Alan McSweeney, profile picture
Uploaded byAlan McSweeney
PDF, PPTX3,064 views

GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

The document discusses GDPR's context, principles, and implementation, emphasizing its impact on data governance, privacy management, and the necessity for organizations to adapt their practices for compliance. It outlines the importance of utilizing existing methodologies for GDPR compliance rather than developing new frameworks and addresses the broader regulatory landscape, including related directives and information security measures. Additionally, it highlights the pivotal role of personal information as defined by GDPR and the challenges organizations face in managing and processing such data.

Embed presentation

Download as PDF, PPTX
1 / 171
2 / 171
3 / 171
4 / 171
5 / 171
6 / 171
7 / 171
8 / 171
9 / 171
10 / 171
11 / 171
12 / 171
13 / 171
14 / 171
15 / 171
16 / 171
17 / 171
18 / 171
19 / 171
20 / 171
21 / 171
22 / 171
23 / 171
24 / 171
25 / 171
26 / 171
27 / 171
28 / 171
29 / 171
30 / 171
31 / 171
32 / 171
33 / 171
34 / 171
35 / 171
36 / 171
37 / 171
38 / 171
39 / 171
40 / 171
41 / 171
42 / 171
43 / 171
44 / 171
45 / 171
46 / 171
47 / 171
48 / 171
49 / 171
50 / 171
51 / 171
52 / 171
53 / 171
54 / 171
55 / 171
56 / 171
57 / 171
58 / 171
59 / 171
60 / 171
61 / 171
62 / 171
63 / 171
64 / 171
65 / 171
66 / 171
67 / 171
68 / 171
69 / 171
70 / 171
71 / 171
72 / 171
73 / 171
74 / 171
75 / 171
76 / 171
77 / 171
78 / 171
79 / 171
80 / 171
81 / 171
82 / 171
83 / 171
84 / 171
85 / 171
86 / 171
87 / 171
88 / 171
89 / 171
90 / 171
91 / 171
92 / 171
93 / 171
94 / 171
95 / 171
96 / 171
97 / 171
98 / 171
99 / 171
100 / 171
101 / 171
102 / 171
103 / 171
104 / 171
105 / 171
106 / 171
107 / 171
108 / 171
109 / 171
110 / 171
111 / 171
112 / 171
113 / 171
114 / 171
115 / 171
116 / 171
117 / 171
118 / 171
119 / 171
120 / 171
121 / 171
122 / 171
123 / 171
124 / 171
125 / 171
126 / 171
127 / 171
128 / 171
129 / 171
130 / 171
131 / 171
132 / 171
133 / 171
134 / 171
135 / 171
136 / 171
137 / 171
138 / 171
139 / 171
140 / 171
141 / 171
142 / 171
143 / 171
144 / 171
145 / 171
146 / 171
147 / 171
148 / 171
149 / 171
150 / 171
151 / 171
152 / 171
153 / 171
154 / 171
155 / 171
156 / 171
157 / 171
158 / 171
159 / 171
160 / 171
161 / 171
162 / 171
163 / 171
164 / 171
165 / 171
166 / 171
167 / 171
168 / 171
169 / 171
170 / 171
171 / 171
GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney
Topics • Context of GDPR – this contains information on other directives and regulations relating to GDPR to provide details on its wider content • Personal Information – this reiterates what is meant by personal information and so what is covered by GDPR • Principles of GDPR – this identifies some of the key principles that underpin GDPR and will affect its operation and the particular provisions of the GDPR intended to give effect to those principles • Implementing and Operating GDPR – this discusses approaches to operationalising GDPR within organisations and the IT system changes required • GDPR and Outsourcing – this contains details on the particular topic of outsourcing that will be impacted by GDPR • Data Governance – this puts GDPR into wider Data Governance context • Data Ethics– this briefly discusses the wider issue of data ethics in the context of GDPR March 28, 2018 2
GDPR Impact • GDPR and its related regulations have different impacts depending on the profile of an organisation and the way in which it collects and process information about individuals • GDPR impacts on the areas of: − Data Governance − Privacy Management − Security Management − Risk Management • Existing business processes and IT systems will need to be modified and new processes and systems acquired to support the successful operation of GDPR • The operation of outsourcing arrangements will be impacted by GDPR March 28, 2018 3 Data Governance Privacy Management Security Management Risk Management
GDPR Impact • Organisations have personal data in many locations used by many different applications using different storage technologies • GDPR now requires a new and more strict data regime to implement, operate and enforce • Organisations should consider a consistent approach across all personal data platforms March 28, 2018 4 Personal Data Landscape
No One Solution • There is no one solution to achieving GDPR compliance that applies to all organisations and to all aspects of GDPR • Organisations need to define their GDPR compliance strategy and their approach to data governance before looking at long-term solutions March 28, 2018 5
Reuse Existing Standards And Methodologies • There are existing, detailed, well-proven, well-documented methodologies in the areas such as approaches to data governance, data privacy, information security management, digital filing, supplier governance and managing outsourcing relationships that can be successfully re-used to achieve the necessary GDPR compliance without the need to look for new approaches • The wheel is not getting any rounder - it does not need to be reinvented • So use existing well-proven frameworks and methodologies to systematically improve skills, experience and practise in key competency areas • The world does not need new frameworks and methodologies – it needs existing ones well-implemented March 28, 2018 6 r d πd πr2 1800 900 2700 3600
Reuse Existing Standards And Methodologies March 28, 2018 7 GDPR Data Governance Data Management Information Security Outsourcing Management Records Management COBIT TOGAF DMBOK ISO 15489 Records Management ISO 16175 Standard for Digital Filing ISO 27001 Information Security Management Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
ISO 15489 Records Management • ISO 15489 defines the concepts and principles from which approaches to the creation, capture and management of records are developed: − Records, metadata for records and records systems − Policies, assigned responsibilities, monitoring and training supporting the effective management of records − Recurrent analysis of business context and the identification of records requirements − Records controls − Processes for creating, capturing and managing records • ISO 15489 applies to the creation, capture and management of records regardless of structure or form, in all types of business and technological environments, over time March 28, 2018 8
No Silver Bullet • There is not silver bullet to achieve GDPR compliance • Just a bunch of regular bullets to fire at the problem March 28, 2018 9
Tactical And Strategic Approaches • Take a multi- track approach to achieving appropriate, risk-based GDPR compliance March 28, 2018 10 Tactical Analysis, Scope and Design Strategy, Strategic Sourcing and Implementation • Request Logging and Tracking Facility • Consent Tracking • Notices • Policies • DPO • Supplier Review • Personal data collection and processing profiling • Personal data business process definition and ownership assignment • Definition of wider set of GDPR processes • Personnel certification • Define and agree strategic approach and operating framework • Source and implement strategic solutions and associated operational processes
GDPR Context March 28, 2018 11
Wider Context Of GDPR • There are many related regulations and directives • The data protection landscape is becoming increasingly crowded and the burden on organisations more onerous March 28, 2018 12 Treaty on the Functioning of the European Union (TFEU) European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) GDPR ePrivacy Regulation EU Digital Single Market (DSM) NIS DirectiveeIDAS Directive on Privacy and Electronic Communications Police and Criminal Justice Directive
Wider Context Of GDPR • The GDPR (http://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX%3A32016R0679) exists within the context of the wider EU Digital Single Market (DSM) strategy and a related set of regulations and directives • The DSM is a strategy of the European Commission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues • The stated objective of the GDPR is to increase trust in and the security of digital services in order to advance digital opportunities for citizens and businesses in Europe • The stated aim is to strengthen the position of the EU as a digital economy world leader March 28, 2018 13
Police and Criminal Justice Directive • Police and Criminal Justice Directive - Directive (EU) 2016/680 on the protection of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repeals Council Framework Decision 2008/977/JHA – will apply from 6 May 2018 • Creates a coherent framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security • The Police and Criminal Justice Directive harmonises the laws in the Member States in respect of the exchange of information between police and judicial authorities • Applies to both cross-border and domestic processing of personal data and it aims to improve cooperation of the Member States in the fight against terrorism and other serious crime across the EU, in that, it guarantees that personal data transferred outside the EU by criminal law enforcement authorities will be adequately protected March 28, 2018 14
Directive on Security of Network and Information Systems (NIS Directive) • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) comes into force on 10 May, 2018 − http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194: TOC • NIS Directive applies to: − Operators of Essential Services (OES) that are established in the EU. Certain businesses operating in critical national infrastructure (CNIs) − Seven sectors affected by the NIS Directive are energy, transport, banking, financial market infrastructure, health, water and digital infrastructure − Digital Service Providers (DSP) with search engines, cloud computing services, and online marketplaces identified as the types of DSP that are subject to regulation − The onus is on organisations to determine for themselves whether they are DSPs and subject to the Directive’s security and notification requirements − The NIS Directive does not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million) March 28, 2018 15
Directive on Security of Network and Information Systems (NIS Directive) • Aim of the NIS Directive is to ensure there is a common and high-level of EU-wide information systems and network security and cyber security by: − Improving national information and network security capacity and effectiveness including having Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) − Increasing co-operation on information and network security across all Member States − Introducing binding security obligations and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) − Member States will be responsible for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in that country March 28, 2018 16
NIS Security Principles March 28, 2018 17 SecurityPrinciples Identify Asset Management Systems and/or services that are required to maintain or support essential services must be determined, understood and documented Business Environment Overall organisation mission, objectives, stakeholders, and activities are understood, prioritised and documented Governance Policies, procedures, and processes to manage and monitor the regulatory, legal, risk, environmental, and operational requirements are identified, understood and documented Risk Assessment and Risk Management Identify and understand the network security risk to operations, assets and individuals Protect Service Protection Policies and Processes Define, communicate and document policies to direct the overall approach to securing systems and data that support delivery of essential services Identity and Access Control Access to assets and associated facilities is limited to authorised users, processes or devices and to authorised activities and transactions/functions Data Security Information and records are managed and documented consistent with the risk strategy to protect the confidentiality, integrity, and availability of information System Security Network and information systems and technology critical for the delivery of essential services are protected from attack Resilient Networks and System Incorporate resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services Staff Awareness and Training Employees and partners are provided network security awareness education and training to perform their information security-related duties and responsibilities Detect Anomalies and Events Detection Anomalous and unusual activity is detected in a timely manner and the potential impact of events is understood Security Continuous Monitoring Information systems and assets are monitored in order to identify network security events and validate the effectiveness of protective measures Respond Response Planning Response processes are executed, maintained and documented to ensure timely response to detected network security events Analysis Analysis is conducted to ensure adequate response and to support recovery actions Mitigation Take actions to prevent expansion of an event, mitigate its effects and resolve the incident Improvements Response activities are improved and documented by incorporating lessons learned Communications Response activities are co-ordinated with internal and external stakeholders including law enforcement Recover Recovery Planning Execute recovery processes and procedures are executed to ensure timely restoration of systems affected by network security events Improvements Improve recovery planning by incorporating lessons learned Communications Coordinate restoration activities with internal and external parties, such as coordinating functions, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors
NIS Security Principles • Use these security principles to create an operational security framework to reduce the chances of a data breach March 28, 2018 18
ePrivacy Regulation • In January 2017, the European Commission published its Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017) − http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 • The ePrivacy Regulation aims to make more effective and to increase the level of protection of privacy and personal data processed in relation with electronic communications in accordance with the Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union and ensure greater legal certainty − Complements and particularises the GDPR • While the ePrivacy Directive applied to telecommunication providers, the ePrivacy Regulation will apply to all providers of electronic communications services – described as Over-the-Top (OTT) communications services such as Facebook Messenger, LinkedIn, Skype, WhatsApp and others • ePrivacy Directive - Directive 2002/58/EC – will be replaced by the ePrivacy Regulation in due course March 28, 2018 19
eIDAS (electronic IDentification, Authentication and trust Services) • The eIDAS Regulation - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Electronic Signatures Directive) – came into effect on 1 July, 2016 − http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG • Aims to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of electronic ID and consistent rules on trust services across the EU • Focuses on two areas: − Interoperability – Member States are required to create a common framework that will recognise electronic Identifications (eIDs) from other Member States and ensuring their authenticity and security − Transparency – eIDAS provides a list of trusted services that may be used within a centralised signing framework March 28, 2018 20
European Union Agency for Network and Information Security (ENISA) • European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe • Privacy and Data Protection by Design - https://www.enisa.europa.eu/publications/privacy-and-data- protection-by-design/at_download/fullReport − View of what needs to be done to achieve privacy and data protection by default. For example, it specifies that encryption and decryption operations must be carried out locally and not remotely because both encryption/ decryption keys and data must remain in the power of the data controller and processor if any privacy is to be maintained − Covers topics such as the use of cloud data storage where the data controller, not the cloud service provider, holds the encryption/ decryption keys • Handbook on Security of Personal Data Processing - https://www.enisa.europa.eu/publications/recommendations-on- european-data-protection-certification/at_download/fullReport − Guidelines for small to medium businesses on data security March 28, 2018 21
Article 29 Working Party • Article 29 Working Party - Working Party on the Protection of Individuals with Regard to the Processing of Personal Data – was established under Article 29 the Data Protection Directive (Directive 95/46/EC) http://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX%3A31995L0046 • Produced much useful material on the implementation and operation of GDPR March 28, 2018 22 Document Link Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826 Guidelines on Data Protection Impact Assessment (DPIA) http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 Guidelines on Data Protection Officers http://ec.europa.eu/newsroom/document.cfm?doc_id=44100 Guidelines on Personal Data Breach Notification Under Regulation 2016/679 http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827 Guidelines on the Application and Setting of Administrative Fines http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889 Guidelines on the Lead Supervisory Authority http://ec.europa.eu/newsroom/document.cfm?doc_id=44102 Guidelines on the Right to "Data Portability" http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 Elements and Principles to be Found in Binding Corporate Rules (BCR) http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
European Data Protection Board (EDPB) • Article 68 of the GDPR provides for the establishment of the European Data Protection Board (EDPB), which will replace the Article 29 Working Party • Members of the EDPB are the heads of the supervisory authorities in each Member State (or their representatives) and the European Data Protection Supervisor (or their representative March 28, 2018 23
European Data Protection Supervisor (EDPS) • The post of European Data Protection Supervisor (EDPS) was established in 2004 under Regulation (EC) 45/2001, which regulation sets out the data protection standards that apply to the Union institutions • The post of EDPS is recognised in GDPR − The EDPS is a member of the EDPB, although the EDPS will only have voting rights where the issues involve principles and rules that are applicable to the institutions of the Union March 28, 2018 24
Personal Information March 28, 2018 25
Personal Information • Personal information is at the core of GDPR • Personal data is defined in Article 4(1) of the GDPR: − ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person • Information is personal if it is: − Owned by a person − About a person − Directed towards a person − Sent or posted or communicated by a person − Experienced by a person − Relevant to a person • The definition of personal data is very important − It does not just include information a person explicitly supplies − It includes implicit information such as browsing history • GDPR identifies special categories of personal data for which processing is subject to additional constraints − Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited March 28, 2018 26
Personal Information March 28, 2018 27 Personal Data Type Personal Data Items Personal Information Name, such as full name, maiden name, mother‘s maiden name, or alias Date of birth Place of birth Full home address Country, state, postcode or city of residence Marital status Telephone numbers, including mobile, business and personal numbers Information identifying personally owned property, such as vehicle registration number Passport number Social insurance or national insurance number Residence and geographic records Sexual orientation Biographical Data Specific age Height Weight Eye colour Hair colour Photographic image Gender Racial or ethnic origin Any defining physical characteristics Digital Footprint Digital identities, such as avatars and usernames/handles Logon details such as name, screen name, nickname, or handle Email address (if private from an association/club membership, etc.) IP addresses (in the EU) Geo-tracking information and location-based data Web usage behaviour or user preferences using persistent cookies Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address (MAC) address or other host-specific persistent static identifier that consistently Any information that links a particular person to a small, well-defined group Medical or Heath Data Patient identifier Number of sick days taken from employer and other information relating to any sick leave Visits to doctors Medical data Biological traits including DNA Fitness data Medical images such as X-rays, CT scans and ultra sound Biometric data such as fingerprints, retinal scans, voice signature or facial geometry Medication
Principles of GDPR March 28, 2018 28
Principles of GDPR • Core of the GDPR are stated principles governing data processing, which are supported by detailed provisions − Lawfulness, Fairness and Transparency: Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject − Specified, Explicit and Legitimate Purpose: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; Article 5(1)(b) − Adequate, Relevant and Limited: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed; Article 5(1)(c) − Accurate and Up-To-Date: Personal data shall be accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay; Article 5(1)(d) − Pseudonymisation/Storage Limits: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; Article 5(1)(e) − Security: Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unauthorised processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; Article 5(1)(f) March 28, 2018 29
Implementation And Operational Principles Data Protection By Design and By Default Limitation and Minimisation One Common Set of Rules and One-Stop Shop Certification Notices, Responsibility and Accountability Data Protection Impact Assessment (DPIA) Lawful Basis For Processing Consent Right of Access Right to Rectification Right to Erasure Right to Object / Prohibition Automated Decision-Making Data Portability Data Protection Officer Pseudonymisation Handling of Data Breaches Penalties and Sanctions March 28, 2018 30
GDPR Implementation And Operational Principles March 28, 2018 31 Data Protection By Design and By Default Limitation and Minimisation One Common Set of Rules and One- Stop Shop Certification Notices, Responsibility and Accountability Data Protection Impact Assessment (DPIA) Lawful Basis For Processing Consent Right of Access Right to Rectification Right to Erasure Right to Object / Prohibition Automated Decision-Making Data Portability Data Protection Officer Pseudonymisation Handling of Data Breaches Penalties and Sanctions
Data Protection By Design and By Default • Article 25 of the GDPR requires that data protection is designed into the development of business processes for products and services − Appropriate measures to implement the data protection principles and to safeguard data must be put in place in an effective manner at the time the means of processing is determined and at the time of the processing itself − This is a mandatory requirement, breach of which can lead to a fine • Article 25(2) addresses the concept of data minimisation and provides that the controller should implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed − Obligation applies to the amount of personal data collected, the extent of processing and the period of storage and accessibility − Data Protection by design and by default requires a combination of systems and processes − Changes to existing IT systems and possible new IT systems will be required to achieve this March 28, 2018 32
Limitation and Minimisation • The collection of personal data should limited for specific and justifiable purposes • The amount of personal data collected should be minimised • The storage interval should be limited • The type of processing should be limited and necessary • There should be a legal basis for processing • Access should be controlled and excluded by default rather than being inclusive • Processing of special categories of personal data should be avoided unless absolutely required • Data security should occur as a matter of course. • Essentially, if there are any doubts and the data is not necessary, do not collect it March 28, 2018 33
One Common Set of Rules and One-Stop Shop • There will be one set of data protection rules across all EU Member States. • Each Member State must create an independent supervisory authority to hear complaints, investigate them and to take administrative actions and enforce sanctions - Articles 51-54 • Article 51 requires each Member State to provide for one or more independent public authority to be responsible for monitoring the application of the GDPR. • Under Article 51(2), supervisory authorities have a duty to contribute to the consistent application of the GDPR, as well as specific obligations to cooperate with one another and the Commission through the consistency process. • Article 57 of the GDPR lists tasks of supervisory authorities, while Article 58 lists their powers • The general tasks of a supervisory authority is to monitor and enforce the application of the GDPR • Additionally, Chapter VII on Cooperation and Consistency sets out detailed provisions on mutual assistance (Article 61) and on the conduct of joint operations (Article 62) • Article 58(4) provides that the exercise of the powers of a supervisory authority must be subject to appropriate safeguards, including effective judicial remedies and due process • Where an entity such as a multi-national has multiple locations in multiple EU states, it will have a single supervisory authority as its lead supervisory authority, based on the location of its main office • In this instance, the lead supervisory authority will act as a one-stop shop (OSS) to supervise all the processing activities of that business throughout the EU March 28, 2018 34
Certification • GDPR provides for a voluntary data protection certification regime to be established • There is no certification approach or regime defined yet • ENISA has documented a possible certification approach March 28, 2018 35
