This document provides an agenda and overview of a webinar on lessons learned from the General Data Protection Regulation (GDPR) and applying the GDPR's data protection principles. The webinar agenda includes discussing common data security failures, managing personal data breaches, and the seven data protection principles. It also provides background on the webinar presenter and introduces the company hosting the webinar, AuditNet.
7/6/2020
Richard Cascarino CISM, CIA, ACFE, CRMA
General Data Protection Regulation (GDPR) Webinar 7
Lessons Learned and Data Protection Principles
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
  • Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn Networking Groups
  • Monthly Newsletters with Expert Guest Columnists
  • Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt-in for our mailing list. If you indicate you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
• Lessons to be learned from common data security failures.
• The seven data protection principles – how to apply them and demonstrate compliance.
Agenda
1. European Interpretations
2. Managing personal data breaches
3. Effects of Negotiating a Data Protection Addendum
4. New Laws Inspired by GDPR; from California to Brazil
GDPR LESSONS
SINCE G-DAY
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
Data protection authorities have started to audit companies, for example:
• German data protection authority has started to audit 50 companies from various sectors
• another German data protection authority has started to investigate several hospitals in relation to their handling of health data
• the UK data protection authority investigated companies who provide data analytics for political purposes
ITALY
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
The Italian authority says that its investigations will in particular address the following aspects:
• Information of data subjects
• Requirements for valid consent and other legal bases for data processing
• Data retention policies
• Security measures
• Data processing agreements
• Appointment of data protection officers

EUROPEAN VARIANCES
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
Conflicting guidance from authorities across Europe. For example, in the context of study agreements concerning pharmaceuticals and medical devices:
• The UK Health Research Authority took the position that hospitals are data processors of study sponsors
• The German working group of the ethics commissions rather suggests that hospitals and study sponsors are typically joint controllers
Conflicting guidance creates challenges to developing a joint GDPR compliance strategy for Europe
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
GDPR is important but … there is more than GDPR
GDPR imposes strict compliance requirements on organizations having to deal with personal data breaches, BUT many other breach / security frameworks (might) come into play (prudential, non-EU ones, etc.)

DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
Interaction with DPAs requires caution
Transparency and accountability are important data protection principles, but in dealing with DPAs, especially in the breach context, controllers should remind themselves that they are the ones to assess whether or not they are facing a reportable breach (and that they might have to defend their choices later on)
There are no “off the record” conversations with DPAs. What you tell them is on their file
DPAS AND THIRD PARTIES
Negotiating DPAs with Third Parties
Requirements controllers must impose on processors under Article 28. E.g.:
• Only act on controller’s documented instructions
• Commitments re confidentiality, deletion / return of personal data
• Audit rights, appointment of sub-processors, etc.
• Ensuring of security
Direct obligations that a recipient may have under GDPR. E.g.:
• Controller obligations: Keeping a record, appointing a DPO, conducting DPIAs, providing fair processing notices / obtaining consents, liaising with supervisory authorities, data subjects, etc.
• Processor obligations: Keeping a record, appointing a DPO, notifying a controller of personal data breach / that instructions infringe law, etc.

DPAS AND SERVICE PROVIDER
Typical points of concern for service providers in negotiations:
• Responsibility for ensuring processing complies with law
• Retaining control and consistency of terms over supply chain and audits
• Personal data breach notification
• Responsibility for ensuring appropriateness of security
• Liabilities
May be spelled out in data privacy agreement, or addendum documents
DPAS AND CUSTOMERS
Negotiating DPAs: The customer’s perspective
Typical points of concern:
• Right to object to sub-processors limited to specific or important reasons
• Objection must not be random but based on objective reasons

DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
Data breach notification is a test for your LSA’s election
• In a cross-border processing context, EU-based controllers designate a Lead Supervisory Authority
• This requires proper documentation to be in place, supported by ad hoc assessment
• LSA is not available to all controllers (i.e., only to “EU-based”)
• Very relevant in a breach notification context, as the controller only needs to notify their LSA (using and gathering information on a single form)
• Caution is necessary in case of doubts as to who is your LSA (see WP29 breach guidelines). Multiple notifications might be necessary / prudent
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
The When, How and Why of communication to data subjects
When a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate to the data subjects
Question: What is high risk (and how to assess it)?
Methodology needs to be part of the incident response plan (building it at the same time as managing the breach is unpleasant)

