The document outlines a webinar conducted by Richard Cascarino on becoming compliant with the General Data Protection Regulation (GDPR), covering topics such as handling data subject access requests (DSARs), the roles of data controllers and processors, and requirements for transferring personal data outside the EU. It emphasizes that organizations must ensure compliance by understanding GDPR regulations, conducting risk assessments, and maintaining documentation. Key points include the obligations of data controllers and processors, response times for DSARs, and the necessity of obtaining consent when processing personal information.

1. 10/14/2020
1
Richard Cascarino CISM,
CIA, ACFE, CRMA
General Data
Protection Regulation
(GDPR) Webinar 10
Becoming GDPR
Compliant
About Jim Kaplan, CIA, CFE
 President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
 Auditor, Web Site Guru,
 Internet for Auditors Pioneer
 IIA Bradford Cadmus Memorial Award
Recipient
 Local Government Auditor’s Lifetime
Award
 Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
Page 2
1
2

2. 10/14/2020
2
ABOUT AUDITNET® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,300 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
Page 3
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
• If you logged in with another individual’s confirmation email you will not receive
CPE as the confirmation login is linked to a specific individual
• This Webinar is not eligible for viewing in a group setting. You must be logged in with
your unique join link.
• We are recording the webinar and you will be provided access to that recording after
the webinar. Downloading or otherwise duplicating the webinar recording is expressly
prohibited.
• If you meet the criteria for earning CPE, you will receive a link via email to download
your certificate. The official email for CPE will be issued via cpe@email.cpe.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There may be a processing fee to have your CPE credit regenerated if you did not
receive the first mailing.
• Submit questions via the chat box on your screen and we will answer them either during
or at the conclusion.
• You must answer the survey questions after the Webinar or before downloading your
certificate.
3
4

3. 10/14/2020
3
IMPORTANT INFORMATION
REGARDING CPE!
• ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via cpe@email.cpe.io and it is important to white list this address. It is from this email
that your CPE credit will be sent. There may be a processing fee to have your CPE credit
regenerated after the initial distribution.
• We cannot manually generate a CPE certificate as these are handled by our 3rd party provider.
We highly recommend that you work with your IT department to identify and correct any email
delivery issues prior to attending the Webinar. Issues would include blocks or spam filters in
your email system or a firewall that will redirect or not allow delivery of this email from
Gensend.io
• You must opt-in for our mailing list. If you indicate, you do not want to receive our emails
your registration will be cancelled, and you will not be able to attend the Webinar.
• We are not responsible for any connection, audio or other computer related issues. You must
have pop-ups enabled on you computer otherwise you will not be able to answer the polling
questions which occur approximately every 20 minutes. We suggest that if you have any
pressing issues to see to that you do so immediately after a polling question.
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral presentation
accompanying them, are for educational purposes only and do not constitute
accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and complete,
AuditNet® makes no representations, guarantees, or warranties as to the accuracy or
completeness of the information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from the information
contained in this presentation, including any websites maintained by third parties and
linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
5
6

4. 10/14/2020
4
ABOUT RICHARD
CASCARINO, MBA, CIA,
CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of The Complete Guide for
CISA Examination Preparation out
5 October 2020
7
Copyright Richard Cascarino
TODAY’S AGENDA
Page 8
• Handling data subject access requests (DSARs).
• The roles of controllers and processors, and the
relationships between them.
• Transferring personal data outside the EU and the
mechanisms for compliance.
• How to become GDPR compliant using a compliance
gap assessment tool.
7
8

5. 10/14/2020
5
WHAT IS A DSAR?
Page 9
Article 15 of the General Data Protection Regulation (GDPR) grants
Europeans the right to ask for a copy of the personal data
A request from a data subject to be provided with a copy of the
personal data being processed by a Controller and an explanation of
the purposes for which personal data is being used
Specifically when anyone asks to receive a copy of the personal data
you may hold for them
Must come from the individual themselves (or an authorized
agent/parent/guardian)
Could be sent to any department and come from a variety of sources
May be submitted by email or social media and may be addressed to
the “wrong” department or person
Must be forwarded to the DPO
WHY REQUEST?
Page 10
To ensure:
The individual’s personal information is being processed
Who can access that information
The organization’s lawful basis for processing
The names or categories of any third parties that the
information has been shared with
The estimated period for which the personal data will be stored
The criteria used to determine the storage period
How the personal data was obtained
Information about automated decision-making, including
profiling, and the reasoning for and potential consequences of
the automation
9
10

