SO
Uploaded byStephen Owen
935 views

Data privacy impact assessment

The document is a practical guide for conducting a Data Privacy Impact Assessment (DPIA) to ensure compliance with GDPR and assess risks associated with personal data processing. It outlines steps for preparation, discovery, and remediation, emphasizing the importance of involving stakeholders and following best practices to mitigate privacy risks. Failing to perform a DPIA when necessary can lead to significant fines from supervisory authorities.

Embed presentation

Downloaded 45 times
DATA PRIVACY IMPACT ASSESSMENT A PRACTICAL GUIDE FOR PERFORMING CLOUD SECURITY & DATA PRIVACY ARCHITECT PROFESSIONAL FELLOW OF INFORMATION PRIVACY◉ CISSP ◉ CCSK◉ AWS-CSA(PROF) ◉ FIP CIPP/E CIPM STEPHEN OWEN
COUNTDOWN TO MAY 25TH WHY PERFORM A DPIA ? ◉ HELPS ASSESS THE IMPACT OF PROCESSING PERSONAL DATA ◉ REQUIRED WHEN PROCESSING IS LIKELYTO RESULT IN HIGH RISKTO INDIVIDUALS’ RIGHTS & FREEDOMS ◉ NOT MANDATORY FOR ALL PROCESSING OPERATIONS BY GOOD PRACTICE Under the GDPR, non compliance with DPIA requirements can lead to significant fines imposed by ICO or other EU lead supervisory authorities A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of an individual
WHY ELSE PERFORM A DPIA ? DEMONSTRATE POSITIVESTEPS TOWARDS COMPLIANCE ◉ AIDS OPERATION OF YOUR INFORMATION SECURITY MANAGEMENT SYSTEM ◉STIMULATES CLARITY, RELEVANCE AND CURRENCY DPIA ROI INVENTORY VENDOR CONTRACTS RETENTION PERIODS PRIVACYNOTICES SECURITYCONTROLS VENDOR RISK ASSESSMENTS SUBJECT ACCESS REQUESTS PROCESSING REASONS PRIVACY DEBT REGISTER& RISKLOG CONSENT
GET HELP FROM CERTIFIED PROFESSIONALS!! PREPARATION ◉ LISTVENDORS WHO ACCESS OR PROCESS PERSONAL DATA YOU CONTROL ◉ IDENTIFY DATACUSTODIANS ◉ COMPARTMENTALISE INTERNAL SYSTEMS ◉ PERSONAL / SENSITIVE DATA ◉ NUMBER OF RECORDS & RETENTION PERIODS ◉ TYPE OF PROCESSING ACTIVITES SPEND PROPORTIONALTIME ◉ SECURITY POSTURE ◉ DEVISE METRICS & SCORING MATRIX
MAPPING DATA FLOWS DISCOVERY ◉ USE PLAIN LANGUAGE IN COMMMUNICATIONS AND QUESTIONNAIRES DISCOVERYSCOPETOPICS ◉ WHO WHAT WHY WHEN WHERE HOW ◉ CONSIDER GEOGRAPHIES – WHERE DOES MY DATA FLOW ◉ HOW IS DATA USED? ◉ HAS DATA BEEN ENRICHED WITH OTHER DATA? ◉ RETENTION POLICES & PERIODS ◉ TYPES & LOCATIONS OF STORAGE ◉ WHAT SECURITY CONTROLS PROTECTING DATA ◉ ADEQUATE CONTRACTUAL CLAUSES
DISCOVERY RESULTS OBSERVATIONS ◉ IS DATA COLLECTED EXCESSIVE◉ NECESSARY◉ RELEVANT FOR PURPOSE? ◉ IS PROCESSED DATA ADEQUATE◉ ACCURATE◉ UP TO DATE? ◉ IS DATA RETENTION LEGITIMATE & APPROPRIATE? ◉ IS PERSONALINFORMATIONUSEDIN A WAY EXPECTEDBY THE INDIVIDUAL ◉ ARE SUBJECT ACCESS REQUEST PROCESSES IN PLACE & ADEQUATE? ◉ IS CONSENT FREELY GIVEN & RECORDED? ◉ ARE TECHNICAL CONTROLS APPROPRIATE & ADEQUATE? ◉ IS THERE A FORMAL PROCESS FOR PRIVACY TRAINING AND AWARENESS? ◉ IS DATA ACCESS RECORDED? ◉ INFORMATION CLASSIFICATION & DISCLOSURE CONTROLS?
TAKE REASONABLE STEPS REMEDIATION ◉ REDUCE PRIVACY RISK ◉ ELIMINATE ◉ REDUCE ◉ ACCEPT ◉PRIORITISE DISCOVERY RESULTSINTO ACTIONS ◉POST IMPLEMENTATION GAP ANALYSIS FOR RESIDUAL PRIVACY RISK ◉ OBTAIN SIGN-OFFBEFORE REMEDIATION ◉ FLAG REMEDIATION RAG STATUS TO SENIOR STAKEHOLDERS
TAKE A HOLISTIC APPROACH TOP TIPS ◉ USE EXISTING ORGANISATIONAL TAXONOMIES & ARCHITECURE ARTIFACTS ◉CONSIDER SWIM-LANES DIAGRAMS FOR SENSITIVE DATA ◉ADAPT APPROACH FROM DISCOVERY RESULTS ◉ENGAGE STAKEHOLDERS EARLY IN THE PROCESS EMBED IN TO BAU ◉ COLLABORATE WITH INTERNAL STAKEHOLDERS AT CONCEPT ◉EMPLOY PRIVACY-BY-DESIGN ◉ PLAN & SCHEDULE VENDOR ASSESSMENT REVIEWS ◉CAPTURE CHANGES ◉ VENDOR ◉ SYSTEMS ◉PLAN & SCHEDULE VENDOR CONTRACT REVIEWS
QUESTIONS & FEEDBACK CLOUD SECURITY & DATA PRIVACY ARCHITECT PROFESSIONAL FELLOW OF INFORMATION PRIVACY◉ CISSP ◉ CCSK◉ AWS-CSA(PROF) ◉ FIP CIPP/E CIPM STEPHEN OWEN

