and where the processing is carried out by automated means
• The right does not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 20(3))
• Accordingly, the right to data portability does not arise:
− Where data is processed by a controller under a legal obligation or in the exercise of official authority
− Where processing is necessary in order to protect the vital interests of the data subject or of another natural person
− Where processing is based on the legitimate interests of the controller or a third party
52. Data Protection Officer
• Article 37 sets out the circumstances in which designation of a Data Protection Officer (DPO) is mandatory for data controllers and data processors:
− All public authorities and bodies (except courts acting in their judicial capacity)
− Where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring of individuals on a large scale (such as tracking and profiling on the Internet)
− Where the core activities of the controller or processor consist of large-scale processing of the special categories of data under Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10
• The DPO must act independently (Article 38(3)) and must be given sufficient resources (Article 38(2)) to carry out their tasks effectively
• Article 37(5) provides that the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks of a DPO set out in Article 39
− The DPO should be skilled and experienced in managing IT processes and data security (including dealing with network attacks), and knowledgeable about the issues around holding and processing personal and sensitive data
− The skills required depend on the organisation and the processing it performs
− The DPO should also know the administrative rules and procedures of the organisation
− The organisation must involve the DPO, properly and in a timely manner, in all issues relating to the protection of personal data (Article 38(1))
53. Pseudonymisation
• "Pseudonymisation" is defined in Article 4(5) of the GDPR as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
• Article 29 Working Party:
− "pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure."
• Encryption of identifying data with a secret key is one form of pseudonymisation:
− The original data cannot be read
− The process cannot be reversed without the correct decryption key
− GDPR requires that this additional information (the key) be kept separate from the pseudonymised data
• Pseudonymisation reduces the risks associated with data loss or unauthorised data access
− Pseudonymised data is still regarded as personal data and so remains covered by the GDPR
− It is viewed as part of the Data Protection By Design and By Default principle (Article 25(1))
• Pseudonymisation is not mandatory
− Implementing pseudonymisation within existing IT systems and processes would be complex and expensive and, to that extent, pseudonymisation might be considered an example of unnecessary complexity within the GDPR
54. Pseudonymisation
• GDPR Recital 26:
− "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
• Pseudonymisation is not anonymisation
− Anonymisation means the data can no longer be attributed to a person by any means reasonably likely to be used
− Pseudonymisation means the data can still be attributed to a person using additional information
− Pseudonymisation just makes identifying persons from the data more difficult, time-consuming and expensive
55. Pseudonymisation
• Article 89(1): as a safeguard for the further processing of data for archiving, research and statistical purposes
• Article 6(4): as a factor that may contribute to the compatibility of further processing with the purpose for which the data was collected
• Article 25: as a measure contributing to data protection by design in data applications
• Recital 28: "The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of 'pseudonymisation' in this Regulation is not intended to preclude any other measures of data protection."
56. Pseudonymisation
• Pseudonymisation means removing the link between data and its attribution to a specific individual
• It adds a layer of complexity, time and expense to identifying a person
• There are many (complex) approaches to pseudonymisation
• Pseudonymisation aims to provide an extra layer of security
− It does not stop personal data being lost
− It just reduces the likelihood that lost personal data can be used
[Figure: two versions of the same IT system table with columns Person, Personal Data Field 1 and Personal Data Field 2. Left: plain personal data for Person 1 to Person 3; lose or allow access to this and the personal data can be read by anyone. Right: the same fields stored as encrypted values; lose or allow access to this and the personal data cannot be read without the ability to decrypt. (1) The system retrieves the encryption key; (2) encrypted data is read and written, and decrypted, using the key.]
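The slides above describe pseudonymisation as separating the data set from the "additional information" that re-links it to a person, and mention that many approaches exist. The following is an added example, not code from the presentation, showing one concrete approach that is cheaper to retrofit than field-level encryption: direct identifiers are replaced by keyed HMAC tokens, with the key and the token-to-identity map held in a separate store. It also shows why an unkeyed hash of an identifier is not meaningful pseudonymisation, since guessable identities can be recovered by a dictionary attack. The record set, field names and the `KeyStore` class are constructed for the example.

```python
"""Pseudonymisation of a constructed record set with keyed tokens.

Added illustration of the Article 4(5) definition: the 'additional
information' needed to re-identify (the secret key and the token-to-identity
map) lives in a separate store, and the working data set carries only tokens.
Not code from the presentation; names and sample data are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample rows standing in for an HR or customer table.
SAMPLE_RECORDS: List[Dict] = [
    {"person": "Anna Example", "email": "anna@example.org", "salary": 52000},
    {"person": "Ben Example", "email": "ben@example.org", "salary": 61000},
    {"person": "Anna Example", "email": "anna@example.org", "salary": 52500},
]
DIRECT_IDENTIFIERS = ("person", "email")
TOKEN_LEN = 16  # hex characters kept from the 256-bit tag


class KeyStore:
    """Holds the secret key and the reverse map, apart from the data set.

    In a real deployment this is a separate system with its own access
    control (an HSM or secrets manager plus a restricted lookup table).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.reverse: Dict[str, str] = {}

    def token(self, value: str) -> str:
        """Deterministic keyed tag: the same identity always maps to the same
        token, so rows about one person stay linkable, but nobody without the
        key can recompute or invert it."""
        tag = hmac.new(self.key, value.encode("utf-8"),
                       hashlib.sha256).hexdigest()[:TOKEN_LEN]
        self.reverse[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        """Authorised re-identification, possible only with access to the store."""
        return self.reverse.get(tag)


def pseudonymise(records: Iterable[Dict], store: KeyStore,
                 fields=DIRECT_IDENTIFIERS) -> List[Dict]:
    """Replace direct identifiers with tokens; other attributes are untouched."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            new[field] = store.token(str(rec[field]))
        out.append(new)
    return out


def naive_token(value: str) -> str:
    """Unkeyed hash of the identifier: a common but weak 'pseudonymisation'."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:TOKEN_LEN]


def dictionary_attack(tokens: Iterable[str],
                      candidates: Iterable[str]) -> Dict[str, str]:
    """What someone holding only the data set can do: hash guessed identities
    with no secret and look for matches. This recovers naive_token output but
    nothing produced by KeyStore, because the key is missing."""
    lookup = {naive_token(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    store = KeyStore()
    data = pseudonymise(SAMPLE_RECORDS, store)
    print(data)
    print("rows 0 and 2 are the same person:", data[0]["person"] == data[2]["person"])
    guesses = ["Anna Example", "Ben Example", "Carl Example"]
    print("naive tokens recovered:",
          dictionary_attack([naive_token(r["person"]) for r in SAMPLE_RECORDS], guesses))
    print("keyed tokens recovered:",
          dictionary_attack([r["person"] for r in data], guesses))
```

The tokens are deterministic on purpose so that the pseudonymised table still joins across rows and systems; if linkage is not needed, a random token per row with the map held in the store is stronger. Either way the data set alone is still personal data under Recital 26, because the store can re-identify it.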
57. Handling of Data Breaches
• It is impossible to have 100% security 100% of the time and still collect and process information
− So organisations should assume that a data breach, however minor, will happen at some time
− Security systems should be designed to facilitate the discovery of any breach as soon as possible
• It is important to reduce the scope and effect of a breach and the time taken to identify that it has occurred, and to respond quickly and effectively to limit the damage
− Organisations are responsible for implementing and operating sufficient countermeasures to prevent breaches as far as possible, and to detect and handle those that occur
− A data breach in itself will not necessarily attract administrative sanctions
− The failure to have structures in place to prevent, detect and handle breaches will
• A "personal data breach" is defined in Article 4(12) of the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
• A controller is required to document all personal data breaches, comprising the facts relating to the breach, its effects and the remedial action taken (Article 33(5))
• Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is under a legal obligation to notify the supervisory authority of the breach without undue delay and, where feasible, within 72 hours of having become aware of it; where notification is made later than 72 hours, it must be accompanied by reasons for the delay (Article 33(1))
58. Handling of Data Breaches
• Under Article 33(3), the notification must include:
− A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned
− The name and contact details of the Data Protection Officer or other contact point where more information can be obtained
− A description of the likely consequences of the personal data breach
− A description of the measures taken, or proposed to be taken, by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects
• Persons affected by the data breach must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34(1))
• Importantly, data controllers do not have to notify affected persons if protection measures, such as encryption, were applied to the affected personal data that render it unintelligible to any person not authorised to access it (Article 34(3)(a))
• A notice given to data subjects must describe in clear and plain language the nature of the personal data breach and contain at least:
− The name and contact details of the Data Protection Officer (or other contact point where more information can be obtained)
− A description of the likely consequences of the personal data breach
− A description of the measures taken, or proposed to be taken, by the data controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects (Article 34(2), by reference to Article 33(3)(b) to (d))
59. Penalties and Sanctions
• Failure to comply with GDPR can result in administrative fines and other sanctions
• Warnings and reprimands: under Article 58(2), a supervisory authority has specific powers to issue warnings to a controller or processor that intended processing operations are likely to infringe the GDPR, and reprimands where processing operations have infringed the GDPR
• Data protection compliance audits: Article 58(1) confers investigative powers on supervisory authorities, including, at Article 58(1)(b), the power to carry out investigations in the form of data protection audits
• Fines: Article 83 provides for two levels of administrative fines
− Up to €10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for failures relating to (Article 83(4)):
  • Conditions applicable to a child's consent in relation to information society services
  • Data processing and security obligations of controllers and processors
  • Notification of a personal data breach to the supervisory authority
  • Communication of a personal data breach to the data subject
  • Data protection impact assessment
  • Designation of the data protection officer
  • Certification
− Up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for failures relating to (Article 83(5)):
  • Principles relating to processing of personal data
  • Lawfulness of processing
  • Conditions for consent
  • Processing of special categories of personal data
  • Information and access to personal data
  • Information to be provided where personal data are collected from the data subject
  • Right of access by the data subject
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Automated individual decision-making, including profiling
  • Transfers of personal data to third countries or international organisations
60. Implementing and Operating GDPR
61. Implementing and Operating GDPR
• GDPR compliance is achieved through a combination of processes and technology
• Most of the impact that GDPR will have is on existing IT systems that process personal data
• The effort to implement and operate GDPR will depend on the scope of the problem, which is dictated by the amount of personal data the organisation collects and processes
• The problem with many compliance initiatives is that they tend to be treated as single projects operating in an organisational silo, rather than as part of a wider, more general and shared compliance framework
• Despite having a broad scope across the organisation, GDPR compliance will in many cases be treated as yet another stand-alone initiative
• It is simply not possible to quantify in advance the volume and types of request that individuals will make under GDPR
62. GDPR Compliance Preparatory Steps
1. Determine the organisation's role under the GDPR: data controller or data processor
2. Assign someone to the Data Protection Officer role/team
3. Implement consent management
4. Review and update data retention and data backup
5. Identify and document business processes and associated IT systems processing personal data
6. Identify and assess any cross-border data flows
7. Prepare for persons exercising their GDPR rights
8. Prepare for a data breach
63. Determine The Organisation's GDPR Role
• Inform employees about GDPR risks and appropriate behaviours by defining clear policies on the collection and use of personal data, on collaboration and sharing, and on the maintenance of local uncontrolled copies
• Implement security awareness and privacy training
64. Fill The Data Protection Officer Role And Team
• The primary role of the DPO is to inform and advise on, and monitor, the organisation's compliance with GDPR (Article 39)
• Initially, appoint someone to the DPO role irrespective of any legal necessity
• The role does not have to be full-time
• Once compliance is achieved, the level of work may reduce
• The DPO role is cross-functional: it spans the entire organisation, crossing the boundaries of business functions
• Such roles are often very difficult to implement, as they encroach on the territories of business function leaders and, in doing so, encounter resistance
• To be successful, the DPO role needs support from the highest levels in the organisation
• Train personnel
65. Implement Consent Management
• Consent management involves:
− Identifying all points where personal data is collected across all communication channels
− Identifying the processing activities for which consent is the lawful basis
− Drafting GDPR consent notices
− Updating communication channels, such as the organisation's web site(s), with GDPR consent notices
− If data is collected from children, implementing an approach to obtaining consent from parents or guardians (Article 8)
− Updating IT systems to record consent details (what was consented to, when and how) and to allow consents to be subsequently updated or withdrawn
66. Review And Update Data Retention And Backup
• Review existing approaches to data archival, retention and deletion, if any
• Review data backup processes to ensure that data no longer being retained is not held on backups or, where backup media cannot be selectively purged, that the retention period of the backups themselves is documented and that restored copies are re-purged before use
• Implement data retention and deletion policies and procedures
• Update data backup policies and procedures
67. Identify And Document Business Processes And Associated IT Systems Processing Personal Data
• Create an inventory of personal data collected, created, processed and derived
− Review the reasons why personal data is collected and stop collecting it if that is not necessary or justifiable
• Identify any high-risk data collected or generated
− Consider conducting DPIAs for these
• Identify whether you process any of the special categories of personal data and handle those instances in more detail
− Consider conducting retrospective DPIAs for these
• Where processing rests on consent, ensure that consent is obtained and recorded at the point of collection; explicit consent is required for special-category data, and where another lawful basis of Article 6 applies (contract, legal obligation, legitimate interests and so on) that basis, not consent, should be documented
• Develop and implement notices at all personal data collection points
− Identify the points where consent is necessary
• Create an inventory of business processes where personal data is involved
− Appoint business process owners
− Document these business processes with those involved in their operation
− Define business process review dates, at least annually
• Document the legal grounds for processing this personal data
• Create an inventory of IT systems that store and process personal data
• Map the flow of personal data across business processes and IT systems from initial collection to its processing and ultimate deletion
• Consider initiating a business process review and update exercise that minimises the amount of personal data being collected and processed, to reduce compliance overhead and risk
68. Identify And Document Business Processes And Associated IT Systems Processing Personal Data
• This data discovery and profiling work has the potential to be quite onerous, depending on the number of IT systems and processes involved in processing personal data
• Review your network security, especially on systems containing personal data that can be accessed from outside the organisation
• Identify any third parties involved in data collection and data processing for your organisation, such as IT outsourcing or business process outsourcing arrangements
• For each of these outside organisations you must ensure that they too are compliant with GDPR:
− Review their network security
− Review their data retention policies to ensure personal data is deleted as soon as it is no longer needed
− Review their data backup processes and amend them to ensure that data not being retained is not held on backups
− Ensure they appoint a DPO where one is required
− Review their process for handling data breaches, including how quickly they will notify you (a processor must notify the controller without undue delay under Article 33(2), and the controller's own 72-hour clock runs from when it becomes aware)
• Where suppliers fail to meet GDPR compliance requirements they must resolve these issues or you must replace the
69. Organisation Conceptual Data Model
• Consider building an organisation conceptual data model to assist with identifying personal data processing and data flows
70. Generic Organisation Conceptual Data Model (diagram)
71. Generic Data Conceptual Data Model – Components - 1 of 2
− External Interacting Parties: the range of external parties that supply data to and access data from the enterprise
− External Party Interaction Zones, Applications, Channels and Facilities: the set of applications and data interface and exchange points provided specifically to External Interacting Parties to allow them to supply data to and access data from the enterprise. These can be hosted internally or externally or a mix of both
− External Third Party Applications: third-party applications (such as social media platforms) that contain information about the enterprise, or that are used by the enterprise to present information to or interact with External Interacting Parties, or where the enterprise is referred to, affecting the perception or brand of the enterprise
− External Data Sensors: sources of remote data measurements
− External Party Interaction Zones Data Stores: applications and sets of data created by the enterprise to be externally facing, where external parties can access information and interact with the enterprise
− External Devices: devices connected with services offered by the enterprise (such as ATMs and kiosks)
− Data Intake/Gateway: the set of facilities for handling data supplied to the enterprise, including validation and transformation and possibly an integration or service bus. This can be hosted internally or externally or a mix of both
− Line of Business Applications: the set of line of business applications deployed on enterprise owned and managed infrastructure, used by business functions to operate their business processes
− Organisation Operational Data Stores: the various operational data stores used by the Line of Business Applications
72. Generic Data Conceptual Data Model – Components - 2 of 2
− Line of Business Applications Hosted Outside the Organisation: the set of line of business applications deployed on external infrastructure, used by business functions to operate their business processes. This includes cloud facilities such as external data storage and XaaS facilities, and an integration service to connect external data to internal data
− External Application Operational Data Stores: the various operational data stores used by the Line of Business Applications Hosted Outside the Organisation
− Data Mastering: facilities to create and manage master data, and data extracted from operational data to create a data warehouse and data extracts for reporting and analysis. This includes an extract, transformation and load facility. These can be hosted internally or externally or a mix of both
− Data Reporting and Analysis Facilities: the range of tools and facilities to report on, analyse, mine and model data. These can be hosted internally or externally or a mix of both
− Document Sharing and Collaboration: tools used within the enterprise to share and collaborate on the authoring of documents
− Document Management Systems: systems used to manage transactional and ad hoc structured and unstructured documents in a formal and controlled manner, including the metadata assigned to documents
− Desktop Applications: applications used by individual users to view and author documents
− Document and Information Portal: provides structured access to documents and information, including externally hosted applications providing these facilities
− Unstructured Data Stores: storage locations for enterprise documentation
73. Zones Within Data Fabric Conceptual Data Model
• The components of the conceptual data fabric model can be grouped into zones:
− Internal: within the enterprise's boundary
− Cloud Extension: extensions to enterprise applications and data held in external cloud platforms
− Interface: the set of components responsible for getting data into and out of the enterprise and for presenting data and applications externally
− Externally Located Extension: infrastructure and applications that are connected to the wider enterprise network
− External Controlled: components outside the enterprise but under its control
− External Uncontrolled: components outside the enterprise and not under its direct control
• For GDPR the zone boundaries matter because every crossing of personal data between zones is a point where a processor contract, a transfer safeguard, or both may be required
74. Why Create A Conceptual Data Fabric Model?
• A conceptual data fabric model represents a rich picture of the enterprise's data context
− Embodies an idealised and target data view
• Detailed visualisations represent information more effectively than lengthy narrative text
− More easily understood and engaged with
• Shows relationships and interactions
• Captures complexity easily
• Provides a more concise illustration of state
• A better tool to elicit information
• Gaps, errors and omissions are more easily identified
• Assists informed discussions
• Evolve and refine rich picture representations of as-is and to-be situations
75. Identify and Assess Any Cross-Border Data Flows
• The EDPS has produced guidance on international data transfers – see https://edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en
• Transfers to any of the 28 EU member states (the status of the UK after BREXIT was not defined when this was written; the UK subsequently received adequacy decisions in June 2021) are allowed, as are transfers to Norway, Liechtenstein and Iceland, the non-EU members of the European Economic Area (EEA)
• The European Commission has recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing an adequate level of protection, so data transfers to these countries are also possible without further safeguards
• In February 2016, after the previous Safe Harbour scheme was invalidated, the European Commission and the United States agreed a framework for transatlantic data transfers called the EU-U.S. Privacy Shield
• The European Commission officially deemed this adequate in July 2016 – see http://europa.eu/rapid/press-release_IP-16-2461_en.htm
• Caveat for anyone relying on this material after 2018: the CJEU invalidated Privacy Shield in July 2020 (Schrems II) and the same ruling requires exporters relying on standard contractual clauses to assess the destination country's law and add supplementary measures where needed; a successor framework, the EU-U.S. Data Privacy Framework, received an adequacy decision in July 2023
• In the absence of an adequacy decision for a country you must use the appropriate safeguards of Article 46, such as Binding Corporate Rules (BCRs) or standard contractual clauses. BCRs are described in Article 47 of GDPR and in the Article 29 Working Party working document Elements and Principles to be Found in Binding Corporate Rules (BCR): http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
76. Binding Corporate Rules (BCR)
• BCRs must be legally binding and must clearly specify the duties and responsibilities of each participating member of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees. BCRs must apply to every member of the group
• The group of undertakings can include international organisations, business alliances, joint ventures, outsourcing arrangements or shared economic activities
• The BCRs should cover:
− Structure and members of the group sharing the joint economic activity
− Contact details of the overall group and of each member
− Contact details for the DPO function of each member
− Details of data protection training for staff with access to personal data
− Obligations towards the relevant supervisory authorities
− The tasks of any DPO or other business function responsible for compliance monitoring
− Numbers of and details on the data transfers, including the data being transferred
− Purpose of the data transfers
− Processing performed by each member of the group
− Legally binding obligations of each member towards one another and towards the persons whose data is being processed
− Statement of liability of the data controller or data processor in the EU with regard to breaches of the BCRs by any member outside the EU
− Persons' rights and the ways to exercise those rights, including the right to complain
− Provision of information on the BCRs to persons, to meet the information obligations of the GDPR
− Complaint procedures and complaint handling
− Data protection audits, including scope and frequency and the methods of correction to protect persons' rights
− Application of general data processing principles and generally accepted privacy principles
• BCRs must be approved by the competent supervisory authority under the consistency mechanism (Article 47(1)) before they can be relied on; approval takes many months, so they are a strategic safeguard rather than a quick fix for an existing transfer
77. Binding Corporate Rules (BCR)
• Outsourcing review activity should also include:
− Review all external data processing arrangements, including data storage and use of external applications, that store personal data
− Determine the GDPR compliance of these processing arrangements and consider rationalising suppliers
− Review the contracts and agreements associated with these arrangements
− Update the agreements to include GDPR-specific details
− Review and update supplier selection and procurement processes to include GDPR-specific requirements in selection factors and in new service contracts
78. Prepare for Persons Exercising Their GDPR Rights
• The operation of GDPR gives rise to the need to develop, implement and operate a number of business processes and associated standard operating procedures to give effect to the rights of persons under GDPR
• The inventory of these processes includes:
1. Request Tracking
2. Consent and Consent Recording and Tracking
3. Consent Withdrawal
4. Access to Data
5. Data Rectification
6. Restriction of Processing
7. Data Objection
8. Profiling Objection
9. Data Erasure
10. Data Portability
11. Complaint Handling
12. Personal Data Breach Notification (to the Supervisory Authority, Article 33)
13. Person Data Breach Notification (communication to the affected persons, Article 34)
14. Record of Audits of Third-Party Data Processors
• This is a lengthy list of processes
• Their definition, implementation and operation has the potential to be onerous
• Each of the request-driven processes needs a step that verifies the identity of the requester before anything is disclosed or changed (Article 12(6) allows additional information to be requested for this); an access request answered to the wrong person is itself a breach
79. Generalised Information Lifecycle And GDPR
• To achieve compliance with GDPR, the lifecycles of personal data processes should be documented and formalised
• In particular data archival, data retention and data deletion, stages in the information lifecycle that are frequently not handled well, if at all, need to be implemented
(Diagram: the lifecycle stages Architect, Budget, Plan, Design and Specify; Implement Underlying Technology; Enter, Create, Acquire, Derive, Update, Integrate, Capture; Secure, Store, Replicate and Distribute; Present, Report, Analyse, Model; Preserve, Protect and Recover; Archive and Recall; Delete/Remove)
80. Information Lifecycle And GDPR
• Architect, Budget, Plan, Design and Specify: the design and specification of data storage and management and their supporting processes. This establishes the data management framework
• Implement Underlying Technology: implementing the data-related hardware and software technology components: database components, data storage hardware, backup and recovery software, monitoring and control software and other items
• Enter, Create, Acquire, Derive, Update, Integrate, Capture: the stage where data originates, such as data entry or data capture, or is acquired from other systems or sources
• Secure, Store, Replicate and Distribute: in this stage data is stored with appropriate security and access controls, including auditing of data access and update. It may be replicated to other applications and distributed
• Present, Report, Analyse, Model: the presentation of information, the generation of reports and analysis, and the creation of derived information
• Preserve, Protect and Recover: the management of data in terms of backup, recovery and retention/preservation
• Archive and Recall: the stage where information that is no longer active but still required is archived to secondary data storage platforms, from which it can be recalled if required
• Delete/Remove: the deletion of data that cannot or does not need to be retained any longer. Data has to be able to be disposed of in a managed, systematic and auditable way
• Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund: not a single stage but a set of processes and procedures that cross all stages, concerned with ensuring that the processes associated with each of the lifecycle stages are operated correctly and that data assurance, quality and governance procedures exist and are operated
81. Map GDPR Processes And Their Impacts To Information Lifecycle
(Matrix, extracted without its column positions. The columns are the nine lifecycle stages: Architect, Budget, Plan, Design and Specify; Implement Underlying Technology; Enter, Create, Acquire, Derive, Update, Integrate, Capture; Secure, Store, Replicate and Distribute; Present, Report, Analyse, Model; Preserve, Protect and Recover; Archive and Recall; Delete/Remove; Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund. Each row marks the stages a GDPR process touches; only the number of marked stages per row survives the extraction:)
− Request Tracking: 4 stages
− Consent and Consent Recording and Tracking: 7 stages
− Consent Withdrawal: 7 stages
− Access to Data: 7 stages
− Data Rectification: 7 stages
− Restriction of Processing: 7 stages
− Data Objection: 7 stages
− Profiling Objection: 7 stages
− Data Erasure: 8 stages
− Data Portability: 7 stages
− Complaint Handling: 4 stages
− Personal Data Breach Notification: 4 stages
− Person Data Breach Notification: 4 stages
− Record of Audits of Third-Party Data Processors: 4 stages
82. Request Tracking Facility – Sample Facility Required
− Date and Time Request Received: the date and time that the request is received from the individual or authorised entity
− Received By: the person or business function who logged the request
− Source: the source of the request
− Request Type: the type of the request
− Priority: a priority assigned to the request
− Request Details: a description of the request
− Requester Contacted for Clarification: a flag indicating whether the requester needs to be, or was, contacted for clarification
− Clarification Received: notes on the clarification received
− Request Reviewed and Approved for Processing: a flag indicating that the request contains sufficient details to allow it to be processed
− Date Request Processing Started: the date that formal response processing started
− Date Request Response Due: the due date of the response, based on the request type. Note that the one-month period of Article 12(3) runs from receipt of the request, not from the start of internal processing; it may be extended by two further months for complex or numerous requests, but the person must be told of the extension and the reasons within the first month
− Business Functions Affected by Request: a list of business functions within the organisation affected by the request
− Third Parties Affected by Request: a list of third parties outside the organisation affected by the request
− Request Sent to Business Function <N>: details on the request sent to the business function: date and time, person, details of request, date due, date received, clarification required and received. This is repeated for each affected business function. There will be a sub-workflow for each business function
− Request Sent to Third Party <N>: details on the request sent to the third party: date and time, person, details of request, date due, date received, clarification required and received. This is repeated for each affected third party. There will be a sub-workflow for each third party
− Response Reviewed Date and Time: the date and time that the response is received and collated
− Response Reviewed By: the person who reviewed the response
− Response Redaction Required: a flag indicating that the response needs to be redacted before it is issued to the requester (typically to protect other persons' data)
− Response Redaction Notes: notes on the nature of and reason for the redaction of the response
− Response Redaction Completed By: the person who completed the redaction
− Response Redaction Reviewed By: the person who reviewed the redaction
− Response Redaction Reviewed Date and Time: the date and time the redaction was reviewed and approved
− Response Release Authorised By: the person who authorised the release of the response
− Date and Time Response Issued: the date and time the response was issued
− Response: the response or details of where the response is stored
− Response Covering Communication: the covering communication that accompanied the response
83. Prepare For A Data Breach
• At a high level, the activities involved include:
− Identify Supervisory Authority contact details
− Document a list of breach scenarios and identify the steps to be performed for each
− Create draft breach notifications for the Supervisory Authority and for affected persons
− Document the breach management process, including roles and responsibilities
• Check the process against the statutory clocks: Article 33 requires notification to the Supervisory Authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to persons), and Article 34 requires communication to the affected persons without undue delay where the breach is likely to result in a high risk to them. Retain evidence of when the organisation became aware and of the risk assessment it made
84. Approaches To Achieving Compliance
• The owner of the business processes where personal data is collected and processed is responsible for compliance
− The DPO is not responsible for compliance
− The DPO assists with compliance
− So the organisation should formally appoint business process owners
− These business process owners should conduct privacy impact and risk assessments regularly
• Risk management plays a large part in achieving compliance with GDPR
− Business process owners should be able to make informed decisions on how to address risks in the data processing within the processes for which they are responsible
− Risks are mitigated until the residual risk is within tolerable limits, and the decision and its rationale are recorded: accountability under Article 5(2) means being able to show this
• Achieving compliance with GDPR should, in the first instance, focus on simplification, reduction and minimisation of the amount of personal data you collect and process, where possible
− Consider moving to excluding access to personal data by default
− Review any processing performed by third parties, any outsourcing arrangements, and any use of cloud systems or platforms
• Review your sourcing and supplier selection factors and ensure they explicitly include security controls, privacy management and privacy control functions, certifications and approach to auditing
• Note that mobile devices come under the ambit of GDPR if they are used for the processing of personal data
− Data breaches occur when mobile devices are lost, resulting in unintended loss of control over personal data
− A mobile device management facility, including the ability to remotely wipe lost devices, might be required; full-device encryption with a strong unlock credential is what makes the data on a lost device unintelligible to whoever finds it, which exempts the loss from communication to the affected persons under Article 34(3)(a), while whether the Supervisory Authority must still be notified depends on the risk assessment
− Previous Bring Your Own Device (BYOD) policies might need to be revisited where employees do not consent to their personal devices being remotely monitored and controlled
85. Approaches To Achieving Compliance
• GDPR compliance costs could be substantial
• PwC has conducted a number of surveys on GDPR preparations and estimated budgets among 300 large organisations in the UK, US and Japan
− The most recent survey is from July 2017: see https://www.pwc.com/us/en/increasing-it-effectiveness/publications/general-data-protection-regulation-gdpr-budgets.html
• Highlights
− In July 2017 only 11% of executives surveyed said their companies had finished operationalising their preparations
− Of the companies who said they had finished preparations, 88% reported spending more than USD 1 million on GDPR preparations and 40% reported spending more than USD 10 million
− Among all companies, 60% said they plan to spend at least USD 1 million on GDPR preparation projects and 12% plan to spend more than USD 10 million
86. Survey Of State Of GDPR Compliance – Preparation Status (chart)
87. Survey Of State Of GDPR Compliance – Estimated Budget (chart)
88. IT Systems And GDPR Compliance
• There are multiple IT systems, each of which stores personal data
− Personal data may also exist in the form of documents scanned into document management systems, or documents generated and stored in electronic folders or in email systems
• The same person will have different sets of data stored across these systems
− The person may not be uniquely identifiable across these systems
− There may be variations in the spelling of names and addresses, and different data formats
− This matters for access and erasure requests: a request answered from one system while copies remain in another is an incomplete response, so the matching rules used to find a person across systems need to be written down and tested
89. High-Level Representation Of IT System Landscape And Personal Data
(Diagram: Operational IT System 1 and Operational IT System 2, each with a Person table holding Personal Data Field 1 and Personal Data Field 2 for Person 1 to Person 3 over its own Data Store; Scanned Documents and External Documents in a Document Store; a Reporting IT System with the same Person table over its Data Store; and a further copy of the Person table in a Cloud Data Store)
90. GDPR And Personal Data Landscape
(Diagram: the organisation's Personal Data Landscape surrounded by the obligations that constrain it: Consent, Fairness, Lawfulness, Transparency, Retention and Deletion, Anonymisation, Pseudonymisation, Accuracy and Currency, Security, Legitimate Purpose, Accountability, Minimisation, Access Policies, Appropriate Usage, Data Lifecycle, Data Ownership, Data Governance)
91. GDPR And Personal Data Landscape
• GDPR now imposes strict and severe legislative constraints on the organisation's personal data landscape
92. IT System Compliance Options
• Option 1: Modify each operational IT system to hold additional information, such as a GDPR flag indicating that the data is personal and comes under the scope of GDPR, retention details, consent details and deletion details
− Potentially very expensive and time consuming
− If the IT systems are sourced from third parties, those organisations may over time update their systems to allow the additional GDPR-related information to be stored
• Option 2: Implement a separate system that takes data from the operational systems and creates a single consolidated view of personal data across them
− Involves developing or sourcing a software system to provide this consolidated personal data management functionality
− One of the issues with having a separate system is that changes in the underlying operational systems have to be reflected in it, so it needs a feed (change data capture, scheduled reconciliation, or both) and a way to detect records it does not yet know about
• Both approaches just provide containers in which GDPR-related information on personal data can be stored
− That information has to be defined and completed and subsequently maintained
93. GDPR Related Metadata
• For each item of personal data collected after GDPR goes live and held in an application or stored outside IT systems, there is a need to maintain a set of GDPR-related metadata
• The set of metadata will depend on the approach taken to the GDPR compliance processes
• The metadata can be stored within each application, in a separate personal information management tool, or shared between them
• The metadata can include:
− Personal Information Flag: flag indicating that the field contains personal data
− Sensitive Information Flag: flag indicating that the field contains special-category (sensitive) personal data
− Retention Date: the date up to which the information can be retained and after which it must be deleted
− Consent Identifier: a link to where the consent covering the collection and processing of this data is held
− Consent Withdrawal Flag: a flag indicating that consent to use the data has been withdrawn
− Data Erasure Flag: a flag indicating that the data was erased
− GDPR Tracking Identifier: link to the case management facility for activity relating to this field
− Restriction of Processing Flag: a flag indicating that the processing of the data is restricted
• One item worth adding to this set is the lawful basis for the processing: consent is only one of the six bases in Article 6, and a consent identifier alone cannot record that a field is held under contract or legal obligation instead
94. Consolidated Personal Data Management
• Implementation option 2 involves some form of Consolidated Personal Data Management that holds details on the personal data held in all of the organisation's IT systems
• It provides a centralised facility to operate GDPR without the need to make substantial changes to existing IT systems
(Diagram: IT System 1, whose Person table carries GDPR Details and GDPR Metadata alongside Personal Data Field 1 and 2 (the option 1 approach); IT System 2 with an unchanged Person table; and a Consolidated Personal Data Management store holding the Person entries for both systems)
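As an added example (not part of the original presentation) of how the option 2 register operates: a small consolidated personal data register in Go that holds the metadata set from the GDPR Related Metadata slide per field of each operational record, refuses processing when any flag forbids it, propagates a single consent withdrawal across every system that relied on that consent, and produces the work list for the deletion stage. The type, function and field names and the sample records are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// GDPRMetadata holds the slide's metadata set for one field of one record in
// one operational system. Names are this example's own, not the presentation's.
type GDPRMetadata struct {
	System, RecordID, Field string
	Personal, Sensitive     bool
	RetainUntil             time.Time // zero value: no retention limit recorded
	ConsentID               string    // link to the consent record, if processing rests on consent
	ConsentWithdrawn        bool
	Erased                  bool
	Restricted              bool   // restriction of processing is in force
	TrackingID              string // case reference for any open request on this field
}

// Registry is the consolidated personal data management view (option 2): it
// sits beside the operational systems instead of changing each of them.
type Registry struct{ items map[string]*GDPRMetadata }

func NewRegistry() *Registry { return &Registry{items: map[string]*GDPRMetadata{}} }

func metaKey(system, recordID, field string) string { return system + "/" + recordID + "/" + field }

// Put registers or replaces the metadata for a field.
func (r *Registry) Put(m GDPRMetadata) {
	c := m
	r.items[metaKey(m.System, m.RecordID, m.Field)] = &c
}

// MayProcess is the gate an operational system or its integration layer asks
// before using a field. An unregistered field is refused: it is exactly the
// uncontrolled copy the personal data inventory exists to find.
func (r *Registry) MayProcess(system, recordID, field string, now time.Time) (bool, string) {
	m, ok := r.items[metaKey(system, recordID, field)]
	switch {
	case !ok:
		return false, "no GDPR metadata registered"
	case m.Erased:
		return false, "erased"
	case m.ConsentWithdrawn:
		return false, "consent withdrawn"
	case m.Restricted:
		return false, "processing restricted"
	case !m.RetainUntil.IsZero() && !now.Before(m.RetainUntil):
		return false, "retention period expired"
	}
	return true, ""
}

// WithdrawConsent propagates one withdrawal to every field, in every system,
// collected under that consent, and returns the affected keys in sorted order.
func (r *Registry) WithdrawConsent(consentID string) []string {
	var hit []string
	for k, m := range r.items {
		if m.ConsentID == consentID && !m.ConsentWithdrawn {
			m.ConsentWithdrawn = true
			hit = append(hit, k)
		}
	}
	sort.Strings(hit)
	return hit
}

// DueForDeletion lists fields whose retention date has passed and that are not
// yet erased: the work list for the Delete/Remove stage of the lifecycle.
func (r *Registry) DueForDeletion(now time.Time) []string {
	var due []string
	for k, m := range r.items {
		if !m.Erased && !m.RetainUntil.IsZero() && !now.Before(m.RetainUntil) {
			due = append(due, k)
		}
	}
	sort.Strings(due)
	return due
}

// MarkErased records that the operational system has actually deleted the value.
func (r *Registry) MarkErased(system, recordID, field string) bool {
	m, ok := r.items[metaKey(system, recordID, field)]
	if ok {
		m.Erased = true
	}
	return ok
}

// SampleRegistry is constructed data: one person held in two systems under one
// consent, plus a special-category record whose retention date has passed.
func SampleRegistry() *Registry {
	keep := time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)
	r := NewRegistry()
	r.Put(GDPRMetadata{System: "crm", RecordID: "P-1", Field: "email", Personal: true, ConsentID: "C-1", RetainUntil: keep})
	r.Put(GDPRMetadata{System: "billing", RecordID: "A-77", Field: "home_address", Personal: true, ConsentID: "C-1", RetainUntil: keep})
	r.Put(GDPRMetadata{System: "crm", RecordID: "P-2", Field: "health_note", Personal: true, Sensitive: true, ConsentID: "C-2",
		RetainUntil: time.Date(2017, 6, 30, 0, 0, 0, 0, time.UTC)})
	return r
}

func main() {
	now := time.Date(2018, 3, 28, 0, 0, 0, 0, time.UTC)
	r := SampleRegistry()
	fmt.Println(r.MayProcess("crm", "P-1", "email", now))
	fmt.Println("withdrawn:", r.WithdrawConsent("C-1"))
	fmt.Println(r.MayProcess("billing", "A-77", "home_address", now))
	fmt.Println("due for deletion:", r.DueForDeletion(now))
}
```

The register never touches the personal data itself, only metadata keyed by system, record and field; the operational systems still have to do the actual deletion and report back through MarkErased, which is the reconciliation problem the slide mentions.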
95. Implementing Pseudonymisation
• Pseudonymisation, as defined in Article 4(5), is processing personal data so that it can no longer be attributed to a specific person without the use of additional information, where that additional information is kept separately and protected by technical and organisational measures
• Direct data access is replaced by indirect data access that requires some form of key, held separately from the personal data, to translate the data back into an attributable form
• Implementing pseudonymisation is complex
• Remember: pseudonymisation is not a mandatory GDPR requirement, but Articles 25 and 32 name it as an example of an appropriate measure, and pseudonymised data remains personal data (Recital 26), so it does not take the data out of scope
96. Pseudonymisation
• Pseudonymisation is widely used for research data containing personal information (such as medical trials)
− https://www.openpseudonymiser.org/
• There the data volumes are small and pseudonymisation is performed in batch
• That approach is not really suitable or scalable for an operational business personal data processing environment
97. Encryption And Key Pairs
• Based on public-key cryptography, with key distribution and trust handled by a PKI (Public Key Infrastructure)
• Based on key pairs
• Each data sender and receiver gets a pair of keys:
− Public Key
− Private Key
• The public keys are published and the private keys are kept secret
• Communications involve only public keys; no private key is ever transmitted or shared
• Anyone can encrypt with the public key; only the holder of the matching private key can decrypt
• The converse operation, applying the private key to data so that anyone with the public key can check the result, is a digital signature: it proves origin and integrity but hides nothing
98. Key Pairs
(Diagram: the four keys, Public Key of Data Application, Private Key of Data Application, Public Key of Data Store and Private Key of Data Store, with callouts marking what the Data Application knows and what the Data Store knows; each party must hold its own private key and only the other party's public key)
99. Pseudonymisation And Key-Based Encryption
• Pseudonymisation can be implemented using a single key pair or two key pairs
• Single key pair
− The encryption facility encrypts data using the data store's public key and decrypts it using the matching private key
− The public key and the private key are held separately; the private key never sits with the stored data
• Two key pairs
− The data is encrypted with the public key of the data store and the result is signed with the private key of the data application ("encrypting with the private key", as the slides put it, is in practice a digital signature: anyone holding the application's public key can verify it, so it adds authenticity and integrity, not secrecy)
− On read, the data store's private key decrypts and the application's public key verifies the signature
− Again, public and private keys are kept separate
• In practice public-key algorithms are not applied to bulk data directly: each record is encrypted with a fresh symmetric key and only that key is encrypted with the public key, as described on the separate-encryption slide that follows
100. Pseudonymisation And Single Key Pair
(Diagram, left, "Direct Data Access – No Encryption": an IT System Person table holding Personal Data Field 1 and 2 for Person 1 to 3 in clear (Data 1 P 1, Data 2 P 1 and so on); caption: lose or allow access to this and the personal data can be read by anyone. Right, "Direct Data Access – Encryption": the same table holding ciphertext values, with an Encryption/Decryption Layer in front of it; caption: lose or allow access to this and the personal data cannot be read without the ability to decrypt. Steps: 1. the system retrieves the encryption public key; 2. encrypted data is written using the public key; 3. encrypted data is decrypted using the private key; 4. decrypted data is available for use)
101. Pseudonymisation Using Separate Encryption
• This involves application-level encryption combined with the Data Store key (hybrid, or envelope, encryption):
− The Data Application generates a random symmetric key (the "random characters" of the original slide must come from a cryptographic random number generator, never from a general-purpose one)
− The Data Application encrypts the data with that symmetric key, using an authenticated mode such as AES-GCM so that tampering with the stored ciphertext is detected
− The Data Application encrypts the symmetric key with the Data Store public key
− The encrypted data and the encrypted key are combined into the item sent to the Data Store
(Diagram: a Public Key Store supplying the Data Store's public key, the four steps numbered 1 to 4, and sample hex ciphertext values)
102. Key Encryption With Key Pairs
(Diagram: a Data Read and Write Layer between the Data Application and the Data Store. Write path: unencrypted data is encrypted with the Public Key of the Data Store and then signed ("encrypted") with the Private Key of the Data Application. Read path: the stored data is decrypted with the Private Key of the Data Store and verified ("decrypted") with the Public Key of the Data Application, yielding the decrypted data)
103. Pseudonymisation With Separate Keys For Each Individual Person - Write
(Diagram: a table of Person Identifier to Person Public Key and a separate table of Person Identifier to Person Private Key, the Data Application with its own Public Key and Private Key, and the Data Store. Write Data for Person 1: Step 1, encrypt with the Person 1 public key; Step 2, sign with the Data Application private key (labelled "Encrypt With Application Private Key" on the slide); the encrypted data is written to the Data Store)
• Caveat: the table of per-person private keys is the single most valuable asset in this design; if it is stored beside the data, or is reachable with the same credentials, the separation that makes this pseudonymisation rather than plain storage is lost
104. Pseudonymisation With Separate Keys For Each Individual Person - Read
(Diagram: the same key tables, Data Application and Data Store. Step 1, request data for Person 1; Step 2, the Data Store returns the encrypted data and its signature is verified with the Data Application public key (labelled "Encrypt With Data Application Public Key" on the slide); Step 3, decrypt with the Person 1 private key; the decrypted data is returned to the application)
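The write and read paths of the two preceding slides and of the separate-encryption slide, as an added example in Go using only the standard library (this is not code from the original presentation). A fresh 256-bit AES-GCM key per record plays the part of the per-person key, the Data Store's RSA public key wraps that key with OAEP, and the Data Application signs the whole envelope with RSA-PSS, which is what "encrypting with the application's private key" amounts to. The Envelope layout, the function names and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the Data Application writes to the Data Store for one
// record. The wire format and names are this example's own assumptions.
type Envelope struct {
	WrappedKey []byte // per-record AES key, RSA-OAEP encrypted to the Data Store
	Nonce      []byte // AES-GCM nonce, fresh for every record
	Ciphertext []byte // AES-GCM output with its authentication tag appended
	Signature  []byte // RSA-PSS by the Data Application over the three fields above
}

func digest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the write path: a fresh key per record (the "separate key for each
// person"), the record encrypted under it, the key wrapped with the Data Store
// public key, and the envelope signed with the Data Application private key.
func Seal(record []byte, storePub *rsa.PublicKey, appPriv *rsa.PrivateKey) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, record, nil)}
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, storePub, dataKey, nil); err != nil {
		return nil, err
	}
	e.Signature, err = rsa.SignPSS(rand.Reader, appPriv, crypto.SHA256, digest(e), nil)
	return e, err
}

// Open is the read path: verify that the Data Application wrote the envelope,
// unwrap the record key with the Data Store private key, then decrypt. Any
// change to the stored bytes fails either the signature or the GCM tag.
func Open(e *Envelope, storePriv *rsa.PrivateKey, appPub *rsa.PublicKey) ([]byte, error) {
	if err := rsa.VerifyPSS(appPub, crypto.SHA256, digest(e), e.Signature, nil); err != nil {
		return nil, errors.New("envelope was not signed by the data application")
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, storePriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// RoundTrip generates both key pairs, seals a record, opens it again, and
// checks that a one-bit change to the stored ciphertext is rejected on read.
func RoundTrip(record []byte) (plain []byte, tamperedRejected bool, err error) {
	storeKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	appKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	e, err := Seal(record, &storeKey.PublicKey, appKey)
	if err != nil {
		return nil, false, err
	}
	if plain, err = Open(e, storeKey, &appKey.PublicKey); err != nil {
		return nil, false, err
	}
	bad := *e
	bad.Ciphertext = append([]byte(nil), e.Ciphertext...)
	bad.Ciphertext[0] ^= 1
	_, terr := Open(&bad, storeKey, &appKey.PublicKey)
	return plain, terr != nil, nil
}

func main() {
	plain, rejected, err := RoundTrip([]byte("Person 1, Data 1 P 1")) // constructed record
	fmt.Printf("%s, tampered copy rejected: %v, err: %v\n", plain, rejected, err)
}
```

The point the slides make about separation holds here: the Data Store private key and the Data Application private key are the two things that must never sit next to the envelopes, and losing the envelopes alone yields only ciphertext and wrapped keys.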
105. Pseudonymisation And Data Breaches
• Pseudonymisation means removing the direct link between data and its attribution to a specific individual
− Direct data access is replaced with indirect data access that requires some form of key, held separately from the personal data, to translate the personal data into a usable format
− Adds a layer of complexity, time and expense to person identification
− There is still an indirect link, so the data is usable
− Data is not being anonymised
• There are many (complex) approaches to pseudonymisation
• Pseudonymisation provides an extra layer of security
− It does not in itself stop personal data being lost
− It just reduces the likelihood that lost or leaked personal data can be read – both the encrypted data and the means to decrypt it must be lost or leaked
106. Implementing Pseudonymisation
• Potentially complex and expensive, depending on the implementation approach
− Pseudonymise at the level of the database of all data
− Pseudonymise at the level of the individual data record
• Multiple implementation options and approaches
− Use encryption facilities provided by the data store (such as database software)
− Use single key pair encryption for all data
− Use two key pair encryption for all data
− Use single key pair encryption for each data record
− Use two key pair encryption for each data record
107. How Far To Pseudonymise?
• What identifies a person
− Name
− Address
− Sex on its own does not identify a person uniquely
− Sex + Date Of Birth could
− Sex + Date Of Birth + City could further
− Image or video recording
− Recording of telephone call
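A check for slide 107's point that attribute combinations, not single attributes, identify people, as an added example in Go rather than anything from the deck: it counts how many records in a constructed sample are the only record with their values for a chosen set of fields. `Person`, `Sample` and `Singletons` are names chosen here, and the sample data is invented.

```go
package main

import "strings"
// Person is a constructed record holding the indirect identifiers slide 107 lists.
type Person struct{ Name, Sex, DOB, City string }
// Sample is a small dataset constructed for this example; it is not real data.
var Sample = []Person{
	{"A", "F", "1980-01-01", "Dublin"},
	{"B", "F", "1980-01-01", "Cork"},
	{"C", "M", "1980-01-01", "Dublin"},
	{"D", "F", "1975-06-30", "Dublin"},
	{"E", "M", "1980-01-01", "Dublin"},
	{"F", "F", "1980-01-01", "Dublin"},
}
// fieldValue returns the named indirect identifier of p; Name is left out on purpose.
func fieldValue(p Person, field string) string {
	switch field {
	case "Sex":
		return p.Sex
	case "DOB":
		return p.DOB
	case "City":
		return p.City
	}
	return ""
}
// Singletons counts records that no other record matches on the given fields:
// each such record is picked out by that combination of attributes alone.
func Singletons(people []Person, fields ...string) int {
	keyOf := func(p Person) string {
		parts := make([]string, len(fields))
		for i, f := range fields {
			parts[i] = fieldValue(p, f)
		}
		return strings.Join(parts, "|")
	}
	groups := map[string]int{}
	for _, p := range people {
		groups[keyOf(p)]++
	}
	unique := 0
	for _, p := range people {
		if groups[keyOf(p)] == 1 {
			unique++
		}
	}
	return unique
}
```

On the sample, Sex alone singles out nobody, Sex + DOB singles out one record and Sex + DOB + City two, which is the escalation the slide describes; a field combination that leaves singletons is one that still needs pseudonymising.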
108. GDPR Compliance Management
• A separate system approach can be extended to provide additional facilities for some or all of:
− Define and manage business processes that use personal data
− Log requests of various types and their processing
− Continuously monitor operational systems to identify changes in personal data
− Log details of personal data audits and DPIAs
− Data breach management
− Personal data access portal
− Case management for GDPR work with workflow and tracking
• There are software vendors that offer compliance solutions providing some or all of this range of functions
− However, the market is still embryonic and the optimum approach to achieving GDPR compliance is still uncertain
− Investing in such technologies now may be premature
− Vendors and developers of existing software products classified as Master Data Management (MDM) or Data Integration Hubs offer similar facilities that may also be used
109. GDPR Compliance Management
• A separate compliance management system can implement the required operational processes
• It can include the functions of Consolidated Personal Data Management to hold details of where personal data is held
[Diagram: IT System 1 and IT System 2 data stores (Person, Personal Data Field 1, Personal Data Field 2 for Person 1 to Person 3, with GDPR Details recorded per field in IT System 1) feeding a GDPR Compliance Management system that holds a consolidated Person table, Business Process 1, Business Process 2 and a Request Manager]