Notices, Responsibility and Accountability • The need for and the content of privacy statements on web sites and other entry points to digital information and services that was specified in the Data Protection Directive has been expanded • Article 5(1) of the GDPR requires data controllers to process personal data fairly and lawfully and in a transparent manner: the objective is to ensure that data subjects are aware of the processing of their personal data, the purposes for which the processing is taking place and data subjects’ rights in relation to personal data • Article 13 of the GDPR specifies the information that must be provided to a data subject. The legal obligation is on the controller, although the controller may use a third party agent (such as the processor) to provide the information on the controller’s behalf as long as the notice meets the required standards • Information may be provided by a privacy notice (also known as a fair processing notice, privacy policy or data protection notice) • The information must be clearly accessible and available “at the time when the data are obtained”, which, in general terms, means the time when the data is collected • Under Article 13(1) of the GDPR, the privacy notice must state: − The identity of the controller (and where applicable, the controller’s representative) − The contact details of the Data Protection Officer, if applicable − The purposes of the processing for which the personal data is intended as well as the legal basis for the processing − The recipients or categories of recipient of the personal data − If the controller transfers personal data, the fact that the controller intends to do so to a third country or international organisation (and related information in relation to such transfers) • The purposes of the processing must be described in accessible terms and clearly distinguished from one another March 28, 2018 36
Notices, Responsibility and Accountability • Article 13(2) of the GDPR requires that additional information should be provided where necessary to ensure fair and transparent processing − The retention period for personal data (or, where that is not possible, the criteria used to determine that period); − The data subject’s rights in relation to the personal data (being the right to request access to and rectification of personal data, the right to erasure of personal data, to restrict the processing of personal data, to object of the processing of personal data and right to data portability) − The right to lodge a complaint with a supervisory authority; − Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract and whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide the data; and − The existence of any automated decision-making, including profiling, and if it is to be used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject March 28, 2018 37
Notices, Responsibility and Accountability • There can be one general notices or several notices throughout the web site on those pages where personal information is being collected • It is best practice to include notices on all pages where personal information is required to be entered • Where the data subject already has the relevant information, the controller will not need to provide the information to the data subject - Article 13(4) • The information must be concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child; Article 12(1) • The information shall be provided in writing, or by other means, including, where appropriate, by electronic means • When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means March 28, 2018 38
Notices, Responsibility and Accountability March 28, 2018 39 Mandatory Privacy Notice Contents Specific Personal Information Collection Privacy Notice Contents Identity and the contact details of the data controller The length of time for which the personal data will be stored, or if that is not possible, the criteria used to determine it Contact details of the data protection officer, if one exists – see below The right to:  Request from the data controller access to  Request rectification or erasure of personal data  Restrict processing  Object to processing  Data portability The purposes of the processing of personal data and the legal basis for this processing (Article 6 Lawfulness of Processing) The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal Who receives the personal data The right to complain to Supervisory Authority Whether data is being transferred to a third country or international organisation and, if so, the safeguards that are being used and the means by which to obtain a copy of them or where they have been made available If the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract, as well as whether the person is obliged to provide the personal data and of the possible consequences of failure to provide the data The use of automated decision-making, including profiling and where this applies meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person
Notices, Responsibility and Accountability • The principle of Privacy By Design and By Default requires that data protection measures are designed and incorporated into the development of business processes and systems • The data controller is responsible for implementing effective measures and being able to demonstrate the compliance of processing activities even if the processing is carried out by a separate data processor on behalf of the data controller • Personal data should be pseudonymised as soon as possible after collection and expiry of its original use March 28, 2018 40
Data Protection Impact Assessment (DPIA) • The use of Privacy Impact Assessments (PIAs) was developed outside the EU, with the UK being the first supervisory authority in the EU to adopt the use of PIAs • In the UK, PIAs have been mandatory for Government departments for several years, as well as being widely used in the privacy sector • GDPR, in Article 35, introduces mandatory Data Protection Impact Assessments (DPIAs) in respect of high-risk processing, that is to say, processing that poses a high risk to the rights and freedoms of natural persons • Article 35(3) designates three specific types of processing as high-risk so that a DPIA is required for: − Processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person − Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10 − Systematic monitoring of a publicly accessible area on a large scale • In addition to these three cases in which a DPIA is mandatory, there is a general obligation to conduct a DPIA where there processing is likely to result in a high risk to the rights and freedoms of natural persons – see Article 35(1). • Under Article 35(4), the supervisory authority is required to make public a list of the kind of processing operations that are subject to the requirement for a DPIA under Article 35(1) and shall communicate the list to the EDPB March 28, 2018 41
Data Protection Impact Assessment (DPIA) • A DPIA must address: − A systematic description of the envisaged processing operations – this should include the flow of personal data through the systems and business processes as business activities are performed − The purpose of the processing (including, where applicable, the legitimate interest pursued by the controller) − An assessment of why the processing is being performed and how this is proportional to the underlying need − An assessment of the risks to the rights and freedoms of the persons affected − The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of data subjects concerned • Where the DPIA indicates that the processing remains high risk despite the application of measures to mitigate that risk, the controller must consult the supervisory authority before processing – see Article 36(1) • Member States must similarly consult the supervisory authority where they are preparing a proposal for a legislative measure to be adopted by the national parliament or for a regulatory measure based on legislation – see Article 36(4) March 28, 2018 42
Lawful Basis For Processing • Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject − The person has consented to the processing of their personal data for one or more specific and prior notified purposes − It is needed for the performance of a contract to which the person is a party or in order to take steps at the request of the person before to entering into a contract − It is required to protect the vital interests of the person in question or of another person. − It is required so the data controlled can comply with a specific legal obligation − It is needed to perform a task carried out in the public interest or in the exercise of an official function of data controller − It is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the person is a child March 28, 2018 43
Consent • Explicit consent of the person must be obtained for data collection and processing, with Article 7 setting out the basic conditions required for a consent to be valid: − The consent must be freely given − A proper explanation of what the individual is consenting to must have been provided before the consent is obtained − Separate consents must be given for separate purposes − Consent can be refused − Consent can be withdrawn at any time • Consent should be informed − The identity of the controller and the processing purposes should be detailed − Silence or implied consent and pre-checked boxes on web pages are no longer valid − The organisation must ask for consent and obtain explicit consent − Plain language should be used and consent is unlikely to be achieved if data protection notices are unintelligible or over-complicated − Consent must be specific − Where the data processing has multiple purposes, consent should be given for all of them − The burden of proof that consent was obtained in a correct and explicit manner resides with the data controller − Consent management needs to include both the recording of consent and the circumstances under which it was provide and while there is no requirement that consent should be in writing, the evidential burden suggests that, in practical terms, this will occur March 28, 2018 44
Right of Access • Persons have the right to access their personal data and to get details about how this personal data is being processed • The right of subject access is complemented by the right, under Article 20 of the GDPR, to data portability • A controller is under an express obligation to facilitate the exercise by a data subject of their rights, including to subject access and data portability; Article 12(2). • A controller’s obligation under Article 20 (right of data portability) is to “transmit … data to another controller without hindrance” • Article 15(1) provides that a data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the information • The data controller has to provide − Access to the data itself − The categories of personal data concerned − With whom the data is shared (that is to say, the recipients or categories of recipients to whom the personal data is or will be disclosed and in particular, recipients in third countries) − The envisaged storage period for the data or, if it is not possible to so specify, the criteria used to determine that period − How it acquired the data in the sense that where the personal data was not collected from the data subject, any available information as to the source of the personal data − The existence of the right of rectification or erasure or restriction of processing of personal data − The right to lodge a complaint with a supervisory authority − The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) March 28, 2018 45
Right to Rectification/ Right to Completion • Article 16 of the GDPR provides for a right to rectification of inaccurate data, as well as a right to have incomplete data completed • Data must be rectified by the data controller without undue delay if the data is inaccurate and the data subject has so notified the data controller • The right to completion of data applies where the purpose of the processing makes it appropriate and the right may be complied with by providing a supplementary statement March 28, 2018 46
Right to Erasure - The “Right To Be Forgotten” • Article 17 of the GDPR confers a right to request erasure of, and cessation of processing, personal data including any copies related to them − Where the personal data are no longer necessary in relation to the purposes for which they are collected − Where the person has withdrawn their consent − Where the person objects to the processing under Article 21(1)and there are no overriding legitimate grounds for the processing − Where the processing of the personal data does not otherwise comply with the GDPR − The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject − The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) • A request for erasure can be refused where the processing is necessary for one of the exempt purposes specified in Article 17(3), that is to say, where the processing is necessary for: − The exercise of the rights of freedom of expression and information; − Compliance with a legal obligation or the exercise of a discretionary power; − Reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3); − Archiving and research purposes; − Establishment, exercise or defence of legal claims March 28, 2018 47
Right to Erasure - The “Right To Be Forgotten” • Article 19 requires a data controller to communicate any rectification or erasure of personal data or restriction of processing to any person to whom the data has been disclosed “unless this proves impossible or involves disproportionate effort” • If the data subject asks, the controller must provide details of those persons to whom the data was disclosed March 28, 2018 48
Right To Restriction Of Processing • Under Article 18, a data subject has the right to restrict processing of personal data in four specified circumstances: − The accuracy of the personal data is contested by the data subject, in which case the restriction will be for a period enabling the controller to verify the accuracy of the personal data − The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead – it is not entirely clear what is meant by this provision as, if the data subject does not want the erasure of the personal data, the inference is that the data subject consents to the processing of the data − The controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims − The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject March 28, 2018 49
Right to Object / Prohibition Automated Decision- Making • Article 21(1) confers on a data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning the data subject which is based on Article 6(1)(e) or (f), including profiling based on those provisions • Article 6(1)(e) permits data processing where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, while Article 6(1)(f) renders lawful processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party • The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims • Article 22(1) prohibits automated decision-making subject to a number of exceptions − Automated decisions subject to Article 22 are decisions based solely on automated processing that produce legal effects concerning the data subject or significantly affect the data subject March 28, 2018 50
Data Portability • A person must be able to transfer their personal data from one controller to another without being prevented by the data controller - Article 20 − This covers both the information content – what was supplied – and the metadata • The right to data portability is the “right to receive the personal data concerning [the data subject], which [the data subject] has provided to a controller” – see Article 20(1) • The right applies where consent to data processing has been provided under Article 6(1)(a) (express consent) or Article 9(2)(a) (special categories of personal data) and where the processing is automated • The right does not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – see Article 20(3) • The right to data portability does not arise − Where data is processed by a controller under a legal duty or in exercise of discretionary powers − Where processing is necessary in order to protect the vital interests of the data subject or of another natural person − Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller March 28, 2018 51
Data Protection Officer • Article 37 sets out the circumstances in which designation of a Data Protection Officer (DPO) is mandatory for certain data controllers and data processors • All public authorities (except for courts) • Where the core activities of the controller or processor monitor individuals systematically (such as tracking and profiling on the Internet) and on a large scale • Where the core activities of the controller or processor consist of large scale processing of the special categories of data under Article 9 and personal data relating to criminal convictions and offences referred to in Article 10 • The DPO is independent (Article 38(3)) and must be given sufficient resources (Article 38(2)) to carry out their tasks effectively. • Article 37(5) provides that the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of a DPO set out in Article 39 − The DPO should be skilled and experienced in managing IT processes, data security (including dealing with network attacks) and be knowledgeable in the issues around the holding and processing of personal and sensitive data − The skills required depend on the organisation and the processing it performs − The DPO should also know the administrative rules and procedures of the organisation − The organisation should include the DPO in all issues relating to the protection of personal data in a timely manner March 28, 2018 52
Pseudonymisation • Pseudonymisation” is defined in Article 4(5) of the GDPR • Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person • Article 29 Working Party: − “pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure.” • Encryption is a form of pseudonymisation − The original data cannot be read − The process cannot be reversed without the correct decryption key − GDPR requires that this additional information be kept separate from the pseudonymised data. • Pseudonymisation reduces risks associated with data loss or unauthorised data access − Pseudonymised data is still regarded as personal data and so remains covered by the GDPR − It is viewed as part of the Data Protection By Design and By Default principle • Pseudonymisation is not mandatory − Implementing pseudonymisation with existing IT systems and processes would be complex and expensive and, to that extent, pseudonymisation might be considered an example of unnecessary complexity within the GDPR March 28, 2018 53
Pseudonymisation • GDPR Recital 26 − The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. • Pseudonymisation is not anonymisation − Anonymisation means data cannot be attributed to a person − Pseudonymisation means data can be attributed to a person using additional information − Pseudonymisation just makes identifying persons from data more difficult, time-consuming and expensive March 28, 2018 54
Pseudonymisation • Article 89 (1): as a means of enhancing protection in case of further use of data for research and statistics • Article 6 (4): as a means of possibly contributing to the compatibility of further use of data • Article 25: as a means to contribute to “privacy by design” in data applications • Recital 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.” March 28, 2018 55
Pseudonymisation • Pseudonymisation means removing the link between data and its attribution to a specific individual • Add a layer of complexity, time and expense to person identification • There are many (complex) approaches to pseudonymisation • Pseudonymisation aims to provide an extra layer of security − It does not stop personal data being lost − It just reduces the likelihood that lost personal data can be used March 28, 2018 56 IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Data 1 P 1 Data 2 P 1 Person 2 Data 1 P 2 Data 2 P 2 Person 3 Data 1 P 3 Personal Data Lose Or Allow Access To This And Personal Data Can Be Read By Anyone IT System Person Personal Data Field 1 Personal Data Field 2 6AC1B12B A51B6F4B E78A52F3 A27E3B3A 6E4DA618 CB9FC8AE 4F5C7F63 925A58D2 Personal Data Direct Data Access 1 Lose Or Allow Access To This And Personal Data Cannot Be Read With Ability to Decrypt 2 1. System Retrieves Encryption Key 2. Encrypted Data Read and Written And Decrypted Using Key
Handling of Data Breaches • is impossible to have 100% security 100% of the time and still collect and process information − So organisations should assume a data breach however minor will happen at some time − Security systems should be designed to facilitate the discovery of any breach as soon as possible; • It is important to reduce the scope and effect of the breach, the time to identify that the breach has occurred and to respond more quickly and effectively to limit the damage. − Organisations are responsible for the implementation and operation of sufficient countermeasures to prevent as much as possible, detect and handle breaches − A data breach in itself will not necessary attract administrative sanctions − The failure to have structures in place to prevent, detect and handle breaches will • A “personal data breach” is defined in Article 4(12) of the GDPR as: − “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” • A controller is required to document all cases of personal data breach comprising the facts relating to the personal data breach, its effects and the remedial action taken; Article 35(5) • Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is under a legal obligation to notify the supervisory authority of a personal data breach within 72 hours (and if not an explanation of the delay) after having become aware of the data breach; Article 35(1) March 28, 2018 57
Handling of Data Breaches • Under Article 35(3), the notification must include: − A description of the nature of the personal data breach including, if possible, the categories and approximate number of persons affected and the categories and approximate number of personal data records affected − The name and contact details of the Data Protection Officer or other contact point where more information can be obtained − A description of the likely consequences of the personal data breach − A description of the measures taken or that are proposed to be taken by the data controller to address the personal data breach, including any measures to mitigate its possible adverse effects • Persons affected by the data breach must be notified if the breach is likely to have a high risk to their rights – see Article 34(1) • Importantly, data controllers do not have to notify affected persons if protection measures were implemented that rendered the personal data unintelligible – see Article 34(3) − A notice required to be given to data subjects must describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the Data Protection Officer (or other contact point where more information can be obtained) − A description of the likely consequences of the personal data breach; and a description of the measures taken or that are proposed to be taken by the data controller to address the personal data breach, including any measures to mitigate its possible adverse effects – see Article 34(2) (by reference to Article 33(b) to (d) March 28, 2018 58
Penalties and Sanctions • Failure to comply with GDPR can result in administrative penalties and other sanctions • Warnings – under Article 58(2), a supervisory authority has specific powers to issue warnings to a controller or processing that intended processing operations are likely to infringe the GDPR and reprimands where processing operations have infringed the GDPR • Data protection compliance audits – Article 58(1) confers on supervisory authorities investigative powers, including, at Article 58(1)(b) the power to carry out investigations in the form of data protection audits; • Fines - two levels of fines − €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is the greater, for failures relating to: • Conditions applicable to child's consent in relation to information society services • Failures in data processing and security • Notification of a personal data breach to the supervisory authority • Communication of a personal data breach to the data subject • Data protection impact assessment • Designation of the data protection officer • Certification − €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is the greater for failures relating to: • Principles relating to processing of personal data • Lawfulness of processing • Conditions for consent • Processing of special categories of personal data • Information and access to personal data • Information to be provided where personal data are collected from the data subject • Right of access by the data subject • Right to rectification • Right to erasure • Right to restriction of processing • Right to data portability • Automated individual decision-making, including profiling • Transfers of personal data to third countries or international organisations March 28, 2018 59
Implementing and Operating GDPR March 28, 2018 60
Implementing and Operating GDPR • GDPR compliance is achieved through a combination of processes and technology • Most of the impact that GDPR will have is on existing IT systems that process personal data • The effort to implement and operate GDPR will depend on the scope of the problem which is dictated by the amount of personal data the organisation collect and processes • The problem with many compliance initiatives is that they tend to be treated as single projects operating in an organisation silo rather than as being part of a wider and more general and shared compliance framework • Despite have a broad scope across the organisation, GDPR compliance will more likely in many cases be treated as yet another stand-alone initiative • It is simply not possible to quantify the volume and types of requests that individuals will make under GDPR March 28, 2018 61
GDPR Compliance Preparatory Steps 1. Determine the organisation’s role under the GDPR – data controller or data processor 2. Assign someone to the Data Protection Officer role/team 3. Implement consent management 4. Review and update data retention and data backup 5. Identify and document business processes and associated IT systems processing personal data 6. Identify and assess any cross-border data flows 7. Prepare for persons exercising their GDPR rights 8. Prepare for a data breach March 28, 2018 62
Determine The Organisation’s GDPR Role • Inform your employees about GDPR risks and appropriate behaviours by defining clear policies on the collection and use of personal data and any collaboration and sharing or maintenance of local uncontrolled copies • Implement security awareness and privacy training March 28, 2018 63
Fill The Data Protection Officer Role And Team • The primary role DPO is to ensure the organisation is compliant with GDPR • Initially, appoint someone to the DPO role irrespective of any legal necessity • The role does not have to be full-time • Once compliance is achieved the level of work may reduce • The DPO role is cross-functional. It spans the entire organisation, crossing the boundaries of business functions • These roles are often very difficult to implement as they encroach on the territories of business function leaders and, in doing so, encounter resistance • To be successful the DPO role needs to be supported from the highest levels in the organisation • Train personnel March 28, 2018 64