More Related Content

PPTX
SOC 2 presentation. Overview of SOC 2 assessment
byModu9
 
PDF
𝐃𝐫𝐚𝐟𝐭 𝐃𝐏𝐃𝐏 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐑𝐞𝐠𝐮𝐥𝐚𝐭𝐢𝐨𝐧𝐬 (𝟐𝟎𝟐𝟓)
byMansi Kandari
 
PPTX
DPIA
byMartyn Ripley
 
PPTX
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
PDF
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
PDF
ISMS_of ISO 27001-2022-awareness training
byHananZayed4
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PPTX
GDPR Presentation slides
byNaomi Holmes
 
SOC 2 presentation. Overview of SOC 2 assessment
byModu9
 
𝐃𝐫𝐚𝐟𝐭 𝐃𝐏𝐃𝐏 𝐏𝐫𝐢𝐯𝐚𝐜𝐲 𝐑𝐞𝐠𝐮𝐥𝐚𝐭𝐢𝐨𝐧𝐬 (𝟐𝟎𝟐𝟓)
byMansi Kandari
 
DPIA
byMartyn Ripley
 
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
ISMS_of ISO 27001-2022-awareness training
byHananZayed4
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
GDPR Presentation slides
byNaomi Holmes
 

What's hot

PDF
ISO 27001:2022 What has changed.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
ISO 27701
byUtkarshDhiman4
 
PPTX
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
PDF
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
PPT
Isms awareness training
bySAROJ BEHERA
 
PDF
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
byPriyanka Aash
 
PDF
Common Practice in Data Privacy Program Management
byEryk Budi Pratama
 
PDF
ISO 27001 (v2013) Checklist
byIvan Piskunov
 
PDF
Personal Data Protection in Indonesia
byEryk Budi Pratama
 
PPTX
Information Security Governance and Strategy
byDam Frank
 
PDF
Fraud Risk Assessment- detection and prevention- Part- 2,
byTahir Abbas
 
PDF
Privacy-ready Data Protection Program Implementation
byEryk Budi Pratama
 
PPTX
Iso 27001 isms presentation
byMidhun Nirmal
 
PDF
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
byEryk Budi Pratama
 
PPTX
Data Protection Officer Dashboard | GDPR
byCorporater
 
PPTX
All you wanted to know about iso 27000
byRamana K V
 
PDF
Isms awareness presentation
byPranay Kumar
 
PDF
Everything you Need to Know about The Data Protection Officer Role
byHackerOne
 
PDF
ISO 27001 ISMS MEASUREMENT
byGaffri Johnson
 
PDF
What about GDPR?
byMartin Hawksey
 
ISO 27001:2022 What has changed.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27701
byUtkarshDhiman4
 
CISSP - Chapter 1 - Security Concepts
byKarthikeyan Dhayalan
 
ISO 27001_2022 Standard_Presentation.pdf
bySerkanRafetHalil1
 
Isms awareness training
bySAROJ BEHERA
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
byPriyanka Aash
 
Common Practice in Data Privacy Program Management
byEryk Budi Pratama
 
ISO 27001 (v2013) Checklist
byIvan Piskunov
 
Personal Data Protection in Indonesia
byEryk Budi Pratama
 
Information Security Governance and Strategy
byDam Frank
 
Fraud Risk Assessment- detection and prevention- Part- 2,
byTahir Abbas
 
Privacy-ready Data Protection Program Implementation
byEryk Budi Pratama
 
Iso 27001 isms presentation
byMidhun Nirmal
 
Enabling Data Governance - Data Trust, Data Ethics, Data Quality
byEryk Budi Pratama
 
