The General Data Protection Regulation (GDPR) came into effect on May 25th 2018, and organisations and data subjects alike are mostly in the dark about what it means and how it affects them. This is a summary of the regulation and of how businesses can leverage the implementation of international standards such as ISO 27001 to meet its requirements.
FACEAPP TERMS AND CONDITIONS EXTRACT
“You grant FaceApp a perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly perform and display your User Content and any name, username or likeness provided in connection with your User Content in all media formats and channels now known or later developed, without compensation to you.”
(FaceApp)
A few months ago this seemingly ‘fun’ app became the center of controversy when aspects of its terms and conditions raised data privacy concerns.
This is just one of many instances showing how important it has become for businesses to identify their data privacy and protection obligations, for users to identify their data privacy needs, and for both to respond accordingly.
GDPR IN A NUTSHELL
GDPR constitutes the protection of personal data of employees, customers and others and broadens the rights of individuals with respect to their personal data.
Types of Data
§ Personally identifiable information, including names, addresses, dates of birth, social security numbers
§ Web-based data, including user location, IP address, cookies, and RFID tags
§ Health (HIPAA) and genetic data
§ Biometric data
§ Racial and/or ethnic data
§ Political opinions
§ Sexual orientation
WHO NEEDS TO BE GDPR COMPLIANT? Could it be you?
§ The business has a presence in an EU country;
§ Even if there is no presence in the EU, the company still processes personal data of European residents;
§ There are more than 250 employees; and
§ Even if there are fewer than 250 employees, the data processing impacts the rights and freedoms of its data subjects.
GDPR KEY CONCEPTS
DATA MAPPING
In order to put in place an effective data protection regime, an organization has to identify and document all the data it processes, and the points at which the organization interacts with this data.
DATA DOCUMENTATION
Given the need to limit the retention of data and the kinds of processing, it is necessary to maintain information regarding issues such as when data was collected, the reason for collection, etc.
DATA GOVERNANCE PRINCIPLES
This is the foundation of data protection by design and by default, where the organization needs to provide guidance on authorization and limits on access to personal information based on, for example, employee roles and responsibilities.
MONITORING OF DATA
This refers to the need for organizations to continuously monitor the security of data, e.g. instances of unauthorized access to systems in which data is stored, and to put in place mechanisms that allow response to such incidents and breach notification.
GDPR IMPLICATIONS TO BUSINESS
o Liability and accountability of all Data Processors and Controllers.
o Designation of a DPO.
o Consent of the Data Subject.
o New Principles to comply with.
o Provision of the Rights of Data Subjects.
o Mandatory Data Breach Notification.
Benefits of GDPR Compliance to Organizations
1. Enhanced Cybersecurity: reduce the cost of data breaches and other downtime caused by loss/theft of data.
2. Improved Data Management: know precisely which personal data you hold, where, why and who has access to it, etc.
3. Increased Marketing Return on Investment: you will do a clean-up of your customer DB, KYC data, etc.
4. Customer Confidence: GDPR compliance will help signify to customers that you care about the privacy of their data.
5. Data Security Culture
ISO 27001
§ ISO 27001 is the International Standard for Information Security Management Systems.
§ It provides a systematic approach to determining:
o What information needs to be protected,
o The reason why it should be protected,
o How to protect it, and
o What to protect it from.
Relationship Between GDPR & ISO 27001
ISO 27001 is an international information security standard that provides requirements for implementing, maintaining and improving an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes the legal, technical and physical controls involved in an organization's IT risk management processes.
Compliance with ISO 27001 best practices helps organizations better manage their security risks, protect sensitive data, and identify the scope and limitations of their security programs.
Compliance with standards such as ISO 27001 helps organizations demonstrate compliance with GDPR (Article 24).
Assurance: GDPR recommends the use of standards as a way of providing assurance that the organization is managing information security risks.
More than Personal Data: while the focus of GDPR is personal data, ISO 27001 provides a framework for the protection of the organization's information assets as a whole.
Controls and Security Framework: GDPR specifies the regulations but allows the organization to choose the appropriate technical and organizational controls to mitigate its data protection risks. The majority of these controls are addressed by ISO 27001.
People, Processes and Technology: ISO 27001's approach to risk management is holistic and provides risk mitigation not only from a technology perspective, but also for people and process risks.
Accountability: both frameworks require accountability for information security and data protection from top management.
WHY CHOOSE SENTINEL AFRICA TO PROVIDE GDPR TRAINING/CONSULTING SERVICES?
I. We have Certified Data Protection Officers.
II. We have extensive experience in implementing information security/cybersecurity frameworks.
Our consultants are trained in the recently released ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.
I. We are ISO 27001 Certified.
II. We can help your organization automate compliance with both GDPR and ISO 27001 using ISO Manager.
III. We can automate GDPR and information security awareness training for your organization using KnowBe4.
IV. PECB, NITA, ISOManager Partners.