OVERSEAS IMPACT OF GDPR
The GDPR has inspired a number of similar laws in other countries, including Brazil and the State of California in the United States
BRAZIL DATA PROTECTION LAW
Brazil Data Protection Law: enacted in August 2018 and came into force in February 2020 with rights and obligations similar to the GDPR:
• Applies to all processing of personal data
• Extraterritorial application
• Requires legal basis for processing
• Significant fines (although not as high as those under the GDPR)
• Data subject rights
• Security requirements
• Data breach notification requirements
• Cross-border data transfer restrictions

DATA PROTECTION - PURPOSE OF THE ACT
• Balance the rights of an individual with an organization’s legitimate need to process personal data
• Promote openness and transparency
• Establish and maintain trust and confidence
• Promote good practice in the processing of information
• Prevent damage and distress caused by unlawful or unauthorized processing
DATA PROTECTION PRINCIPLES
Data processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’)
The inclusion of the principle of transparency is a new provision within the GDPR.
Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with this purpose. However, there would be a need to consider pseudonymising the data.

FIRST PRINCIPLE: FAIR AND LAWFUL PROCESSING
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
FIRST PRINCIPLE: FAIR AND LAWFUL PROCESSING
You must state:
• Data Controller’s identity
• The purpose for which the data are intended to be processed
• In specific circumstances, any further information which is necessary to make the processing generally fair, e.g. if you are going to use personal data for direct marketing you must inform the data subject
Must NOT deceive or mislead

FIRST PRINCIPLE: CONDITIONS FOR PROCESSING
The processing of personal data is necessary:
• for the performance of a contract with the individual;
• to comply with a legal obligation;
• to protect the vital interests of the individual;
• for the administration of justice, or the exercise of any statutory function;
• for the legitimate interests of the organization, unless the interests of the individual would be prejudiced;
or is with the consent of the individual.
DATA PROTECTION PRINCIPLES
• Data processed is adequate, relevant and limited to what is necessary
• Data is accurate and, where necessary, kept up to date
• Data should not be kept longer than is necessary for the purpose
• Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction

SECOND PRINCIPLE: PURPOSE
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
Purpose must be “specified, explicit and legitimate”
Data can be collected and used only for those purposes that have been transmitted to the data subject and about which the consent was received
THIRD PRINCIPLE - ADEQUACY AND RELEVANCE OF DATA
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
Under the GDPR you will actually have to justify the amount of data collected, so make sure to design an adequate policy and document it

FOURTH PRINCIPLE – ACCURATE AND UP TO DATE
Data is accurate and, where necessary, kept up to date
Ensure that you do not retain old and outdated contacts and ensure the erasure of inaccurate personal data without delay
Rights for individuals in the GDPR, e.g. data erasure, data correction etc., will impact on this principle
FIFTH PRINCIPLE – RETENTION
Data should not be kept longer than is necessary for the purpose
GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
Justify that this period is necessary for your specific objectives
“Just in case” is not a reason to retain personal data after it is no longer required for the specified purpose(s)
Retention periods will vary depending on:
• Legal requirements for keeping data
• Ongoing investigations/litigation
• Industry best practice

SIXTH PRINCIPLE – INTEGRITY & CONFIDENTIALITY
Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
You must implement efficient anonymization or pseudonymization systems to protect the identity of your clients
You might also consider working towards gaining official certification, such as ISO 27001, to prove your commitment to cyber security
SEVENTH PRINCIPLE – ACCOUNTABILITY
Record and prove compliance
• Thorough documentation of all policies that govern the collection and processing of data
• Able to demonstrate the documents that prove compliance with the GDPR when requested by the authorities

QUESTIONS?
Any Questions? Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino