My presentation- Ala about privacy and GDPR
AGENDA
• INTRODUCTION
• WHY GDPR
• TERMS AND DEFINITIONS
• GDPR PRINCIPLES
• GDPR REQUIREMENTS
• AUDITING GDPR
INTRODUCTION
The purpose of the General Data Protection Regulation (GDPR) is to modernise data protection and give individuals greater protection by standardising and harmonising the previously fragmented data protection legislation of the EU member states.
It is an EU regulation (Regulation (EU) 2016/679) that applies from 25 May 2018, replacing the 1995 Data Protection Directive (95/46/EC).
WHAT IS THE PURPOSE OF GDPR?
• Data protection is about protecting people's privacy. With the continued growth of the internet, modern living has become more data driven, and businesses keep looking for new ways to leverage the power of technology and the internet.
This data-driven world is much more interconnected, which makes it much harder to limit the harm to individuals if data protection goes wrong. The result may leave an individual exposed to identity theft, financial loss or criminal exploitation.
Companies are given personal information in good faith and are responsible for ensuring that it is protected in a way that will not compromise the individual. How personal information should be protected depends on the type of personal information a company collects and how the company will use it. Data protection is therefore contextual, and every company will have its own way of meeting its data protection requirements.
CHANGES TO THE EXISTING
REGULATION
What the GDPR brings to the current regulatory
framework
CHANGES TO THE EXISTING REGULATION
What does the GDPR bring, compared to the existing Data Protection Directive (95/46/EC)?
• Broader territorial scope: applies to all organisations that offer goods or services to, or monitor the behaviour of, data subjects in the EU, even if they are established outside the EU.
• Sanctions: administrative fines of up to 2% of global annual turnover or €10 million for less serious infringements, and up to 4% of global annual turnover or €20 million for the most serious ones, whichever amount is higher in each case.
• Expanded definitions: personal data now explicitly includes location data, IP addresses and other online and device identifiers.
• Data subject rights: reinforced rights of access, rectification, restriction, erasure and objection to processing, plus the right not to be subject to decisions based solely on automated processing, including profiling.
• Consent: required as the lawful basis for processing where no other basis (such as a legal obligation or a contract) applies; it must be freely given, specific, informed and unambiguous, and the controller must be able to demonstrate it.
• Data breach notification: report a personal data breach to the supervisory authority (Data Protection Authority) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
• One-stop shop: the Data Protection Authority (DPA) of the organisation's main establishment can act as lead DPA, supervising its processing activities throughout the EU.
• International data transfers: Binding Corporate Rules are now embedded in law as a tool for transfers outside the EU and EEA where there is no adequacy decision covering the destination country.
DEFINITIONS
What are the key aspects you need
to know
IMPORTANT TERMINOLOGY
DATA SUBJECT
An identified or identifiable natural person to whom the personal data relates.
DATA CONTROLLER
A person, company or organisation that determines the purposes and means of processing personal data.
DATA PROCESSOR
A person, company or organisation that processes personal data on behalf of the controller.
PERSONAL DATA (PERSONALLY IDENTIFIABLE INFORMATION, PII)
GDPR uses the term "personal data": any information relating directly or indirectly to an identified or identifiable natural person, i.e. information that can lead to the identification of an individual when used alone or combined with other relevant data. Examples are:
General personal data
• Name, surname
• Gender
• Date of birth
• Home address
• ID number
• Personal email address
• Biometric data (e.g. photographs or video when processed to uniquely identify a person)
• Behavioural information
Financial information
• Social security numbers
• Account numbers (bank accounts, credit cards, etc.)
• Personal identification numbers (PINs)
• Passwords to financial accounts
• Income information
Special categories of personal data (sensitive information, Article 9) and criminal data (Article 10)
• Racial or ethnic origin
• Religious beliefs
• Health information
• Sexual orientation
• Political views
• Criminal convictions, offences and related security measures
Health information
• Medical records
• Physical / mental health information
• Health plan
• Health history
DATA PROTECTION ROLES
• Data subject
• Data controller
• Data processor
• Supervisory authority (SA) / Data Protection Authority (DPA)
AN INDIVIDUAL’S RIGHTS
The GDPR seeks to balance the rights of an individual, or data subject, in relation to their personal information with the need a company has to hold and process personal information.
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision-making and profiling
CORE PRINCIPLES
Processing of personal data: GDPR privacy principles
• Lawfulness and fairness: processing only on a valid lawful basis, and in a way that has no unjustified negative impact on the data subject.
• Transparency: processing data in a lawful, fair and transparent manner in relation to the data subject.
• Purpose limitation: collecting and processing data only for specified, explicit and legitimate purposes.
• Data minimisation: collecting and processing data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
• Accuracy: ensuring data is accurate and, where necessary, kept up to date in relation to the purposes for which it is processed, and erased or rectified accordingly.
• Storage limitation: keeping data for no longer than is necessary for the purposes for which it is processed.
• Integrity and confidentiality: processing data in a secure manner, with protection against unauthorised actions, loss, damage and destruction.
• Accountability: introducing technical and organisational measures to ensure, and to be able to demonstrate, that data processing is performed in accordance with the GDPR.
• Data subject rights: informing data subjects about their rights regarding the processing of their personal data, and enabling them to exercise those rights.
• Data transfer and disclosure: applying protection safeguards and measures to data transferred to third parties.
PROCESSING PERSONAL DATA
Lawful bases for processing (Article 6):
• Consent
• Contractual necessity
• Legal obligation
• Vital interests
• Public interest
• Legitimate interests
https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
ACTIONS TO BE TAKEN
8 key measures to be taken
Although GDPR legislation is, of course, a legal given, its implementation has organisational and IT elements as well. A total of 8 measures are to be implemented:
1. DATA PRIVACY POLICY & AWARENESS PROGRAM
2. MAINTAINING A REGISTER OF PROCESSING ACTIVITIES & DATA
3. PRIVACY IMPACT ASSESSMENTS (PIAs) ON THE CRITICAL PROCESSES
4. IMPLEMENTING SECURITY MEASURES (PRIVACY BY DESIGN AND DEFAULT)
5. ADAPTING THE AGREEMENTS BETWEEN CONTROLLERS AND PROCESSORS (THIRD PARTIES)
6. ADJUSTING COMMUNICATION TO THE ‘DATA SUBJECTS’ THROUGH ‘PRIVACY NOTICES’
7. DATA BREACH NOTIFICATION
8. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
SUMMARY OF GDPR INFORMATION LIFE CYCLE
Life cycle stages: Assess → Capture → Store → Use → Destroy
Controls and obligations to apply across the life cycle:
• Data Protection by Design and by Default
• Data Protection Impact Assessment (DPIA)
• Documentation
• Data inventory
• Privacy notices
• Privacy rights
• Consent: obtain consent, manage consent
• Appropriate use
• Data minimisation
• Subject access requests
• Right to erasure
• Portability
• Retention period
• Third-party copies
• Contracts with data processors
• Restricted international transfers
• Restricted access
• Safe and secure
• Data breaches
HOW PENALTIES AND FINES ARE INCURRED
• The level of fines will depend on the nature, gravity and duration of the infringement, and takes into account any remediation measures a company has undertaken.
• Fines can be incurred for a range of infringements and are not limited to the list below:
• A breach of the GDPR principles
• Issues around individuals' rights
• Unlawful data processing
• Breaches involving special categories of (sensitive) personal data
• Transferring data to countries without adequate protection
• Processing where consent cannot be proven or has been withdrawn
AUDITING GDPR
Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance.
Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the three dimensions of risk across all facets of an enterprise:
• People
• Processes
• Technology
GDPR Article 5(2) states that "the controller shall be responsible for, and be able to demonstrate compliance with" paragraph 1 of that article, i.e. by ensuring that personal data are processed in accordance with the following six principles:
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
In reality, the controller is accountable for ensuring compliance with the six key principles. Auditors are concerned with validating the level of compliance.
1- LAWFULNESS, FAIRNESS AND TRANSPARENCY
GDPR Article 5 states that personal data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject".
The regulation requires that all the enterprise's processes relating to personal data be evidenced, forming an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work.
Lawfulness: auditors must ensure that each processing activity in the inventory is tied to a documented lawful basis (Article 6, plus an Article 9 condition for special categories of data), and that the enterprise has the systems and processes in place to ensure that data subjects' rights are not breached.
FAIRNESS AND TRANSPARENCY
Fairness: in terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance. These rights are exercised through a subject access request (SAR).
A GDPR SAR audit will be an audit of processes and of the design and effective implementation of controls, following the SAR flow: Request → Validation → Response.
TRANSPARENCY
GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, using clear and plain language, and be provided in writing or by other means, including electronic means. Responses to requests exercising the rights in Articles 15 to 22 must be provided without undue delay and within one month at the latest; this period may be extended by two further months where requests are complex or numerous, provided the data subject is informed of the extension and its reasons within the first month.
Transparency: in addition to reviewing and validating the SAR response log, auditors also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable.
2- ACCURACY
GDPR Article 5 states that personal data shall be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate… are erased or rectified without delay".
• Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognise the risk posed by shadow IT and unstructured data.
Accuracy: auditors should seek to assess the completeness of the data discovery exercise and the actions that followed.
Auditors should:
• Review the process undertaken by the business to locate and cleanse the data.
• Review the rules put in place to minimise the instance of shadow IT systems and to manage unstructured data.
• Ensure the strategic audit plan covers data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data.
3- PURPOSE LIMITATION
GDPR Article 5 states that personal data shall be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".
Purpose limitation: auditors should expect records to be flagged with a reference to a defined purpose, which in turn determines the lawful basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.
4- DATA MINIMIZATION
GDPR Article 5 states that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".
Data minimisation: the key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. To comply with GDPR, enterprises must implement data minimisation rules and processes at every step of the data life cycle.
5- STORAGE LIMITATION
GDPR Article 5 states that personal data shall be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes", subject to appropriate safeguards.
Storage limitation: auditors should approach with caution and consider retention in terms of other legislation and regulation that predate GDPR, as well as the enterprise's needs. GDPR only replaces existing data protection legislation; it does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).
The key phrase to consider here is "permits identification". Auditors can conclude from this that, so long as the systems and processes work to genuinely anonymise the data at a given point in time, it is acceptable to keep and use the data for modelling. The caveat is that pseudonymised data (for example, records keyed by a token or hash that the enterprise can still link back to an individual) remains personal data under Recital 26 and stays within scope; only data that can no longer be related to an identifiable person is anonymous.
An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation.
Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software.
6- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY (ARTICLE 5: "INTEGRITY AND CONFIDENTIALITY")
GDPR Article 5(1)(f) states that personal data shall be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". Article 32 expands on this with the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and to restore availability of and access to personal data in a timely manner after a physical or technical incident.
Providing audit assurance on GDPR is not a one-off process; the accountability principle means auditors should consider personal data throughout the enterprise's annual audit plan.
IN A NUTSHELL
What are the key points to remember
KEY POINTS
• Data Privacy Impact Assessment (DPIA)
• Data transfers to third countries / organisations
• Awareness & training
• Data Protection Officer (DPO)
• Marketing
• Data breach notification
• Privacy by design & by default
• Consent prior to processing
• Third-party agreements
• Data erasure
• Reporting to supervisory authorities
• Data retention & storage
• Security
• Legal involvement
• Inventory of processing
• Incident response & crisis management
• Data portability
• Automated processing
PERSONAL DATA: REMEMBER
These eight reminders mirror the eight data protection principles of the UK Data Protection Act 1998 and map onto the GDPR principles above.
1. MUST BE FAIRLY AND LAWFULLY PROCESSED
Make sure to handle people's personal data only in ways they would expect, and be open and transparent about how you intend to use the data.
2. MUST BE PROCESSED FOR SPECIFIC PURPOSES ONLY AND NOT FOR ANYTHING ELSE
When using personal data, make sure to use it only for the purposes that you told people about or that they agreed to, so that there are no surprises.
3. MUST BE ADEQUATE, RELEVANT AND NOT EXCESSIVE
When collecting personal data, do not collect more data than needed.
4. MUST BE ACCURATE AND UP TO DATE
Ensure that the data you collect about your clients or employees is accurate, for example the correct spelling of a name. It is also important to check that your records are up to date.
5. MUST NOT BE KEPT FOR LONGER THAN IS NECESSARY
Do not keep personal data for longer than it is needed, and put procedures in place for archiving and destroying personal data when it is no longer needed.
6. MUST BE PROCESSED IN LINE WITH INDIVIDUALS’ RIGHTS
• the right to access a copy of the personal data you hold about them
• the right to have their personal data rectified, blocked, erased or destroyed
• the right to data portability
• the right to object to processing of their data
• the right to opt out of direct marketing
• the right to be forgotten
• the right to claim compensation for damages if their rights are not respected
7. MUST BE KEPT SECURE
Keep personal data secure and confidential, using IT measures (such as encryption) but also organisational measures to ensure your people and suppliers do not breach this confidentiality.
8. MUST NOT BE TRANSFERRED TO OTHER COUNTRIES WITHOUT ADEQUATE PROTECTION
Before sending personal data to another country, make sure that adequate measures are put in place.
More Related Content

Similar to My presentation- Ala about privacy and GDPR

Guide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulationGuide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulation
N N
 
Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1
rtjbond
 
Data Privacy and consent management .. .
Data Privacy and consent management  ..  .Data Privacy and consent management  ..  .
Data Privacy and consent management .. .
ClinosolIndia
 

Similar to My presentation- Ala about privacy and GDPR (20)

Guide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulationGuide to-the-general-data-protection-regulation
Guide to-the-general-data-protection-regulation
 
Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1Auditing your EU entities for data protection compliance 5661651 1
Auditing your EU entities for data protection compliance 5661651 1
 
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...GDPR The New Data Protection Law coming into effect May 2018. What does it me...
GDPR The New Data Protection Law coming into effect May 2018. What does it me...
 
GDPR for your Payroll Bureau
GDPR for your Payroll BureauGDPR for your Payroll Bureau
GDPR for your Payroll Bureau
 
Data Privacy and consent management .. .
Data Privacy and consent management  ..  .Data Privacy and consent management  ..  .
Data Privacy and consent management .. .
 
Data privacy and consent management (K.sailaja).pptx
Data privacy and consent management (K.sailaja).pptxData privacy and consent management (K.sailaja).pptx
Data privacy and consent management (K.sailaja).pptx
 
GDPR: Your Journey to Compliance
GDPR: Your Journey to ComplianceGDPR: Your Journey to Compliance
GDPR: Your Journey to Compliance
 
The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law The Summary Guide to Compliance with the Kenya Data Protection Law
The Summary Guide to Compliance with the Kenya Data Protection Law
 
DAMA Ireland - GDPR
DAMA Ireland - GDPRDAMA Ireland - GDPR
DAMA Ireland - GDPR
 
GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing Mindset
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdfData Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
Data Privacy Compliance Navigating the Evolving Regulatory Landscape.pdf
 
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
GDPR Breakfast Briefing - For Business Owners, HR Directors, Marketing Direct...
 
Why GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC FrameworkWhy GDPR Must Be an Integral Part of Your GRC Framework
Why GDPR Must Be an Integral Part of Your GRC Framework
 
GDPR and Analytics
GDPR and AnalyticsGDPR and Analytics
GDPR and Analytics
 
GDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business AdvisorsGDPR Breakfast Briefing for Business Advisors
GDPR Breakfast Briefing for Business Advisors
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
How does GDPR Regulation help in Data Protection and Data Privacy?
How does GDPR Regulation help in Data Protection and Data Privacy?How does GDPR Regulation help in Data Protection and Data Privacy?
How does GDPR Regulation help in Data Protection and Data Privacy?
 
Impact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and ProcessingImpact of GDPR on Data Collection and Processing
Impact of GDPR on Data Collection and Processing
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
ChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps ProductivityChatGPT and Beyond - Elevating DevOps Productivity
ChatGPT and Beyond - Elevating DevOps Productivity
 
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
Event-Driven Architecture Masterclass: Engineering a Robust, High-performance...
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 

My presentation- Ala about privacy and GDPR

  • 1.
  • 2. AGENDA • INTRODUCTION • WHY GDPR • TERMS AND DEFINITIONS • GDPR PRINCIPLES • GDPR REQUIREMENTS • AUDITING GDPR.
  • 3. INTRODUCTION The purpose of the General Data Protection Regulation (GDPR) is to modernize data protection and provide greater protection to individuals through the standardization and harmonization of previously fragmented data protection legislations. Is new EU legislation that comes into effect on May 25th 2018
  • 4. WHAT IS THE PURPOSE OF GDPR? • DATA PROTECTION IS ABOUT PROTECTING PEOPLES PRIVACY. WITH THE CONTINUED GROWTH OF THE INTERNET, MODERN DAY LIVING HAS BECOME MORE DATA DRIVEN RESULTING IN BUSINESS LOOKING FOR NEW WAYS TO LEVERAGE THE POWER OF TECHNOLOGY AND THE INTERNET This data driven world is much more interconnected, making it much harder to limit the harm to individuals if data protection goes wrong. The results of this may leave an individual exposed to identity theft, financial loss or criminal exploitation Companies are given personal information in good faith and are responsible for ensuring that the personal information given to them is protected in a way that will not compromise the individual. How personal information is protected depends on the type of personal information a company collects and how the company will use that information. This means that data protection is contextual and every company will have its own way of meeting its data protection requirements
  • 5. CHANGES TO THE EXISTING REGULATION What the GDPR brings to the current regulatory framework
  • 6. CHANGES TO THE EXISTING REGULATION What does the GDPR bring (compared to the existing Data Protection Directive)) Applies to all entities targeting data subjects in the EU, even if they are based out of the EU. Fines ranging between 2 to 4% of the global annual turnover or €10 - 20 million Personal data now includes location data, IP addresses, online and technology identifiers. Reinforced rights: Access, rectification, restriction, erasure, objection to processing; no automated processing and profiling. Required for processing, where there is no other legal obligation. Report a personal data breach to the Data Protection Authority within 72hrs. Data Protection Authorities (DPA) of main establishment can act as lead DPA, supervising processing activities throughout the EU. Binding Corporate Rules as tools for data transfers outside the EU and EEA are now embedded in law, where there is no adequate decision to perform a transfer. International data transfers One-stop shop Data breach notification Consent Data subjects rights Expanded definitions Sanctions Broader territorial scope
  • 7. DEFINITIONS What are the key aspects you need to know
  • 8. IMPORTANT TERMINOLOGY DATASUBJECT An individual who is the subject of the information or data. DATACONTROLLER A person, company or organisation who determines the purposes and means of processing personal data DATAPROCESSOR A person, company or organisation who processes personal data on behalf of the controller 8
  • 9. PERSONAL IDENTIFIABLE INFORMATION (PII) Any type of information relating directly or indirectly to an identified or identifiable natural person and can lead to the identification of an individual when used alone or combined with other relevant data. Examples are: General Personal Data Name, Surname Gender Date of birth Home Address ID Number Personal email address Biometric data (photograph / video) Behavioral information Financial Information Social Security Numbers Account numbers (bank accounts, credit cards, etc.) Personal Identification Numbers (PINs) Passwords to financial accounts Income information Personal Identifiable Information Sensitive Information Racial or ethnic origin Religious beliefs Health Information Sexual orientation Political views Criminal convictions / Security measures / Offenses Health Information Medical records Physical / mental health information Health plan Health history
  • 10. DATA PROTECTION ROLES Data subject Data controller Data processor Supervisory authority (SA) / Data Protection Authority (DPA) 1 0
  • 11. AN INDIVIDUAL’S RIGHTS The GDPR seeks to balance the rights of an individual, or data subject in relation to their personal information with the need a company has to hold and process personal information. The right of Access The right to Object The right to Rectification The right to Erasure Rights in relation to Automated decision- making & Profiling The right to Data Portability The right to Restrict processing 1 1
  • 12. CORE PRINCIPLES Processing of personal data Integrity and confidentiality Processing data in a secure manner, providing protection against unauthorised actions, loss, damage and destruction. Lawfulness and fairness Applying legitimate grounds for collecting data ensuring there is no negative impact on the data subject. Data Subject rights Informing the data subject about his rights regarding processing his personal data. Purpose limitation Collecting and processing data for specified, explicit and legitimate purpose. Data transfer and Disclosure Applying protection safeguards and measures on data transferred to third parties. Data minimisation GDPR Privacy Principles Collecting and processing data adequately and relatively to what it is necessary in relation to the purposes for which they are processed. Transparency Processing data in a lawful, fair and transparent manner in relation to the data subject. Accuracy Ensuring data is accurate and up to date in relation to the purposes for which they are processed, and erased or rectified accordingly. Accountability Introducing technical and organizational measures to ensure data processing is performed in accordance with the GDPR Storage limitation Keeping data for no longer than is necessary for the purposes for which they are processed.
  • 13. PROCESSING PERSONAL DATA
    Legitimate bases for processing:
    Consent
    Contractual necessity
    Legal obligation
    Vital interests
    Public interest
    Legitimate interests
    https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
  • 14. ACTIONS TO BE TAKEN: 8 key measures to be taken
    Although GDPR legislation is, of course, a legal given, its implementation has organisational and IT elements as well. A total of 8 measures are to be implemented:
    1. DATA PRIVACY POLICY & AWARENESS PROGRAM
    2. MAINTAINING A REGISTER OF PROCESSING ACTIVITIES & DATA
    3. PRIVACY IMPACT ASSESSMENTS (PIAs) ON THE CRITICAL PROCESSES
    4. IMPLEMENTING SECURITY MEASURES (PRIVACY BY DESIGN AND DEFAULT)
    5. ADAPTING THE AGREEMENTS BETWEEN CONTROLLERS AND PROCESSORS (THIRD PARTIES)
    6. ADJUSTING COMMUNICATION TO THE ‘DATA SUBJECTS’ THROUGH ‘PRIVACY NOTICES’
    7. DATA BREACH NOTIFICATION
    8. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
  • 15. SUMMARY OF GDPR INFORMATION LIFE CYCLE
    Life-cycle stages: Assess, Capture, Store, Use, Destroy
    Considerations across the life cycle: Data Protection by Design and by Default; Data Protection Impact Assessment (DPIA); Documentation; Data Inventory; Data Minimisation; Privacy Notices; Privacy Rights; Obtain Consent; Manage Consent; Consent; Appropriate use; Restricted Access; Safe and Secure; Restricted International Transfers; Contracts with Data Processors; Subject Access Requests; Data breaches; Retention Period; Right to erasure; Portability; Third Party copies
  • 16. HOW PENALTIES AND FINES ARE INCURRED
    The level of fines will be dependent on the nature, gravity and duration of the infringement and take into account any remediation measures a company has undertaken. Fines can be incurred for a range of infringements and are not limited to the list below:
     A breach of GDPR Principles
     Issues around individuals’ rights
     Unlawful data processing
     Breaches of Sensitive Personal Information
     Transferring data to countries without adequate protections
     Processing where consent cannot be proven or has been withdrawn
  • 17. AUDITING GDPR
    Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance.
    Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk across all facets of an enterprise:
    • People
    • Processes
    • Technology
  • 18. AUDITING GDPR
    GDPR Article 5(2) states, “The controller shall be responsible for, and be able to demonstrate compliance” with GDPR by ensuring that personal data are processed in accordance with the following six principles:
     Lawfulness, fairness and transparency
     Purpose limitations
     Data minimization
     Accuracy
     Storage limitations
     Integrity and confidentiality
    In reality, the controller is accountable for ensuring compliance with the six key principles. Auditors are concerned with validating the level of compliance.
  • 19. 1- LAWFULNESS, FAIRNESS AND TRANSPARENCY
    GDPR Article 5 states, “Data shall be…processed lawfully, fairly and in a transparent manner in relation to the data subject.”
    The regulation requires that all the enterprise’s processes relating to personal data be evidenced, forming an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work.
    Lawfulness: Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.
  • 20. FAIRNESS AND TRANSPARENCY
    Fairness: In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance. These rights are exercised through a subject access request (SAR).
    A GDPR SAR audit will be an audit of processes and of the design and effective implementation of controls.
    SAR flow: Request, Validation, Response
  • 21. TRANSPARENCY
    GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in an easily accessible form, and must be provided in writing within one month, at the latest.
    Transparency: In addition to reviewing and validating the SAR response log, auditors also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable.
  • 22. 2- ACCURACY
    GDPR Article 5 states, “Personal data shall be… accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate…are erased or rectified without delay.”
     Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data.
    Accuracy: Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed. Auditors should:
     Review the process undertaken by the business to locate and cleanse the data
     Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data
     Ensure the strategic audit plan covers data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data.
  • 23. 3- PURPOSE LIMITATION
    GDPR Article 5 states, “Personal data…shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
    Purpose limitations: Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis for processing. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.
  • 24. 4- DATA MINIMIZATION
    GDPR Article 5 states, “Personal data…shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
    Data minimization: The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected. To comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.
  • 25. 5- STORAGE LIMITATION
    GDPR Article 5 states, “Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
    Storage limitation: Auditors should approach with caution and consider retention in terms of other legislation and regulation that predates GDPR, and of the enterprise’s needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).
    The key phrase to consider here is “permits identification.” Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time, then it is acceptable to keep and utilize the data for modeling.
    An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation.
    Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software.
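    The purpose-limitation and storage-limitation slides above describe records flagged with a defined purpose that links to a retention and deletion policy, with data anonymized at a set point so it no longer "permits identification". The following is an added illustration of such a control, not code from the slide deck; the purposes, retention periods and sample records are constructed assumptions, and the audit log it returns is the kind of evidence an auditor would look for.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
# Constructed policy: purpose -> (retention days, action once expired).
# "delete" removes the record; "anonymise" keeps a form that no longer
# permits identification, e.g. for statistics. Periods are illustrative.
RETENTION_POLICY = {
    "order_fulfilment": (365 * 6, "delete"),   # other law may fix the period
    "service_analytics": (90, "anonymise"),
    "marketing_consent": (365 * 2, "delete"),
}

@dataclass
class Record:
    record_id: str
    purpose: str        # must reference a defined, documented purpose
    collected_on: date
    name: str
    email: str
    birth_year: int

def anonymise(rec: Record) -> Record:
    """Drop direct identifiers and coarsen birth year to a decade band."""
    return replace(rec, name="", email="", birth_year=rec.birth_year // 10 * 10)

def enforce_retention(records, today: date):
    """Apply each record's purpose policy; return kept records and an audit log."""
    kept, log = [], []
    for rec in records:
        days, action = RETENTION_POLICY.get(rec.purpose, (None, "review"))
        if days is None:
            kept.append(rec)   # undefined purpose: keep untouched, flag for review
            log.append((rec.record_id, "no_policy_review"))
        elif today - rec.collected_on <= timedelta(days=days):
            kept.append(rec)
            log.append((rec.record_id, "retained"))
        elif action == "anonymise":
            kept.append(anonymise(rec))
            log.append((rec.record_id, "anonymised"))
        else:
            log.append((rec.record_id, "deleted"))
    return kept, log

AS_OF = date(2018, 5, 25)   # constructed evaluation date (GDPR application date)
SAMPLE = [                  # constructed sample records
    Record("r1", "service_analytics", date(2018, 1, 1), "Ann Lee", "ann@example.com", 1984),
    Record("r2", "marketing_consent", date(2015, 1, 1), "Bo Ng", "bo@example.com", 1990),
    Record("r3", "order_fulfilment", date(2017, 6, 1), "Cy Ro", "cy@example.com", 1975),
    Record("r4", "legacy_export", date(2010, 1, 1), "Di Um", "di@example.com", 1960),
]
```

A record whose purpose has no policy is neither deleted nor reused: it is kept and flagged, since an undefined purpose is exactly the gap the auditor should raise.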
  • 26. 6- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
    GDPR Article 5 states, “Personal data must be processed using appropriate technical and organizational security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.”
  • 27. Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise’s annual audit plan.
  • 28. IN A NUTSHELL: What are the key points to remember?
  • 29. KEY POINTS
    Data Privacy Impact Assessment (DPIA)
    Data Transfers to Third Countries / Organisations
    Awareness & Training
    Data Protection Officer (DPO)
    Marketing
    Data Breach Notification
    Privacy by Design & by Default
    Consent prior to processing
    Third Party agreements
    Data Erasure
    GDPR Reporting to Supervising Authorities
    Data Retention & Storage
    Security
    Legal involvement
    Inventory of processing
    Incident Response & Crisis Management
    Data Portability
    Automated processing
  • 30. PERSONAL DATA: REMEMBER
    1. MUST BE FAIRLY AND LAWFULLY PROCESSED: Make sure to handle people's personal data only in ways they would expect, and be open and transparent about how you intend to use the data.
    2. MUST BE PROCESSED FOR SPECIFIC PURPOSES ONLY AND NOT FOR ANYTHING ELSE: When using personal data, make sure to use it only for the purposes that you told people about or that they agreed to, so that there are no surprises.
  • 31. PERSONAL DATA: REMEMBER
    3. MUST BE ADEQUATE, RELEVANT AND NOT EXCESSIVE: When collecting personal data, do not collect more data than needed.
    4. MUST BE ACCURATE AND UP TO DATE: Ensure that data you collect about your clients or employees is accurate, for example, the correct spelling of a name. It is also important to check that your records are up to date.
  • 32. PERSONAL DATA: REMEMBER
    5. MUST NOT BE KEPT FOR LONGER THAN IS NECESSARY: Do not keep personal data for longer than it is needed, and put procedures in place for archiving and destroying personal data when it is no longer needed.
    6. MUST BE PROCESSED IN LINE WITH INDIVIDUALS’ RIGHTS:
     the right to access a copy of the personal data you hold about them
     or to have their personal data rectified, blocked, erased or destroyed
     or even the right to data portability
     they can object to processing of their data
     or opt out of direct marketing
     they can exercise their right to be forgotten
     and claim compensation for damages if their rights are not respected
  • 33. PERSONAL DATA: REMEMBER
    7. MUST BE KEPT SECURE: Keep personal data secure and confidential, using, of course, IT measures (such as encryption) but also organisational measures to ensure your people and suppliers do not breach this confidentiality.
    8. MUST NOT BE TRANSFERRED TO OTHER COUNTRIES WITHOUT ADEQUATE PROTECTION: Before sending personal data to another country, make sure that adequate measures are put in place.