SlideShare a Scribd company logo

EU GDPR: The role of the data protection officer

Download as PPTX, PDF
IT Governance Ltd
IT Governance Ltd

This webinar covers: - An overview of the regulatory landscape - Territorial scope - Remedies, liabilities and penalties - Security of personal data - Data protection officer View the webinar here: https://www.youtube.com/watch?v=u285y9hhgOo

Business
1 of 26
The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Introduction • Adrian Ross • GRC consultant – Infrastructure services – Business process re-engineering – Business intelligence – Business architecture – Intellectual property – Legal compliance – Data protection and information security – Enterprise risk management 2
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 IT Governance Ltd: GRC One-stop shop All verticals, all sectors, all organisational sizes
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Agenda • An overview of the regulatory landscape • Territorial scope • Remedies, liabilities and penalties • Security of personal data • Data protection officer 4
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 The nature of European law • Two main types of legislation: – Directives º Require individual implementation in each Member State º Implemented by the creation of national laws approved by the parliaments of each Member State º European Directive 95/46/EC is a Directive º UK Data Protection Act 1998 – Regulations º Immediately applicable in each Member State º Require no local implementing legislation º EU GDPR is a Regulation
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Article 99: Entry into force and application This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES • On 8 April 2016 the Council adopted the Regulation. • On 14 April 2016 the Regulation was adopted by the European Parliament. • On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. • The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. • http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final Text of the Directive: http://data.consilium.europa.eu/doc/document/ST- 5419-2016-REV-1/en/pdf
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Articles 1 – 3: Who, and where? • Natural person = a living individual • Natural persons have rights associated with: – The protection of personal data – The protection of the processing personal data – The unrestricted movement of personal data within the EU • In material scope: – Personal data that is processed wholly or partly by automated means; – Personal data that is part of a filing system, or intended to be. • The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. • It applies to controllers not in the EU
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Remedies, liabilities and penalties • Natural Persons have rights – Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. – Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. – Controller involved in processing shall be liable for damage caused by processing. • Administrative fines – Imposition of administrative fines will in each case be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; – € 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year – € 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data breaches in the UK • January to March 2016 - 448 new cases • Data breaches by sector – Health (184) – Local government (43) – Education (36) – General business (36) – Finance, insurance and credit (25) – Legal (25) – Charitable and voluntary (23) – Justice (18) – Land or property services (17) – Other (41) Source: UK Information Commissioner’s Office
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Key facts about cyber breaches Which organisations suffered data breaches in 2015? • 69% of large organisations • 38% of small organisation What was the median number of breaches per company? • Large organisations: 14 • Small organisations: 4 What was the average cost of the worst single breach? • Large organisations: £1.46m - £3.14m • Small organisations: £75k - £311k What will happen next year? • 59% of respondents expect more breaches this year than last • PwC and BIS: 2015 ISBS Survey 10 60% of breached small organisations close down within 6 months – National Cyber Security Alliance
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 What sorts of breaches? Of Large Organisations: • External attack – 69% • Malware or viruses – 84% • Denial of service – 37% • Network penetration (detected) – 37% – (if you don’t think you’ve been breached, you’re not looking hard enough) • Know they’ve suffered IP theft – 19% • Staff-related security breaches – 75% • Breaches caused by inadvertent human error – 50% 11 PwC and BIS: 2015 ISBS Survey
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Article 33: Personal data breaches • The definition of a personal data breach in GDPR: – A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • DPOs appointed in three situations: – Where the processing is carried out by a public body; – Where core activities require regular and systematic monitoring of personal data on a large scale; – Where core activities involve large-scale processing of sensitive personal data. Module IV
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • Article 37: Designation of the data protection officer – Group undertakings can appoint a single DPO – Where controller or processor is a public authority a single DPO may be appointed for several such authorities depending on structure and size – DPO can represent categories of controllers and processors – DPO designated on the basis of professional qualities and knowledge of data protection law, but not legally qualified – May fulfill the role as part of a service contract – Controller or processor must publish DPO and notify supervisory authority
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 38: Position of the data protection officer – Controller and processor must ensure proper and timely involvement of the DPO – Controller and processor must provide support through necessary resources – DPO has a large degree of independence – Protected role within the organisation – Direct access to highest management – Data subject has clear access to DPO – Bound by confidentiality in accordance with EU law – No conflict of interest arising from additional tasks or duties Module IV
