Slide 2
• Privacy legislation main points
• Key terms and privacy principles
• Rights of the PII principal
• Data protection officer and privacy impact assessments
• International data transfers
• How we comply
• Helping us stay compliant
• Summary and questions

Slide 3
• Concerns the protection of Personally Identifiable Information (PII)
• Usually applies to all organizations processing PII from a relevant place
• Mandatory breach notification and financial penalties

Slide 4
• The EU: GDPR
• USA: CCPA
• Brazil: LGPD

Slide 5: Personally Identifiable Information (PII)
“… any information that (a) can be used to identify the PII principal to whom such information relates, or (b) is or might be directly or indirectly linked to a PII principal.”
ISO/IEC 29100:2011

Slide 6
Name, Address, Phone number, Email address, Date of birth, Marital status, Tax code, Bank details, Passwords, Driving licence, Passport number, Purchase history, IP address, Mobile phone serial number

Slide 7
Racial or ethnic origin, Political opinions, Religious or philosophical beliefs, Trade union membership, Genetic data, Biometric data, Health data, Data concerning sex life, Sexual orientation

Slide 9: PII Principal
“… natural person to whom the personally identifiable information (PII) relates.”
ISO/IEC 29100:2011

Slide 10: Processing of PII
• “… operation or set of operations performed upon personally identifiable information (PII).
• Note 1 to entry: Examples of processing operations of PII include, but are not limited to, the collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction of PII.”
• ISO/IEC 29100:2011

Slide 11
• Taking an order from a customer
• Arranging delivery of goods
• Employee payroll
• Recording CCTV

Slide 12
• Sending marketing emails
• Recording details in a CRM system
• Keeping training records
• Answering customer enquiries

Slide 13: PII Controller
• “… privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (PII) other than natural persons who use data for personal purposes.”
ISO/IEC 29100:2011

Slide 14: PII Processor
• “… privacy stakeholder that processes personally identifiable information (PII) on behalf of and in accordance with the instructions of a PII controller.”
• ISO/IEC 29100:2011

Slide 15
• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality

Slide 16
• Information
• Access
• Rectification
• Erasure (right to be forgotten)
• Restriction of processing
• Notification of rectification or erasure
• Data portability
• Object
• Object to automated decision making

Slide 20: Privacy impact assessments
Issues a PIA should consider include:
• Systematic description of processing
• Legal basis of the processing, such as legitimate interest
• Necessity and proportionality

Slide 21: Privacy impact assessments
Other issues a PIA should consider include:
• Risks to rights and freedoms
• Controls to treat unacceptable risks
• Consultation with PII principals, where appropriate

Slide 22
• Only transfer PII to nations deemed “adequate”
• Safeguards must be agreed and in place prior to transfer
• Binding corporate rules may be used within an international organization
• Standard contractual clauses are published by the relevant authority, such as the EU for the GDPR

Slide 27
• Read and follow our data protection policy
• Process access requests promptly
• Recognise the importance of protecting PII
• Only use PII for the defined purposes

Slide 28
• Be fair and transparent about our use of PII
• Keep PII confidential
• Consider data protection in new developments
• Handle any breaches in a professional way