Implement Consent Management • Consent management involves: − Identifying all points where personal data is collected across all communication channels − Identifying the data processing processes where consent is required − Drafting GDPR consent management notices − Updating communication channels such as the organisation web site(s) with GDPR consent notices − If data is collected from children, implement an approach to collect consent from parents or guardians − Updating IT systems to record consent details and allow consents be subsequently updated March 28, 2018 65
Review And Update Data Retention And Backup • Reviewing existing approaches to data archival, retention and deletion, if any • Reviewing data backup processes to ensure data not being retained is not held on backups • Implement data retention and deletion policies and procedures • Update data backup policies and procedures March 28, 2018 66
Identify And Document Business Processes And Associated IT Systems Processing Personal Data • Create an inventory of personal data collected, created, processed and derived − Review the reasons why personal data is collected and stop collecting if it is not necessary or justifiable. • Identify any high-risk data collected or generated − Consider conducting DPIAs for these • Identify if you process any of the special categories of personal data and handle this instances in more detail − Consider conducting retrospective DPIAs for these • Where personal data is collected ensure explicit consent is obtained • Develop and implement notices on all personal data collection points − Identify points were consent is necessary. • Create an inventory of business processes where personal data is involved − Appoint business process owners − Document these business processes with those involved in their operation − Define business process review dates, at least annually • Document the legal grounds for processing this personal data • Create an inventory of IT systems that store and process personal data • Map the flow of personal data across business processes and IT systems from initial collection to its processing and ultimate deletion. • Consider initiating a business process review and update exercise that minimises the amount of personal data being collected and processed to reduce compliance overhead and risk March 28, 2018 67
Identify And Document Business Processes And Associated IT Systems Processing Personal Data • This data discovery and profiling work has the potential to be quite onerous, depending on the number of IT systems and processes involved in processing personal data. • Review your network security, especially on systems that contain personal data that can be accessed from outside the organisation • Identify any third-parties involved in data collection and data processing for your organisation such as IT outsourcing or business process outsourcing arrangements • For each of these outside organisations you must ensure that they too are compliant with GDPR: − Review their network security − Review their data retention policies to ensure personal data is deleted as soon as it is no longer needed − Review data backup processes and amend to ensure data not being retained is not held on backups − Ensure they appoint a DPO − Review their process for handling data breaches • Where suppliers fail to meet GDPR compliance requirements they must resolve these issues or you must replace the March 28, 2018 68
Organisation Conceptual Data Model • Consider building an organisation conceptual data model to assist with identifying personal data processing and data flows March 28, 2018 69
Generic Organisation Conceptual Data Model March 28, 2018 70
Generic Data Conceptual Data Model – Components - 1 of 2 28 March 2018 71 Component Description External Interacting Parties These are the range of external parties that supply data to and access data from the enterprise External Party Interaction Zones, Applications, Channels and Facilities These are the set of applications and data interface and exchange points provided specifically to External Interacting Parties to allow them supply data to and access data from the enterprise These can be hosted internally or externally or a mix of both External Third Party Applications These are third-party applications (such as social media platforms) that contain information about the enterprise or that are used by the enterprise to present information to or interact with External Interacting Parties or where the enterprise is referred to, affecting the perception or brand of the enterprise External Data Sensors Sources of remote data measurements External Party Interaction Zones Data Stores These are applications and sets of data created by the enterprise to be externally facing where external parties can access information and interact with the enterprise External Devices These are devices connected with services offered by the enterprise (such as ATMs and Kiosks) Date Intake/Gateway This is the set of facilities for handling data supplied to the enterprise including validation and transformation including a possible integration or service bus This can be hosted internally or externally or a mix of both Line of Business Applications This represents the set of line of business applications deployed on enterprise owned and managed infrastructure used by business functions to operate their business processes Organisation Operational Data Stores These are the various operational data stores used by the Line of Business Applications
Generic Data Conceptual Data Model – Components - 2 of 2 28 March 2018 72 Component Description Line of Business Applications Hosted Outside the Organisation This represents the set of line of business applications deployed on external infrastructure used by business functions to operate their business processes This includes cloud facilities such as external data storage and XaaS facilities and an integration service to connect external data to internal data External Application Operational Data Stores These are the various operational data stores used by the Line of Business Applications used by Line of Business Applications Hosted Outside the Organisation Data Mastering These are facilities to create and manage master data and data extracted from operational data to create a data warehouse and data extracts for reporting and analysis. This includes an extract, transformation and load facility These can be hosted internally or externally or a mix of both Data Reporting and Analysis Facilities This represents the range of tools and facilities to report on, analyse, mine and model data These can be hosted internally or externally or a mix of both Document Sharing and Collaboration These are tools used within the enterprise to share and collaborate on the authoring of documents Document Management Systems These are systems used to manage transactional and ad hoc structured and unstructured documents in a formal and controlled manner, including the metadata assigned to documents Desktop Applications These are applications used by individual users to view and author documents Document and Information Portal This provides structured access to documents and information including externally hosted applications providing these facilities Unstructured Data Stores These are storage locations for enterprise documentation
Zones Within Data Fabric Conceptual Data Model • Sets of components of conceptual data fabric model can be grouped into zones: − Internal – within the enterprise’s boundary − Cloud Extension – extensions to enterprise applications and data held in external cloud platforms − Interface – set of components responsible for getting data into and out of the enterprise and presenting data and applications externally − Externally Located Extension – infrastructure and applications that are connected to the wider enterprise network − External Controlled – components outside the enterprise but under the control of the enterprise − External Uncontrolled – components outside the enterprise and not under the direct control of the enterprise 28 March 2018 73
Why Create A Conceptual Data Fabric Model? • Conceptual data fabric model represents a rich picture of the enterprise’s data context − Embodies an idealised and target data view • Detailed visualisations represent information more effectively than lengthy narrative text − More easily understood and engaged with • Show relationships, interactions • Capture complexity easily • Provides a more concise illustration of state • Better tool to elicit information • Gaps, errors and omissions more easily identified • Assists informed discussions • Evolve and refine rich picture representations of as-in and to-be situations March 28, 2018 74
Identify and Assess Any Cross-Border Data Flows • The EDPS has produced guidance on international data transfers – see https://edps.europa.eu/data-protection/data-protection/reference-library/international- transfers_en • Transfers to any of the 28 EU member states (the status of the UK after BREXIT is not currently defined) are still allowed as well as to Norway, Liechtenstein and Iceland, that is countries that are members of the European Economic Area (EEA) • The European Commission has Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay to have an adequate level of protection so data transfers to these countries are also possible • In February 2016, after the previous Safe Harbour scheme was rendered invalid, the European Commission and the United States agreed on a framework for transatlantic data transfers called the EU-U.S. Privacy Shield • The European Commission officially deemed this to be adequate in July 2016 – see http://europa.eu/rapid/press-release_IP-16-2461_en.htm • In the absence of adequacy decisions for particular countries you should use proper and suitable safeguards such as Binding Corporate Rules (BCRs) and contracts. BCRs are described in Article 47 of GDPR and in the working document created by the Article 29 Working Party Elements and Principles to be Found in Binding Corporate Rules (BCR) http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798 March 28, 2018 75
Binding Corporate Rules (BCR) • Any BCRs must be legally binding and must specify clearly the duties and responsibilities of each participating member of the group of undertakings or group of enterprises engaged in a joint economic activity including their employees. BCRs must apply to every member of the group • The group of undertakings can include international organisations, business alliances, joint ventures, outsourcing arrangement, or shared economic activities • The BCR should cover: − Structure and members of the group sharing the joint economic activity − Contact details of overall group and of each member − Contact details for DPO function of each member − Details on data protection training for staff with access to personal data − Obligations towards the relevant supervisory authorities − The tasks of any DPO or other business function responsible with compliance monitoring. − Numbers or and details on the data transfers including the data being transferred − Purpose of the data transfers − Processing perform by each member of the group − Legally binding obligations of each member towards one another and towards the persons whose data is being processed − Statement of liability of data controller or data processor in EU with regards to breaches of the BCRs by any member outside the EU − Persons rights, the ways to exercise those right including the right to complain − Provision of information on the BCRs towards persons to meet obligations, duties and rights of information of the GDPR − Complaint procedures and complaint handling − Data protection audits including scope and frequency and the methods of correction to protect persons’ rights − Application of general data processing principles and generally accepted privacy principles March 28, 2018 76
Binding Corporate Rules (BCR) • Outsourcing review activity should also include: − Review all external data processing arrangements, including data storage and use of external applications, that store personal data − Determine the GDPR compliance of these processing arrangements and consider rationalising suppliers − Review the contracts and agreements associated with these arrangements − Update the agreements to include GDPR-specific details − Review and update supplier selection and procurement processes to include GDPR-specific requirements in selection factors and in new service contracts March 28, 2018 77
Prepare for Persons Exercising Their GDPR Rights • The operation of GDPR will give rise to the need to develop, implement and operate a number of business processes and associated standard operating procedures to implement the rights of persons under GDPR • The inventory of these processes includes: 1. Request Tracking 2. Consent and Consent Recording and Tracking 3. Consent Withdrawal 4. Access to Data 5. Data Rectification 6. Restriction of Processing 7. Data Objection 8. Profiling Objection 9. Data Erasure 10. Data Portability 11. Complaint Handling 12. Personal Data Breach Notification 13. Person Data Breach Notification 14. Record of Audits of Third-Party Data Processors • This is lengthy list of processes • Their definition, implementation and operation has the potential to be onerous March 28, 2018 78
Generalised Information Lifecycle And GDPR • To achieve compliance with GDPR, the lifecycles of personal data processes should be documented and formalised • In particular data archival, data retention and data deletion – stages in the information lifecycle that are currently infrequently not handled well, if at all – need to be implemented March 28, 2018 79 Enter, Create, Acquire, Derive, Update, Integrate, Capture Secure, Store, Replicate and Distribute Preserve, Protect and Recover Archive and Recall Delete/Remove Implement Underlying Technology Architect, Budget, Plan, Design and Specify Present, Report, Analyse, Model
Information Lifecycle And GDPR • Architect, Budget, Plan, Design and Specify - This relates to the design and specification of the data storage and management and their supporting processes. This establishes the data management framework • Implement Underlying Technology - This is concerned with implementing the data-related hardware and software technology components. This relates to database components, data storage hardware, backup and recovery software, monitoring and control software and other items • Enter, Create, Acquire, Derive, Update, Integrate, Capture - This stage is where data originated, such as data entry or data capture and acquired from other systems or sources • Secure, Store, Replicate and Distribute - In this stage, data is stored with appropriate security and access controls including data access and update audit. It may be replicated to other applications and distributed • Present, Report, Analyse, Model - This stage is concerned with the presentation of information, the generation of reports and analysis and the created of derived information • Preserve, Protect and Recover - This stage relates to the management of data in terms of backup, recovery and retention/preservation • Archive and Recall - This stage is where information that is no longer active but still required in archived to secondary data storage platforms and from which the information can be recovered if required • Delete/Remove - The stage is concerned with the deletion of data that cannot or does not need to be retained any longer. Data has to be able to be disposed of in a managed, systematic and auditable way • Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund - This is not a single stage but a set of processes and procedures that cross all stages and is concerned with ensuring that the processes associated with each of the lifestyle stages are operated correctly and that data assurance, quality and governance procedures exist and are operated March 28, 2018 80
Map GDPR Processes And Their Impacts To Information Lifecycle March 28, 2018 81 Architect, Budget, Plan, Design and Specify Implement Underlying Technology Enter, Create, Acquire, Derive, Update, Integrate, Capture Secure, Store, Replicate and Distribute Present, Report, Analyse, Model Preserve, Protect and Recover Archive and Recall Delete/ Remove Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund Request Tracking X X X X Consent and Consent Recording and Tracking X X X X X X X Consent Withdrawal X X X X X X X Access to Data X X X X X X X Data Rectification X X X X X X X Restriction of Processing X X X X X X X Data Objection X X X X X X X Profiling Objection X X X X X X X Data Erasure X X X X X X X X Data Portability X X X X X X X Complaint Handling X X X X Personal Data Breach Notification X X X X Person Data Breach Notification X X X X Record of Audits of Third- Party Data Processors X X X X
Request Tracking Facility – Sample Facility Required March 28, 2018 82 Information Item Description Date and Time Request Received The date and time that the request is received from the individual/authorised entity Received By The person of business function who logged the request Source The source of the request Request Type The type of the request Priority A priority assigned to the request Request Details A description of the request Requester Contacted for Clarification A flag indicating if the requester needs to be or was contacted to clarification Clarification Received Notes on clarification received Request Reviewed and Approved for Processing A flag indicating that the request contains sufficient details to allow it to be processed Date Request Processing Started The date that formal response processing started. The due date is calculated from this date, based on the request type Date Request Response Due The due date of the response Business Functions Affected by Request A list of business functions within the organisation affected by the request Third Parties Affected by Request A list of third-parties within the organisation affected by the request Request Sent to Business Functions <N> Details on the request sent to the business function, date and time, person, details of request, date due, date received, clarification required and received. This will be repeated for each affected business function. There will be a sub workflow for each business function Request Sent to Third Party <N> Details on the request sent to the third party, date and time, person, details of request, date due, date received, clarification required and received. This will be repeated for each affected third party. There will be a sub workflow for each business function Response Reviewed Date and Time The date and time that the response is received and collated Response Reviewed By The person who reviewed the response Response Redaction Required A flag indicating that the response needs to be redacted before it is issued to the requester Response Redaction Notes Notes on the nature of and reason for the redaction of the response Response Redaction Completed By The person who completed the redaction Response Redaction Reviewed By The person who reviewed the redaction Response Redaction Reviewed Date and Time The date and time the redaction was reviewed and approved Response Release Authorised By The person who authorise the release of the response Date and Time Response Issued The date and time the response was issued Response The response or details on where the response is stored Response Covering Communication The covering communication that accompanied the response
Prepare For A Data Breach • At a high-level, the activities involved in this include: − Identify Supervisory Authority contact details − Document a list of breach scenarios and identify steps to be performed − Create draft breach notifications including Supervisory Authority and personal contacts − Document breach management process including roles and responsibilities March 28, 2018 83
Approaches To Achieving Compliance • The owner of the business processes where personal data is collected and processed is responsible for compliance − The DPO is not responsible for compliance − The DPO assists with compliance − So the organisation should formally appoint business process owners − These business process owners should conduct privacy impact and risk assessments regularly • Risk management plays a large part of achieving compliance with GDPR − Business process owners should be able to informed decisions on how to address risks in their data processing processes within the processes for which they are responsible − Risks can be mitigated until the residual risk is within tolerable limits • Achieving compliance with GDPR should, in the first instance, focus on personal simplification, reduction and minimising the amount of personal data you collect and process, is possible − Consider moving to excluding access to personal data by default. − Review any processing performed by third-parties, any outsourcing arrangements or use of cloud systems or platforms • Review your sourcing and supplier selection factors and ensure they explicitly include security controls, privacy management and privacy control functions, certifications and approach to auditing • Note that mobile devices come under the ambit of GDPR if they are used for the processing of personal data − Data breaches occur when mobile devices are lost, resulting in unintended loss of control over personal data − A mobile device management facility including the ability to remotely wipe lost devices might be required − Previous Bring Your Own Device (BYOD) policies might need to be revisited employees do not consent to his personal device being remotely monitored and controlled March 28, 2018 84
Approaches To Achieving Compliance • GDPR compliance cost could be substantial • PwC have conducted a number of surveys on the GDPR preparations and estimated budgets for 300 large organisations in the UK, US and Japan − The most recent survey is from July 2017 –see https://www.pwc.com/us/en/increasing-it- effectiveness/publications/general-data-protection-regulation-gdpr- budgets.html • Highlights − In July 2017, only 11% of executives surveyed said their companies have now finished operationalised preparations − Of the companies who said they have finished preparations, 88% reported spending more than USD 1 million on GDPR preparations and 40% reported spending more than USD 10 million − Among all companies, 60% said they plan to spend at least USD 1 million on GDPR preparation projects and 12% plan to spend more than USD 10 million March 28, 2018 85
Survey Of State Of GDPR Compliance – Preparation Status March 28, 2018 86
Survey Of State Of GDPR Compliance – Estimated Budget March 28, 2018 87
IT Systems And GDPR Compliance • There are multiple IT systems, each of which will store personal data − Personal data may also exist in the form of documents scanned into document management systems or documents generated and store in electronic folders or in email systems. • The same person will have different sets of data stored across these systems − The person may not uniquely identifiable across these systems − There may be variations in the spelling of names and addresses and different data formats March 28, 2018 88
High-Level Representation Of IT System Landscape And Personal Data March 28, 2018 89 Operational IT System 1 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Operational IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Scanned Documents External Documents Document Store Reporting IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Cloud Data Store
GDPR And Personal Data Landscape March 28, 2018 90 Personal Data Landscape Consent Fairness Lawful Transparency Retention and Deletion Anonymisation Pseudonymisation Accuracy and Currency Security Legitimate Purpose Accountability Minimisation Access Policies Appropriate Usage Data Lifecycle Data Ownership Data Governance
GDPR And Personal Data Landscape • GDPR now imposes strict and severe legislative constraints on the organisation’s personal data landscape March 28, 2018 91
IT System Compliance Options • Option 1: Modify each operational IT system to hold additional information such as GDPR flag indicating that the data is personal and comes under the scope of GDPR, retention details, consent details, deletion details − Potentially very expensive and time consuming − If the IT systems are sourced from third-parties these organisations may over time update their systems to allow the additional GDPR-related information to be stored • Option 2: Implement a separate system that takes data from the operational systems and that create a single consolidated view of personal data across these systems − Involves developing or sourcing a software system to provide this consolidated personal data management functionality − One of the issues with having a separate system is that changes that occur in the underlying operational systems have to be reflected in it • Both of these solution approaches just provide containers for GDPR- related information on personal data to be stored − That information has to be defined and completed and subsequently maintained March 28, 2018 92
GDPR Related Metadata • For each item of personal data collected after GDPR goes live and held in an application or stored outside IT systems, there is a need to maintain a set of GDPR-related metadata • Set of metadata will depend on the approach to handling the GDPR compliance processes • The metadata can be stored within each application or stored in a separate personal information management tool or be shared between them • The metadata can include: March 28, 2018 93 GDPR Metadata Description Personal Information Flag Flag indicating that the field contains personal data Sensitive Information Flag Flag indicating that the field contains sensitive personal data Retention Date The date up to which the information can be retained and after which it must be deleted Consent Identifier A link to where consent about the collection and processing of this data is held Consent Withdrawal Flag A flag indicating that consent to use the data has been withdrawn Data Erasure Flag A flag indicating that the data was erased GDPR Tracking Identifier Link to case management facility for activity relating to this field Restriction of Processing Flag A flag indicating that the processing of the data is restricted
Consolidated Personal Data Management • Implementation option 1 involves some form of Consolidated Personal Data Management that contains details on personal data being held in all organisation IT systems • Provides a centralised facility to operate GDPR without the need to make substantial changes to existing IT systems March 28, 2018 94 IT System 1 Person Personal Data Field 1 GDPR Details Personal Data Field 2 GDPR Metadzta Person 1 Person 2 Person 3 Data Store IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Consolidated Personal Data Management
