3. INTRODUCTION
The purpose of the General Data Protection Regulation (GDPR) is to modernise data protection and provide greater protection to individuals through the standardisation and harmonisation of previously fragmented data protection legislation.
It is new EU legislation that comes into effect on May 25th 2018.
4. WHAT IS THE PURPOSE OF GDPR?
• DATA PROTECTION IS ABOUT PROTECTING PEOPLE'S PRIVACY. WITH THE CONTINUED GROWTH OF THE INTERNET, MODERN DAY LIVING HAS BECOME MORE DATA DRIVEN, RESULTING IN BUSINESSES LOOKING FOR NEW WAYS TO LEVERAGE THE POWER OF TECHNOLOGY AND THE INTERNET.
This data driven world is much more interconnected, making it much harder to limit the harm to individuals if data protection goes wrong. The results of this may leave an individual exposed to identity theft, financial loss or criminal exploitation.
Companies are given personal information in good faith and are responsible for ensuring that the personal information given to them is protected in a way that will not compromise the individual. How personal information is protected depends on the type of personal information a company collects and how the company will use that information. This means that data protection is contextual and every company will have its own way of meeting its data protection requirements.
5. CHANGES TO THE EXISTING REGULATION
What the GDPR brings to the current regulatory framework
6. CHANGES TO THE EXISTING REGULATION
What does the GDPR bring (compared to the existing Data Protection Directive)?
Broader territorial scope: Applies to all entities targeting data subjects in the EU, even if they are based outside the EU.
Sanctions: Fines ranging between 2 to 4% of the global annual turnover or €10 - 20 million.
Expanded definitions: Personal data now includes location data, IP addresses, online and technology identifiers.
Data subjects' rights: Reinforced rights of access, rectification, restriction, erasure and objection to processing; no automated processing and profiling.
Consent: Required for processing, where there is no other legal obligation.
Data breach notification: Report a personal data breach to the Data Protection Authority within 72 hrs.
One-stop shop: The Data Protection Authority (DPA) of the main establishment can act as lead DPA, supervising processing activities throughout the EU.
International data transfers: Binding Corporate Rules as tools for data transfers outside the EU and EEA are now embedded in law, where there is no adequacy decision to perform a transfer.
8. IMPORTANT TERMINOLOGY
DATA SUBJECT
An individual who is the subject of the information or data.
DATA CONTROLLER
A person, company or organisation who determines the purposes and means of processing personal data.
DATA PROCESSOR
A person, company or organisation who processes personal data on behalf of the controller.
9. PERSONAL IDENTIFIABLE INFORMATION (PII)
Any type of information relating directly or indirectly to an identified or identifiable natural person, which can lead to the identification of an individual when used alone or combined with other relevant data. Examples are:
General Personal Data
• Name, Surname
• Gender
• Date of birth
• Home Address
• ID Number
• Personal email address
• Biometric data (photograph / video)
• Behavioral information
Financial Information
• Social Security Numbers
• Account numbers (bank accounts, credit cards, etc.)
• Personal Identification Numbers (PINs)
• Passwords to financial accounts
• Income information
Sensitive Information
• Racial or ethnic origin
• Religious beliefs
• Health Information
• Sexual orientation
• Political views
• Criminal convictions / Security measures / Offenses
Health Information
• Medical records
• Physical / mental health information
• Health plan
• Health history
10. DATA PROTECTION ROLES
• Data subject
• Data controller
• Data processor
• Supervisory authority (SA) / Data Protection Authority (DPA)
11. AN INDIVIDUAL'S RIGHTS
The GDPR seeks to balance the rights of an individual, or data subject, in relation to their personal information with the need a company has to hold and process personal information.
• The right of Access
• The right to Object
• The right to Rectification
• The right to Erasure
• Rights in relation to Automated decision-making & Profiling
• The right to Data Portability
• The right to Restrict processing
12. CORE PRINCIPLES
GDPR privacy principles for the processing of personal data:
Integrity and confidentiality: Processing data in a secure manner, providing protection against unauthorised actions, loss, damage and destruction.
Lawfulness and fairness: Applying legitimate grounds for collecting data, ensuring there is no negative impact on the data subject.
Data subject rights: Informing the data subject about his rights regarding the processing of his personal data.
Purpose limitation: Collecting and processing data for specified, explicit and legitimate purposes.
Data transfer and disclosure: Applying protection safeguards and measures to data transferred to third parties.
Data minimisation: Collecting and processing data adequately and limited to what is necessary in relation to the purposes for which they are processed.
Transparency: Processing data in a lawful, fair and transparent manner in relation to the data subject.
Accuracy: Ensuring data is accurate and up to date in relation to the purposes for which they are processed, and erased or rectified accordingly.
Accountability: Introducing technical and organisational measures to ensure data processing is performed in accordance with the GDPR.
Storage limitation: Keeping data for no longer than is necessary for the purposes for which they are processed.
13. PROCESSING PERSONAL DATA
Legitimate bases for processing:
• Consent
• Contractual necessity
• Legal obligation
• Vital interests
• Public interest
• Legitimate interests
https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/
14. ACTIONS TO BE TAKEN
8 key measures to be taken
Although GDPR legislation is, of course, a legal given, its implementation has organisational and IT elements as well. A total of 8 measures are to be implemented:
1. DATA PRIVACY POLICY & AWARENESS PROGRAM
2. MAINTAINING A REGISTER OF PROCESSING ACTIVITIES & DATA
3. PRIVACY IMPACT ASSESSMENTS (PIAs) ON THE CRITICAL PROCESSES
4. IMPLEMENTING SECURITY MEASURES (PRIVACY BY DESIGN AND DEFAULT)
5. ADAPTING THE AGREEMENTS BETWEEN CONTROLLERS AND PROCESSORS (THIRD PARTIES)
6. ADJUSTING COMMUNICATION TO THE 'DATA SUBJECTS' THROUGH 'PRIVACY NOTICES'
7. DATA BREACH NOTIFICATION
8. APPOINTMENT OF A DATA PROTECTION OFFICER (DPO)
15. SUMMARY OF GDPR INFORMATION LIFE CYCLE
Life cycle stages: Assess, Capture, Store, Use, Destroy
Controls and obligations across the life cycle:
• Data Protection by Design and by Default
• Data Protection Impact Assessment (DPIA)
• Documentation
• Retention Period
• Right to erasure
• Portability
• Third Party copies
• Appropriate use
• Consent
• Manage Consent
• Restricted International Transfers
• Safe and Secure
• Restricted Access
• Data Inventory
• Subject Access Requests
• Contracts with Data Processors
• Data breaches
• Data Minimisation
• Privacy Notices
• Privacy Rights
• Obtain Consent
16. HOW PENALTIES AND FINES ARE INCURRED
The level of fines will be dependent on the nature, gravity and duration of the infringement and take into account any remediation measures a company has undertaken.
Fines can be incurred for a range of infringements and are not limited to the list below:
• A breach of GDPR Principles
• Issues around the individuals' rights
• Unlawful data processing
• Breaches of Sensitive Personal Information
• Transferring data to countries without adequate protections
• Processing where consent cannot be proven or has been withdrawn
17. AUDITING GDPR
Auditors will be indispensable in helping enterprises adhere to these rules and maintain compliance.
Auditing GDPR is about assessing the controls put in place to respond to risk; it should consider the trio of risk across all facets of an enterprise:
• People
• Processes
• Technology
18. AUDITING GDPR
GDPR Article 5 (2) states, "The controller shall be responsible for, and be able to demonstrate compliance" with GDPR by ensuring that personal data are processed in accordance with the following six principles:
• Lawfulness, fairness and transparency
• Purpose limitations
• Data minimization
• Accuracy
• Storage limitations
• Integrity and confidentiality
In reality, the controller is accountable for ensuring compliance with the six key principles. Auditors are concerned with validating the level of compliance.
19. 1- LAWFULNESS, FAIRNESS AND TRANSPARENCY
GDPR Article 5 states, "Data shall be … processed lawfully, fairly and in a transparent manner in relation to the data subject."
The regulation requires that all the enterprise's processes relating to personal data be evidenced, forming an inventory of what data are processed on which systems, where they are stored and with whom they are shared. This should provide the necessary summary of processes from which the auditor can work.
Lawfulness: Auditors must ensure that enterprises have the systems and processes in place to ensure that these rights are not breached.
20. FAIRNESS AND TRANSPARENCY
Fairness: In terms of GDPR, it can be said that fairness is achieved when the data controller has put in place working procedures for data subjects to exercise their legal rights without hindrance. These rights are exercised through a subject access request (SAR).
A GDPR SAR audit will be an audit of processes and of the design and effective implementation of controls.
SAR flow: Request → Validation → Response
21. TRANSPARENCY
GDPR Article 12 requires that any information the data controller (enterprise) gives to the data subject (individual) about its data processing practices must be concise, transparent, intelligible and in easily accessible form, and must be provided in writing within one month, at the latest.
Transparency: In addition to auditors reviewing and validating the SAR response log, they also need to consider whether the information provided is indeed concise, complete, accurate and easily understandable.
22. 2- ACCURACY
GDPR Article 5 states, "Personal data shall be … accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate … are erased or rectified without delay."
Each data stream may have been replicated by various departments and individuals for different uses. Auditors must recognize the risk posed by shadow IT and unstructured data.
Accuracy: Auditors should seek to assess the completeness of the data discovery exercise and the actions that followed.
Auditors should:
• Review the process undertaken by the business to locate and cleanse the data
• Review the rules that are put in place to minimize the instance of shadow IT systems and manage unstructured data
• Ensure the strategic audit plan covers data quality. Traditionally, data quality audits have focused on corporate data; with GDPR, these audits now need to cover personal data.
23. 3- PURPOSE LIMITATION
GDPR Article 5 states, "Personal data … shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes."
Purpose limitations: Auditors should expect that records are flagged with a reference to a defined purpose that will in turn define the basis. Auditors should also expect to see evidence of validation and a link to a records retention and deletion policy.
24. 4- DATA MINIMIZATION
GDPR Article 5 states, "Personal data … shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Data Minimization: The key for the auditor is to assess the processes and associated rules that have been established to validate the data collected.
Thus, to comply with GDPR, enterprises must implement data minimization rules and processes at every step of the data life cycle.
25. 5- STORAGE LIMITATION
GDPR Article 5 states, "Personal data shall be kept in a form which permits identification of data subjects for no longer than necessary for the processing purposes; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes."
Storage limitation: Auditors should approach with caution and consider retention in terms of other legislation and regulation that predates GDPR and the enterprise's needs. GDPR only replaces existing data protection legislation and does not overwrite other existing legislation such as that relating to record retention (e.g., for tax purposes).
The key phrase to consider here is "permits identification." Auditors should conclude from this that so long as the systems and processes work to anonymize the data at a given point in time, then it is acceptable to keep and utilize the data for modeling.
An enterprise should build into its records retention and deletion policies (both manual and electronic) the rules that ensure compliance with legislation and regulation.
Enterprises can easily fail to comply with GDPR by failing to safeguard personal data upon disposal of hardware and software.
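The storage-limitation reading above (retention schedule per purpose, anonymisation at a defined point so the data no longer "permits identification", and other legislation such as tax-record retention overriding GDPR erasure) can be expressed as a small retention job. The following is an added illustration written for this page, not code from the original slides or from any named organisation; the retention periods, the purposes, the `legal_hold` flag and the sample records are all constructed assumptions, and the `identifiers_remaining` function is the kind of check an auditor would run over the anonymised output.

```python
from datetime import date, timedelta

# Constructed retention schedule, in days, keyed by documented processing
# purpose (hypothetical values; a real schedule comes from the enterprise's
# records retention and deletion policy).
RETENTION_DAYS = {"marketing": 365, "support": 730, "billing": 2555}

# Purposes whose records may survive past retention in anonymised form for
# statistics/modelling (the "permits identification" reading).
ANONYMISE_FOR_STATISTICS = {"marketing", "support"}

# Fields that directly identify a data subject and must not survive anonymisation.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}

# Constructed run date for the stand-alone run and the test.
RUN_DATE = date(2018, 5, 25)


def retention_action(rec: dict, today: date) -> str:
    """Return 'keep', 'anonymise' or 'erase' for one record.

    A legal hold (e.g. tax-law retention) wins over the GDPR retention period,
    because GDPR does not override other record-retention legislation.
    """
    expires = rec["collected"] + timedelta(days=RETENTION_DAYS[rec["purpose"]])
    if today < expires or rec.get("legal_hold", False):
        return "keep"
    if rec["purpose"] in ANONYMISE_FOR_STATISTICS:
        return "anonymise"
    return "erase"


def anonymise(rec: dict) -> dict:
    """Drop direct identifiers and coarsen the collection date to the year."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out["collected"] = rec["collected"].year  # year only: no exact-date linkage
    return out


def enforce_retention(records: list, today: date):
    """Apply the schedule; return (live records, anonymised records, audit log)."""
    live, anonymised, audit = [], [], []
    for rec in records:
        action = retention_action(rec, today)
        audit.append((rec["customer_id"], rec["purpose"], action))  # evidence for the auditor
        if action == "keep":
            live.append(rec)
        elif action == "anonymise":
            anonymised.append(anonymise(rec))
        # 'erase': the record is dropped from every output
    return live, anonymised, audit


def identifiers_remaining(anonymised: list) -> list:
    """Auditor's check: list any direct identifiers that leaked through anonymisation."""
    return [k for rec in anonymised for k in rec if k in DIRECT_IDENTIFIERS]


# Constructed sample records (fictitious people and addresses).
SAMPLE = [
    {"customer_id": "c1", "name": "A. Example", "email": "a@example.invalid",
     "purpose": "marketing", "collected": date(2016, 3, 1)},
    {"customer_id": "c2", "name": "B. Example", "email": "b@example.invalid",
     "purpose": "support", "collected": date(2018, 1, 15)},
    {"customer_id": "c3", "name": "C. Example", "email": "c@example.invalid",
     "purpose": "billing", "collected": date(2010, 6, 30), "legal_hold": True},
    {"customer_id": "c4", "name": "D. Example", "email": "d@example.invalid",
     "purpose": "billing", "collected": date(2010, 6, 30)},
]

if __name__ == "__main__":
    live, anon, log = enforce_retention(SAMPLE, RUN_DATE)
    for entry in log:
        print(entry)
    print("identifiers remaining after anonymisation:", identifiers_remaining(anon))
```

On the constructed sample the marketing record is anonymised, the in-period support record is kept, the expired billing record under legal hold is kept and logged rather than erased, and the expired billing record without a hold is erased; the audit log is the evidence trail the slide asks the controller to be able to produce.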
26. 6- CONFIDENTIALITY, INTEGRITY AND AVAILABILITY
GDPR Article 5 states, "Personal data must be processed using appropriate technical and organizational security measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage."
27. Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise's annual audit plan.
29. KEY POINTS
• Data Privacy Impact Assessment (DPIA)
• Data Transfers to Third Countries / Organisations
• Awareness & Training
• Data Protection Officer (DPO)
• Marketing
• Data Breach Notification
• Privacy by Design & by Default
• Consent prior to processing
• Third Party agreements
• Data Erasure
• Reporting to Supervising Authorities
• Data Retention & Storage
• Security
• Legal involvement
• Inventory of processing
• Incident Response & Crisis Management
• Data Portability
• Automated processing
30. PERSONAL DATA: REMEMBER
1 MUST BE FAIRLY AND LAWFULLY PROCESSED
Make sure to handle people's personal data only in ways they would expect, and be open and transparent about how you intend to use the data.
2 MUST BE PROCESSED FOR SPECIFIC PURPOSES ONLY AND NOT FOR ANYTHING ELSE
When using personal data, make sure to use it only for the purposes that you told them about or that they agreed to, so that there are no surprises.
31. PERSONAL DATA: REMEMBER
3 MUST BE ADEQUATE, RELEVANT AND NOT EXCESSIVE
When collecting personal data, do not collect more data than needed.
4 MUST BE ACCURATE AND UP TO DATE
Ensure that data you collect about your clients or employees is accurate, for example, the correct spelling of a name. It is also important to check that your records are up to date.
32. PERSONAL DATA: REMEMBER
5 MUST NOT BE KEPT FOR LONGER THAN IS NECESSARY
Do not keep personal data for longer than it is needed, and put procedures in place for archiving and destroying personal data when it is no longer needed.
6 MUST BE PROCESSED IN LINE WITH INDIVIDUALS' RIGHTS
• the right to access a copy of the personal data you hold about them
• or to have their personal data rectified, blocked, erased or destroyed
• or even the right to data portability
• they can object to processing of their data
• or opt out of direct marketing
• they can exercise their right to be forgotten
• and claim compensation for damages if their rights are not respected
33. PERSONAL DATA: REMEMBER
7 MUST BE KEPT SECURE
Keep personal data secure and confidential, using, of course, IT measures (such as encryption) but also organisational measures to ensure your people and suppliers do not breach this confidentiality.
8 MUST NOT BE TRANSFERRED TO OTHER COUNTRIES WITHOUT ADEQUATE PROTECTION
Before sending personal data to another country, make sure that adequate measures are put in place.