Data Protection Officer Dashboard | GDPR
byCorporater
 
All you wanted to know about iso 27000
byRamana K V
 
Isms awareness presentation
byPranay Kumar
 
Everything you Need to Know about The Data Protection Officer Role
byHackerOne
 
ISO 27001 ISMS MEASUREMENT
byGaffri Johnson
 
What about GDPR?
byMartin Hawksey
 

Similar to Data privacy impact assessment

PDF
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
How to Build a Privacy Program
bysecratic
 
PPTX
How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...
byAggregage
 
PDF
Operationalizing Privacy Impact Assessments(PIAs & DPIAs)
byraviishu kotnala
 
PPTX
Training Information Asset Owners
byTommy Vandepitte
 
PPTX
template ppt to design beautiful presesntation animation
byHarryEdward14
 
PDF
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
byAIIM International
 
PDF
What is a data protection impact assessment?
byInfinity Legal Solutions
 
PDF
What is a data protection impact assessment? what are the essential stages to...
byInfinity Legal Solutions
 
PPTX
Teradata's approach to addressing GDPR
byPaul O'Carroll
 
PDF
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
byCillian Kieran
 
DOCX
DPIA template
byTommy Vandepitte
 
PDF
Wayne richard - pia risk management - atlseccon2011
byAtlantic Security Conference
 
PPTX
Data protection within development
byowaspsuffolk
 
PPTX
Brussels Privacy Hub: SATORI and iTRACK
byTrilateral Research
 
PDF
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
byAIIM International
 
PPT
Module 5 - ASP Privacy Management Certfication.ppt
bytrevor501353
 
PPTX
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
byDelphix
 
PPTX
Assessing the impact of security services
byJisc
 
PPTX
ITIL CSI approach for PDPA Management
byHeng Meng Tan
 
All about a DPIA by Andrey Prozorov 2.0, 220518.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
How to Build a Privacy Program
bysecratic
 
How to Effectively Equip Your IG Program for the Perilous Journey Into the Fu...
byAggregage
 
Operationalizing Privacy Impact Assessments(PIAs & DPIAs)
byraviishu kotnala
 
Training Information Asset Owners
byTommy Vandepitte
 
template ppt to design beautiful presesntation animation
byHarryEdward14
 
[Webinar Slides] Data Privacy – Learn What It Takes to Protect Your Information
byAIIM International
 
What is a data protection impact assessment?
byInfinity Legal Solutions
 
What is a data protection impact assessment? what are the essential stages to...
byInfinity Legal Solutions
 
Teradata's approach to addressing GDPR
byPaul O'Carroll
 
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
byCillian Kieran
 
DPIA template
byTommy Vandepitte
 
Wayne richard - pia risk management - atlseccon2011
byAtlantic Security Conference
 
Data protection within development
byowaspsuffolk
 
Brussels Privacy Hub: SATORI and iTRACK
byTrilateral Research
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
byAIIM International
 
Module 5 - ASP Privacy Management Certfication.ppt
bytrevor501353
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
byDelphix
 
Assessing the impact of security services
byJisc
 
ITIL CSI approach for PDPA Management
byHeng Meng Tan
 

Recently uploaded

PDF
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
PDF
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
PDF
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
PDF
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Master the FME Connector for ArcGIS: Streamlined Data Management & Robust Met...
bySafe Software
 
Higgsfield AI: The New Way to Create Cinematic Video
bytechnologyupside
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
The CISO_Transformation_Playbook From Cost Centre to Chief Trust Officer
bysajjasridhar1990
 