Implementing Pseudonymisation • Pseudonymisation is concerned with removing the ability to link data to a person • Direct data access is replaced with indirect data access that requires some form of key, held separately from the personal data, to translate personal data into a usable format • Implementing pseudonymisation is complex • Remember - pseudonymisation is not a mandatory GDPR requirement March 28, 2018 95
Pseudonymisation • Pseudonymisation is widely used for research data containing personal information (such as medical trials) − https://www.openpseudonymiser.org/ • Data volumes very small and pseudonymisation performed in batch • Approach is not really suitable or scalable for a an operational business personal data processing environment March 28, 2018 96
Encryption And Key Pairs • Based on PKI (Public Key Infrastructure) • Based on Key Pairs • Each data sender and receiver gets a pair of keys: − Public Key − Private Key • The public keys are published and the private keys are kept secret • Communications involve only public keys and no private key is ever transmitted or shared • Anyone can encrypt with the public key, only one person can decrypt with the private key March 28, 2018 97
Key Pairs March 28, 2018 98 Data Application Data Store Public Key of Data Application Private Key of Data Application Public Key of Data Store Private Key of Data Store Data Application Knows This Data Store Knows This
Pseudonymisation And Key-Based Encryption • Pseudonymisation can be implemented using a single key pair or two key pairs • Single key pair − Encryption facility encrypts data using public key and decrypts using private key − Public and private keys are kept separate • Two key pairs − Data is encrypted twice – using the public key of the store and the private key of the application − Encryption facility encrypts data using public key of data store and the private key of data application and decrypts using private key − Public and private keys are kept separate March 28, 2018 99
Pseudonymisation And Single Key Pair March 28, 2018 100 IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Data 1 P 1 Data 2 P 1 Person 2 Data 1 P 2 Data 2 P 2 Person 3 Data 1 P 3 Personal Data Lose Or Allow Access To This And Personal Data Can Be Read By Anyone IT System Person Personal Data Field 1 Personal Data Field 2 6AC1B12B A51B6F4B E78A52F3 A27E3B3A 6E4DA618 CB9FC8AE 4F5C7F63 925A58D2 Personal Data Direct Data Access – No Encryption 1 Lose Or Allow Access To This And Personal Data Cannot Be Read With Ability to Decrypt 2 1. System Retrieves Encryption Public Key 2. Encrypted Data Written Using Public Key 3. Encrypted Data Decrypted Using Private Key 4. Decrypted Data Available for Use Encryption/ Decryption Layer 3 4 Direct Data Access – Encryption
Pseudonymisation Using Separate Encryption • This involves using application-level encryption combined with Data Store Key − Data Application generates random characters − Data Application encrypts data using random character as key − Data Application encrypts random characters with Data Store public key − Combine encrypted data and encrypted key as data sent to Data Store March 28, 2018 101 1 Public Key Storeb1952360d460d463eefb9d7a a3b306668b3f5e36a064e4256 b546e6fdca93ee7 2 188a955f463ab8339ee7843ce 5f09a76ed702a457890186c74 2b2706e7ab0e63d51ebd8b19 f13e091182137f63856978 3 = +4
Key Encryption With Key Pairs March 28, 2018 102 Encrypted with Public Key of Data Store Encrypted with Private Key of Data Application Data Applicatio n Data StoreData Read and Write Layer Decrypted with Private Key of Data Store Decrypted with Public Key of Data Application Write Data Read Data Unencrypt ed Data Decrypted Data
Pseudonymisation With Separate Keys For Each Individual Person - Write March 28, 2018 103 Person Identifier Person Public Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Person Identifier Person Private Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Data Application Public Key of Data Application Private Key of Data Application Data Store Write Data for Person 1 Step 1 Encrypt With Person 1 Public Key Step 2 Encrypt With Application Private Key Encrypted Data Decrypted Data Write
Pseudonymisation With Separate Keys For Each Individual Person - Read March 28, 2018 104 Person Identifier Person Public Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Person Identifier Person Private Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Data Application Public Key of Data Application Private Key of Data Application Data Store Read Data for Person 1 Step 2 Encrypt With Data Application Public Key Step 3 Decrypt With Person 1 Private Key Encrypted Data Step 1 Request Data for Person 1 Decrypted Data Read
Pseudonymisation And Data Breaches • Pseudonymisation means removing the direct link between data and its attribution to a specific individual − Direct data access is replaced with indirect data access that requires some form of key, held separately from the personal data, to translate personal data into a usable format − Adds a layer of complexity, time and expense to person identification − There is still an indirect link so the data is usable − Data is not being anonymised • There are many (complex) approaches to pseudonymisation • Pseudonymisation provides an extra layer of security − It does not in itself stop personal data being lost − It just reduces the likelihood that lost or leaked personal data can be read – both the encrypted data and the means to decrypt it must be lost or leaked March 28, 2018 105
Implementing Pseudonymisation • Potentially complex and expensive, depending on the implementation approach − Pseudonymise at the level of the database of all data − Pseudonymise at the level of the individual data record • Multiple implementation options and approaches − Use encryption facilities provided by data store (such as database software) − Using single key pair encryption for all data − Use two key pairs encryption for all data − Using single key pair encryption for each data record − Use two key pairs encryption for each data record March 28, 2018 106
How Far To Pseudonymise? • What identifies a person − Name − Address − Sex on its own does not identify a person uniquely − Sex + Date Of Birth could − Sex + Date Of Birth + City could further − Image or video recording − Recording of telephone call March 28, 2018 107
GDPR Compliance Management • separate system approach can be extended to provide additional facilities for some or all of: − Define and manage business processes that use personal data − Log requests of various types and their processing − Continuously monitor operational systems to identify changes in personal data − Log details on personal data audits and DPIAs − Data breach management − Personal data access portal − Case management for GDPR work with workflow and tracking • There are software vendors that offer such compliance solutions that provide some or all of the range of functions − However, the market is still embryonic and the optimum approach to achieving GDPR compliance is still uncertain − Investing in such technologies now may be premature − There are vendors and developers of existing software products classified as Master Data Management (MDM) or Data Integration Hubs that offer similar facilities that may also be used March 28, 2018 108
GDPR Compliance Management • Separate compliance management system can implement required operational processes • Can include functions of Consolidated Personal Data Management to hold details on where personal data is held March 28, 2018 109 IT System 1 Person Personal Data Field 1 GDPR Details Personal Data Field 2 GDPR Details Person 1 Person 2 Person 3 Data Store IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 GDPR Compliance Management Business Process 1 Business Process 2 Request Manager
GDPR-Related Software And Vendors • There are very many software vendors (claiming to) offer solutions that offer GDPR-related functionality across the GDPR compliance spectrum – following pages contain a partial list of vendors − Privacy Program Management – solutions designed specifically for the privacy office • Assessment managers tend to automate different functions of a privacy program, such as operationalising PIAs, locating risk gaps, demonstrating compliance, and helping privacy officers scale complex tasks requiring spreadsheets, data entry, and reporting • Consent managers help organisations collect, track, demonstrate and manage users’ consent • Data mapping solutions can come in manual or automated form and help organisations determine data flows throughout the enterprise • Incident response solutions help companies respond to a data breach incident by providing information to relevant stakeholders of what was compromised and what notification obligations must be met • Privacy information managers provide organisations with extensive and often automated information on the latest privacy laws around the world • Website scanning is a service that primarily checks a client’s website in order to determine what cookies, beacons and other trackers are embedded in order to help ensure compliance with various cookie laws and other regulations − Enterprise Privacy Management – solutions designed to service the needs of the privacy office alongside the overall business needs of an organisation • Activity monitoring helps organisations determine who has access to personal data and when it is being accessed or processed. These solutions often come with controls to help manage activity • Data discovery tends to be an automated technology that helps organisations determine and classify what kind of personal data they possess to help manage privacy risk and compliance • De-identification/pseudonymity solutions help data scientists, researchers and other stakeholders derive value from datasets without compromising the privacy of the data subjects in a given dataset • Enterprise communications are solutions that help organisations communicate internally in a secure way in order to avoid embarrassing or dangerous leaks of employee communications March 28, 2018 110
GDPR-Related Software And Vendors - 1 March 28, 2018 111 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning 2B Advice https://www.2b- advice.com/ ● 3PHealth https://www.3phealth.com/ ● ● Aircloak http://www.aircloak.com/ ● Alation https://alation.com/ ● ● ● Anonos https://www.anonos.com/ ● Arcad http://arcadsoftware.com/ ● Audito https://www.audito.fr/ ● Automated Intelligence https://www.automated- intelligence.com/ ● ● ● AvePoint https://www.avepoint.com/ ● ● ● ● Baycloud https://baycloud.com/ ● ● BigID https://bigid.com/ ● ● ● BitSight https://www.bitsighttech.co m/ ● Bloomberg Law https://www.bna.com/priva cy-data-security/ ● BMC http://www.bmc.com/it- solutions/gdpr- compliance.html ● ● ● Chino.io https://chino.io/ ● CipherCloud https://www.ciphercloud.co m/ ● ● ● Clearswift https://www.clearswift.com / ● ● ●
GDPR-Related Software And Vendors - 2 March 28, 2018 112 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Clearwater Compliance https://www.clearswift.com / ● ● Cognigo https://cognigo.com/ Collibra https://www.collibra.com/ ● ● CompliancePoint http://compliancepoint.com / ● ● ● CompLions-GRC BV https://www.complions- grc.nl/ ● ● ● ● ● Consentric https://consentric.io/ ● Consentua http://www.consentua.com/ ● Crownpeak https://www.crownpeak.co m/ ● Cryptzone https://www.cryptzone.com / ● CSR https://csrps.com/ ● Cybernetica https://sharemind.cyber.ee/ ● D.Day Labs http://www.dataprotectionp eople.com/datawise/ ● ● ● ● Data Protection People https://www.dataguidance.c om/ ● DataGravity https://www.dataguise.com / ● ● ● DataGuidance https://www.datastreams.io / ● Dataguise http://www.datumstrategy.c om/gdpr-solution ● ● Datastreams.io http://de-id.com/ ● ● ● Datum https://www.didomi.io/en/ DE-ID Data Corp https://www.2b- advice.com/ ● Didomi https://www.3phealth.com/ ● ● ●
GDPR-Related Software And Vendors - 3 March 28, 2018 113 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning DLP Assured http://www.dlp- assured.com/ ● ● DocEx https://www.docex.com/ ● ● ● DPOrganizer https://www.dporganizer.co m/ ● ● DSS Consulting Ltd. http://www.dss.hu/en/ ● ● ● ● ● ● Egnyte https://www.egnyte.com/ ● ● ● Ensighten https://www.ensighten.com / ● ● EPI-USE Labs https://www.epiuselabs.co m/ ● ● EuroComply http://www.eurocomply.co m/ ● Evidon https://www.evidon.com/ ● ● Exonar https://www.exonar.com/ ● ● ● Fastweb http://www.fastweb.it/corp orate/ ● Frama Systems India https://www.frama.com/en/ ● Global IDs http://www.globalids.com/ ● ● ● HaloPrivacy http://www.haloprivacy.com / ● Heliometric https://heliometrics.net/ HexaTier http://www.hexatier.com/ ● ● ●
GDPR-Related Software And Vendors - 4 March 28, 2018 114 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Hytrust/DataGravity https://www.hytrust.com/ ● ● Immuta https://www.immuta.com/ ● ● ● ● Indica https://indica.nl/ ● ● Informatica https://www.informatica.co m/ ● ● ● ● ● Information Builders https://www.informationbui lders.com/ ● Integris https://integris.io/ ● ● ● ● ● ISMS.online https://www.isms.online/ ● ● iWelcome https://www.iwelcome.com / ● Kroll https://www.kroll.com/en- us/default.aspx ● ● Kryptowire https://www.kryptowire.co m/ ● ● The Media Trust http://www.mentisoftware.c om/ ● ● ● ● Mentis https://www.metacomplianc e.com/products/policy- management/ ● ● ● MetaCompliance https://minereye.com/ ● ● ● Miner Eye https://www.nymity.com/ ● ● ● Nymity https://www.obsequiosoftw are.com/ ● ● ● Obsequio Software https://onetrust.com/ ● OneTrust https://www.opus.com/ ● ● ● ● ● ● Opus https://www.pactsafe.com/f eatures ● ● ● PactSafe http://www.dlp- assured.com/ ●
GDPR-Related Software And Vendors - 5 March 28, 2018 115 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De- identification/ Pseudonymity Enterprise Communicatio ns Incident Response Privacy Information Manager Website Scanning PlanetVerify https://www.planetverify.co m/ ● Port.im https://www.port.im/ ● ● ● ● ● ● Predesto https://www.predesto.com/ ● ● Prifender http://www.prifender.com/ ● ● ● Prince Group NL http://www.princegroup.nl/ ● Privacera http://www.privacera.com/ ● ● Privacy Analytics https://privacy- analytics.com/ ● Privacy Company https://www.privacycompan y.eu/ ● ● ● Privacy Lab https://www.privacylab.it/ ● ● ● ● PrivacyCheq http://www.privacycheq.co m/ ● PrivacyPerfect https://www.privacyperfect. com/ ● ● Privaon https://privaon.com/ ● priVapp https://privapp.com/ ● Privitar https://www.privitar.com/ ● Proofpoint https://www.proofpoint.co m/ ● ● ● ● Protegrity http://www.protegrity.com/ ● Protenus https://www.protenus.com/ ● ● ●
GDPR-Related Software And Vendors - 6 March 28, 2018 116 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Proteus-Cyber Ltd https://www.protenus.com/ ● ● ● ● ● ● Qixium https://qixium.com/ ● ● ● Radar https://www.radarfirst.com/ ● ● Raptor Compliance https://www.raptorcomplia nce.com/ ● ● ● Resilient https://www.raptorcomplia nce.com/en/ ● Rever http://www.rever.eu/ ● ● RISMA Systems http://rismasystems.com/ ● ● SafeHarbour BV https://safeharbour.nl/ ● ● ● SAS Global Data Management https://www.sas.com/en_us /solutions/personal-data- protection.html ● ● ● SecuPi https://www.secupi.com/ ● ● ● ● SecureB2B https://www.secureb2b.co.u k/ ● ● Security Scorecard https://securityscorecard.co m/ ● Senzing https://senzing.com/ ● ● ● ● Signatu https://signatu.com/ ● ● ● SkyHigh https://www.skyhighnetwor ks.com/ ● ● ● Smartpipe Solutions http://www.smartpipesoluti ons.com/ ●
GDPR-Related Software And Vendors - 7 March 28, 2018 117 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning SoftwareAG https://www.softwareag.co m/ ● Solidatus https://www.solidatus.com/ ● ● ● SophiMail http://www.sophimail.com/ ● Statice https://www.statice.io/ ● Structure Systems https://www.structure.syste ms/ ● ● ● Sytorus https://sytorus.com/Privacy Engine ● Talend https://www.talend.com/pr oducts/metadata-manager/ ● ● Tealium https://tealium.com/ ● ● ● Thomson Reuters https://www.themediatrust. com/ ● Tresorit https://www.thomsonreuter s.ca/en/data-privacy- advisor.html ● ● Trunomi https://www.tresorit.com/ ● TrustArc https://www.tresorit.com/ ● ● ● ● Trust-Hub https://www.trustarc.com/ ● ● ● USoft https://www.trust-hub.com/ ● Varonis https://www.usoft.com/ ● ● ● Veritas https://www.varonis.com/ ● ● ● ● Virtru https://www.veritas.com/ ● Vysk https://www.virtru.com/ ● Whistic https://www.vysk.com/ ● Wickr https://www.whistic.com/ ● WireWheel.io https://www.wickr.com/ ● ● ● ● ● Wizuda https://www.wirewheel.io/ ● ● ZLTech https://wizuda.com/ ● ●
GDPR-Related Software And Vendors • Very crowded market with many small vendors • Existing vendors are claiming GDPR functionality for their products • Not all software will be available in all countries • There will be market consolidation and reduction as the real needs of organisations looking to achieve GDPR compliance become more well defined over time March 28, 2018 118
Beware Of Snake-Oil Salesmen Peddling Quick-Win Panaceas To GDPR Compliance March 28, 2018 119 • Don’t be confused by approaches to implementation or operation (the How) with the complexity of what has to be done (the What) and how it needs to operate in the long term
GDPR and Outsourcing March 28, 2018 120
GDPR And Outsourcing • Outsourcing of personal data processing occurs in many ways and is quite pervasive. It includes any third-party IT system or service provider that is located outside the organisation that is used to store and process personal data • Outsourcing includes: − Processing of personal data on behalf of the organisation (BPO - Business Process Outsourcing) − Provides information technology services (ITO – Information Technology Outsourcing) − Specific outsourcing arrangements such as HRO – Human Resources Outsourcing, LPO - Legal Process Outsourcing, Outsourced Document Processing, Contact Centre Outsourcing − Social media used to communicate with persons − Marketing and contact systems − External document and data storage − External applications (hosted, cloud) March 28, 2018 121
GDPR And Outsourcing • GDPR CHAPTER V Transfers of personal data to third countries or international organisations Articles 44-50 and recitals 111-116 covers the topic of outsourcing • Includes details on Binding Corporate Rules (BCRs) − Also covered in recitals 107-110 March 28, 2018 122
GDPR And Outsourcing • The impact of GDPR on outsourcing depends on factors such as: − The type of personal data − The type of processing performed on the personal data − How the personal data is accessed − Whether personal data, either original or derived, is stored on systems located in the outsourcing undertaking • The same GDPR principles regarding areas such as right of access, right of erasure and data portability apply to personal data being held in the outsourcing undertaking as apply to the organisation that has entered into the outsourcing arrangement March 28, 2018 123
GDPR And Outsourcing • The ultimate responsibility to comply with the GDPR ultimately lies with the organisation relying on these third parties • There are existing standards and approaches that can be adopted for use with GDPR compliance − There is no need to develop new GDPR-specific standards and approaches • Service Organisation Controls (SOC) originally related to auditing of financial transactions performed by third-parties and the controls in place. Over time, these have been extended to cover the operation of the service and its compliance with security, availability, reliability, confidentiality and privacy. This evolution consisted of: − 1993 – Statement on Auditing Standards (SAS) No. 70, Service Organizations − 2008 – Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy − 2010 – Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization − 2011 – International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization − 2015 – Updated Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy − 2016 – Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation March 28, 2018 124
GDPR And Outsourcing • These standards have been developed by American Institute of Certified Public Accountants (AICPA - https://www.aicpa.org/ ) and International Auditing and Assurance Standards Board (IAASB - https://www.iaasb.org/ ) • While they originated from an auditing background, they are more widely and generally applicable • The material can be reused and applied when drafting service agreements with third-party suppliers and in defining the controls to be applied and audited. • There are five core Trust Services Principles: 1. Security -The system is protected against unauthorised access, use, or modification 2. Availability - The system is available for operation and use as committed or agreed 3. Processing Integrity - System processing is complete, valid, accurate, timely, and authorised 4. Confidentiality - Information designated as confidential is protected as committed or agreed 5. Privacy – This applies the generally accepted privacy principles (GAPP) • The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) − This closely mirrors the privacy principles of GDPR March 28, 2018 125
GDPR And Outsourcing • Generally Accepted Privacy Principles consists of 10 principles that are very similar to GDPR: 1. Management - The entity defines documents, communicates, and assigns accountability for its privacy policies and procedures 2. Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed 3. Choice and Consent - The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information 4. Collection - The entity collects personal information only for the purposes identified in the notice 5. Use and Retention - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information 6. Access - The entity provides individuals with access to their personal information for re-view and update 7. Disclosure to Third Parties - The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual 8. Security for Privacy - The entity protects personal information against unauthorised access (both physical and logical) 9. Quality - The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice 10. Monitoring and Enforcement - The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes March 28, 2018 126
March 28, 2018 127 External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Outsourcing Arrangement 1 Desktop Devices Extension of Organisation Network to Provider of Outsourced Services 1 2 2 3 4 5 6 7 8 9 Internal Network Of Provider of Outsourced Services 10
GDPR and Outsourcing – High Level Representation Elements 1. Outsourcing Organisation – this is the organisation that is outsourcing the delivery of services to the service provider 2. Desktop Devices – these are desktop devices that access IT systems and applications that contain personal data 3. Application Servers – this represents the set of infrastructure and IT systems and applications that store and process personal data 4. External Network Access Infrastructure – this is the set of infrastructure – external and internal firewalls, routers, load balancers, proxy servers, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, remote access facilities such as VPN (Virtual Private Network) – that comprise the external network access provision and control within both the Outsourcing Organisation and the Provider of Outsourced Services 5. Provider of Outsourced Services – this is the organisation providing the outsourced services to the Outsourcing Organisation 6. Outsourcing Arrangement 1 – this represents the outsourcing arrangement between the Provider of Outsourced Services and the Outsourcing Organisation 7. Extension of Organisation Network to Provider of Outsourced Services – this represents the facility or mechanism by which the Provider of Outsourced Services accesses personal data contained in or collected by Outsourcing Organisation. Personal data can remain within the Outsourcing Organisation and be accessed remotely or the data can be transferred to the Provider of Outsourced Services 8. Outsourcing Arrangement 2 – this represents another outsourcing arrangement the Provider of Outsourced Services has with another different client 9. Outsourcing Arrangement 3 – this represents another outsourcing arrangement the Provider of Outsourced Services has with another different client 10. Internal Network Of Provider of Outsourced Services – this represents the entire internal IT network of the Provider of Outsourced Services March 28, 2018 128
Operating Option 1 - Data Remains with Outsourcing Organisation and Accessed By Provider of Outsourced Services • In this operating option, the personal data remains within the network of the Outsourcing Organisation where it is accessed over a secure network connection (such as IPsec over a VPN) by the Provider of Outsourced Services March 28, 2018 129
March 28, 2018 130 External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Application Servers Desktop Devices Application Servers Internal Network Of Provider of Outsourced Services
Operating Option 1 - Data Remains with Outsourcing Organisation and Accessed By Provider of Outsourced Services • The specific factors in the operation of this configuration that affect GDPR compliance include: − The nature of the desktop device used to perform the access − The degree to which the access to the Outsourcing Organisation is controlled within the network of the Provider of Outsourced Services and how isolated the access arrangements are • The access device can be a standard PC or a thin client. With a standard PC, the access can be using software such as Citrix or a hosted desktop or a virtual desktop (VDI or Virtualised Desktop Infrastructure) • If the access is by a standard PC that have remote access to applications that contain personal data within the Outsourcing Organisation it is possible that data from these applications could be copied and pasted to local applications and then printed, copied or sent elsewhere unless this copying and pasting is disabled. Even if this is disabled, screenshots of the application screens containing personal data could be taken and stored locally • If the access is by a thin client then the data copying options are fewer. It would still be possible for data to be transcribed manually or photographs be taken of the application screens containing personal data • The personal data is being viewed at a distance by people outside the EU even though the network on which the applications containing the personal data remain within the EU. GDPR applies to this processing arrangement March 28, 2018 131
Operating Option 2 - Data Transferred from Outsourcing Organisation to Provider of Outsourced Services • In this operating option, the personal data is transferred to the Provider of Outsourced Services where it is processed and the results transferred back to the Outsourcing Organisation March 28, 2018 132
March 28, 2018 133 External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services
Information Technology Outsourcing (ITO) • Organisation application infrastructure located in service provider facility • Users within organisation access remotely located applications − The access device can be a standard PC or a thin client − With a standard PC, the access can be using software such as Citrix or a hosted desktop or a virtual desktop (VDI or Virtualised Desktop Infrastructure) March 28, 2018 134
