4. INTRODUCTION
• THINK ABOUT ALL THE DATA USERS GIVE TO GOOGLE, FACEBOOK, APPLE,
TWITTER, AMAZON AND MICROSOFT. GIVEN THAT SO MUCH DATA ARE
ALREADY BEING COLLECTED ABOUT CONSUMERS' DAILY LIVES—FROM DATA
USERS VOLUNTARILY PROVIDE VIA APPS AND ORGANIZATIONS TO DATA
OBTAINED THROUGH SURVEILLANCE, ALL TOO OFTEN WITHOUT EVEN
KNOWING IT—SHOULD USERS BE LOOKING FOR DIFFERENT WAYS OF
THINKING ABOUT PRIVACY?
https://myaccount.google.com/dashboard?pli=1
5. INTRODUCTION
1. What is Data Privacy?
2. What is Data Security?
3. Data Privacy vs. Security
Data privacy is the right of an individual to trust that others will appropriately and respectfully collect, use, store, share and
dispose of his/her associated personal and sensitive information within the context, and according to the
purposes, for which it was collected or derived. What is appropriate depends on the associated
circumstances, laws and the individual's reasonable expectations. An individual also has the right to
reasonably control and be aware of the collection, use and disclosure of his/her associated personal and
sensitive information.
6. WHAT IS THE DIFFERENCE?
DATA PRIVACY
IS CONCERNED WITH THE PROPER HANDLING OF
DATA AND QUESTIONS RELATED TO THE COLLECTION,
STORAGE, AND SHARING OF DATA, AND
WHO IS ALLOWED ACCESS TO CONSUMER INFORMATION.
Data Security
is protecting data from any unauthorized third-party
access, malicious attacks and exploitation of data.
Privacy, in general, is an individual's right to freedom
from intrusion and prying eyes, or the right of the person to
be left alone.
7. Data breaches can be caused by a lack of security measures. To properly protect data and
comply with data protection laws you need to implement both Data Privacy and Data Security
strategies.
In this (oversimplified) example the window is
a security control, while the curtain is a privacy
control.
Data security and data privacy often go
hand-in-hand.
Exercise
So, if you are using a Google Gmail account, your
password would be a method of data ………..,
while the way Google uses your data to
administer your account would be data
……………..
8. Data protection is essentially amalgamated security and privacy.
Enhanced personal data protection involves greater data security and a higher level of data privacy.
13. CHALLENGE
The banking industry is one of the primary data
breach targets due to the perceived value of the
underlying data.
Emerging growth opportunities and the rapid
adoption of digital technology mean that, increasingly,
banks need to be flexible in sharing customer data,
and it is therefore critical that they achieve a
balance between how flexible data sharing can be
while also maintaining its privacy…
'Credit card and financial information' are the most
private types of data, globally.
14. IMPORTANT TERMINOLOGY
DATA SUBJECT
An individual who is the subject of the information or
data.
DATA CONTROLLER
A person, company or organisation who determines
the purposes and means of processing personal data.
DATA PROCESSOR
A person, company or organisation who processes
personal data on behalf of the controller.
15. DATA PRIVACY TRENDS
DATA BREACH EVOLUTION
• GROWING DATA BREACH RISKS, MALICIOUS INSIDERS
AND CYBER ATTACKS.
• GROWING THREAT OF FINANCIAL MALWARE.
• BREACHES DUE TO UNINTENTIONAL USER MISTAKES.
REGULATORY EVOLUTION
• INCREASED REGULATORY FOCUS.
• HARMONIZATION OF DATA PROTECTION STANDARDS
ACROSS REGIONS.
TECHNOLOGY ADOPTION
• SIMPLIFYING DATA PROTECTION AND CONTROLLING COSTS.
• INCREASING USE OF IDENTITY AND ACCESS MANAGEMENT
SOLUTIONS.
• USING SMARTPHONES FOR SECURITY (ALERTS, OTP, ETC.).
16. DATA PRIVACY TRENDS
1- PRIVACY WILL BECOME A BIGGER FOCUS IN EXECUTIVE-LEVEL AND BOARDROOM DISCUSSIONS
2- MORE COMPANIES WILL MOVE TO A SINGLE ENTERPRISE-WIDE PRIVACY STRATEGY
3- PRIVACY AND CYBERSECURITY FUNCTIONS WILL BECOME MORE INTEGRATED
4- THIRD-PARTY RISK MANAGEMENT WILL CONTINUE TO BE A MAJOR FOCUS
NEW ROLES AND SHIFT IN RESPONSIBILITY
5- PRIVACY WILL BECOME A BUSINESS DIFFERENTIATOR
19. DATA PRIVACY ACTIVITIES: Governance
• DEFINE AND IMPLEMENT A DATA PRIVACY PROGRAM.