PIMS-DOC-05-4-Privacy-Awareness-Presentation.pptx


Editor's Notes

  • #2 This presentation is intended as an initial introduction to the ideas of privacy information management, including the key terms and the main areas of focus.
    Implementation Guidance
    Purpose of this document: This presentation is primarily intended to make the main stakeholders, such as management and board members, aware of the main points of relevant data privacy legislation.
    Areas of the standard addressed: All areas of the ISO27701 standard are addressed by this document.
    General Guidance: This is a high-level overview of the main points only and is intended for people who may have heard of data privacy legislation such as the GDPR, but not know what it contains, or its implications for the organization. You may decide to tailor the presentation to specific audiences, e.g. business departments. Tailoring may involve adding additional slides, taking some out and changing the contents of some of them.
    Review Frequency: We would recommend that this document is reviewed after each presentation to ensure it is covering the required areas, based on feedback from each time it is delivered.
    Toolkit Version Number: ISO27701 Toolkit Version 1
    Copyright notice: Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.
    Licence terms: This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
    Disclaimer: Please note: your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
  • #3 The following areas are going to be covered today. Please bear in mind that data privacy is a big topic so we are really only covering a selection of the main points.
  • #4 More and more blocs, countries and states are introducing new legislation covering privacy. As an example, the GDPR is possibly one of the most significant pieces of legislation to come out of the European Commission in many years and was subject to a considerable amount of debate prior to its publication in 2016. It is different to the previous Directive in that it is a Regulation. This means that it became law in all of the member states of the EU at the same time. The objective of the GDPR is not only to protect EU citizens’ personal data but also to smooth the flow of data between countries, so aiding commerce. The 25th May 2018 was the key date by which organizations must be compliant with the GDPR if they collect and process the personal data of EU citizens, whether or not the organization is based within the EU. A major change to previous legislation in the EU is the requirement to notify a supervisory authority of a personal data breach where there is a risk to the rights and freedoms of data subjects. Note that this may not apply to all such breaches and, as with all such legislation, we need to be clear about when we must notify and when we are not compelled to. Fines for non-compliance are increased by the GDPR to a maximum of 4% of global turnover. Actual penalties will depend on a number of factors including the cause and size of the breach, the controls in place and the degree of co-operation with the supervisory authority. The GDPR is generally taken as the “gold standard” of privacy legislation and similar laws in other countries will have varying degrees of similarity with it.
  • #5 As well as the EU, other countries are increasingly creating privacy legislation; two examples are the California Consumer Privacy Act (CCPA) in the USA, and the General Data Protection Law (LGPD) in Brazil. Some countries have had privacy legislation in place for some time, including PIPEDA in Canada and the Privacy Act in Australia.
  • #6 A fundamental question that will underpin our work on privacy is “what exactly is personally identifiable information (PII)?”. Basically we’re talking about data about people; not corporations or things, and they have to be living. The principle of PII is that it is owned by the person it refers to and, as we will see later, they have rights over it.
  • #7 After discussing the types of information that your organization processes that would be considered to be personal data, see how your list compares to these examples. This will depend on your industry and a large number of other factors.
  • #8 Some types of personal data are considered by the GDPR to be special category data which requires a higher level of protection. These types are listed here. Discuss which of these are processed within your organization and why the GDPR has marked these as being special. What could be the effect on the data subject if this information were to be made public or used by someone else?
  • #10 The PII principal is the person who may exercise their rights over their PII, and is the one who may be affected by a breach.
  • #11 If we store PII and do anything with it, we are processing it. It generally has to be in some form of filing system or organized in some way, and in most privacy legislation there are various exceptions to rule out individuals such as a householder employing a nanny.
  • #12 Discuss the activities that your organization performs that would be considered to be processing under the GDPR. If you have a list from your own organization, you may like to use it here.
  • #14 We are a controller if we decide what PII to collect and what we are going to do with it, even if we actually get another party to physically do the processing. If we co-operate with another party in collecting the data and deciding what to do with it, we may be a Joint PII Controller.
  • #15 A PII processor performs a role under the direction of a PII controller and can only do what the controller dictates. An example would be a cloud service provider who provides the facilities for an organization to collect PII from their customers; the organization is the controller and the cloud service provider is the processor.
  • #16 Much of the privacy legislation worldwide is based on the same general principles. Again, if we take the GDPR as an example, this states the six principles shown on the slide. These principles are supported by the further principle of accountability. When collecting and processing PII the rules organizations must generally follow are:
    1. They must have a lawful reason for collecting the PII and must do it in a fair and transparent way
    2. They must only use the PII for the reason they collected it
    3. They mustn’t collect any more PII than they need
    4. It has to be accurate
    5. They can’t keep it any longer than they need it for
    6. They must protect the PII
    The accountability principle (from the GDPR) maintains that an organization is responsible for making sure that 1-6 happen.
  • #17 According to much of the legislation so far in place around the world, the PII principal has a number of rights over their personal data and as an organization we must ensure that we provide the mechanisms to allow them to exercise these rights. These include:
    • Telling them clearly what PII we will collect and what we will do with it
    • Allowing them to see their PII after we have collected it
    • Changing the PII if it’s wrong
    • Removing the PII if we have no legal right to hold it
    • Not processing it if the PII principal doesn’t want us to
    • Telling other processors about the PII principal’s wishes to get data corrected or erased
    • Letting the PII principal take their data away
    • Taking account of objections to what we hold and do with their PII
    • Allowing a way to ask that a human being intervene instead of an algorithm when decisions are made
    We need to consider the best way to provide these rights to the PII principal so that they can be done in a timely way and without excessive cost to either party.
  • #18 We may or may not need to appoint a data protection officer or similar role, depending on the PII we process, the applicable legislation and the type of organization we are. If we do need one, there are various options for providing the resource, but they must remain independent and not be unduly influenced by our organization’s management. If we have the right person with the right skills, they will be a valuable reference resource and will make the process of compliance easier.
  • #19 Privacy legislation such as the GDPR can be very specific about the fact that there must be a contract where PII is processed, and what needs to be included in it. This may mean that we have to put contracts in place where there currently are none, and that all existing contracts that involve PII will need to be changed.
  • #20 When we decide to process PII we will need to perform a privacy impact assessment (often also called a data protection impact assessment). This is to make sure that we are complying with data privacy principles in terms of the PII we collect and process and how we protect it. A PIA is basically a risk assessment and as part of it we may decide to consult with relevant supervisory authorities and with the PII principals involved.
  • #24 These slides are intended to summarise what has already been done by your organization to ensure it is GDPR-compliant. Update it if not all of these items are yet in place. The main point is that a lot of work has been done by the compliance team to understand the GDPR and ensure that everything is ready to comply with it from day one. The role of the audience is to help to ensure that we stay compliant from here and into the future. This is just as important.
  • #27 The following slides give examples of how you can help us to stay compliant with privacy legislation.
  • #28 Now that the audience understands what the GDPR is, its fundamental principles, the main terms used and what the organization has done to make it compliant, this slide is about the role that everyone in the organization must play to maintain our compliance. Largely, this is about being able to recognise personal data and handling it in an appropriate way, as defined by our procedures. Explain where the Data Protection Policy is, and how they can obtain a copy to read. If the employee will be involved in processing data subject access requests, then it is assumed they will receive additional specific training for this role.
  • #30 In summary, privacy legislation such as the GDPR is being introduced in many areas and the penalties of not complying with it can be severe. We need to be clear about what PII we collect, for what reason, and what we do with it. We also need to allow PII principals to exercise their rights. All of this will take time and resources to understand and implement.
  • #31 Ask if there are any questions about the subject of the presentation. Questions may be recorded and used to enhance the presentation for the next time it is delivered.