External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Outsourcing Arrangement 1 Desktop Devices Extension of Organisation Network to Provider of Outsourced Services 1 2 2 3 4 5 6 7 8 9 Internal Network Of Provider of Outsourced Services 10 March 28, 2018 135
External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services X X X X March 28, 2018 136
Isolating Outsourcing Operations Within the Provider of Outsourced Services • The team working on the outsourcing arrangement with the Outsourcing Organisation should be isolated from other teams and vice versa • Access to personal data, irrespective of how the data is accessed, should be restricted using internal network and security controls March 28, 2018 137
External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services Interim Data Transfer and Storage Facility March 28, 2018 138
Use of Third-Party Data Transfer Mechanisms • Third-party data transfer mechanisms are commonly used to transfer data between organisations • These mechanisms included externally hosted data storage and messaging queueing facilities such as Advanced Message Queuing Protocol (AMQP), (s)FTP and applications such as Dropbox • If personal data is being transferred using these mechanisms then the data transfer process and the temporary data storage platform GDPR applies to this data transfer arrangement March 28, 2018 139
Data Security • Physical data security is required where the data is: − In Transit - When data is being transferred between system, application and infrastructure components such as over the network − At Rest – When data is being stored • Data should be protected when it is in both states • In particular, protecting data in transit is an essential part of the organisation’s overall data protection strategy • Always, at the very least, use SSL/TLS protocols when exchanging data between different locations • May want to isolate the entire communication channel between the two data end-points by using a virtual private network (VPN) • If data is being transferred for processing elsewhere then it should be encrypted using a standard such as PKI (Public Key Encryption) March 28, 2018 140
Controls To Achieve GDPR Compliance Within Outsourcing Control Area Control Requirement Control Check • GDPR compliance is achieved using a combination of technology and business processes and associated controls March 28, 2018 141
Control Area - Build And Maintain A Secure Network And Systems March 28, 2018 142 Control Area Control Requirement Control Check Build And Maintain A Secure Network And Systems Install And Maintain A Firewall Configuration To Protect Data Firewall And Router Configuration Standards Established And Implemented Firewall And Router Configurations Restrict Connections Between Untrusted Networks And Any System In The Personal Data Environment Direct Public Access Prohibited Between The Internet And Any System Component In The Personal Data Environment, Personal Firewall Software (Or Equivalent Functionality) Installed And Active On Any Portable Computing Devices (Including Company And/Or Employee-Owned) That Connect To The Internet When Outside The Network (For Example, Laptops Used By Employees), And Which Are Also Used To Access Personal Firewall Software (Or Equivalent Functionality) Configured To Specific Configuration Settings, Actively Running, And Not Alterable By Users Of Mobile And/Or Employee-Owned Devices? Security Policies And Operational Procedures For Managing Firewalls Documented, In Use And Known To All Affected Parties Do Not Use Vendor-Supplied Defaults For System Passwords And Other Security Parameters Vendor-Supplied Defaults Always Changed Before Installing A System On The Network Configuration Standards Developed For All System Components And Are They Consistent With Industry-Accepted System Hardening Standards Non-Console Administrative Access Encrypted An Inventory Maintained For Systems Components That Are In Scope, Including A List Of Hardware And Software Components And A Description Of Function/Use For Each Security Policies And Operational Procedures For Managing Vendor Defaults And Other Security Parameters For A Shared Hosting Provider, Your Systems Configured To Protect Each Entity’s (Your Customers’) Hosted Environment And Personal Data
Control Area - Protect Personal Data March 28, 2018 143 Control Area Control Requirement Control Check Protect Personal Data Protect Stored Personal Data Data-Retention And Disposal Policies, Procedures, And Processes Implemented For Issuers And/Or Companies That Support Issuing Services And Store Sensitive Authentication Data Documented Business Justification For The Storage Of Sensitive Authentication Data Keys Used To Secure Stored Personal Data Protected Against Disclosure And Misuse All Key-Management Processes And Procedures Fully Documented And Implemented For Cryptographic Keys Used For Encryption Of Personal Data Security Policies And Operational Procedures For Protecting Stored Personal Data Encrypt Transmission Of Personal Data Across Open, Public Networks Strong Cryptography And Security Protocols Used To Safeguard Sensitive Personal Data During Transmission Over Open, Public Networks Security Policies And Operational Procedures For Encrypting Transmissions Of Personal Data
Control Area - Maintain A Vulnerability Management Program March 28, 2018 144 Control Area Control Requirement Control Check Maintain A Vulnerability Management Program Protect All Systems Against Malware And Regularly Update Anti-Virus Software Or Programs Anti-Virus Software Deployed On All Systems Anti-Virus Mechanisms Maintained All Anti-Virus Mechanisms Actively Running And Unable To Be Disabled Or Altered By Users Security Policies And Operational Procedures For Protecting Systems Against Malware Documented, In Use And Known To All Affected Parties Develop And Maintain Secure Systems And Applications Process To Identify Security Vulnerabilities All System Components And Software Protected From Known Vulnerabilities By Installing Applicable Vendor-Supplied Security Patches Software- Development Processes Based On Industry Standards And/Or Best Practices Change Control Processes And Procedures Followed For All Changes To System Components Software-Development Processes Address Common Coding Vulnerabilities Security Policies And Operational Procedures For Developing And Maintaining Secure Systems And Applications Documented, In Use And Known To All Affected Parties
Control Area - Implement Strong Access Control Measures March 28, 2018 145 Control Area Control Requirement Control Check Implement Strong Access Control Measures Restrict Access To Personal Data By Business Need To Know Access To System Components And Personal Data Limited To Only Those Individuals Whose Jobs Require Such Access Access Control System(S) In Place For System Components To Restrict Access Based On A User’s Need To Know, And Is It Set To “Deny All” Unless Specifically Allowed Security Policies And Operational Procedures For Restricting Access To Personal Data Documented, In Use And Known To All Affected Parties Identify And Authenticate Access To System Components Policies And Procedures For User Identification Management Controls Defined And In Place For Non-Consumer Users And Administrators On All System Components All Individual Non-Console Administrative Access And All Remote Access Secured Using Multi-Factor Authentication, Authentication Policies And Procedures Documented And Communicated To All Users Group, Shared, Or Generic Accounts, Passwords, Or Other Authentication Methods Prohibited Where Other Authentication Mechanisms Are Used (For Example, Physical Or Logical Security Tokens, Smart Cards, And Certificates, Etc.) Assigned To An Individual Account And Physical And/Or Logical Controls Must Be In Place To Ensure Only The Intended Account Can Use That Mechanism To Gain Access All Access To Any Database Containing Personal Data (Including Access By Applications, Administrators, And All Other Users) Restricted Security Policies And Operational Procedures For Id Identification And Authentication Documented, In Use And Known To All Affected Parties Restrict Physical Access To Personal Data Appropriate Facility Entry Controls In Place To Limit And Monitor Physical Access To Systems In The Personal Data Environment Procedures Developed To Easily Distinguish Between Onsite Personnel And Visitors Physical Access To Sensitive Areas Controlled For Onsite Personnel Visitor Identification And Access Handled All Media Physically Secured (Including But Not Limited To Computers, Removable Electronic Media, Paper Receipts, Paper Reports, And Faxes) Strict Control Maintained Over The Internal Or External Distribution Of Any Kind Of Media Strict Control Maintained Over The Storage And Accessibility Of Media All Media Destroyed When It Is No Longer Needed For Business Or Legal Reasons
Control Area - Regularly Monitor And Test Networks March 28, 2018 146 Control Area Control Requirement Control Check Regularly Monitor And Test Networks Track And Monitor All Access To Network Resources And Personal Data Audit Trails Enabled And Active For System Components Automated Audit Trails Implemented For All System Components To Reconstruct Events Audit Trail Entries Recorded For All System Components For Each Event All Critical System Clocks And Times Synchronised Through Use Of Time Synchronisation Technology, And Is The Technology Kept Current Audit Trails Secured So They Cannot Be Altered Logs And Security Events For All System Components Reviewed To Identify Anomalies Or Suspicious Activity Audit Log Retention Policies And Procedures In Place And Do They Require That Logs Are Retained For At Least One Year, With A Minimum Of Three Months Immediately Available For Analysis (For Example, Online, Archived, Or Restorable From Backup) Process Implemented For The Timely Detection And Reporting Of Failures Of Critical Security Control Systems Failures Of Any Critical Security Controls Responded To In A Timely Manner Security Policies And Operational Procedures For Monitoring All Access To Network Resources And Personal Data Documented, In Use And Known To All Affected Parties Regularly Test Security Systems And Processes Processes Implemented For Detection And Identification Of Both Authorised And Unauthorised Wireless Access Points On A Quarterly Basis Internal And External Network Vulnerability Scans Run At Least Quarterly And After Any Significant Change In The Network (Such As New System Component Installations, Changes In Network Topology, Firewall Rule Modifications, Product Upgrades) Industry-Accepted Penetration Testing Approaches (For Example, NIST SP800-115) Used Intrusion-Detection And/Or Intrusion-Prevention Techniques That Detect And/Or Prevent Intrusions Into The Network In Place To Monitor All Traffic: Change-Detection Mechanism (For Example, File-Integrity Monitoring Tools) Deployed To Detect Unauthorised Modification (Including Changes, Additions, And Deletions) Of Critical System Files, Configuration Files, Or Content Files Security Policies And Operational Procedures For Security Monitoring And Testing Documented, In Use And Known To All Affected Parties
Control Area - Maintain An Information Security Policy March 28, 2018 147 Control Area Control Requirement Control Check Maintain An Information Security Policy Maintain A Policy That Addresses Information Security For All Personnel Security Policy Established, Published, Maintained, And Disseminated To All Relevant Personnel An Annual Risk Assessment Process Implemented That Identifies Critical Assets, Threats, And Vulnerabilities And Results In A Formal, Documented Analysis Of Risk Usage Policies For Critical Technologies Developed To Define Proper Use Of These Technologies Security Policy And Procedures Clearly Define Information Security Responsibilities For All Personnel Responsibility For Information Security Formally Assigned To A Chief Security Officer Or Other Security-Knowledgeable Member Of Management Formal Security Awareness Program In Place To Make All Personnel Aware Of The Personal Data Security Policy And Procedures Potential Personnel Screened Prior To Hire To Minimise The Risk Of Attacks From Internal Sources Policies And Procedures Maintained And Implemented To Manage Service Providers With Whom Personal Data Is Shared, Or That Could Affect The Security Of Personal Data Acknowledge In Writing To Customers That They Are Responsible For The Security Of Personal Data The Service Provider Possesses Or Otherwise Stores, Processes, Or Transmits On Behalf Of The Customer, Or To The Extent That They Could Impact The Security Of The Customer’s Personal Data Environment Incident Response Plan Been Implemented In Preparation To Respond Immediately To A System Breach Reviews Performed At Least Quarterly To Confirm Personnel Are Following Security Policies And Operational Procedures
Control Area - Shared Hosting Configuration March 28, 2018 148 Control Area Control Requirement Control Check Shared Hosting Configuration Shared Hosting Configuration Each Entity’s Hosted Environment And Data Protected Each Entity Run Processes That Have Access To Only That Entity’s Personal Data Environment, And Are These Application Processes Run Using The Unique ID Of The Entity Each Entity’s Access And Privileges Restricted To Its Own Personal Data Environment Logging And Audit Trails Enabled And Unique To Each Entity’s Personal Data Environment Written Policies And Processes Enabled To Provide For Timely Forensic Investigation In The Event Of A Compromise To Any Hosted Entity
Outsourcing Compliance Standards • The IAASB principles and essential procedures for performing assurance engagements can be found in section INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 − http://www.ifrs.org.ua/wp-content/uploads/2014/11/2014-IAASB- HANDBOOK-VOLUME-2.pdf • The detailed Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy document − https://www.itm21st.com/Content/Documents/trustservicesprinciples- tsp100.pdf • The Service Organisation Controls (SOC) report is a formal review of the operation of these principles. More details on the SOC report covering Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy − https://www.isaca.org/Groups/Professional-English/isae- 3402/Documents/SOC2.pdf March 28, 2018 149
Outsourcing Compliance Standards March 28, 2018 150 Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy Service Organisation Controls (SOC) Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy Defines Trust Standards Defines of Engagement Approach
Article 29 Working Party Guidelines on Article 49 of GDPR • The Article 29 Working Party has published draft Guidelines on Article 49 of the GDPR for comment – see: − http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614232 • Article 49 covers derogations for specific situations to Article 45 Transfers on the basis of an adequacy decision: − 1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: − (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; − (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; − (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; − (d) the transfer is necessary for important reasons of public interest; − (e) the transfer is necessary for the establishment, exercise or defence of legal claims; − (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; − (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case March 28, 2018 151
Data Governance March 28, 2018 152
Data Governance – Definition and Goals • Definition − The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets • Goals − To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics − To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures − To sponsor, track, and oversee the delivery of data management projects and services − To manage and resolve data related issues − To understand and promote the value of data assets March 28, 2018 153
March 28, 2018 154 Data Governance • Capstone of Data Management initiatives Database Architecture Management Data Warehousing and Business Intelligence Management Data Quality Management Data Security Management Metadata Management Data Development Data Operations Management Reference and Master Data Management Document and Content Management Data Governance
Data Governance And GDPR • Data Governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets. • The scope of Data Governance is: − To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics − To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures − To sponsor, track, and oversee the delivery of data management projects and services − To manage and resolve data related issues − To understand and promote the value of data assets • The objectives of Data Governance are: − Guide information management decision-making − Ensure information is consistently defined and well understood − Increase the use and trust of data as an organisation asset − Improve consistency of projects across the organisation − Ensure regulatory compliance − Eliminate data risks • Rather than being a siloed compliance project, GDPR belongs as part of a wider organisation data governance initiative • Data governance is accomplished most effectively as an on-going program and a continual improvement process March 28, 2018 155
Data Governance • Core function of Data Management • Interacts with and influences each of the surrounding ten data management functions • Data governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets • Data governance function guides how all other data management functions are performed • High-level, executive data stewardship • Data governance is not the same thing as IT governance • Data governance is focused exclusively on the management of data assets March 28, 2018 156
March 28, 2018 157 Data Governance • Shared decision making is the hallmark of data governance • Requires working across organisational and system boundaries • Some decisions are primarily business decisions made with input and guidance from IT • Other decisions are primarily technical decisions made with input and guidance from business data stewards at all levels Business Operating Model IT Leadership Capital Investments Research and Development Funding Data Governance Model Enterprise Information Model Information Needs Information Specifications Quality Requirements Issue Resolution Information Management Strategy Information Management Policies Information Management Standards Information Management Metrics Information Management Services Database Architecture Data Integration Architecture Data Warehousing Architecture Metadata Architecture Technical Metadata Decisions Made by Business Management Decisions Made by IT Management
Data Governance and IT Governance • IT Governance makes decisions about − IT investments − IT application portfolio − IT project portfolio • IT Governance aligns the IT strategies and investments with enterprise goals and strategies • COBIT (Control Objectives for Information and related Technology) provides standards for IT governance − Only a small portion of the COBIT framework addresses managing information • Some critical issues, such as Sarbanes- Oxley compliance, span the concerns of corporate governance, IT governance, and data • Data Governance is focused exclusively on the management of data assets • Data Governance is at the heart of managing data assets March 28, 2018 158
March 28, 2018 159 Data Governance - Overview •Business Goals •Business Strategies •IT Objectives •IT Strategies •Data Needs •Data Issues •Regulatory Requirements Inputs •Business Executives •IT Executives •Data Stewards •Regulatory Bodies Suppliers •Intranet Website •E-Mail •Metadata Tools •Metadata Repository •Issue Management Tools •Data Governance KPI •Dashboard Tools •Executive Data Stewards •Coordinating Data Stewards •Business Data Stewards •Data Professionals •DM Executive •CIO Participants •Data Policies •Data Standards •Resolved Issues •Data Management Projects and Services •Quality Data and Information •Recognised Data Value Primary Deliverables •Data Producers •Knowledge Workers •Managers and Executives •Data Professionals •Customers Consumers •Data Value •Data Management Cost •Achievement of Objectives •# of Decisions Made •Steward Representation / Coverage •Data Professional Headcount •Data Management Process Maturity Metrics Data Governance
March 28, 2018 160 DMBOK, TOGAF and COBIT TOGAF Defines the Process for Creating a Data Architecture as Part of an Overall Enterprise Architecture COBIT Provides Data Governance as Part of Overall IT Governance DMBOK Provides Detailed for Definition, Implementation and Operation of Data Management and Utilisation Can be a Precursor to Implementing Data Management Can Provide a Maturity Model for Assessing Data Management DMBOK Is a Specific and Comprehensive Data Oriented Framework
Data Governance Function, Activities and Sub- Activities March 28, 2018 161 Data Governance Data Management Planning Understand Strategic Enterprise Data Needs Develop and Maintain the Data Strategy Establish Data Professional Roles and Organisations Identify and Appoint Data Stewards Establish Data Governance and Stewardship Organisations Develop and Approve Data Policies, Standards, and Procedures Review and Approve Data Architecture Plan and Sponsor Data Management Projects and Services Estimate Data Asset Value and Associated Costs Data Management Control Supervise Data Professional Organisations and Staff Coordinate Data Governance Activities Manage and Resolve Data Related Issues Monitor and Ensure Regulatory Compliance Monitor and Enforce Conformance with Data Policies, Standards and Architecture Oversee Data Management Projects and Services Communicate and Promote the Value of Data Assets
March 28, 2018 162 Data Governance - Possible Organisation Structure Data Governance Structure Organisation Data Governance Council Business Unit Data Governance Councils Data Stewardship Committees Data Stewardship Teams Data Governance Office CIO Data Technologists Data Management Executive
March 28, 2018 163 DMBOK, TOGAF and COBIT – Scope and Overlap DMBOK COBIT TOGAF Data Governance Data Architecture Management Data Management Data Migration Data Development Data Operations Management Reference and Master Data Management Data Warehousing and Business Intelligence Management Document and Content Management Metadata Management Data Quality Management Data Security Management
COBIT 5 IT Governance Framework COBIT Evaluate, Direct and Monitor (EDM) 01 Ensure Governance Framework Setting And Maintenance 02 Ensure Benefits Delivery 03 Ensure Risk Optimisation 04 Ensure Resource Optimisation 05 Ensure Stakeholder Transparency Align, Plan and Organise (APO) 01 Manage The IT Management Framework 02 Manage Strategy 03 Manage Enterprise Architecture 04 Manage Innovation 05 Manage Portfolio 06 Manage Budget And Costs 07 Manage Human Resources 08 Manage Relationships 09 Manage Service Agreements 10 Manage Suppliers 11 Manage Quality 12 Manage Risk 13 Manage Security Build, Acquire and Implement (BAI) 01 Manage Programmes And Projects 02 Manage Requirements Definition 03 Manage Solutions Identification And Build 04 Manage Availability And Capacity 05 Manage Organisational Change Enablement 06 Manage Changes 07 Manage Change Acceptance And Transitioning 08 Manage Knowledge 09 Manage Assets 10 Manage Configuration Deliver, Service and Support (DSS) 01 Manage Operations 02 Manage Service Requests And Incidents 03 Manage Problems 04 Manage Continuity 05 Manage Security Services 06 Manage Business Process Controls Monitor, Evaluate and Assess (MEA) 01 Monitor, Evaluate And Assess Performance And Conformance 02 Monitor, Evaluate And Assess The System Of Internal Control 03 Monitor, Evaluate And Assess Compliance With External Requirements March 28, 2018 164
COBIT 5 – Data Governance Details March 28, 2018 165 COBIT Align, Plan and Organise (APO) APO 01 Manage The IT Management Framework APO 01.06 Define Information (Data) and System Ownership Data Classification Guidelines Data Security And Control Guidelines Data Integrity Procedures
Data Ethics March 28, 2018 166
Data Ethics • Data ethics is concerned with the study and assessment of moral problems related to (generally personal and possibly sensitive) data along its lifecycle from collection or generation to usage • Implicitly, GDPR is concerned with data ethics − While data ethics is an abstract topic and far removed from the initial concerns of becoming compliant with GDPR is the face of business, technical and time challenges it one that will become more important over time • Data ethics includes the use of data process algorithms to derive data products in relation to which there may be moral and ethical concerns • One objective of data ethics is to articulate and communicate what are morally good personal data processing solutions and approaches • The increasing volume of personal data available and collected, both directly and indirectly – behaviour-type data – and associated data technologies – both data storage and data analysis tools and facilities - has extended the gap between what is possible in terms of personal data processing and what is should or legally can happen • The data collectors have substantial power and influence • The growth of free social media platforms means that information directly supplied and information derived from usage patterns is the commodity from which value can be obtained March 28, 2018 167
Data Ethics • Data ethics issues now arise because: − A very wide range of personal data is readily available from many sources − The cost of integrating data from these many sources continues to fall − The technical abilities to integrate, correlate and derive insight from these data sources are becoming readily and easily available − Individuals, patterns of behaviour and insights about them can be identified very accurately − The locations of individuals can be identified quickly and accurately − Information can be collected, processed and results identified in real-time or near real-time March 28, 2018 168
Data Ethics • Decreasing sets of data and data processing activities − Data Processing The Organisation World Like to Do − Technical Possible Data Processing − Legally Allowed Data Processing − Ethical Data Processing March 28, 2018 169 Technically Possible Data Processing Data Processing The Organisation World Like to Do Legally Allowed Data Processing Ethical Data Processing
Summary • The impact of GDPR cannot really be estimated or quantified at this stage • There is a wider context for GDPR • The range of data compliance regulations is only growing • Achieving GDPR compliance has the potential to be very expensive, especially for larger organisations • GDPR compliance should be addressed in the context of wider data governance • Reuse existing methodologies where possible March 28, 2018 170
More Information Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney 28 March 2018 171

