The document outlines a webinar presentation on the General Data Protection Regulation (GDPR), featuring Richard Cascarino, a data protection expert and founder of AuditNet. It covers key aspects such as the role of Data Protection Officers (DPO), definitions of personal data, privacy rights, and compliance responsibilities for organizations handling data of EU residents. The webinar emphasizes the importance of proper data handling, transparency, and accountability in accordance with GDPR requirements.

1. 6/17/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
General Data
Protection Regulation
(GDPR) Webinar 6
DPO and Personal
Data
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 2
1
2

2. 6/17/2020
2
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 3
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive
CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download
your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
3
4

3. 6/17/2020
3
IMPORTANT INFORMATION
REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via cpe@email.cpe.io and it is important to white list this address. It is from this email
that your CPE credit will be sent. There may be a processing fee to have your CPE credit
regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• You must opt-in for our mailing list. If you indicate, you do not want to receive our emails
your registration will be cancelled, and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on you computer otherwise you will not be able to answer the polling
questions which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
5
6

4. 6/17/2020
4
ABOUT RICHARD CASCARINO,
MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
7
TODAY’S AGENDA
Page 8
• The role of the data protection officer (DPO).
• What constitutes personal data.
• Accountability, the privacy compliance framework and a
personal information management system (PIMS).
7
8

5. 6/17/2020
5
DATA PROTECTION
PRINCIPLES
 Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and
transparency')
 The inclusion of the principle of transparency is a new provision within the GDPR.
 Data obtained for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes
 GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing.
Archiving, scientific / historical research or statistical purposes would not been seen as incompatible with this purpose.
However there would be a need to consider pseudo anonymising the data.
 Data processed is adequate, relevant and limited to what is necessary
 Data is accurate and, where necessary, kept up to date
 Rights for individuals in the GDPR e.g. data erasure, data correction etc. which will impact on this principle
 Data should not to be kept longer than is necessary for the purpose
 GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for
archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
 Appropriate technical and organisational measures against unauthorised or unlawful processing,
loss, damage or destruction
DATA PROTECTION
OFFICERS (DPO)
Only certain organizations will be required to appoint a DPO
If you don’t require a DPO – appoint someone to be the lead
 A DPO must be “all about data protection” and careful
consideration has to be taken when it comes to their place within
an organization.
The GDPR expressly prevents dismissal or penalty of the data
protection officer for performance of their tasks.
9
10

6. 6/17/2020
6
ROLE OF THE DPO
 DPO requirement applies to both controllers and
processors
 No exception for small or medium-sized companies, but
risk-based approach
 The GDPR requires the appointment of a DPO in three
cases:
 1.Public authorities or bodies (except courts)
 2.Private companies where the “core activities” consist of
 a)processing operations which require “regular and
systematic monitoring” of data subjects “on a large
scale”
 b)“large scale” processing of sensitive data or data
relating to criminal convictions and offences
CORE ACTIVITIES
 Key operations to achieve the controller‘s or processor‘s objectives
 Includes all activities where the processing of data forms an
inextricable part of the activity
 A hospital’s processing of patients’ health records
 Excludes support or ancillary functions for the organization‘s main
business
 An organization’s supporting activities, such as payroll of their
own employees or standard IT support
11
12

7. 6/17/2020
7
LARGE SCALE
 Depends on:
 the number of data subjects concerned
 the volume of data and/or range of different data items
 the duration or permanence of the processing
 the geographical extent
 EG
 Processing of customer data in the regular course of
business by insurance companies or banks
 Processing of patient data in the regular course of
business by a hospital
 Not processing of patient data by an individual physician
TASKS OF THE DPO
 Advisory role
 The controller, the processor and their employees
 Monitoring compliance
 With GDPR and other data protection legislation, but also internal
policies
 Advise on data protection impact assessments and monitor
performance (upon request)
 Cooperate with supervisory authorities (“SAs”)
 Contact point for SAs and data subjects
 Contact details of the DPO shall be published and communicated to
the SA
13
14

8. 6/17/2020
8
SOURCING THE DPO
 Single DPO if easily accessible from each
establishment
 Full-time or part-time employee
 Consultant / Outsource under contract
 Single role or part of another role
 A supporting team around the DPO
 No conflict of interest
 No position within the organization that leads them
to determine the purposes and the means of the
processing of personal data
 chief executive, chief operating, chief financial, chief medical
officer, head of marketing department, head of HR, head of IT
INDEPENDENCE
 Data controllers or processors should:
 Identify positions which would be incompatible with the DPO
function;
 Draw up internal rules to avoid “conflicts of interests;”
 Formally declare via internal & external comms & in policy
documentation that the DPO has no conflict of interests with regard
to function as a DPO, as a way of raising awareness of this
requirement;
 Include safeguards within the organization’s internal rules and
ensure that the publicly-posted DPO job description or the services
contract for an External DPO is sufficiently precise and detailed in
order to avoid a conflict of interests.
15
16

9. 6/17/2020
9
INDEPENDENT REPORTING
LINE
 Chief Compliance Officer;
 Audit team
 Report directly to the CEO, COO, Board, etc
 External contractor (i.e., outside consultant or counsel)
reporting to a C-level officer or the Board
 Other reporting line without conflicts
EXPERTISE REQUIRED
 Integrity and high professional ethics
 Expertise in national and European data protection laws and
practices
 In-depth understanding of GDPR
 Knowledge of the business sector and of the organization of the
controller
 Knowledge of the administrative rules and procedures of the
organization
 Autonomy - Does not receive any instructions regarding the
exercise of their tasks
 Not be dismissed or penalized by the controller (or the
processor) for performing their tasks
17
18

10. 6/17/2020
10
WP29 SPECIFIES
 Level of Expertise: It is essential that the DPO understand how to
build, implement, & manage data protection programs.
 The more complex or high-risk the data processing activities are,
the greater the expertise the DPO will need.
 Professional Qualities: DPOs need not be lawyers, but they must
have expertise in member state and European data protection law,
including an in-depth knowledge of the GDPR
 DPOs must also have a reasonable understanding of the
organization's technical and organizational structure and be
familiar with information technologies and data security
 In the case of a public authority or body, the DPO should have sound
knowledge of its administrative rules & procedures
THE NEW DPO
 Get familiar with the processing activities and existing rules and
processes
 Understand the scope of your tasks and responsibilities
 Statutory tasks versus optional tasks (for instance, maintaining the
record of processing activities)
 Identify key issues and contact persons
 Identify budget and other resource requirements
 Draw up a work plan and prioritize
 Regularly attend relevant meetings and speak to employees and
senior management (in some countries Works Councils are
important)
 Regularly report to senior management
 Keep up to date (training)
19
20

11. 6/17/2020
11
IN PRACTICE
 50 million euros (approx. $56 million) — was
issued by the French Data Protection Authority
(CNIL) in January 2019 against Google.
 The fine was related to a “lack of transparency,
inadequate information and lack of valid consent
regarding the ads personalization.”
 The structure of Google’s privacy policy and terms and
conditions were too complicated for users, and the use of pre-
ticked boxes as a consent mechanism did not establish a legal
basis for data processing to deliver targeting advertising.
 Represented approximately .04% of revenue,
 far from the 4% potential penalty.
DATA DEFINITIONS
 “data relates to an individual if it refers to the identity,
characteristics or behaviour of an individual or if such
information is used to determine or influence the way in which
that person is treated or evaluated”
Working Party Opinion 4/2007 on the concept of personal data
21
22

12. 6/17/2020
12
GDPR DATA DEFINITIONS REGARDLESS
OF NATIONALITY OR EU RESIDENCE
23
Personal Data (from GDPR)
“…means any information relating to an identified or
identifiable natural person ('data subject'); an
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.”
Examples:
• Name
• Identification number (e.g., SSN)
• Location data (e.g., home address)
• Online identifier (e.g., e-mail address,
screen names, IP address, device IDs)
• Genetic data (e.g., biological samples
from an individual)
• Biometric data (e.g., fingerprints, facial
recognition)
“The GDPR also requires compliance from non-EU organizations that offer goods or services to
EU residents or monitor the behavior of EU residents.”
Source: Brief: You Need An Action Plan For The GDPR; Forrester Research; October 2016
ADDITIONAL PERSONAL DATA
DEFINITIONS
 Online identifiers
 Device identifiers
 Cookie IDs
 IP addresses
 Pseudonymized data
 (the technique of processing personal data in such a way that it
can no longer be attributed to a specific individual, without the
use of additional information which must be kept separately and
be subject to appropriate security to ensure non-attribution.
Pseudoanonymised data is still a form of personal data but its use
is encouraged (e.g. for extra security of the data, for historical /
scientific research or for statistical purposes).
 Sensitive includes genetic and biometric
data
23
24

13. 6/17/2020
13
WHAT IS ‘SENSITIVE’
PERSONAL DATA?
Sensitive personal data is information that relates to:
Race & ethnicity
Political opinions
Religious beliefs
Membership of trade unions
Physical or mental health
Sexuality
Criminal offences
ENHANCED PERSONAL PRIVACY
RIGHTS
The General Data Protection Regulation
(GDPR) imposes new rules on organizations
that offer goods and services to people in the
European Union (EU), or that collect and
analyze data tied to EU residents, no matter
where they are located.
25
26

14. 6/17/2020
14
ENHANCED PERSONAL PRIVACY
RIGHTS
Right to be informed
Right to erasure
Right to data portability
Right to restriction
Right to rectification
Right of access
 Including additional processing details
Right to object
Right to prevent automated processing,
including profiling
DATA FLOWS
 What type of personal data flows does the organization
handle?
 Recruitment data
 Employee data
 Customer data
 Incident data
 Patient data
 User data
 Describe the data flows: input, transferring, processing,
storage, erasure, relevant systems/applications, current
safety measure
27
28