Data privacy impact assessment

  • 1.
    DATA PRIVACY IMPACT ASSESSMENT APRACTICAL GUIDE FOR PERFORMING CLOUD SECURITY & DATA PRIVACY ARCHITECT PROFESSIONAL FELLOW OF INFORMATION PRIVACY◉ CISSP ◉ CCSK◉ AWS-CSA(PROF) ◉ FIP CIPP/E CIPM STEPHEN OWEN
  • 2.
    COUNTDOWN TO MAY25TH WHY PERFORM A DPIA ? ◉ HELPS ASSESS THE IMPACT OF PROCESSING PERSONAL DATA ◉ REQUIRED WHEN PROCESSING IS LIKELYTO RESULT IN HIGH RISKTO INDIVIDUALS’ RIGHTS & FREEDOMS ◉ NOT MANDATORY FOR ALL PROCESSING OPERATIONS BY GOOD PRACTICE Under the GDPR, non compliance with DPIA requirements can lead to significant fines imposed by ICO or other EU lead supervisory authorities A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of an individual
  • 3.
    WHY ELSE PERFORMA DPIA ? DEMONSTRATE POSITIVESTEPS TOWARDS COMPLIANCE ◉ AIDS OPERATION OF YOUR INFORMATION SECURITY MANAGEMENT SYSTEM ◉STIMULATES CLARITY, RELEVANCE AND CURRENCY DPIA ROI INVENTORY VENDOR CONTRACTS RETENTION PERIODS PRIVACYNOTICES SECURITYCONTROLS VENDOR RISK ASSESSMENTS SUBJECT ACCESS REQUESTS PROCESSING REASONS PRIVACY DEBT REGISTER& RISKLOG CONSENT
  • 4.
    GET HELP FROMCERTIFIED PROFESSIONALS!! PREPARATION ◉ LISTVENDORS WHO ACCESS OR PROCESS PERSONAL DATA YOU CONTROL ◉ IDENTIFY DATACUSTODIANS ◉ COMPARTMENTALISE INTERNAL SYSTEMS ◉ PERSONAL / SENSITIVE DATA ◉ NUMBER OF RECORDS & RETENTION PERIODS ◉ TYPE OF PROCESSING ACTIVITES SPEND PROPORTIONALTIME ◉ SECURITY POSTURE ◉ DEVISE METRICS & SCORING MATRIX
  • 5.
    MAPPING DATA FLOWS DISCOVERY ◉USE PLAIN LANGUAGE IN COMMMUNICATIONS AND QUESTIONNAIRES DISCOVERYSCOPETOPICS ◉ WHO WHAT WHY WHEN WHERE HOW ◉ CONSIDER GEOGRAPHIES – WHERE DOES MY DATA FLOW ◉ HOW IS DATA USED? ◉ HAS DATA BEEN ENRICHED WITH OTHER DATA? ◉ RETENTION POLICES & PERIODS ◉ TYPES & LOCATIONS OF STORAGE ◉ WHAT SECURITY CONTROLS PROTECTING DATA ◉ ADEQUATE CONTRACTUAL CLAUSES
  • 6.
    DISCOVERY RESULTS OBSERVATIONS ◉ ISDATA COLLECTED EXCESSIVE◉ NECESSARY◉ RELEVANT FOR PURPOSE? ◉ IS PROCESSED DATA ADEQUATE◉ ACCURATE◉ UP TO DATE? ◉ IS DATA RETENTION LEGITIMATE & APPROPRIATE? ◉ IS PERSONALINFORMATIONUSEDIN A WAY EXPECTEDBY THE INDIVIDUAL ◉ ARE SUBJECT ACCESS REQUEST PROCESSES IN PLACE & ADEQUATE? ◉ IS CONSENT FREELY GIVEN & RECORDED? ◉ ARE TECHNICAL CONTROLS APPROPRIATE & ADEQUATE? ◉ IS THERE A FORMAL PROCESS FOR PRIVACY TRAINING AND AWARENESS? ◉ IS DATA ACCESS RECORDED? ◉ INFORMATION CLASSIFICATION & DISCLOSURE CONTROLS?
  • 7.
    TAKE REASONABLE STEPS REMEDIATION ◉REDUCE PRIVACY RISK ◉ ELIMINATE ◉ REDUCE ◉ ACCEPT ◉PRIORITISE DISCOVERY RESULTSINTO ACTIONS ◉POST IMPLEMENTATION GAP ANALYSIS FOR RESIDUAL PRIVACY RISK ◉ OBTAIN SIGN-OFFBEFORE REMEDIATION ◉ FLAG REMEDIATION RAG STATUS TO SENIOR STAKEHOLDERS
  • 8.
    TAKE A HOLISTICAPPROACH TOP TIPS ◉ USE EXISTING ORGANISATIONAL TAXONOMIES & ARCHITECURE ARTIFACTS ◉CONSIDER SWIM-LANES DIAGRAMS FOR SENSITIVE DATA ◉ADAPT APPROACH FROM DISCOVERY RESULTS ◉ENGAGE STAKEHOLDERS EARLY IN THE PROCESS EMBED IN TO BAU ◉ COLLABORATE WITH INTERNAL STAKEHOLDERS AT CONCEPT ◉EMPLOY PRIVACY-BY-DESIGN ◉ PLAN & SCHEDULE VENDOR ASSESSMENT REVIEWS ◉CAPTURE CHANGES ◉ VENDOR ◉ SYSTEMS ◉PLAN & SCHEDULE VENDOR CONTRACT REVIEWS
  • 9.
    QUESTIONS & FEEDBACK CLOUDSECURITY & DATA PRIVACY ARCHITECT PROFESSIONAL FELLOW OF INFORMATION PRIVACY◉ CISSP ◉ CCSK◉ AWS-CSA(PROF) ◉ FIP CIPP/E CIPM STEPHEN OWEN