More Related Content

PDF
Introdution to Dataops and AIOps (or MLOps)
byAdrien Blind
 
PPTX
Gdpr presentation
bySudarsan Reddy
 
PPTX
GDPR and personal data protection in EU research projects
byLorenzo Mannella
 
PDF
Data Governance
byBoris Otto
 
PDF
Enterprise Data Management
byBhavendra Chavan
 
PPTX
Data ops in practice
byLars Albertsson
 
PDF
Data sharing: How, what and why?
bydancrane_open
 
PDF
Data Architecture vs Data Modeling
byDATAVERSITY
 
Introdution to Dataops and AIOps (or MLOps)
byAdrien Blind
 
Gdpr presentation
bySudarsan Reddy
 
GDPR and personal data protection in EU research projects
byLorenzo Mannella
 
Data Governance
byBoris Otto
 
Enterprise Data Management
byBhavendra Chavan
 
Data ops in practice
byLars Albertsson
 
Data sharing: How, what and why?
bydancrane_open
 
Data Architecture vs Data Modeling
byDATAVERSITY
 

What's hot

PPTX
Introduction to GDPR
byPriyab Satoshi
 
PPTX
Planning your Next-Gen Change Data Capture (CDC) Architecture in 2019 - Strea...
byImpetus Technologies
 
PPTX
Top 5 IoT Use Cases
byCloudera, Inc.
 
PDF
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
PDF
Checklist lgpd
byanselmo333
 
PDF
European Cybersecurity Context
byMiguel A. Amutio
 
PDF
LGPD | VISÃO GERAL DE ADEQUAÇÃO CORPORATIVA A LEGISLAÇÃO DE PROTEÇÃO DE DADOS...
byWellington Monaco
 
PPTX
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
PPTX
GDPR
byGopi PD
 
PPTX
GDPR Introduction and overview
byJane Lambert
 
PDF
Data Governance Best Practices and Lessons Learned
byDATAVERSITY
 
PPTX
Batch Processing vs Stream Processing Difference
byjeetendra mandal
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PDF
Master Data Management – Aligning Data, Process, and Governance
byDATAVERSITY
 
PDF
ADV Slides: Strategies for Fitting a Data Lake into a Modern Data Architecture
byDATAVERSITY
 
PDF
Data protection regulations in Nigeria
byMercy Akinseinde
 
PPTX
An Overview of GDPR
byThe Pathway Group
 
PPTX
Présentation RGPD/GDPR 2018
byPierre Ammeloot
 
PDF
Putting the Ops in DataOps: Orchestrate the Flow of Data Across Data Pipelines
byDATAVERSITY
 
PPTX
Achieving operational excellence and customer intimacy. enterprise applications
bySanmugam Marimuthu
 
Introduction to GDPR
byPriyab Satoshi
 
Planning your Next-Gen Change Data Capture (CDC) Architecture in 2019 - Strea...
byImpetus Technologies
 
Top 5 IoT Use Cases
byCloudera, Inc.
 
GDPR Basics - General Data Protection Regulation
byVicky Dallas
 
Checklist lgpd
byanselmo333
 
European Cybersecurity Context
byMiguel A. Amutio
 
LGPD | VISÃO GERAL DE ADEQUAÇÃO CORPORATIVA A LEGISLAÇÃO DE PROTEÇÃO DE DADOS...
byWellington Monaco
 
General Data Protection Regulation
byBCC - Solutions for IBM Collaboration Software
 
GDPR
byGopi PD
 
GDPR Introduction and overview
byJane Lambert
 
Data Governance Best Practices and Lessons Learned
byDATAVERSITY
 
Batch Processing vs Stream Processing Difference
byjeetendra mandal
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
Master Data Management – Aligning Data, Process, and Governance
byDATAVERSITY
 
ADV Slides: Strategies for Fitting a Data Lake into a Modern Data Architecture
byDATAVERSITY
 
Data protection regulations in Nigeria
byMercy Akinseinde
 
An Overview of GDPR
byThe Pathway Group
 
Présentation RGPD/GDPR 2018
byPierre Ammeloot
 
Putting the Ops in DataOps: Orchestrate the Flow of Data Across Data Pipelines
byDATAVERSITY
 
Achieving operational excellence and customer intimacy. enterprise applications
bySanmugam Marimuthu
 

Similar to GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

PDF
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
byAlan McSweeney
 
PDF
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
byBlack Duck by Synopsys
 
PDF
#HR and #GDPR: Preparing for 2018 Compliance
byDovetail Software
 
PPTX
BigID GDPR Compliance Automation Webinar Slides
byDimitri Sirota
 
PPSX
Gdpr demystified - making sense of the regulation
byJames Mulhern
 
PPTX
GDPR Enforcement is here. Are you ready?
bySecurityScorecard
 
PDF
Enterprise Data World 2018
byjadams6
 
PPTX
The general data protection act overview
byRoy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
PPT
New Security Legislation & It's Implications for OSS Management
byBlack Duck by Synopsys
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
PPTX
New Security Legislation and its Implications for OSS Management
byBlack Duck by Synopsys
 
PPTX
New Security Legislation & Its Implications for OSS Management
byJerika Phelps
 
PDF
Flight East 2018 Presentation–Data Breaches and the Law
bySynopsys Software Integrity Group
 
PPTX
Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...
byCodemotion
 
PDF
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
PDF
GDPR Jennifer Rose
byJennifer Rose
 
PPTX
Data Privacy for Information Security Professionals Part 1
byDione McBride, CISSP, CIPP/E
 
PDF
Data Flow Mapping and the EU GDPR
byIT Governance Ltd
 
PPTX
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
byIT Governance Ltd
 
PDF
GDPR 11/1/2017
byisc2-hellenic
 
GDPR - Context, Principles, Implementation, Operation, Data Governance, Data ...
byAlan McSweeney
 
FLIGHT Amsterdam Presentation - Data Breaches and the Law: A Practical Guide
byBlack Duck by Synopsys
 
#HR and #GDPR: Preparing for 2018 Compliance
byDovetail Software
 
BigID GDPR Compliance Automation Webinar Slides
byDimitri Sirota
 
Gdpr demystified - making sense of the regulation
byJames Mulhern
 
GDPR Enforcement is here. Are you ready?
bySecurityScorecard
 
Enterprise Data World 2018
byjadams6
 
The general data protection act overview
byRoy Biakpara, MSc.,CISA,CISSP,CISM,ISO27KLA
 
New Security Legislation & It's Implications for OSS Management
byBlack Duck by Synopsys
 
Pronti per la legge sulla data protection GDPR? No Panic! - Domenico Maracci,...
byCodemotion
 
New Security Legislation and its Implications for OSS Management
byBlack Duck by Synopsys
 
New Security Legislation & Its Implications for OSS Management
byJerika Phelps
 
Flight East 2018 Presentation–Data Breaches and the Law
bySynopsys Software Integrity Group
 
Pronti per la legge sulla data protection GDPR? No Panic! - Stefano Sali, Dom...
byCodemotion
 
GDPR (En) JM Tyszka
byJean-Michel Tyszka
 
GDPR Jennifer Rose
byJennifer Rose
 
Data Privacy for Information Security Professionals Part 1
byDione McBride, CISSP, CIPP/E
 
Data Flow Mapping and the EU GDPR
byIT Governance Ltd
 
The GDPR and NIS Directive Risk-Based Security Measures and Incident Notifica...
byIT Governance Ltd
 
GDPR 11/1/2017
byisc2-hellenic
 

More from Alan McSweeney

PDF
The Solution Architect As Product Manager.pdf
byAlan McSweeney
 
PDF
Data Architecture for Solutions.pdf
byAlan McSweeney
 
PDF
Solution Architecture and Solution Estimation.pdf
byAlan McSweeney
 
PDF
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
byAlan McSweeney
 
PDF
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
byAlan McSweeney
 
PDF
IT Architecture’s Role In Solving Technical Debt.pdf
byAlan McSweeney
 
PDF
Solution Architecture And Solution Security
byAlan McSweeney
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
PDF
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
PDF
Solution Security Architecture
byAlan McSweeney
 
PDF
Solution Architecture And (Robotic) Process Automation Solutions
byAlan McSweeney
 
PDF
Data Profiling, Data Catalogs and Metadata Harmonisation
byAlan McSweeney
 
PDF
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
byAlan McSweeney
 
PDF
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
byAlan McSweeney
 
PPTX
Operational Risk Management Data Validation Architecture
byAlan McSweeney
 
PDF
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
byAlan McSweeney
 
PDF
Ireland 2019 and 2020 Compared - Individual Charts
byAlan McSweeney
 
PDF
Analysis of Irish Mortality Using Public Data Sources 2014-2020
byAlan McSweeney
 
PDF
Ireland – 2019 And 2020 Compared In Data
byAlan McSweeney
 
PDF
Review of Information Technology Function Critical Capability Models
byAlan McSweeney
 
The Solution Architect As Product Manager.pdf
byAlan McSweeney
 
Data Architecture for Solutions.pdf
byAlan McSweeney
 
Solution Architecture and Solution Estimation.pdf
byAlan McSweeney
 
Validating COVID-19 Mortality Data and Deaths for Ireland March 2020 – March ...
byAlan McSweeney
 
Analysis of the Numbers of Catholic Clergy and Members of Religious in Irelan...
byAlan McSweeney
 
IT Architecture’s Role In Solving Technical Debt.pdf
byAlan McSweeney
 
Solution Architecture And Solution Security
byAlan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
byAlan McSweeney
 
Solution Security Architecture
byAlan McSweeney
 
Solution Architecture And (Robotic) Process Automation Solutions
byAlan McSweeney
 
Data Profiling, Data Catalogs and Metadata Harmonisation
byAlan McSweeney
 
Comparison of COVID-19 Mortality Data and Deaths for Ireland March 2020 – Mar...
byAlan McSweeney
 
Analysis of Decentralised, Distributed Decision-Making For Optimising Domesti...
byAlan McSweeney
 
Operational Risk Management Data Validation Architecture
byAlan McSweeney
 
Data Integration, Access, Flow, Exchange, Transfer, Load And Extract Architec...
byAlan McSweeney
 
Ireland 2019 and 2020 Compared - Individual Charts
byAlan McSweeney
 
Analysis of Irish Mortality Using Public Data Sources 2014-2020
byAlan McSweeney
 
Ireland – 2019 And 2020 Compared In Data
byAlan McSweeney
 
Review of Information Technology Function Critical Capability Models
byAlan McSweeney
 

Recently uploaded

PPTX
CertificateCertificateCertificateCertificate
bykrcheah
 
DOCX
17 Ways to Buy Verified Square Accounts.docx
bymarketing & business
 
DOCX
How to Buy, Verified Remitly Account.docx
bymarketing & business
 
PDF
Is it academically dishonest to buy likinden connections if ... (1).pdf
bydoritalozanoqnkg9
 
PDF
Equinox Gold - November Presentation.pdf
byEquinox Gold Corp.
 
PDF
David Link Verrency - The Founder Of Verrency
byDavid Link Verrency
 
PDF
Getting ready for MTD – obligations, process and software
byFelixPerez547899
 
DOCX
“The Hidden Dangers of Trying to Buy Verified Western Union Accounts”.docx
by5462k4mi3kf
 
PDF
Your Go-To Solution for Purchasing LinkedIn Accounts Safely.pdf
byonline Digital Marketing
 
DOCX
Step-by-Step Guide to Buying Verified Wise in 2026.docx
byTop 21 Sites to Buy Verified Wise Accounts
 
PDF
10 Best Sites to Buy Cash App Accounts in Business.pdf
bySinea kumar
 
PDF
Transform Entry Management with Nablle’s Intelligent AMS.pdf
byNablle
 
PDF
Why Verified Chime Accounts just worder calttion sit .pdf
bysl9erqxqn
 
PPTX
PensionPlayPen coffee presentation (1).pptx
byHenry Tapper
 
PDF
Management Handbook by Yawar Hassan .pdf
byhseofficer1987
 
PDF
Your Guide to Purchasing Verified OnlyFans Accounts ....pdf
bysl9erqxqn
 
PDF
Your Guide to Purchasing Verified OnlyFans Accounts ....pdf
bysl9erqxqn
 
PDF
Canadian Business at the Climate Crossroads in 2026
bySarah Mindeirro
 
PDF
Top Trusted Sites to Buy Verified Onlyfans Accounts in 2025.pdf
bydoritalozanoqnkg9
 
PDF
Is it academically dishonest to buy likinden connections if ....pdf
bydoritalozanoqnkg9
 
CertificateCertificateCertificateCertificate
bykrcheah
 
17 Ways to Buy Verified Square Accounts.docx
bymarketing & business
 
How to Buy, Verified Remitly Account.docx
bymarketing & business
 
Is it academically dishonest to buy likinden connections if ... (1).pdf
bydoritalozanoqnkg9
 
Equinox Gold - November Presentation.pdf
byEquinox Gold Corp.
 