• RE-DEFINE DATA GOVERNANCE POLICY FRAMEWORK, DATA
PRINCIPLES AND INTEGRATE THEM WITHIN EXISTING FUNCTIONS.
• RE-DEFINE REPORTING NEEDS FOR REQUISITE SENIOR
MANAGEMENT FOCUS.
• APPOINT DATA PROTECTION OFFICERS.
• DESIGN AND DEVELOP PRIVACY IMPACT ASSESSMENTS.
• REVIEW AND UPDATE PARTNER AGREEMENTS FOR DATA PRIVACY
CLAUSES.
• DEFINE AND REVIEW SUPPLIER RELATIONSHIPS.
• CREATE AWARENESS ACROSS FUNCTIONS WITHIN THE
ENTERPRISE.
• DEVELOP AND ROLL OUT A ROLE-BASED INDUCTION PROGRAM.
• CONDUCT PRIVACY ASSESSMENTS REGULARLY AND AS AND
WHEN NEW PRODUCTS/PROCESSES ARE LAUNCHED.
20. DATA PRIVACY ACTIVITIES: Operations
• DEFINE TEMPLATES FOR DATA PRIVACY NOTICES.
• DEFINE PROCESSES FOR RECORDING CONSENT,
WITHDRAWAL OF CONSENT, CORRECTION OF STORED
DATA, DATA ERASURE AND PORTABILITY.
• DEFINE A POLICY FOR RETENTION AND DISPOSAL OF
DATA.
• INTEGRATE SECURITY SOLUTIONS WITH REGULAR
OPERATIONS.
• ESTABLISH DATA AUDIT TRAILS.
• MAINTAIN SYSTEM ACTIVITY REPORT LOGS, TEMPLATES, AND
RESPONSE RECORDS OF DATA SUBJECTS.
• MAINTAIN DATA SHARING LOGS, POLICIES, PROTOCOLS AND
DISCLOSURES.
21. DATA PRIVACY ACTIVITIES: Information Systems
• ASSESS IT SYSTEMS' DATA PRIVACY ARCHITECTURES FOR
NEW REQUIREMENTS SUCH AS CONSENT MANAGEMENT,
DATA PRIVACY NOTICES, DATA ERASURE, PORTABILITY
AND BREACH NOTIFICATIONS.
• REMEDIATE AND RE-DESIGN APPLICATIONS TO ENABLE
PREVENTION, CONTROLLED ACCESS AND DATA
MINIMIZATION.
• DEFINE ACCESS CONTROL POINTS.
• IMPLEMENT AUTOMATED COMPLIANCE CONTROLS.
• MAINTAIN INCIDENT LOGS.
• CONDUCT REGULAR COMPLIANCE, AUDIT AND
VULNERABILITY TESTS.
22. PRIVACY BY DESIGN
• PRIVACY BY DESIGN REQUIRES THAT THE
ACTIONS AN ENTERPRISE PERFORMS WITH RESPECT TO PERSONAL
DATA BE CONDUCTED IN THE CONTEXT OF DATA PROTECTION AND
PRIVACY RIGHTS FROM THE OUTSET OF AN INITIATIVE, OR SIMPLY PUT,
THAT PRIVACY IS INTEGRATED INTO THE ENTIRE ENGINEERING
PROCESS.
• PRIVACY BY DEFAULT REQUIRES THAT ENTERPRISE LEADERSHIP SET A
STANDARD FOR PROTECTING DATA THAT GOES BEYOND MERE
COMPLIANCE REQUIREMENTS. ENTERPRISES THAT STRIVE FOR
PERSONAL DATA SECURITY BY DESIGN, AND ENABLE PRIVACY BY
DEFAULT, CREATE A SOLID BASIS FOR THEIR CUSTOMERS/CLIENTS AND
STAKEHOLDERS TO TRUST THAT THEIR PERSONAL DATA ARE IN GOOD
HANDS AND PROTECTED, A REWARDING OUTCOME FOR THE
ORGANIZATION.
Third-Party Risk Management