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 39: Tasks of the data protection officer: – to inform and advise of obligations; – to monitor compliance; – to provide advice with regard to data protection impact assessments; – to monitor performance – to cooperate with the supervisory authority; – to liaise with the supervisory authority; – to have due regard to risk associated with processing operations. To advise on data protection impact assessments Module IV
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • The controller shall seek the advice of the DPO – where a process is using new technologies, and taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons – DPIA is particularly required where: º Taking into account automated processing including profiling there are legal effects concerning natural persons; º The processing is on a large scale of special categories of data or personal data related to criminal convictions; º A systematic monitoring of publicly accessible area on a large scale.
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • A data protection impact assessment shall contain the following: – a systematic description of the purposes and means of the processing: – any legitimate interest pursued by the controller; – an assessment of the necessity and proportionality of the processing operations; – an assessment of the risks to the rights and freedoms of data subjects; – the measures envisaged to address the risks; – adherence to approved codes of conduct; – any consultation with data subjects on intended processing; – any processing in relation to a law to which the controller is subject; – any processing that changes the risk profile.
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Prior consultation • Article 36: Prior consultation • Controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”: – Supervisory authority shall provide written advice to the controller – Request for controller to provide further information – Information on purposes and means – Information on measures and safeguards – The contact details of the DPO – A copy of the data protection impact assessment – Any other information requested
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • The realities of the role of the data protection officer – Legal knowledge of data protection Regulation is not enough – Must also have information security knowledge and skills – An understanding of how to deliver C, I and A within a management framework – A good understanding of risk management and risk assessments – Familiarity with and adherence to codes of conduct for industry sector – A good understanding of compliance standards and data marks – Able to carry out and interpret internal audits information security standard – Understand and be able to articulate privacy by design to delivery functions – Able to coordinate and advise on data breaches and notification – Able to make a cyber security incident response process work. – Leads co-operation with supervisory authority
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • Where does the role sit within the organisation – Outside delivery functions of IT or Business – The role is about delivering compliance – You cant have compliance under the direction of the delivery team – The DPO should sit within a Risk, Compliance or Governance function. – Independent of the business with direct access to the Board – An effective DPO should ensure that Data Protection is on Board Agenda – Company Directors now being considered personally liable for Data Breaches – Begin with EU GDPR Foundation Course
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 GDPR - Summary • Complete overhaul of data protection framework – Covers all forms of PII, including biometric, genetic and location data • Applies across all member states of the European Union • Applies to all organisations processing the data of EU citizens – wherever those organisations are geographically based • Specific requirements around rights of data subjects, obligations on controllers and processors, including privacy by design • Administrative penalties for breach up to 4% revenue or €20 million – Intended to be “dissuasive” • Data subjects have a right to bring actions (in their home state) and to receive damages if their human rights have been breached • Fines to take into account “the technical and organisational measures implemented…”
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Information security Processes People Technology
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Cyber security assurance • GDPR requirement – data controllers must implement: – “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation.” – Must include appropriate data protection policies – Organizations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations” – ICO and BSI are both developing new GDPR-focused standards • ISO 27001 already meets the “appropriate technical and organisational measures” requirement • It provides assurance to the board that data security is being managed in accordance with the regulation • It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 IT Governance: GDPR one-stop shop • Accredited training – 1-Day Foundation Course – London OR Cambridge: http://www.itgovernance.co.uk/shop/p-1795-certified-eu- general-data-protection-regulation-foundation-gdpr-training-course.aspx – ONLINE http://www.itgovernance.co.uk/shop/p-1834-certified-eu-general-data- protection-regulation-foundation-gdpr-online-training-course.aspx • Practitioner course, classroom or online – www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protection- regulation-practitioner-gdpr-training-course.aspx • Pocket guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx • Documentation toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-data- protection-regulation-gdpr-documentation-toolkit.aspx • Consultancy support – Data audit – Transition/implementation consultancy – www.itgovernance.co.uk/dpa-compliance-consultancy.aspx
TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk

Recommended

Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Mark Honeyball
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?IT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPRIT Governance Ltd
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance IT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersIT Governance Ltd
 

Recommended

Revising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRRevising policies and procedures under the new EU GDPR
Revising policies and procedures under the new EU GDPRIT Governance Ltd
 
Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Mark Honeyball
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?Accountability under the GDPR: What does it mean for Boards & Senior Management?
Accountability under the GDPR: What does it mean for Boards & Senior Management?IT Governance Ltd
 
Appointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRAppointing a Data Protection Officer under the GDPR
Appointing a Data Protection Officer under the GDPRIT Governance Ltd
 
Data Breaches and the EU GDPR
Data Breaches and the EU GDPRData Breaches and the EU GDPR
Data Breaches and the EU GDPRIT Governance Ltd
 
The first steps towards GDPR compliance 
The first steps towards GDPR compliance The first steps towards GDPR compliance 
The first steps towards GDPR compliance IT Governance Ltd
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingIT Governance Ltd
 
GDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersGDPR: Requirements for Cloud Providers
GDPR: Requirements for Cloud ProvidersIT Governance Ltd
 
Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPRIT Governance Ltd
 
GDPR in practice
GDPR in practiceGDPR in practice
GDPR in practiceZoneFox
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...IT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshellInitio
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRIT Governance Ltd
 
20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is hereRichard Hogg,Global GDPR Offerings Evangelist
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for TechiesLilian Edwards
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017Cliff Ashcroft
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRHans Demeyer
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationRamiro Cid
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360DataStax
 

More Related Content

What's hot

GDPR in practice
GDPR in practiceGDPR in practice
GDPR in practiceZoneFox
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...IT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...IT Governance Ltd
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...IT Governance Ltd
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceIT Governance Ltd
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingIT Governance Ltd
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshellInitio
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceIT Governance Ltd
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?VYTIS MALECKAS
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRIT Governance Ltd
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...IT Governance Ltd
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017isc2-hellenic
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017Cliff Ashcroft
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRHans Demeyer
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection RegulationRamiro Cid
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 

What's hot (20)

Preparing for EU GDPR
Preparing for EU GDPRPreparing for EU GDPR
Preparing for EU GDPR
 
GDPR in practice
GDPR in practiceGDPR in practice
GDPR in practice
 
The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...The GDPR and its requirements for implementing data protection impact assessm...
The GDPR and its requirements for implementing data protection impact assessm...
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
 
NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...NY State's cybersecurity legislation requirements for risk management, securi...
NY State's cybersecurity legislation requirements for risk management, securi...
 
The GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for complianceThe GDPR’s impact on your business and preparing for compliance
The GDPR’s impact on your business and preparing for compliance
 
Privacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failingPrivacy and the GDPR: How Cloud computing could be your failing
Privacy and the GDPR: How Cloud computing could be your failing
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshell
 
Risk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR complianceRisk assessments and applying organisational controls for GDPR compliance
Risk assessments and applying organisational controls for GDPR compliance
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
Data transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPRData transfers to countries outside the EU/EEA under the GDPR
Data transfers to countries outside the EU/EEA under the GDPR
 
20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here20170323 are you ready the new gdpr is here
20170323 are you ready the new gdpr is here
 
Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...Addressing penetration testing and vulnerabilities, and adding verification m...
Addressing penetration testing and vulnerabilities, and adding verification m...
 
GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017GDPR Cyber Insurance 11/1/2017
GDPR Cyber Insurance 11/1/2017
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017EU General Data Protection Regulation - Update 2017
EU General Data Protection Regulation - Update 2017
 
Sophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPRSophie's Privacy - a story about GDPR
Sophie's Privacy - a story about GDPR
 
EU General Data Protection Regulation
EU General Data Protection RegulationEU General Data Protection Regulation
EU General Data Protection Regulation
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 

Similar to EU GDPR: The role of the data protection officer

Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRIT Governance Ltd
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360DataStax
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...IT Governance Ltd
 
Data Security Breach – knowing the risks and protecting your business
Data Security Breach – knowing the risks and protecting your businessData Security Breach – knowing the risks and protecting your business
Data Security Breach – knowing the risks and protecting your businessEversheds Sutherland
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideBlack Duck by Synopsys
 
eu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associateseu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associatesMohsin Termezy
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT LegalCyber Watching
 
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016bhalasz
 
EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)Napier University
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRIryna Chekanava
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceIT Governance Ltd
 
Ipswitch and cordery on the road " All you need to know about GDPR but are t...
Ipswitch and cordery on the road " All you need to know about GDPR but are t...Ipswitch and cordery on the road " All you need to know about GDPR but are t...
Ipswitch and cordery on the road " All you need to know about GDPR but are t...Sébastien Roques
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRCase IQ
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)RAKESH S
 
Big data minute privacy
Big data minute privacyBig data minute privacy
Big data minute privacyGuyVanderSande
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...CIO Edge
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRShadi A. Razak
 

Similar to EU GDPR: The role of the data protection officer (20)

Data Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPRData Flow Mapping and the EU GDPR
Data Flow Mapping and the EU GDPR
 
GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360GDPR: The Catalyst for Customer 360
GDPR: The Catalyst for Customer 360
 
Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...Legal obligations and responsibilities of data processors and controllers und...
Legal obligations and responsibilities of data processors and controllers und...
 
Data Security Breach – knowing the risks and protecting your business
Data Security Breach – knowing the risks and protecting your businessData Security Breach – knowing the risks and protecting your business
Data Security Breach – knowing the risks and protecting your business
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical GuideFLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 
eu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associateseu-market-access-gdpr-fundamentals-by-risk-associates
eu-market-access-gdpr-fundamentals-by-risk-associates
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
 
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
Fintech and Data Protection by Balint Halasz and Zoltan Tarjan 25 10 2016
 
The general data protection act overview
The general data protection act overviewThe general data protection act overview
The general data protection act overview
 
EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)EU Data Protection Legislation, Peter Ridley (HPE)
EU Data Protection Legislation, Peter Ridley (HPE)
 
CyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPRCyNation: 7 Things You Should Know about EU GDPR
CyNation: 7 Things You Should Know about EU GDPR
 
GDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to complianceGDPR challenges for the healthcare sector and the practical steps to compliance
GDPR challenges for the healthcare sector and the practical steps to compliance
 
Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...Using Social Business Software and being compliant with EU data protection la...
Using Social Business Software and being compliant with EU data protection la...
 
Ipswitch and cordery on the road " All you need to know about GDPR but are t...
Ipswitch and cordery on the road " All you need to know about GDPR but are t...Ipswitch and cordery on the road " All you need to know about GDPR but are t...
Ipswitch and cordery on the road " All you need to know about GDPR but are t...
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
Big data minute privacy
Big data minute privacyBig data minute privacy
Big data minute privacy
 
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
Digital Enterprise Festival Birmingham 13/04/17 - Ian West Cognizant VP Data ...
 
CyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPRCyNation - 7 things you should know about EU-GDPR
CyNation - 7 things you should know about EU-GDPR
 

More from IT Governance Ltd

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksIT Governance Ltd
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get startedIT Governance Ltd
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security cultureIT Governance Ltd
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardIT Governance Ltd
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...IT Governance Ltd
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeIT Governance Ltd
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurityIT Governance Ltd
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityIT Governance Ltd
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber securityIT Governance Ltd
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0IT Governance Ltd
 

More from IT Governance Ltd (10)

GDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risksGDPR compliance and information security: Reducing data breach risks
GDPR compliance and information security: Reducing data breach risks
 
Business Continuity Management: How to get started
Business Continuity Management: How to get startedBusiness Continuity Management: How to get started
Business Continuity Management: How to get started
 
Staff awareness: developing a security culture
Staff awareness: developing a security cultureStaff awareness: developing a security culture
Staff awareness: developing a security culture
 
GDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on boardGDPR compliance: getting everyone in the organisation on board
GDPR compliance: getting everyone in the organisation on board
 
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
Cyber Essentials plays a key role in the Cyber Resilience Strategy for Scotla...
 