David Link Verrency - The Founder Of Verrency
byDavid Link Verrency
 
Getting ready for MTD – obligations, process and software
byFelixPerez547899
 
“The Hidden Dangers of Trying to Buy Verified Western Union Accounts”.docx
by5462k4mi3kf
 
Your Go-To Solution for Purchasing LinkedIn Accounts Safely.pdf
byonline Digital Marketing
 
Step-by-Step Guide to Buying Verified Wise in 2026.docx
byTop 21 Sites to Buy Verified Wise Accounts
 
10 Best Sites to Buy Cash App Accounts in Business.pdf
bySinea kumar
 
Transform Entry Management with Nablle’s Intelligent AMS.pdf
byNablle
 
Why Verified Chime Accounts just worder calttion sit .pdf
bysl9erqxqn
 
PensionPlayPen coffee presentation (1).pptx
byHenry Tapper
 
Management Handbook by Yawar Hassan .pdf
byhseofficer1987
 
Your Guide to Purchasing Verified OnlyFans Accounts ....pdf
bysl9erqxqn
 
Your Guide to Purchasing Verified OnlyFans Accounts ....pdf
bysl9erqxqn
 
Canadian Business at the Climate Crossroads in 2026
bySarah Mindeirro
 
Top Trusted Sites to Buy Verified Onlyfans Accounts in 2025.pdf
bydoritalozanoqnkg9
 
Is it academically dishonest to buy likinden connections if ....pdf
bydoritalozanoqnkg9
 