6. 10/14/2020
6
OBLIGATIONS
Page 11
Organizations don’t automatically have to comply with
every DSAR they receive
manifestly unfounded
 one that the individual sends to disrupt the organisation, or which
contains unsubstantiated accusations against the organisation
excessive
 based on how often you collect personal data
Repetitive
Organizations that reject on those bases must be
capable of demonstrating their justification
Each request to be considered on a case-by-case
basis
YOU MAY NEED
Page 12
Proof of ID (if the requester is an employee or ex employee this
may not be necessary if it is obvious to you who they are)
Proof of relationship/authority (for example if information is
requested about a child or by an agent)
Whether they are interested in specific information (if they request
ALL personal data you cannot restrict this)
To know what their relationship is with your organization
Whether they wish to see CCTV images of them (if relevant) and
request a photograph, description of clothes worn, dates of visits
etc.
Whether they require the information to be provided in writing or
whether they will accept it in an electronic form
11
12

7. 10/14/2020
7
PROCESSING REQUIREMENTS
Page 13
No fee allowed
In most circumstances
A “reasonable fee” when a request is manifestly unfounded,
excessive or repetitive
Access may be refused if excessive, unfounded or repetitive
requests
Refusal includes right to appeal to the organization’s
supervisory authority
Fee must be based on the administrative cost of complying
with the request
If no personal data is held about the individual they
must be informed of this
RESPONSE TIMES
Page 14
Generally organizations required to provide the
requested information within one month
Where requests are complex or numerous,
organizations are permitted to extend the deadline to
three months
Response explaining delay still required within one month
No limit on how a DSAR must be made
Verbally
Electronically
If request is made electronically, the information must be
provided in a commonly used file format
13
14

8. 10/14/2020
8
WHAT TO RELEASE
Page 15
If the information contains personal data relating to other
individuals consideration must be given whether/how to redact this
or judge it to be reasonable to disclose
Such information can be disclosed with the consent of other
parties
Where consent is not feasible consideration must be given to the
privacy impact and/or how your duty of confidentiality to these
other parties should the information be disclosed
Any justification for disclosure of personal relating to other parties
must be documented
CONTROLLERS AND
PROCESSORS
GDPR imposes specific obligations on “Processors”,
“Controllers”, and others with regard to their vendor
relationships and the protection of “Personal Data”
GDPR requires companies to conduct appropriate due
diligence on processors and to have contracts containing
specific provisions relating to data protection
Duty of the processor to notify the controller and the
controller to notify the supervisory authority when the
personal data breach is likely to lead to a high risk to the data
subject’s rights and freedoms
15
16

9. 10/14/2020
9
CONTROLLERS AND
PROCESSORS
“Controller”
 the natural or legal person, public authority, agency or any
other body which alone or jointly with others determines the
purposes and means of the processing of personal data.
“Processor”
 a natural or legal person, public authority, agency or any other
body which processes personal data on behalf of the controller
CONTROLLERS AND
PROCESSORS
When the processing of personal data of EU data subjects is
done by a controller or processor that is not present in the
EU, the GDPR applies in activities related to offering goods
or services to EU citizens (free and paying services) and
behavior monitoring of EU data subjects
A non-EU company which processes the data of EU citizens
needs to appoint a representative in the EU
17
18

10. 10/14/2020
10
CONTROLLERS AND
PROCESSORS
The GDPR concerns all companies which process personal
data of citizens (‘data subjects’) who reside in the EU,
regardless of where these companies (the ‘data processors’
and ‘data controllers’) are located
When the processing of personal data of EU data subjects is
done by a controller or processor that is not present in the
EU, the GDPR applies in activities related to offering goods
or services to EU citizens (free and paying services) and
behavior monitoring of EU data subjects
 Controller
 Alone or jointly with others determines the purposes and
means of processing personal data.
 Processor
 Processes personal data on behalf of the controller.
 Both controllers and processors regulated directly under
GDPR.
 Controllers have more responsibilities, for example:
 Providing notices to data subjects, responding to exercise of
subject rights, appointing representative in EEA, notifying
supervisory authorities and data subjects of data breaches,
maintaining records of processing.
39
CONTROLLER VS. PROCESSOR
19
20