Creating an effective cyber security awareness programme
Creating an effective cyber security awareness programmeCreating an effective cyber security awareness programme
Creating an effective cyber security awareness programme
 
Using international standards to improve US cybersecurity
Using international standards to improve US cybersecurityUsing international standards to improve US cybersecurity
Using international standards to improve US cybersecurity
 
Using international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber securityUsing international standards to improve Asia-Pacific cyber security
Using international standards to improve Asia-Pacific cyber security
 
Using international standards to improve EU cyber security
Using international standards to improve EU cyber securityUsing international standards to improve EU cyber security
Using international standards to improve EU cyber security
 
Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0Implementing PCI DSS v 2.0 and v 3.0
Implementing PCI DSS v 2.0 and v 3.0
 

Recently uploaded

Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchirictsugar
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...lizamodels9
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxMarkAnthonyAurellano
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...lizamodels9
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 

Recently uploaded (20)

Marketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent ChirchirMarketplace and Quality Assurance Presentation - Vincent Chirchir
Marketplace and Quality Assurance Presentation - Vincent Chirchir
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
Lowrate Call Girls In Sector 18 Noida ❤️8860477959 Escorts 100% Genuine Servi...
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptxContemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
Contemporary Economic Issues Facing the Filipino Entrepreneur (1).pptx
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
Call Girls In Radisson Blu Hotel New Delhi Paschim Vihar ❤️8860477959 Escorts...
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 