15. 6/17/2020
15
WHERE THE SUBJECT PROVIDES
THE DATA
 Controller identity and contact details
 The right to lodge a complaint with a supervisory authority.
 DPO contact details, where applicable
 Whether controller uses automated decision-making (including
profiling), and information about logic involved, and significance and
consequences of processing for the data subject.
 Purposes of processing
 Legal basis for processing
 Legitimate interests, where applicable
 Recipients or categories of recipients
 Whether the provision of personal data is a statutory or contractual requirement
or obligation, and the consequences of failure to provide such data.
 Details of transfers outside EEA and safeguards in place
 Retention period, or criteria used to determine it Data subject’s rights including
access, correction, erasure, restriction, objection, data portability
 Where processing based on consent, the right to withdraw it at any time
RIGHT TO ACCESS
 A data subject has the right to obtain from a data controller:
 confirmation that his or her personal data is being processed
 a copy of the personal data on request (unless adversely affects
the rights and freedoms of others)
 Other information about the processing, including
 purposes; categories of personal data; recipients; retention period;
rights to correction, erasure, restriction, objection; right to make
complaint to supervisory authority; personal data source(s) if
collected from third party; whether controller uses automated
decision-making, including profiling, the logic used, and
consequences of processing for the data subject.
 When the data subject makes the request electronically, must
provide the information in a commonly used electronic form,
unless the data subject requests the information in a different
format. If requested, the information may be provided orally,
provided that the identity of the data subject is proven by other
means.
29
30

16. 6/17/2020
16
RIGHT TO BE FORGOTTEN
(UK)
In certain circumstances, individuals can
request that the personal data is erased without
undue delay – e.g. where they withdraw consent
and no other legal ground for processing applies
Must therefore inform third parties that data
subject has requested erasure of any links to, or
copies of, data
ISO/IEC 27701 PRIVACY INFORMATION
MANAGEMENT SYSTEM (PIMS)
A framework for personally identifiable information
(PII) controllers and PII processors to manage
privacy controls
Benefits of PIMS
 Gives transparency between stakeholders
 Helps build trust
 Provides a more collaborative approach
 More effective business agreements
 Clearer roles and responsibilities
 Reduces complexity by integrating with ISO/IEC 27001
31
32

17. 6/17/2020
17
EUROPEAN DIGITAL SINGLE
MARKET
Covers digital marketing, e-commerce and
telecommunications
Major pillars
Access to online products and services
Conditions for digital networks and services to grow
and thrive
Growth of the European digital economy
Uses GDPR to help harmonize data privacy
across all of Europe
ISO/IEC 27701 AS A POTENTIAL
CERTIFICATION MECHANISM
Compliance can:
Significantly reduce compliance workloads by negating the
need to support multiple certifications
Increase trust between organizations and customers by
demonstrating compliance with data privacy laws
Generate evidence that Data Protection Officers can
provide to senior management and board members to
show their progress in privacy regulatory compliance
Increase the opportunities for business and commerce
through the EU Digital Single Market and cross-border data
flows
33
34

18. 6/17/2020
18
ISO/IEC 27701 AND GDPR
Objectives
Demonstrate the visibility of PIMS in scale across the
market
Encourage to adopt pan-European GDPR certification
Demonstrate to the market that PIMs holds up as a
comprehensive GDPR evidence set
US LEGISLATION
 California Consumer Privacy Act Ma
 State statute intended to enhance privacy rights and
consumer protection for residents of California
 Took effect on January 1, 2020
Six Statutory rights:
1.To be provided with information on what personal information is collected about
them and the purposes for which that personal information is used.
2. To be provided with information on what personal information is sold or disclosed
for a business purpose and to whom.
3. To opt out of the sale of their personal information to third parties (or in the case
of minors under age 16, to require an opt in before the sale of their personal
information).
4. To request the deletion of their personal information.
5. Not to be subject to discrimination for exercising any of the above rights,
including being denied goods or services or being charged a different price, or being
subjected to a lower level of quality, of such goods or services.
6. To seek statutory damages of $100 to $750 for breaches of unencrypted personal
information that arise as a result of a business’ violation of its duty to
implement and maintain reasonable security procedures.

35
36

19. 6/17/2020
19
APPLIES TO
 For profit business entities in CA that:
 Gross revenue of 25 million dollar or more
 Receives or share more then 50,000 consumers, households, or
devices
 More than 50% of revenue from the sale of PHI Exception for
HIPAA, CMIA ( California Medical Information Act), GLBA
(Gramm Leach Bliley Act ) statues
REQUIREMENTS
 Business required to post details on website or other public means
how they’re using or not using consumer data for rolling 12 months
and opt out instructions
 Businesses will have to develop processes and procedures to
accommodate all consumer rights including data mapping / access
reports
 Requirements for businesses to reasonably safeguard consumer
data
 Significant damage implications for business if fail to comply
(enforced by CA AG)
 Consumers have a private right of action but it’s limited ($100 to
$750 per violation)
 Fines for business $7500 per violation
37
38

20. 6/17/2020
20
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
39
40

21. 6/17/2020
21
THANK YOU!
Page 41
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
41