11. 10/14/2020
11
CONTROLLER AND
PROCESSOR
 Tasks and responsibilities of Controller, Processor
and Data Protection Officer:
 Records of processing activities and Logging
 Personal data breach handling (Incident
handling
 Data protection impact assessment and Prior
consultation
 Security of processing and Data protection by
design and by Default
THE DATA PROCESSOR
Someone who processes personal data
on behalf of the data controller
Examples include external payroll providers
The obligation to comply with the Act
is on the controller who must make sure
that the processor processes data fairly
and lawfully- under GDPR Data Processor has
some direct obligations
21
22

12. 10/14/2020
12
PRIVACY SHIELD (USA ONLY)
 The decision on the EU-U.S. Privacy Shield was adopted by the
European Commission on 12 July, 2016 Removed 2020
 Commercial sector
 Strong obligations on companies and robust enforcement
 U.S Government access
 Clear safeguards and transparency obligations
 Redress
 Directly with the company
 With the data protection authority
 Privacy shield panel
 Monitoring
 Annual joint review mechanism between US Department of
commerce and EU Commission
TRANSFERRING PERSONAL
DATA OUTSIDE THE EU
 Article 2(g): “recipient” shall mean a natural or legal person, public authority,
agency or any other body to whom data are disclosed, whether a third party
or not; however, authorities which may receive data in the framework of a
particular inquiry shall not be regarded as recipients
 Generally - (GDPR) restricts transfers of personal data to countries
outside the EEA. These restrictions apply to all transfers, no matter the
size of transfer or how often you carry them out
 Article 44: General principle for transfers
 Any transfer of personal data by controller or processor shall take place
only if certain conditions are complied with:
 a. Transfers on the basis of adequacy;
 b. Transfers subject to the appropriate safeguards
 c. Binding corporate rules apply.
23
24

13. 10/14/2020
13
ADEQUACY
Transfers on the basis of adequacy
 A transfer may take place where there is an adequate level of
protection
 The adequacy criteria:
 – the rule of law;
 – respect for human rights and fundamental freedoms;
 – relevant legislation, both general and sectoral, including:
 concerning public security
 defense
 national security
 criminal law
SUBJECT TO APPROPRIATE
SAFEGUARDS
 Legally binding agreement between public authorities or
bodies
 Standard data protection clauses in the form of template
transfer clauses adopted by the Commission
 Standard data protection clauses in the form of template
transfer clauses adopted by a supervisory authority and
approved by the Commission
25
26

14. 10/14/2020
14
SUBJECT TO APPROPRIATE
SAFEGUARDS
 Compliance with an approved code of conduct approved by a
supervisory authority
 Certification under an approved certification mechanism as provided
for in the GDPR
 Contractual clauses agreed authorized by the competent
supervisory authority
 Provisions inserted in to administrative arrangements between
public authorities or bodies authorized by the competent supervisory
authority
DEROGATIONS (EXEMPTIONS)
 Necessary for the establishment, exercise or defense of legal
claims
 Necessary to protect the vital interests of the data subject or
other persons, where the data subject is physically or legally
incapable of giving consent
 Made from a register which under UK or EU law is intended to
provide information to the public (and which is open to
consultation by either the public in general or those able to
show a legitimate interest in inspecting the register)
27
28

15. 10/14/2020
15
DEROGATIONS (EXEMPTIONS)
 Made with the individual’s informed consent
 Necessary for the performance of a contract between the
individual and the organization or for pre-contractual steps
taken at the individual’s request
 Necessary for the performance of a contract made in the
interests of the individual between the controller and another
person
 Necessary for important reasons of public interest
BINDING CORPORATE RULES
 Binding Corporate Rules (BCRs) are designed to allow
multinational companies to transfer personal data from the
European Economic Area (EEA) to their affiliates located
outside of the EEA
 Applicants must demonstrate that their BCRs put in place
adequate safeguards for protecting personal data throughout
the organization
 Existing model BCRs are Data Protection Directive (DPD)-
related
29
30

16. 10/14/2020
16
BECOMING GDPR
COMPLIANT
Page 31
 Step one – Understand the GDPR legal framework. ...
 Step two – create a Data Register. ...
 Step three – classify your data. ...
 Step four – Start with your top priority. ...
 Step five – assess and document additional risks and processes
...
 Step six – revise and repeat.
THE PROCESS
 Planning and Mobilization
 Setup the team, finalize the scope
 Determine what resources are needed
 Identify process owners and stakeholders, establish
consultation plan
 Perform the Assessment
 Consult stakeholders, analyze risks and legal gaps, create risk
map
 Determine necessary controls and remediation measures to
address legal gaps and risks
 Create risk management plan, get sign off
 Implement the control framework
 Deploy risk management controls
 Address legal gaps through remediation measures
 Monitor and evaluate on a regular basis
31
32