EU GDPR: The role of the data protection officer

  • 1. The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk
  • 2. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Introduction • Adrian Ross • GRC consultant – Infrastructure services – Business process re-engineering – Business intelligence – Business architecture – Intellectual property – Legal compliance – Data protection and information security – Enterprise risk management 2
  • 3. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 IT Governance Ltd: GRC One-stop shop All verticals, all sectors, all organisational sizes
  • 4. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Agenda • An overview of the regulatory landscape • Territorial scope • Remedies, liabilities and penalties • Security of personal data • Data protection officer 4
  • 5. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 The nature of European law • Two main types of legislation: – Directives º Require individual implementation in each Member State º Implemented by the creation of national laws approved by the parliaments of each Member State º European Directive 95/46/EC is a Directive º UK Data Protection Act 1998 – Regulations º Immediately applicable in each Member State º Require no local implementing legislation º EU GDPR is a Regulation
  • 6. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Article 99: Entry into force and application This Regulation shall be binding in its entirety and directly applicable in all Member States. KEY DATES • On 8 April 2016 the Council adopted the Regulation. • On 14 April 2016 the Regulation was adopted by the European Parliament. • On 4 May 2016, the official text of the Regulation was published in the EU Official Journal in all the official languages. • The Regulation entered into force on 24 May 2016, and applies from 25 May 2018. • http://ec.europa.eu/justice/data-protection/reform/index_en.htm Final Text of the Directive: http://data.consilium.europa.eu/doc/document/ST- 5419-2016-REV-1/en/pdf
  • 7. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Articles 1 – 3: Who, and where? • Natural person = a living individual • Natural persons have rights associated with: – The protection of personal data – The protection of the processing personal data – The unrestricted movement of personal data within the EU • In material scope: – Personal data that is processed wholly or partly by automated means; – Personal data that is part of a filing system, or intended to be. • The Regulation applies to controllers and processors in the EU irrespective of where processing takes place. • It applies to controllers not in the EU
  • 8. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Remedies, liabilities and penalties • Natural Persons have rights – Judicial remedy where their rights have been infringed as a result of the processing of personal data. º In the courts of the Member State where the controller or processor has an establishment. º In the courts of the Member State where the data subject habitually resides. – Any person who has suffered material, or non-material, damage shall have the right to receive compensation from the controller or processor. – Controller involved in processing shall be liable for damage caused by processing. • Administrative fines – Imposition of administrative fines will in each case be effective, proportionate, and dissuasive º taking into account technical and organisational measures implemented; – € 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year – € 20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year
  • 9. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data breaches in the UK • January to March 2016 - 448 new cases • Data breaches by sector – Health (184) – Local government (43) – Education (36) – General business (36) – Finance, insurance and credit (25) – Legal (25) – Charitable and voluntary (23) – Justice (18) – Land or property services (17) – Other (41) Source: UK Information Commissioner’s Office
  • 10. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Key facts about cyber breaches Which organisations suffered data breaches in 2015? • 69% of large organisations • 38% of small organisation What was the median number of breaches per company? • Large organisations: 14 • Small organisations: 4 What was the average cost of the worst single breach? • Large organisations: £1.46m - £3.14m • Small organisations: £75k - £311k What will happen next year? • 59% of respondents expect more breaches this year than last • PwC and BIS: 2015 ISBS Survey 10 60% of breached small organisations close down within 6 months – National Cyber Security Alliance
  • 11. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 What sorts of breaches? Of Large Organisations: • External attack – 69% • Malware or viruses – 84% • Denial of service – 37% • Network penetration (detected) – 37% – (if you don’t think you’ve been breached, you’re not looking hard enough) • Know they’ve suffered IP theft – 19% • Staff-related security breaches – 75% • Breaches caused by inadvertent human error – 50% 11 PwC and BIS: 2015 ISBS Survey
  • 12. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Article 33: Personal data breaches • The definition of a personal data breach in GDPR: – A 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • 13. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 37: Designation of the data protection officer • DPOs appointed in three situations: – Where the processing is carried out by a public body; – Where core activities require regular and systematic monitoring of personal data on a large scale; – Where core activities involve large-scale processing of sensitive personal data. Module IV
  • 14. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • Article 37: Designation of the data protection officer – Group undertakings can appoint a single DPO – Where controller or processor is a public authority a single DPO may be appointed for several such authorities depending on structure and size – DPO can represent categories of controllers and processors – DPO designated on the basis of professional qualities and knowledge of data protection law, but not legally qualified – May fulfill the role as part of a service contract – Controller or processor must publish DPO and notify supervisory authority
  • 15. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 38: Position of the data protection officer – Controller and processor must ensure proper and timely involvement of the DPO – Controller and processor must provide support through necessary resources – DPO has a large degree of independence – Protected role within the organisation – Direct access to highest management – Data subject has clear access to DPO – Bound by confidentiality in accordance with EU law – No conflict of interest arising from additional tasks or duties Module IV
