7/6/2020
General Data Protection Regulation (GDPR) Webinar 7: Lessons Learned and Data Protection Principles
Richard Cascarino CISM, CIA, ACFE, CRMA
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru
• Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and features:
  • Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and Control Matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit with free CPE for subscribers and site license users.
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn Networking Groups
  • Monthly Newsletters with Expert Guest Columnists
  • Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your certificate.
IMPORTANT INFORMATION REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this address. It is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in your email system or a firewall that will redirect or not allow delivery of this email from Gensend.io
• You must opt-in for our mailing list. If you indicate you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC
ABOUT RICHARD CASCARINO, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates based in Colorado USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
TODAY’S AGENDA
• Lessons to be learned from common data security failures.
• The seven data protection principles – how to apply them and demonstrate compliance.
Agenda
1. European Interpretations
2. Managing personal data breaches
3. Effects of Negotiating a Data Protection Addendum
4. New Laws Inspired by GDPR; from California to Brazil
GDPR LESSONS
SINCE G-DAY
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
• Data protection authorities have started to audit companies, for example:
  • German data protection authority has started to audit 50 companies from various sectors
  • another German data protection authority has started to investigate several hospitals in relation to their handling of health data
  • the UK data protection authority investigated companies who provide data analytics for political purposes
ITALY
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
• The Italian authority says that its investigations will in particular address the following aspects:
  • Information of data subjects
  • Requirements for valid consent and other legal bases for data processing
  • Data retention policies
  • Security measures
  • Data processing agreements
  • Appointment of data protection officers
EUROPEAN VARIANCES
News, Developments and First Enforcement Trends of GDPR Since GDPR Day
Conflicting guidance from authorities across Europe
• For example, in the context of study agreements concerning pharmaceuticals and medical devices:
  • The UK Health Research Authority took the position that hospitals are data processors of study sponsors
  • The German working group of the ethics commissions rather suggests that hospitals and study sponsors are typically joint controllers
• Conflicting guidance creates challenges to developing a joint GDPR compliance strategy for Europe
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
• GDPR is important but … there is more than GDPR
• GDPR imposes strict compliance requirements on organizations having to deal with personal data breaches BUT many other breach / security frameworks (might) come into play (prudential, non-EU ones, etc.)
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
• Interaction with DPAs requires caution
  • Transparency and accountability are important data protection principles but in dealing with DPAs, especially in the breach context, controllers should remind themselves that they are the ones to assess whether or not they are facing a reportable breach (and that they might have to defend their choices later on)
  • There are no “off the record” conversations with DPAs. What you tell them is on their file
DPAS AND THIRD PARTIES
Negotiating DPAs with Third Parties
Requirements controllers must impose on processors under Article 28. E.g.:
• Only act on controller’s documented instructions
• Commitments re confidentiality, deletion / return of personal data
• Audit rights, appointment of sub-processors, etc.
• Ensuring security
• Direct obligations that a recipient may have under GDPR. E.g.:
  • Controller obligations: Keeping a record, appointing a DPO, conducting DPIAs, providing fair processing notices / obtaining consents, liaising with supervisory authorities, data subjects, etc.
  • Processor obligations: Keeping a record, appointing a DPO, notifying a controller of personal data breach / that instructions infringe law, etc.
DPAS AND SERVICE PROVIDER
• Typical points of concern for service providers in negotiations
  • Responsibility for ensuring processing complies with law
  • Retaining control and consistency of terms over supply chain and audits
  • Personal data breach notification
  • Responsibility for ensuring appropriateness of security
  • Liabilities
• May be spelled out in data privacy agreement, or addendum documents
DPAS AND CUSTOMERS
Negotiating DPAs: The customer’s perspective
Typical points of concern:
• Right to object to sub-processors limited to specific or important reasons
• Objection must not be random but based on objective reasons
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
• Data breach notification is a test for your LSA’s election
  • In a cross-border processing context, EU-based controllers designate a Lead Supervisory Authority
  • This requires proper documentation to be in place, supported by ad hoc assessment
  • LSA is not available to all controllers (i.e., only to “EU-based”)
  • Very relevant in a breach notification context, as controller only needs to notify their LSA (using and gathering information on a single form)
  • Caution is necessary in case of doubts as to who your LSA is (see WP29 breach guidelines). Multiple notifications might be necessary / prudent
DATA BREACHES LESSONS LEARNED
Data Breaches: 5 lessons learned
• The When, How and Why of communication to data subjects
  • When a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate to the data subjects
  • Question: What is high risk (and how to assess it)?
  • Methodology needs to be part of the incident response plan (building it at the same time as managing the breach is unpleasant)
OVERSEAS IMPACT OF GDPR
• The GDPR has inspired a number of similar laws in other countries, including Brazil and the State of California in the United States
BRAZIL DATA PROTECTION LAW
Brazil Data Protection Law
Enacted in August 2018 and came into force in February 2020 with rights and obligations similar to the GDPR:
• Applies to all processing of personal data
• Extraterritorial application
• Requires legal basis for processing
• Significant fines (although not as high as those under the GDPR)
• Data subject rights
• Security requirements
• Data breach notification requirements
• Cross-border data transfer restrictions
DATA PROTECTION - PURPOSE OF THE ACT
• Balance the rights of an individual with an organization’s legitimate need to process personal data
• Promote openness and transparency
• Establish and maintain trust and confidence
• Promote good practice in the processing of information
• Prevent damage and distress caused by unlawful or unauthorized processing
DATA PROTECTION PRINCIPLES
Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
• The inclusion of the principle of transparency is a new provision within the GDPR.
Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with this purpose. However, there would be a need to consider pseudonymising the data.
FIRST PRINCIPLE: FAIR AND LAWFUL PROCESSING
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
FIRST PRINCIPLE: FAIR AND LAWFUL PROCESSING
You must state:
• Data Controller’s identity
• The purpose for which the data are intended to be processed
• In specific circumstances, any further information which is necessary to make the processing generally fair, e.g. if you are going to use personal data for direct marketing you must inform the data subject
Must NOT deceive or mislead
FIRST PRINCIPLE: CONDITIONS FOR PROCESSING
The processing of personal data is necessary:
• for the performance of a contract with the individual;
• to comply with a legal obligation;
• to protect the vital interests of the individual;
• for the administration of justice, or the exercise of any statutory function;
• for the legitimate interests of the organization, unless the interests of the individual would be prejudiced;
or is with the consent of the individual
DATA PROTECTION PRINCIPLES
Data processed is adequate, relevant and limited to what is necessary
Data is accurate and, where necessary, kept up to date
Data should not be kept longer than is necessary for the purpose
Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
SECOND PRINCIPLE: PURPOSE
Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
• Purpose must be “specified, explicit and legitimate”
• Data can be collected and used only for those purposes that have been transmitted to the data subject and about which the consent was received
THIRD PRINCIPLE - ADEQUACY AND RELEVANCE OF DATA
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
Under the GDPR you will actually have to justify the amount of data collected, so make sure to design an adequate policy and document it
FOURTH PRINCIPLE – ACCURATE AND UP TO DATE
Data is accurate and, where necessary, kept up to date
• Ensure that you do not retain old and outdated contacts and ensure the erasure of inaccurate personal data without delay
• Rights for individuals in the GDPR, e.g. data erasure, data correction etc., will impact on this principle
FIFTH PRINCIPLE – RETENTION
Data should not be kept longer than is necessary for the purpose
• GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.
• Justify that this period is necessary for your specific objectives
• “Just in case” is not a reason to retain personal data after it is no longer required for the specified purpose(s)
• Retention periods will vary depending on:
  • Legal requirements for keeping data
  • Ongoing investigations/litigation
  • Industry best practice
SIXTH PRINCIPLE – INTEGRITY & CONFIDENTIALITY
Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
You must implement efficient anonymization or pseudonymization systems to protect the identity of your clients
You might also consider working towards gaining official certification, such as ISO 27001, to prove your commitment to cyber security
SEVENTH PRINCIPLE – ACCOUNTABILITY
Record and prove compliance
Thorough documentation of all policies that govern the collection and processing of data
Be able to produce the documents that prove compliance with the GDPR when requested by the authorities
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK ACADEMY
• If you would like forever access to this webinar recording
• If you are watching the recording, and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on-demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a discount on this webinar for one week
THANK YOU!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group – https://www.linkedin.com/groups/44252/
Like my Facebook business page https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel: +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino

More Related Content

What's hot

General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 Jim Kaplan CIA CFE
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Jim Kaplan CIA CFE
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Jim Kaplan CIA CFE
 
Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Jim Kaplan CIA CFE
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal AuditorJim Kaplan CIA CFE
 
How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program Jim Kaplan CIA CFE
 
Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Jim Kaplan CIA CFE
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Jim Kaplan CIA CFE
 
Driving More Value With Automated Analytics
Driving More Value With Automated AnalyticsDriving More Value With Automated Analytics
Driving More Value With Automated AnalyticsJim Kaplan CIA CFE
 
Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsJim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingJim Kaplan CIA CFE
 
How to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldHow to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldJim Kaplan CIA CFE
 
What's the Difference between GRC and Combined Assurance?
What's the Difference between GRC and Combined Assurance?What's the Difference between GRC and Combined Assurance?
What's the Difference between GRC and Combined Assurance?Jim Kaplan CIA CFE
 
IT Fraud Series: Data Analytics
IT Fraud Series: Data AnalyticsIT Fraud Series: Data Analytics
IT Fraud Series: Data AnalyticsJim Kaplan CIA CFE
 

What's hot (20)

General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6 General Data Protection Regulation Webinar 6
General Data Protection Regulation Webinar 6
 
General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10General Data Protection Regulation for Auditors 5 of 10
General Data Protection Regulation for Auditors 5 of 10
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10)
 
How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides How to detect fraud like a pro detective slides
How to detect fraud like a pro detective slides
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10)
 
Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10) Implementing and Auditing GDPR Series (3 of 10)
Implementing and Auditing GDPR Series (3 of 10)
 
Ethics and the Internal Auditor
Ethics and the Internal AuditorEthics and the Internal Auditor
Ethics and the Internal Auditor
 
Ethics for Internal Auditors
Ethics for  Internal AuditorsEthics for  Internal Auditors
Ethics for Internal Auditors
 
How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program How to use ai apps to unleash the power of your audit program
How to use ai apps to unleash the power of your audit program
 
Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?Is Your Audit Department Highly Effective?
Is Your Audit Department Highly Effective?
 
Ethics for internal auditors
Ethics for internal auditorsEthics for internal auditors
Ethics for internal auditors
 
Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation Implementing and Auditing General Data Protection Regulation
Implementing and Auditing General Data Protection Regulation
 
Cybersecurity Slides
Cybersecurity  SlidesCybersecurity  Slides
Cybersecurity Slides
 
Driving More Value With Automated Analytics
Driving More Value With Automated AnalyticsDriving More Value With Automated Analytics
Driving More Value With Automated Analytics
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
Enhanced fraud detection with data analytics
Enhanced fraud detection with data analyticsEnhanced fraud detection with data analytics
Enhanced fraud detection with data analytics
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of samplingHow analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
How to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital worldHow to build a data analytics strategy in a digital world
How to build a data analytics strategy in a digital world
 
What's the Difference between GRC and Combined Assurance?
What's the Difference between GRC and Combined Assurance?What's the Difference between GRC and Combined Assurance?
What's the Difference between GRC and Combined Assurance?
 
IT Fraud Series: Data Analytics
IT Fraud Series: Data AnalyticsIT Fraud Series: Data Analytics
IT Fraud Series: Data Analytics
 

Similar to GDPR Webinar Lessons on Data Protection

Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Jim Kaplan CIA CFE
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports Jim Kaplan CIA CFE
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling Jim Kaplan CIA CFE
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018Human Capital Department
 
How to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewHow to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewJim Kaplan CIA CFE
 
Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Jim Kaplan CIA CFE
 
Retrospective data analytics slides
Retrospective data analytics slidesRetrospective data analytics slides
Retrospective data analytics slidesJim Kaplan CIA CFE
 
Forensic and investigating audit reporting
Forensic and investigating audit reportingForensic and investigating audit reporting
Forensic and investigating audit reportingJim Kaplan CIA CFE
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATJim Kaplan CIA CFE
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Jim Kaplan CIA CFE
 
How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach Jim Kaplan CIA CFE
 
Cybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsCybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsJim Kaplan CIA CFE
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection Jim Kaplan CIA CFE
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...AIIM International
 

Similar to GDPR Webinar Lessons on Data Protection (20)

GDPR Series Session 4
GDPR Series Session 4GDPR Series Session 4
GDPR Series Session 4
 
Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10) Implementing and Auditing GDPR Series (2 of 10)
Implementing and Auditing GDPR Series (2 of 10)
 
How to data mine your print reports
How to data mine your print reports How to data mine your print reports
How to data mine your print reports
 
IT Fraud and Countermeasures
IT Fraud and CountermeasuresIT Fraud and Countermeasures
IT Fraud and Countermeasures
 
How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling How analytics should be used in controls testing instead of sampling
How analytics should be used in controls testing instead of sampling
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
Future audit analytics
Future audit analyticsFuture audit analytics
Future audit analytics
 
How to prepare for your first anti fraud review
How to prepare for your first anti fraud reviewHow to prepare for your first anti fraud review
How to prepare for your first anti fraud review
 
Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!Right to Audit Clauses: What you need to know!
Right to Audit Clauses: What you need to know!
 
Retrospective data analytics slides
Retrospective data analytics slidesRetrospective data analytics slides
Retrospective data analytics slides
 
Internal Auditing Basics
Internal Auditing BasicsInternal Auditing Basics
Internal Auditing Basics
 
Forensic and investigating audit reporting
Forensic and investigating audit reportingForensic and investigating audit reporting
Forensic and investigating audit reporting
 
Are You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAATAre You a Smart CAAT or a Copy CAAT
Are You a Smart CAAT or a Copy CAAT
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
Structuring your organization for success with data analytics
Structuring your organization for success with data analytics Structuring your organization for success with data analytics
Structuring your organization for success with data analytics
 
How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach How ERM and audit work together, a combined assurance approach
How ERM and audit work together, a combined assurance approach
 
Cybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal AuditorsCybersecurity Series - Cyber Defense for Internal Auditors
Cybersecurity Series - Cyber Defense for Internal Auditors
 
Ethics for Internal Auditors
Ethics for Internal AuditorsEthics for Internal Auditors
Ethics for Internal Auditors
 
The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection The Future of Auditing and Fraud Detection
The Future of Auditing and Fraud Detection
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 

GDPR Webinar Lessons on Data Protection

1. General Data Protection Regulation (GDPR) Webinar 7: Lessons Learned and Data Protection Principles
Richard Cascarino CISM, CIA, ACFE, CRMA (7/6/2020)
About Jim Kaplan, CIA, CFE
• President and Founder of AuditNet®, the global resource for auditors (available on iOS, Android and Windows devices)
• Auditor, Web Site Guru, Internet for Auditors Pioneer
• IIA Bradford Cadmus Memorial Award Recipient
• Local Government Auditor’s Lifetime Award
• Author of “The Auditor’s Guide to Internet Resources”, 2nd Edition
2. About AuditNet® LLC
• AuditNet®, the global resource for auditors, serves the global audit community as the primary resource for Web-based auditing content. As the first online audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices, and features:
  • Over 3,100 reusable templates, audit programs, questionnaires, and control matrices
  • Webinars focusing on fraud, data analytics, IT audit, and internal audit, with free CPE for subscribers and site license users
  • Audit guides, manuals, and books on audit basics and using audit technology
  • LinkedIn networking groups
  • Monthly newsletters with expert guest columnists
  • Surveys on timely topics for internal auditors
Housekeeping
This webinar and its material are the property of AuditNet® and its webinar partners. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive CPE, as the confirmation login is linked to a specific individual.
• This webinar is not eligible for viewing in a group setting. You must be logged in with your unique join link.
• We are recording the webinar and you will be provided access to that recording after the webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address; it is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated if you did not receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• You must answer the survey questions after the webinar or before downloading your certificate.
3. Important Information Regarding CPE
• Attendees: if you attend the entire webinar and meet the criteria for CPE you will receive an email with the link to download your CPE certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is important to whitelist this address; it is from this email that your CPE credit will be sent. There may be a processing fee to have your CPE credit regenerated after the initial distribution.
• We cannot manually generate a CPE certificate, as these are handled by our third-party provider. We highly recommend that you work with your IT department to identify and correct any email delivery issues prior to attending the webinar. Issues would include blocks or spam filters in your email system, or a firewall that will redirect or not allow delivery of this email from Gensend.io.
• You must opt in to our mailing list. If you indicate that you do not want to receive our emails, your registration will be cancelled and you will not be able to attend the webinar.
• We are not responsible for any connection, audio or other computer-related issues. You must have pop-ups enabled on your computer, otherwise you will not be able to answer the polling questions, which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see to, you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® LLC. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship. While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website. Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet® LLC.
4. About Richard Cascarino, MBA, CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino & Associates, based in Colorado, USA
• Over 28 years’ experience in IT audit training and consultancy
• Past President of the Institute of Internal Auditors in South Africa
• Member of ISACA
• Member of the Association of Certified Fraud Examiners
• Author of Data Analytics for Internal Auditors
Today’s Agenda
• Lessons to be learned from common data security failures.
• The seven data protection principles: how to apply them and demonstrate compliance.
5. Agenda
1. European interpretations
2. Managing personal data breaches
3. Effects of negotiating a data protection addendum
4. New laws inspired by GDPR, from California to Brazil
GDPR Lessons: News, Developments and First Enforcement Trends Since GDPR Day
Since G-Day
• Data protection authorities have started to audit companies, for example:
  • A German data protection authority has started to audit 50 companies from various sectors
  • Another German data protection authority has started to investigate several hospitals in relation to their handling of health data
  • The UK data protection authority investigated companies who provide data analytics for political purposes
6. Italy
• The Italian authority says that its investigations will in particular address the following aspects:
  • Information provided to data subjects
  • Requirements for valid consent and other legal bases for data processing
  • Data retention policies
  • Security measures
  • Data processing agreements
  • Appointment of data protection officers
European Variances: conflicting guidance from authorities across Europe
• For example, in the context of study agreements concerning pharmaceuticals and medical devices:
  • The UK Health Research Authority took the position that hospitals are data processors of study sponsors
  • The German working group of the ethics commissions rather suggests that hospitals and study sponsors are typically joint controllers
• Conflicting guidance creates challenges to developing a joint GDPR compliance strategy for Europe
7. Data Breaches: 5 Lessons Learned
• GDPR is important, but there is more than GDPR
  • GDPR imposes strict requirements on organizations having to deal with personal data breaches, BUT many other breach / security frameworks (prudential, non-EU ones, etc.) may also come into play
• Interaction with DPAs (data protection authorities) requires caution
  • Transparency and accountability are important data protection principles, but in dealing with DPAs, especially in the breach context, controllers should remind themselves that they are the ones who assess whether or not they are facing a reportable breach (and that they might have to defend their choices later on)
  • There are no “off the record” conversations with DPAs. What you tell them is on their file
8. Negotiating DPAs (Data Processing Agreements / Addenda) with Third Parties
• Requirements controllers must impose on processors under Article 28, e.g.:
  • Only act on the controller’s documented instructions
  • Commitments regarding confidentiality and deletion / return of personal data
  • Audit rights, appointment of sub-processors, etc.
  • Ensuring security
• Direct obligations that a recipient may have under GDPR, e.g.:
  • Controller obligations: keeping a record, appointing a DPO, conducting DPIAs, providing fair processing notices / obtaining consents, liaising with supervisory authorities, data subjects, etc.
  • Processor obligations: keeping a record, appointing a DPO, notifying the controller of a personal data breach / that instructions infringe the law, etc.
DPAs and Service Providers
• Typical points of concern for service providers in negotiations:
  • Responsibility for ensuring processing complies with the law
  • Retaining control and consistency of terms over the supply chain and audits
  • Personal data breach notification
  • Responsibility for ensuring appropriateness of security
  • Liabilities
• May be spelled out in a data privacy agreement or in addendum documents
9. Negotiating DPAs: The Customer’s Perspective
• Typical points of concern:
  • Right to object to sub-processors limited to specific or important reasons
  • Objection must not be arbitrary but based on objective reasons
Data Breaches: 5 Lessons Learned (continued)
• Data breach notification is a test of your LSA election
  • In a cross-border processing context, EU-based controllers designate a Lead Supervisory Authority (LSA)
  • This requires proper documentation to be in place, supported by an ad hoc assessment
  • The LSA mechanism is not available to all controllers (only to those established in the EU)
  • Very relevant in a breach notification context, as the controller only needs to notify its LSA (gathering the information on a single form)
  • Caution is necessary in case of doubt as to who your LSA is (see the WP29 breach guidelines). Multiple notifications might be necessary / prudent
10. Data Breaches: 5 Lessons Learned (continued)
• The when, how and why of communication to data subjects
  • When a data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall communicate the breach to the data subjects
  • Question: what is “high risk”, and how do you assess it?
  • The assessment methodology needs to be part of the incident response plan (building it while managing a breach is unpleasant)
Overseas Impact of GDPR
• The GDPR has inspired a number of similar laws in other countries, including Brazil and the State of California in the United States
11. Brazil Data Protection Law
Enacted in August 2018 and originally scheduled to come into force in February 2020 (the date was subsequently postponed), with rights and obligations similar to the GDPR:
• Applies to all processing of personal data
• Extraterritorial application
• Requires a legal basis for processing
• Significant fines (although not as high as those under the GDPR)
• Data subject rights
• Security requirements
• Data breach notification requirements
• Cross-border data transfer restrictions
Data Protection: Purpose of the Act
• Balance the rights of an individual with an organization’s legitimate need to process personal data
• Promote openness and transparency
• Establish and maintain trust and confidence
• Promote good practice in the processing of information
• Prevent damage and distress caused by unlawful or unauthorized processing
12. Data Protection Principles
• Data processed lawfully, fairly and in a transparent manner (“lawfulness, fairness and transparency”)
  • The explicit inclusion of the principle of transparency is a new provision within the GDPR.
• Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • GDPR provisions include processing for public interest and/or scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not be seen as incompatible with the original purpose. However, there would be a need to consider pseudonymising the data.
First Principle: Fair and Lawful Processing
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
(This wording is that of the UK Data Protection Act 1998; under the GDPR the equivalent conditions are the Article 6 lawful bases and, for special category data, the Article 9 conditions.)
13. First Principle: Fair and Lawful Processing (continued)
You must state:
• The data controller’s identity
• The purpose for which the data are intended to be processed
• In specific circumstances, any further information which is necessary to make the processing fair, e.g. if you are going to use personal data for direct marketing you must inform the data subject
• You must NOT deceive or mislead
First Principle: Conditions for Processing
The processing of personal data is necessary:
• for the performance of a contract with the individual;
• to comply with a legal obligation;
• to protect the vital interests of the individual;
• for the administration of justice, or the exercise of any statutory function;
• for the legitimate interests of the organization, unless the interests of the individual would be prejudiced;
or is with the consent of the individual.
14. Data Protection Principles (continued)
• Data processed is adequate, relevant and limited to what is necessary
• Data is accurate and, where necessary, kept up to date
• Data should not be kept longer than is necessary for the purpose
• Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
Second Principle: Purpose
• Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
• The purpose must be “specified, explicit and legitimate”
• Data can be collected and used only for those purposes that have been communicated to the data subject (and, where consent is the legal basis, for which consent was obtained)
15. Third Principle: Adequacy and Relevance of Data
• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
• Under the GDPR you will actually have to justify the amount of data collected, so make sure to design an adequate policy and document it
Fourth Principle: Accurate and Up to Date
• Data is accurate and, where necessary, kept up to date
  • Ensure that you do not retain old and outdated contacts, and ensure the erasure of inaccurate personal data without delay
  • Rights for individuals in the GDPR, e.g. data erasure, data correction etc., will impact on this principle
16. Fifth Principle: Retention
• Data should not be kept longer than is necessary for the purpose
  • GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes
  • Justify that the retention period is necessary for your specific objectives
  • “Just in case” is not a reason to retain personal data after it is no longer required for the specified purpose(s)
• Retention periods will vary depending on:
  • Legal requirements for keeping data
  • Ongoing investigations / litigation
  • Industry best practice
Sixth Principle: Integrity and Confidentiality
• Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction
• You must implement effective anonymisation or pseudonymisation systems to protect the identity of your clients (note that pseudonymised data remains personal data under the GDPR; only truly anonymised data falls outside its scope)
• You might also consider working towards gaining official certification, such as ISO 27001, to demonstrate your commitment to cyber security
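The sixth principle above asks for pseudonymisation systems but does not say what an adequate one looks like. As an added example (not code from the webinar or from AuditNet), the Python below pseudonymises a constructed customer dataset with a keyed hash (HMAC-SHA256), keeps the records linkable so analytics still work, and shows why an unkeyed SHA-256 of an e-mail address is not enough: those tokens fall to a dictionary of guessed addresses, whereas the HMAC tokens do not unless the attacker also holds the key. The key, the sample records and the attacker's guess list are all constructed for the example; the function names are the example's own.

```python
"""Keyed pseudonymisation of customer identifiers (HMAC-SHA256).

Added example, not code from the webinar or from AuditNet. The key, the
sample records and the attacker's guess list are constructed here so the
script runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; the e-mail address is the direct identifier
# that must not sit in the analytics dataset. Record 3 is the same person
# as record 1, written with different case and whitespace.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "IT", "purchases": 1},
    {"email": " Alice@Example.com ", "country": "DE", "purchases": 2},
]


def _normalise(identifier: str) -> bytes:
    # Canonicalise so case and whitespace variants of one address map to
    # the same token; otherwise the linkage silently breaks.
    return identifier.strip().lower().encode("utf-8")


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed token for an identifier.

    HMAC is deterministic, so one person always maps to one token and the
    records stay linkable, yet recreating or reversing a token requires the
    key. The key is the "additional information" that GDPR Art. 4(5) says
    must be kept separately (a KMS/HSM, never the same store as the data).
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, a common shortcut that is NOT adequate for low-entropy
    identifiers such as e-mail addresses (see dictionary_attack)."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise_dataset(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of the records with the e-mail replaced by a token."""
    out = []
    for rec in records:
        rec = dict(rec)                       # do not mutate the caller's data
        rec["subject_id"] = pseudonymise(rec.pop("email"), key)
        out.append(rec)
    return out


def purchases_per_subject(pseudo_records: list[dict]) -> dict[str, int]:
    """Analytics still work on the pseudonymised data (linkability kept)."""
    totals = defaultdict(int)
    for rec in pseudo_records:
        totals[rec["subject_id"]] += rec["purchases"]
    return dict(totals)


def dictionary_attack(tokens: list[str], guesses: list[str], token_fn) -> dict[str, str]:
    """Re-identify tokens by recomputing token_fn over candidate identifiers.

    Succeeds against unkeyed hashes; yields nothing against HMAC tokens
    unless the attacker also has the key (or guesses it).
    """
    lookup = {token_fn(g): g for g in guesses}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    key = secrets.token_bytes(32)             # would come from the KMS in production
    pseudo = pseudonymise_dataset(RECORDS, key)
    print("pseudonymised:", pseudo)
    print("purchases per subject:", purchases_per_subject(pseudo))

    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    weak = [unkeyed_hash(r["email"]) for r in RECORDS]
    strong = [r["subject_id"] for r in pseudo]
    print("recovered from SHA-256 tokens:", dictionary_attack(weak, guesses, unkeyed_hash))
    print("recovered from HMAC tokens:   ", dictionary_attack(strong, guesses, unkeyed_hash))
```

Two design points matter in practice. The key has to live apart from the pseudonymised dataset and be access-controlled as strictly as the raw identifiers were, because whoever holds it can rebuild the lookup table exactly as `dictionary_attack` does; rotating the key also breaks linkage across datasets tokenised under different keys, so plan rotation around the retention period. And because the tokens are still linkable to a person by the key holder, the output is pseudonymised rather than anonymised and stays inside the GDPR.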
17. Seventh Principle: Accountability
• Record and prove compliance
• Thorough documentation of all policies that govern the collection and processing of data
• Be able to produce the documents that demonstrate compliance with the GDPR when requested by the authorities
Questions? Any questions? Don’t be shy!
18. AuditNet® and cRisk Academy
• If you would like forever access to this webinar recording
• If you are watching the recording and would like to obtain CPE credit for this webinar
• Previous AuditNet® webinars are also available on demand for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code 50OFF for a discount on this webinar for one week
Thank You!
Jim Kaplan, AuditNet® LLC, 1-800-385-1625, Email: info@auditnet.org, www.auditnet.org
Follow me on Twitter for special offers: @auditnet
Join my LinkedIn group: https://www.linkedin.com/groups/44252/
Like my Facebook business page: https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963; Tel: +1 303 747 6087 (Skype Worldwide); Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com; Web: http://www.rcascarino.com; Skype: Richard.Cascarino