17. 10/14/2020
17
BECOMING GDPR
COMPLIANT
Page 33
Prepare for your GDPR project
Create a project plan to implement GDPR.
Include the right stakeholders in your GDPR project
Conduct a readiness assessment to find out what tasks you
need to perform
Define your Personal Data Policy and other top-
level documents
BECOMING GDPR
COMPLIANT
Page 34
Create an inventory of processing activities
List your processing activities and how these map to legitimate
purposes defined in GDPR
Be sure your company has published the necessary privacy
notices for data subjects
Define an approach to manage data subject rights
33
34

18. 10/14/2020
18
BECOMING GDPR
COMPLIANT
Page 35
Implement a Data Protection Impact Assessment
(DPIA)
Conduct a DPIA when initiating a new project, or when
implementing a change to your information systems or a
product
Secure personal data transfers
Analyze what personal data is being transferred outside of
your company, and when
Take necessary legal and security measures to adequately
protect personal data when personal data is transferred
outside of the company
BECOMING GDPR
COMPLIANT
Page 36
Amend third-party contracts
Amend third-party contracts that include processing of
personal data to become compliant with the GDPR
Ensure the security of personal and sensitive data
Implement the necessary organizational and technical
measures to protect the personal data of data subjects
Consider privacy and protection when designing new systems
and processes
Define how to handle data breaches.
Set up the processes to identify and handle personal data
breaches
Prepare for notifications to the Supervisory Authority and data
subjects, if required, in the case of a personal data breach
35
36

19. 10/14/2020
19
AUTOMATED PERFORMANCE TOOLS
 One Trust
 Maintain Ongoing, Scalable Records to Demonstrate Global Privacy
Compliance
 Integrate Privacy by Design into Existing Processes
 Sharing Project Assessments Externally
 CENTRL's Privacy360
 Automate the full assessment process
 Use standard assessment templates or upload proprietary ones
 Track issues and manage process to remediation
 Reporting and analytics
 Vigilant Software
 Identify data security risks and determine the likelihood of their
occurrence and impact.
 Easily review and update DPIAs when changes in processing activities
occur.
 Share DPIA findings with stakeholders and data processors.
 Demonstrate that appropriate measures have been taken to comply with
the requirements of the GDPR.
ONETRUST
 OneTrust is the #1 most widely used privacy, security and trust
technology. More than 6,000 customers, including half of the Fortune
500, use OneTrust to build integrated programs that comply with the
CCPA, GDPR, LGPD, PDPA, ISO27001 and hundreds of the world’s
privacy and security laws. The OneTrust platform is powered by the
OneTrust Athena™ AI and robotic automation engine
https://www.onetrust.com/products/assessment-automation
37
38

20. 10/14/2020
20
PRIVACY 360
 As the compliance process continues, the Data Protection
Officer faces specific challenges that are preventing the
company from going forth with the envisioned data privacy
model
 Privacy 360 is a reporting module and a perfect solution for
the Data Protection Officer’s challenges. It gives a DPO an
overview of all data and locations where personal
information is stored about the specific data subject
 https://dataprivacymanager.net/solutions/privacy-360/
VIGILANT SOFTWARE
 Vigilant Software
 DPIA Tool – Conduct a data protection impact assessment in six
simple steps
 Assess and treat data security risks for every process in your
organization.
 Easily demonstrate measures taken for GDPR (General Data
Protection Regulation) compliance, essential to help you meet Article
35 requirements.
 Avoid unnecessary work with screening questions to determine if a
DPIA (data protection impact assessment) is necessary.
 Export reports, and share findings with stakeholders and third parties.
 Avoid errors and ensure completeness with a proven tool, aligned with
the GDPR and ICO’s (Information Commissioner’s Office)
requirements.
 Review, update and maintain DPIAs year after year.
https://www.vigilantsoftware.co.uk/topic/dpia
39
40

21. 10/14/2020
21
QUESTIONS?
Any Questions?
Don’t be Shy!
AUDITNET® AND CRISK
ACADEMY
• If you would like forever
access to this webinar
recording
• If you are watching the
recording, and would like
to obtain CPE credit for
this webinar
• Previous AuditNet®
webinars are also
available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
41
42

22. 10/14/2020
22
THANK YOU!
Page 43
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino
43