  • 16. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers Article 39: Tasks of the data protection officer: – to inform and advise of obligations; – to monitor compliance; – to provide advice with regard to data protection impact assessments; – to monitor performance – to cooperate with the supervisory authority; – to liaise with the supervisory authority; – to have due regard to risk associated with processing operations. To advise on data protection impact assessments Module IV
  • 17. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • The controller shall seek the advice of the DPO – where a process is using new technologies, and taking into account the nature, scope, context and purposes of the processing, there is a high risk to the rights and freedoms of natural persons – DPIA is particularly required where: º Taking into account automated processing including profiling there are legal effects concerning natural persons; º The processing is on a large scale of special categories of data or personal data related to criminal convictions; º A systematic monitoring of publicly accessible area on a large scale.
  • 18. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Data protection impact assessment • Article 35: Data protection impact assessment • A data protection impact assessment shall contain the following: – a systematic description of the purposes and means of the processing: – any legitimate interest pursued by the controller; – an assessment of the necessity and proportionality of the processing operations; – an assessment of the risks to the rights and freedoms of data subjects; – the measures envisaged to address the risks; – adherence to approved codes of conduct; – any consultation with data subjects on intended processing; – any processing in relation to a law to which the controller is subject; – any processing that changes the risk profile.
  • 19. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Prior consultation • Article 36: Prior consultation • Controller shall consult the supervisory authority prior to processing where the DPIA indicates a “high risk to the rights and freedoms of the data subjects”: – Supervisory authority shall provide written advice to the controller – Request for controller to provide further information – Information on purposes and means – Information on measures and safeguards – The contact details of the DPO – A copy of the data protection impact assessment – Any other information requested
  • 20. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • The realities of the role of the data protection officer – Legal knowledge of data protection Regulation is not enough – Must also have information security knowledge and skills – An understanding of how to deliver C, I and A within a management framework – A good understanding of risk management and risk assessments – Familiarity with and adherence to codes of conduct for industry sector – A good understanding of compliance standards and data marks – Able to carry out and interpret internal audits information security standard – Understand and be able to articulate privacy by design to delivery functions – Able to coordinate and advise on data breaches and notification – Able to make a cyber security incident response process work. – Leads co-operation with supervisory authority
  • 21. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Section 4: Data protection officers • Where does the role sit within the organisation – Outside delivery functions of IT or Business – The role is about delivering compliance – You cant have compliance under the direction of the delivery team – The DPO should sit within a Risk, Compliance or Governance function. – Independent of the business with direct access to the Board – An effective DPO should ensure that Data Protection is on Board Agenda – Company Directors now being considered personally liable for Data Breaches – Begin with EU GDPR Foundation Course
  • 22. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 GDPR - Summary • Complete overhaul of data protection framework – Covers all forms of PII, including biometric, genetic and location data • Applies across all member states of the European Union • Applies to all organisations processing the data of EU citizens – wherever those organisations are geographically based • Specific requirements around rights of data subjects, obligations on controllers and processors, including privacy by design • Administrative penalties for breach up to 4% revenue or €20 million – Intended to be “dissuasive” • Data subjects have a right to bring actions (in their home state) and to receive damages if their human rights have been breached • Fines to take into account “the technical and organisational measures implemented…”
  • 23. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Information security Processes People Technology
  • 24. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Cyber security assurance • GDPR requirement – data controllers must implement: – “appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the regulation.” – Must include appropriate data protection policies – Organizations may use adherence to approved codes of conduct or management system certifications “as an element by which to demonstrate compliance with their obligations” – ICO and BSI are both developing new GDPR-focused standards • ISO 27001 already meets the “appropriate technical and organisational measures” requirement • It provides assurance to the board that data security is being managed in accordance with the regulation • It helps manage ALL information assets and all information security within the organisation – protecting against ALL threats
  • 25. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 IT Governance: GDPR one-stop shop • Accredited training – 1-Day Foundation Course – London OR Cambridge: http://www.itgovernance.co.uk/shop/p-1795-certified-eu- general-data-protection-regulation-foundation-gdpr-training-course.aspx – ONLINE http://www.itgovernance.co.uk/shop/p-1834-certified-eu-general-data- protection-regulation-foundation-gdpr-online-training-course.aspx • Practitioner course, classroom or online – www.itgovernance.co.uk/shop/p-1824-certified-eu-general-data-protection- regulation-practitioner-gdpr-training-course.aspx • Pocket guide www.itgovernance.co.uk/shop/p-1830-eu-gdpr-a-pocket-guide.aspx • Documentation toolkit www.itgovernance.co.uk/shop/p-1796-eu-general-data- protection-regulation-gdpr-documentation-toolkit.aspx • Consultancy support – Data audit – Transition/implementation consultancy – www.itgovernance.co.uk/dpa-compliance-consultancy.aspx
  • 26. TM © IT Governance Ltd 2016 Copyright IT Governance Ltd 2016 – v1.0 Questions? aross@itgovernance.co.uk 0845 070 1750 www.itgovernance.co.uk