GDPR - Context, Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics

  • 1.
    GDPR - Context,Principles, Implementation, Operation, Impact on Outsourcing, Data Governance and Data Ethics Alan McSweeney http://ie.linkedin.com/in/alanmcsweeney
  • 2.
    Topics • Context ofGDPR – this contains information on other directives and regulations relating to GDPR to provide details on its wider content • Personal Information – this reiterates what is meant by personal information and so what is covered by GDPR • Principles of GDPR – this identifies some of the key principles that underpin GDPR and will affect its operation and the particular provisions of the GDPR intended to give effect to those principles • Implementing and Operating GDPR – this discusses approaches to operationalising GDPR within organisations and the IT system changes required • GDPR and Outsourcing – this contains details on the particular topic of outsourcing that will be impacted by GDPR • Data Governance – this puts GDPR into wider Data Governance context • Data Ethics– this briefly discusses the wider issue of data ethics in the context of GDPR March 28, 2018 2
  • 3.
    GDPR Impact • GDPRand its related regulations have different impacts depending on the profile of an organisation and the way in which it collects and process information about individuals • GDPR impacts on the areas of: − Data Governance − Privacy Management − Security Management − Risk Management • Existing business processes and IT systems will need to be modified and new processes and systems acquired to support the successful operation of GDPR • The operation of outsourcing arrangements will be impacted by GDPR March 28, 2018 3 Data Governance Privacy Management Security Management Risk Management
  • 4.
    GDPR Impact • Organisationshave personal data in many locations used by many different applications using different storage technologies • GDPR now requires a new and more strict data regime to implement, operate and enforce • Organisations should consider a consistent approach across all personal data platforms March 28, 2018 4 Personal Data Landscape
  • 5.
    No One Solution •There is no one solution to achieving GDPR compliance that applies to all organisations and to all aspects of GDPR • Organisations need to define their GDPR compliance strategy and their approach to data governance before looking at long-term solutions March 28, 2018 5
  • 6.
    Reuse Existing StandardsAnd Methodologies • There are existing, detailed, well-proven, well-documented methodologies in the areas such as approaches to data governance, data privacy, information security management, digital filing, supplier governance and managing outsourcing relationships that can be successfully re-used to achieve the necessary GDPR compliance without the need to look for new approaches • The wheel is not getting any rounder - it does not need to be reinvented • So use existing well-proven frameworks and methodologies to systematically improve skills, experience and practise in key competency areas • The world does not need new frameworks and methodologies – it needs existing ones well-implemented March 28, 2018 6 r d πd πr2 1800 900 2700 3600
  • 7.
    Reuse Existing StandardsAnd Methodologies March 28, 2018 7 GDPR Data Governance Data Management Information Security Outsourcing Management Records Management COBIT TOGAF DMBOK ISO 15489 Records Management ISO 16175 Standard for Digital Filing ISO 27001 Information Security Management Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
  • 8.
    ISO 15489 RecordsManagement • ISO 15489 defines the concepts and principles from which approaches to the creation, capture and management of records are developed: − Records, metadata for records and records systems − Policies, assigned responsibilities, monitoring and training supporting the effective management of records − Recurrent analysis of business context and the identification of records requirements − Records controls − Processes for creating, capturing and managing records • ISO 15489 applies to the creation, capture and management of records regardless of structure or form, in all types of business and technological environments, over time March 28, 2018 8
  • 9.
    No Silver Bullet •There is not silver bullet to achieve GDPR compliance • Just a bunch of regular bullets to fire at the problem March 28, 2018 9
  • 10.
    Tactical And StrategicApproaches • Take a multi- track approach to achieving appropriate, risk-based GDPR compliance March 28, 2018 10 Tactical Analysis, Scope and Design Strategy, Strategic Sourcing and Implementation • Request Logging and Tracking Facility • Consent Tracking • Notices • Policies • DPO • Supplier Review • Personal data collection and processing profiling • Personal data business process definition and ownership assignment • Definition of wider set of GDPR processes • Personnel certification • Define and agree strategic approach and operating framework • Source and implement strategic solutions and associated operational processes
  • 11.
  • 12.
    Wider Context OfGDPR • There are many related regulations and directives • The data protection landscape is becoming increasingly crowded and the burden on organisations more onerous March 28, 2018 12 Treaty on the Functioning of the European Union (TFEU) European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) GDPR ePrivacy Regulation EU Digital Single Market (DSM) NIS DirectiveeIDAS Directive on Privacy and Electronic Communications Police and Criminal Justice Directive
  • 13.
    Wider Context OfGDPR • The GDPR (http://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX%3A32016R0679) exists within the context of the wider EU Digital Single Market (DSM) strategy and a related set of regulations and directives • The DSM is a strategy of the European Commission to ensure access to online activities for individuals and businesses under conditions of fair competition, consumer and data protection, removing geo-blocking and copyright issues • The stated objective of the GDPR is to increase trust in and the security of digital services in order to advance digital opportunities for citizens and businesses in Europe • The stated aim is to strengthen the position of the EU as a digital economy world leader March 28, 2018 13
  • 14.
    Police and CriminalJustice Directive • Police and Criminal Justice Directive - Directive (EU) 2016/680 on the protection of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repeals Council Framework Decision 2008/977/JHA – will apply from 6 May 2018 • Creates a coherent framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security • The Police and Criminal Justice Directive harmonises the laws in the Member States in respect of the exchange of information between police and judicial authorities • Applies to both cross-border and domestic processing of personal data and it aims to improve cooperation of the Member States in the fight against terrorism and other serious crime across the EU, in that, it guarantees that personal data transferred outside the EU by criminal law enforcement authorities will be adequately protected March 28, 2018 14
  • 15.
    Directive on Securityof Network and Information Systems (NIS Directive) • Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) comes into force on 10 May, 2018 − http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194: TOC • NIS Directive applies to: − Operators of Essential Services (OES) that are established in the EU. Certain businesses operating in critical national infrastructure (CNIs) − Seven sectors affected by the NIS Directive are energy, transport, banking, financial market infrastructure, health, water and digital infrastructure − Digital Service Providers (DSP) with search engines, cloud computing services, and online marketplaces identified as the types of DSP that are subject to regulation − The onus is on organisations to determine for themselves whether they are DSPs and subject to the Directive’s security and notification requirements − The NIS Directive does not apply to DSPs that are considered small and micro businesses (companies employing fewer than 50 people whose annual turnover and/or balance sheet total is less than €10 million) March 28, 2018 15
  • 16.
    Directive on Securityof Network and Information Systems (NIS Directive) • Aim of the NIS Directive is to ensure there is a common and high-level of EU-wide information systems and network security and cyber security by: − Improving national information and network security capacity and effectiveness including having Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) − Increasing co-operation on information and network security across all Member States − Introducing binding security obligations and incident reporting obligations for operators of essential services (OESs) in critical national infrastructure (CNI) − Member States will be responsible for dealing with the security of services provided by multinational companies across the European Union that have their European headquarters located in that country March 28, 2018 16
  • 17.
    NIS Security Principles March28, 2018 17 SecurityPrinciples Identify Asset Management Systems and/or services that are required to maintain or support essential services must be determined, understood and documented Business Environment Overall organisation mission, objectives, stakeholders, and activities are understood, prioritised and documented Governance Policies, procedures, and processes to manage and monitor the regulatory, legal, risk, environmental, and operational requirements are identified, understood and documented Risk Assessment and Risk Management Identify and understand the network security risk to operations, assets and individuals Protect Service Protection Policies and Processes Define, communicate and document policies to direct the overall approach to securing systems and data that support delivery of essential services Identity and Access Control Access to assets and associated facilities is limited to authorised users, processes or devices and to authorised activities and transactions/functions Data Security Information and records are managed and documented consistent with the risk strategy to protect the confidentiality, integrity, and availability of information System Security Network and information systems and technology critical for the delivery of essential services are protected from attack Resilient Networks and System Incorporate resilience against cyber-attack and system failure into the design, implementation, operation and management of systems that support the delivery of essential services Staff Awareness and Training Employees and partners are provided network security awareness education and training to perform their information security-related duties and responsibilities Detect Anomalies and Events Detection Anomalous and unusual activity is detected in a timely manner and the potential impact of events is understood Security Continuous Monitoring Information systems and assets are monitored in order to identify network security events and validate the effectiveness of protective measures Respond Response Planning Response processes are executed, maintained and documented to ensure timely response to detected network security events Analysis Analysis is conducted to ensure adequate response and to support recovery actions Mitigation Take actions to prevent expansion of an event, mitigate its effects and resolve the incident Improvements Response activities are improved and documented by incorporating lessons learned Communications Response activities are co-ordinated with internal and external stakeholders including law enforcement Recover Recovery Planning Execute recovery processes and procedures are executed to ensure timely restoration of systems affected by network security events Improvements Improve recovery planning by incorporating lessons learned Communications Coordinate restoration activities with internal and external parties, such as coordinating functions, Internet Service Providers, owners of attacking systems, victims, other CSIRTs and vendors
  • 18.
    NIS Security Principles •Use these security principles to create an operational security framework to reduce the chances of a data breach March 28, 2018 18
  • 19.
    ePrivacy Regulation • InJanuary 2017, the European Commission published its Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) COM (2017) − http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010 • The ePrivacy Regulation aims to make more effective and to increase the level of protection of privacy and personal data processed in relation with electronic communications in accordance with the Article 7 (respect for private and family life) and Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union and ensure greater legal certainty − Complements and particularises the GDPR • While the ePrivacy Directive applied to telecommunication providers, the ePrivacy Regulation will apply to all providers of electronic communications services – described as Over-the-Top (OTT) communications services such as Facebook Messenger, LinkedIn, Skype, WhatsApp and others • ePrivacy Directive - Directive 2002/58/EC – will be replaced by the ePrivacy Regulation in due course March 28, 2018 19
  • 20.
    eIDAS (electronic IDentification,Authentication and trust Services) • The eIDAS Regulation - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Electronic Signatures Directive) – came into effect on 1 July, 2016 − http://eur-lex.europa.eu/legal- content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG • Aims to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of electronic ID and consistent rules on trust services across the EU • Focuses on two areas: − Interoperability – Member States are required to create a common framework that will recognise electronic Identifications (eIDs) from other Member States and ensuring their authenticity and security − Transparency – eIDAS provides a list of trusted services that may be used within a centralised signing framework March 28, 2018 20
  • 21.
    European Union Agencyfor Network and Information Security (ENISA) • European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe • Privacy and Data Protection by Design - https://www.enisa.europa.eu/publications/privacy-and-data- protection-by-design/at_download/fullReport − View of what needs to be done to achieve privacy and data protection by default. For example, it specifies that encryption and decryption operations must be carried out locally and not remotely because both encryption/ decryption keys and data must remain in the power of the data controller and processor if any privacy is to be maintained − Covers topics such as the use of cloud data storage where the data controller, not the cloud service provider, holds the encryption/ decryption keys • Handbook on Security of Personal Data Processing - https://www.enisa.europa.eu/publications/recommendations-on- european-data-protection-certification/at_download/fullReport − Guidelines for small to medium businesses on data security March 28, 2018 21
  • 22.
    Article 29 WorkingParty • Article 29 Working Party - Working Party on the Protection of Individuals with Regard to the Processing of Personal Data – was established under Article 29 the Data Protection Directive (Directive 95/46/EC) http://eur-lex.europa.eu/legal- content/en/TXT/?uri=CELEX%3A31995L0046 • Produced much useful material on the implementation and operation of GDPR March 28, 2018 22 Document Link Guidelines on Automated Individual Decision-Making and Profiling for the Purposes of Regulation http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49826 Guidelines on Data Protection Impact Assessment (DPIA) http://ec.europa.eu/newsroom/document.cfm?doc_id=47711 Guidelines on Data Protection Officers http://ec.europa.eu/newsroom/document.cfm?doc_id=44100 Guidelines on Personal Data Breach Notification Under Regulation 2016/679 http://ec.europa.eu/newsroom/article29/document.cfm?doc_id=49827 Guidelines on the Application and Setting of Administrative Fines http://ec.europa.eu/newsroom/just/document.cfm?doc_id=47889 Guidelines on the Lead Supervisory Authority http://ec.europa.eu/newsroom/document.cfm?doc_id=44102 Guidelines on the Right to "Data Portability" http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 Elements and Principles to be Found in Binding Corporate Rules (BCR) http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798
  • 23.
    European Data ProtectionBoard (EDPB) • Article 68 of the GDPR provides for the establishment of the European Data Protection Board (EDPB), which will replace the Article 29 Working Party • Members of the EDPB are the heads of the supervisory authorities in each Member State (or their representatives) and the European Data Protection Supervisor (or their representative March 28, 2018 23
  • 24.
    European Data ProtectionSupervisor (EDPS) • The post of European Data Protection Supervisor (EDPS) was established in 2004 under Regulation (EC) 45/2001, which regulation sets out the data protection standards that apply to the Union institutions • The post of EDPS is recognised in GDPR − The EDPS is a member of the EDPB, although the EDPS will only have voting rights where the issues involve principles and rules that are applicable to the institutions of the Union March 28, 2018 24
  • 25.
  • 26.
    Personal Information • Personalinformation is at the core of GDPR • Personal data is defined in Article 4(1) of the GDPR: − ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person • Information is personal if it is: − Owned by a person − About a person − Directed towards a person − Sent or posted or communicated by a person − Experienced by a person − Relevant to a person • The definition of personal data is very important − It does not just include information a person explicitly supplies − It includes implicit information such as browsing history • GDPR identifies special categories of personal data for which processing is subject to additional constraints − Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited March 28, 2018 26
  • 27.
    Personal Information March 28,2018 27 Personal Data Type Personal Data Items Personal Information Name, such as full name, maiden name, mother‘s maiden name, or alias Date of birth Place of birth Full home address Country, state, postcode or city of residence Marital status Telephone numbers, including mobile, business and personal numbers Information identifying personally owned property, such as vehicle registration number Passport number Social insurance or national insurance number Residence and geographic records Sexual orientation Biographical Data Specific age Height Weight Eye colour Hair colour Photographic image Gender Racial or ethnic origin Any defining physical characteristics Digital Footprint Digital identities, such as avatars and usernames/handles Logon details such as name, screen name, nickname, or handle Email address (if private from an association/club membership, etc.) IP addresses (in the EU) Geo-tracking information and location-based data Web usage behaviour or user preferences using persistent cookies Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address (MAC) address or other host-specific persistent static identifier that consistently Any information that links a particular person to a small, well-defined group Medical or Heath Data Patient identifier Number of sick days taken from employer and other information relating to any sick leave Visits to doctors Medical data Biological traits including DNA Fitness data Medical images such as X-rays, CT scans and ultra sound Biometric data such as fingerprints, retinal scans, voice signature or facial geometry Medication
  • 28.
  • 29.
    Principles of GDPR •Core of the GDPR are stated principles governing data processing, which are supported by detailed provisions − Lawfulness, Fairness and Transparency: Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject − Specified, Explicit and Legitimate Purpose: Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; Article 5(1)(b) − Adequate, Relevant and Limited: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed; Article 5(1)(c) − Accurate and Up-To-Date: Personal data shall be accurate, and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without undue delay; Article 5(1)(d) − Pseudonymisation/Storage Limits: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; Article 5(1)(e) − Security: Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unauthorised processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures; Article 5(1)(f) March 28, 2018 29
  • 30.
    Implementation And OperationalPrinciples Data Protection By Design and By Default Limitation and Minimisation One Common Set of Rules and One-Stop Shop Certification Notices, Responsibility and Accountability Data Protection Impact Assessment (DPIA) Lawful Basis For Processing Consent Right of Access Right to Rectification Right to Erasure Right to Object / Prohibition Automated Decision-Making Data Portability Data Protection Officer Pseudonymisation Handling of Data Breaches Penalties and Sanctions March 28, 2018 30
  • 31.
    GDPR Implementation AndOperational Principles March 28, 2018 31 Data Protection By Design and By Default Limitation and Minimisation One Common Set of Rules and One- Stop Shop Certification Notices, Responsibility and Accountability Data Protection Impact Assessment (DPIA) Lawful Basis For Processing Consent Right of Access Right to Rectification Right to Erasure Right to Object / Prohibition Automated Decision-Making Data Portability Data Protection Officer Pseudonymisation Handling of Data Breaches Penalties and Sanctions
  • 32.
    Data Protection ByDesign and By Default • Article 25 of the GDPR requires that data protection is designed into the development of business processes for products and services − Appropriate measures to implement the data protection principles and to safeguard data must be put in place in an effective manner at the time the means of processing is determined and at the time of the processing itself − This is a mandatory requirement, breach of which can lead to a fine • Article 25(2) addresses the concept of data minimisation and provides that the controller should implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed − Obligation applies to the amount of personal data collected, the extent of processing and the period of storage and accessibility − Data Protection by design and by default requires a combination of systems and processes − Changes to existing IT systems and possible new IT systems will be required to achieve this March 28, 2018 32
  • 33.
    Limitation and Minimisation •The collection of personal data should limited for specific and justifiable purposes • The amount of personal data collected should be minimised • The storage interval should be limited • The type of processing should be limited and necessary • There should be a legal basis for processing • Access should be controlled and excluded by default rather than being inclusive • Processing of special categories of personal data should be avoided unless absolutely required • Data security should occur as a matter of course. • Essentially, if there are any doubts and the data is not necessary, do not collect it March 28, 2018 33
  • 34.
    One Common Setof Rules and One-Stop Shop • There will be one set of data protection rules across all EU Member States. • Each Member State must create an independent supervisory authority to hear complaints, investigate them and to take administrative actions and enforce sanctions - Articles 51-54 • Article 51 requires each Member State to provide for one or more independent public authority to be responsible for monitoring the application of the GDPR. • Under Article 51(2), supervisory authorities have a duty to contribute to the consistent application of the GDPR, as well as specific obligations to cooperate with one another and the Commission through the consistency process. • Article 57 of the GDPR lists tasks of supervisory authorities, while Article 58 lists their powers • The general tasks of a supervisory authority is to monitor and enforce the application of the GDPR • Additionally, Chapter VII on Cooperation and Consistency sets out detailed provisions on mutual assistance (Article 61) and on the conduct of joint operations (Article 62) • Article 58(4) provides that the exercise of the powers of a supervisory authority must be subject to appropriate safeguards, including effective judicial remedies and due process • Where an entity such as a multi-national has multiple locations in multiple EU states, it will have a single supervisory authority as its lead supervisory authority, based on the location of its main office • In this instance, the lead supervisory authority will act as a one-stop shop (OSS) to supervise all the processing activities of that business throughout the EU March 28, 2018 34
  • 35.
    Certification • GDPR providesfor a voluntary data protection certification regime to be established • There is no certification approach or regime defined yet • ENISA has documented a possible certification approach March 28, 2018 35
  • 36.
    Notices, Responsibility andAccountability • The need for and the content of privacy statements on web sites and other entry points to digital information and services that was specified in the Data Protection Directive has been expanded • Article 5(1) of the GDPR requires data controllers to process personal data fairly and lawfully and in a transparent manner: the objective is to ensure that data subjects are aware of the processing of their personal data, the purposes for which the processing is taking place and data subjects’ rights in relation to personal data • Article 13 of the GDPR specifies the information that must be provided to a data subject. The legal obligation is on the controller, although the controller may use a third party agent (such as the processor) to provide the information on the controller’s behalf as long as the notice meets the required standards • Information may be provided by a privacy notice (also known as a fair processing notice, privacy policy or data protection notice) • The information must be clearly accessible and available “at the time when the data are obtained”, which, in general terms, means the time when the data is collected • Under Article 13(1) of the GDPR, the privacy notice must state: − The identity of the controller (and where applicable, the controller’s representative) − The contact details of the Data Protection Officer, if applicable − The purposes of the processing for which the personal data is intended as well as the legal basis for the processing − The recipients or categories of recipient of the personal data − If the controller transfers personal data, the fact that the controller intends to do so to a third country or international organisation (and related information in relation to such transfers) • The purposes of the processing must be described in accessible terms and clearly distinguished from one another March 28, 2018 36
  • 37.
    Notices, Responsibility andAccountability • Article 13(2) of the GDPR requires that additional information should be provided where necessary to ensure fair and transparent processing − The retention period for personal data (or, where that is not possible, the criteria used to determine that period); − The data subject’s rights in relation to the personal data (being the right to request access to and rectification of personal data, the right to erasure of personal data, to restrict the processing of personal data, to object of the processing of personal data and right to data portability) − The right to lodge a complaint with a supervisory authority; − Whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract and whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide the data; and − The existence of any automated decision-making, including profiling, and if it is to be used, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject March 28, 2018 37
  • 38.
    Notices, Responsibility andAccountability • There can be one general notices or several notices throughout the web site on those pages where personal information is being collected • It is best practice to include notices on all pages where personal information is required to be entered • Where the data subject already has the relevant information, the controller will not need to provide the information to the data subject - Article 13(4) • The information must be concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child; Article 12(1) • The information shall be provided in writing, or by other means, including, where appropriate, by electronic means • When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means March 28, 2018 38
  • 39.
    Notices, Responsibility andAccountability March 28, 2018 39 Mandatory Privacy Notice Contents Specific Personal Information Collection Privacy Notice Contents Identity and the contact details of the data controller The length of time for which the personal data will be stored, or if that is not possible, the criteria used to determine it Contact details of the data protection officer, if one exists – see below The right to:  Request from the data controller access to  Request rectification or erasure of personal data  Restrict processing  Object to processing  Data portability The purposes of the processing of personal data and the legal basis for this processing (Article 6 Lawfulness of Processing) The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal Who receives the personal data The right to complain to Supervisory Authority Whether data is being transferred to a third country or international organisation and, if so, the safeguards that are being used and the means by which to obtain a copy of them or where they have been made available If the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract, as well as whether the person is obliged to provide the personal data and of the possible consequences of failure to provide the data The use of automated decision-making, including profiling and where this applies meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the person
  • 40.
    Notices, Responsibility andAccountability • The principle of Privacy By Design and By Default requires that data protection measures are designed and incorporated into the development of business processes and systems • The data controller is responsible for implementing effective measures and being able to demonstrate the compliance of processing activities even if the processing is carried out by a separate data processor on behalf of the data controller • Personal data should be pseudonymised as soon as possible after collection and expiry of its original use March 28, 2018 40
  • 41.
    Data Protection ImpactAssessment (DPIA) • The use of Privacy Impact Assessments (PIAs) was developed outside the EU, with the UK being the first supervisory authority in the EU to adopt the use of PIAs • In the UK, PIAs have been mandatory for Government departments for several years, as well as being widely used in the privacy sector • GDPR, in Article 35, introduces mandatory Data Protection Impact Assessments (DPIAs) in respect of high-risk processing, that is to say, processing that poses a high risk to the rights and freedoms of natural persons • Article 35(3) designates three specific types of processing as high-risk so that a DPIA is required for: − Processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person − Processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10 − Systematic monitoring of a publicly accessible area on a large scale • In addition to these three cases in which a DPIA is mandatory, there is a general obligation to conduct a DPIA where there processing is likely to result in a high risk to the rights and freedoms of natural persons – see Article 35(1). • Under Article 35(4), the supervisory authority is required to make public a list of the kind of processing operations that are subject to the requirement for a DPIA under Article 35(1) and shall communicate the list to the EDPB March 28, 2018 41
  • 42.
    Data Protection ImpactAssessment (DPIA) • A DPIA must address: − A systematic description of the envisaged processing operations – this should include the flow of personal data through the systems and business processes as business activities are performed − The purpose of the processing (including, where applicable, the legitimate interest pursued by the controller) − An assessment of why the processing is being performed and how this is proportional to the underlying need − An assessment of the risks to the rights and freedoms of the persons affected − The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of data subjects concerned • Where the DPIA indicates that the processing remains high risk despite the application of measures to mitigate that risk, the controller must consult the supervisory authority before processing – see Article 36(1) • Member States must similarly consult the supervisory authority where they are preparing a proposal for a legislative measure to be adopted by the national parliament or for a regulatory measure based on legislation – see Article 36(4) March 28, 2018 42
  • 43.
    Lawful Basis ForProcessing • Article 5(1)(a) sets out the principle that personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject − The person has consented to the processing of their personal data for one or more specific and prior notified purposes − It is needed for the performance of a contract to which the person is a party or in order to take steps at the request of the person before to entering into a contract − It is required to protect the vital interests of the person in question or of another person. − It is required so the data controlled can comply with a specific legal obligation − It is needed to perform a task carried out in the public interest or in the exercise of an official function of data controller − It is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the person is a child March 28, 2018 43
  • 44.
    Consent • Explicit consentof the person must be obtained for data collection and processing, with Article 7 setting out the basic conditions required for a consent to be valid: − The consent must be freely given − A proper explanation of what the individual is consenting to must have been provided before the consent is obtained − Separate consents must be given for separate purposes − Consent can be refused − Consent can be withdrawn at any time • Consent should be informed − The identity of the controller and the processing purposes should be detailed − Silence or implied consent and pre-checked boxes on web pages are no longer valid − The organisation must ask for consent and obtain explicit consent − Plain language should be used and consent is unlikely to be achieved if data protection notices are unintelligible or over-complicated − Consent must be specific − Where the data processing has multiple purposes, consent should be given for all of them − The burden of proof that consent was obtained in a correct and explicit manner resides with the data controller − Consent management needs to include both the recording of consent and the circumstances under which it was provide and while there is no requirement that consent should be in writing, the evidential burden suggests that, in practical terms, this will occur March 28, 2018 44
  • 45.
    Right of Access •Persons have the right to access their personal data and to get details about how this personal data is being processed • The right of subject access is complemented by the right, under Article 20 of the GDPR, to data portability • A controller is under an express obligation to facilitate the exercise by a data subject of their rights, including to subject access and data portability; Article 12(2). • A controller’s obligation under Article 20 (right of data portability) is to “transmit … data to another controller without hindrance” • Article 15(1) provides that a data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the information • The data controller has to provide − Access to the data itself − The categories of personal data concerned − With whom the data is shared (that is to say, the recipients or categories of recipients to whom the personal data is or will be disclosed and in particular, recipients in third countries) − The envisaged storage period for the data or, if it is not possible to so specify, the criteria used to determine that period − How it acquired the data in the sense that where the personal data was not collected from the data subject, any available information as to the source of the personal data − The existence of the right of rectification or erasure or restriction of processing of personal data − The right to lodge a complaint with a supervisory authority − The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) March 28, 2018 45
  • 46.
    Right to Rectification/Right to Completion • Article 16 of the GDPR provides for a right to rectification of inaccurate data, as well as a right to have incomplete data completed • Data must be rectified by the data controller without undue delay if the data is inaccurate and the data subject has so notified the data controller • The right to completion of data applies where the purpose of the processing makes it appropriate and the right may be complied with by providing a supplementary statement March 28, 2018 46
  • 47.
    Right to Erasure- The “Right To Be Forgotten” • Article 17 of the GDPR confers a right to request erasure of, and cessation of processing, personal data including any copies related to them − Where the personal data are no longer necessary in relation to the purposes for which they are collected − Where the person has withdrawn their consent − Where the person objects to the processing under Article 21(1)and there are no overriding legitimate grounds for the processing − Where the processing of the personal data does not otherwise comply with the GDPR − The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject − The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) • A request for erasure can be refused where the processing is necessary for one of the exempt purposes specified in Article 17(3), that is to say, where the processing is necessary for: − The exercise of the rights of freedom of expression and information; − Compliance with a legal obligation or the exercise of a discretionary power; − Reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3); − Archiving and research purposes; − Establishment, exercise or defence of legal claims March 28, 2018 47
  • 48.
    Right to Erasure- The “Right To Be Forgotten” • Article 19 requires a data controller to communicate any rectification or erasure of personal data or restriction of processing to any person to whom the data has been disclosed “unless this proves impossible or involves disproportionate effort” • If the data subject asks, the controller must provide details of those persons to whom the data was disclosed March 28, 2018 48
  • 49.
    Right To RestrictionOf Processing • Under Article 18, a data subject has the right to restrict processing of personal data in four specified circumstances: − The accuracy of the personal data is contested by the data subject, in which case the restriction will be for a period enabling the controller to verify the accuracy of the personal data − The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead – it is not entirely clear what is meant by this provision as, if the data subject does not want the erasure of the personal data, the inference is that the data subject consents to the processing of the data − The controller no longer needs the personal data for the purposes of the processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims − The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject March 28, 2018 49
  • 50.
    Right to Object/ Prohibition Automated Decision- Making • Article 21(1) confers on a data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning the data subject which is based on Article 6(1)(e) or (f), including profiling based on those provisions • Article 6(1)(e) permits data processing where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, while Article 6(1)(f) renders lawful processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party • The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims • Article 22(1) prohibits automated decision-making subject to a number of exceptions − Automated decisions subject to Article 22 are decisions based solely on automated processing that produce legal effects concerning the data subject or significantly affect the data subject March 28, 2018 50
  • 51.
    Data Portability • Aperson must be able to transfer their personal data from one controller to another without being prevented by the data controller - Article 20 − This covers both the information content – what was supplied – and the metadata • The right to data portability is the “right to receive the personal data concerning [the data subject], which [the data subject] has provided to a controller” – see Article 20(1) • The right applies where consent to data processing has been provided under Article 6(1)(a) (express consent) or Article 9(2)(a) (special categories of personal data) and where the processing is automated • The right does not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – see Article 20(3) • The right to data portability does not arise − Where data is processed by a controller under a legal duty or in exercise of discretionary powers − Where processing is necessary in order to protect the vital interests of the data subject or of another natural person − Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller March 28, 2018 51
  • 52.
    Data Protection Officer •Article 37 sets out the circumstances in which designation of a Data Protection Officer (DPO) is mandatory for certain data controllers and data processors • All public authorities (except for courts) • Where the core activities of the controller or processor monitor individuals systematically (such as tracking and profiling on the Internet) and on a large scale • Where the core activities of the controller or processor consist of large scale processing of the special categories of data under Article 9 and personal data relating to criminal convictions and offences referred to in Article 10 • The DPO is independent (Article 38(3)) and must be given sufficient resources (Article 38(2)) to carry out their tasks effectively. • Article 37(5) provides that the DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of a DPO set out in Article 39 − The DPO should be skilled and experienced in managing IT processes, data security (including dealing with network attacks) and be knowledgeable in the issues around the holding and processing of personal and sensitive data − The skills required depend on the organisation and the processing it performs − The DPO should also know the administrative rules and procedures of the organisation − The organisation should include the DPO in all issues relating to the protection of personal data in a timely manner March 28, 2018 52
  • 53.
    Pseudonymisation • Pseudonymisation” isdefined in Article 4(5) of the GDPR • Means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person • Article 29 Working Party: − “pseudonymisation is not a method of anonymisation. It merely reduces the linkability of a dataset with the original identity of a data subject, and is accordingly a useful security measure.” • Encryption is a form of pseudonymisation − The original data cannot be read − The process cannot be reversed without the correct decryption key − GDPR requires that this additional information be kept separate from the pseudonymised data. • Pseudonymisation reduces risks associated with data loss or unauthorised data access − Pseudonymised data is still regarded as personal data and so remains covered by the GDPR − It is viewed as part of the Data Protection By Design and By Default principle • Pseudonymisation is not mandatory − Implementing pseudonymisation with existing IT systems and processes would be complex and expensive and, to that extent, pseudonymisation might be considered an example of unnecessary complexity within the GDPR March 28, 2018 53
  • 54.
    Pseudonymisation • GDPR Recital26 − The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. • Pseudonymisation is not anonymisation − Anonymisation means data cannot be attributed to a person − Pseudonymisation means data can be attributed to a person using additional information − Pseudonymisation just makes identifying persons from data more difficult, time-consuming and expensive March 28, 2018 54
  • 55.
    Pseudonymisation • Article 89(1): as a means of enhancing protection in case of further use of data for research and statistics • Article 6 (4): as a means of possibly contributing to the compatibility of further use of data • Article 25: as a means to contribute to “privacy by design” in data applications • Recital 28: “The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.” March 28, 2018 55
  • 56.
    Pseudonymisation • Pseudonymisation meansremoving the link between data and its attribution to a specific individual • Add a layer of complexity, time and expense to person identification • There are many (complex) approaches to pseudonymisation • Pseudonymisation aims to provide an extra layer of security − It does not stop personal data being lost − It just reduces the likelihood that lost personal data can be used March 28, 2018 56 IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Data 1 P 1 Data 2 P 1 Person 2 Data 1 P 2 Data 2 P 2 Person 3 Data 1 P 3 Personal Data Lose Or Allow Access To This And Personal Data Can Be Read By Anyone IT System Person Personal Data Field 1 Personal Data Field 2 6AC1B12B A51B6F4B E78A52F3 A27E3B3A 6E4DA618 CB9FC8AE 4F5C7F63 925A58D2 Personal Data Direct Data Access 1 Lose Or Allow Access To This And Personal Data Cannot Be Read With Ability to Decrypt 2 1. System Retrieves Encryption Key 2. Encrypted Data Read and Written And Decrypted Using Key
  • 57.
    Handling of DataBreaches • is impossible to have 100% security 100% of the time and still collect and process information − So organisations should assume a data breach however minor will happen at some time − Security systems should be designed to facilitate the discovery of any breach as soon as possible; • It is important to reduce the scope and effect of the breach, the time to identify that the breach has occurred and to respond more quickly and effectively to limit the damage. − Organisations are responsible for the implementation and operation of sufficient countermeasures to prevent as much as possible, detect and handle breaches − A data breach in itself will not necessary attract administrative sanctions − The failure to have structures in place to prevent, detect and handle breaches will • A “personal data breach” is defined in Article 4(12) of the GDPR as: − “means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” • A controller is required to document all cases of personal data breach comprising the facts relating to the personal data breach, its effects and the remedial action taken; Article 35(5) • Unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the controller is under a legal obligation to notify the supervisory authority of a personal data breach within 72 hours (and if not an explanation of the delay) after having become aware of the data breach; Article 35(1) March 28, 2018 57
  • 58.
    Handling of DataBreaches • Under Article 35(3), the notification must include: − A description of the nature of the personal data breach including, if possible, the categories and approximate number of persons affected and the categories and approximate number of personal data records affected − The name and contact details of the Data Protection Officer or other contact point where more information can be obtained − A description of the likely consequences of the personal data breach − A description of the measures taken or that are proposed to be taken by the data controller to address the personal data breach, including any measures to mitigate its possible adverse effects • Persons affected by the data breach must be notified if the breach is likely to have a high risk to their rights – see Article 34(1) • Importantly, data controllers do not have to notify affected persons if protection measures were implemented that rendered the personal data unintelligible – see Article 34(3) − A notice required to be given to data subjects must describe in clear and plain language the nature of the personal data breach and contain at least the name and contact details of the Data Protection Officer (or other contact point where more information can be obtained) − A description of the likely consequences of the personal data breach; and a description of the measures taken or that are proposed to be taken by the data controller to address the personal data breach, including any measures to mitigate its possible adverse effects – see Article 34(2) (by reference to Article 33(b) to (d) March 28, 2018 58
  • 59.
    Penalties and Sanctions •Failure to comply with GDPR can result in administrative penalties and other sanctions • Warnings – under Article 58(2), a supervisory authority has specific powers to issue warnings to a controller or processing that intended processing operations are likely to infringe the GDPR and reprimands where processing operations have infringed the GDPR • Data protection compliance audits – Article 58(1) confers on supervisory authorities investigative powers, including, at Article 58(1)(b) the power to carry out investigations in the form of data protection audits; • Fines - two levels of fines − €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year, whichever is the greater, for failures relating to: • Conditions applicable to child's consent in relation to information society services • Failures in data processing and security • Notification of a personal data breach to the supervisory authority • Communication of a personal data breach to the data subject • Data protection impact assessment • Designation of the data protection officer • Certification − €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is the greater for failures relating to: • Principles relating to processing of personal data • Lawfulness of processing • Conditions for consent • Processing of special categories of personal data • Information and access to personal data • Information to be provided where personal data are collected from the data subject • Right of access by the data subject • Right to rectification • Right to erasure • Right to restriction of processing • Right to data portability • Automated individual decision-making, including profiling • Transfers of personal data to third countries or international organisations March 28, 2018 59
  • 60.
    Implementing and OperatingGDPR March 28, 2018 60
  • 61.
    Implementing and OperatingGDPR • GDPR compliance is achieved through a combination of processes and technology • Most of the impact that GDPR will have is on existing IT systems that process personal data • The effort to implement and operate GDPR will depend on the scope of the problem which is dictated by the amount of personal data the organisation collect and processes • The problem with many compliance initiatives is that they tend to be treated as single projects operating in an organisation silo rather than as being part of a wider and more general and shared compliance framework • Despite have a broad scope across the organisation, GDPR compliance will more likely in many cases be treated as yet another stand-alone initiative • It is simply not possible to quantify the volume and types of requests that individuals will make under GDPR March 28, 2018 61
  • 62.
    GDPR Compliance PreparatorySteps 1. Determine the organisation’s role under the GDPR – data controller or data processor 2. Assign someone to the Data Protection Officer role/team 3. Implement consent management 4. Review and update data retention and data backup 5. Identify and document business processes and associated IT systems processing personal data 6. Identify and assess any cross-border data flows 7. Prepare for persons exercising their GDPR rights 8. Prepare for a data breach March 28, 2018 62
  • 63.
    Determine The Organisation’sGDPR Role • Inform your employees about GDPR risks and appropriate behaviours by defining clear policies on the collection and use of personal data and any collaboration and sharing or maintenance of local uncontrolled copies • Implement security awareness and privacy training March 28, 2018 63
  • 64.
    Fill The DataProtection Officer Role And Team • The primary role DPO is to ensure the organisation is compliant with GDPR • Initially, appoint someone to the DPO role irrespective of any legal necessity • The role does not have to be full-time • Once compliance is achieved the level of work may reduce • The DPO role is cross-functional. It spans the entire organisation, crossing the boundaries of business functions • These roles are often very difficult to implement as they encroach on the territories of business function leaders and, in doing so, encounter resistance • To be successful the DPO role needs to be supported from the highest levels in the organisation • Train personnel March 28, 2018 64
  • 65.
    Implement Consent Management •Consent management involves: − Identifying all points where personal data is collected across all communication channels − Identifying the data processing processes where consent is required − Drafting GDPR consent management notices − Updating communication channels such as the organisation web site(s) with GDPR consent notices − If data is collected from children, implement an approach to collect consent from parents or guardians − Updating IT systems to record consent details and allow consents be subsequently updated March 28, 2018 65
  • 66.
    Review And UpdateData Retention And Backup • Reviewing existing approaches to data archival, retention and deletion, if any • Reviewing data backup processes to ensure data not being retained is not held on backups • Implement data retention and deletion policies and procedures • Update data backup policies and procedures March 28, 2018 66
  • 67.
    Identify And DocumentBusiness Processes And Associated IT Systems Processing Personal Data • Create an inventory of personal data collected, created, processed and derived − Review the reasons why personal data is collected and stop collecting if it is not necessary or justifiable. • Identify any high-risk data collected or generated − Consider conducting DPIAs for these • Identify if you process any of the special categories of personal data and handle this instances in more detail − Consider conducting retrospective DPIAs for these • Where personal data is collected ensure explicit consent is obtained • Develop and implement notices on all personal data collection points − Identify points were consent is necessary. • Create an inventory of business processes where personal data is involved − Appoint business process owners − Document these business processes with those involved in their operation − Define business process review dates, at least annually • Document the legal grounds for processing this personal data • Create an inventory of IT systems that store and process personal data • Map the flow of personal data across business processes and IT systems from initial collection to its processing and ultimate deletion. • Consider initiating a business process review and update exercise that minimises the amount of personal data being collected and processed to reduce compliance overhead and risk March 28, 2018 67
  • 68.
    Identify And DocumentBusiness Processes And Associated IT Systems Processing Personal Data • This data discovery and profiling work has the potential to be quite onerous, depending on the number of IT systems and processes involved in processing personal data. • Review your network security, especially on systems that contain personal data that can be accessed from outside the organisation • Identify any third-parties involved in data collection and data processing for your organisation such as IT outsourcing or business process outsourcing arrangements • For each of these outside organisations you must ensure that they too are compliant with GDPR: − Review their network security − Review their data retention policies to ensure personal data is deleted as soon as it is no longer needed − Review data backup processes and amend to ensure data not being retained is not held on backups − Ensure they appoint a DPO − Review their process for handling data breaches • Where suppliers fail to meet GDPR compliance requirements they must resolve these issues or you must replace the March 28, 2018 68
  • 69.
    Organisation Conceptual DataModel • Consider building an organisation conceptual data model to assist with identifying personal data processing and data flows March 28, 2018 69
  • 70.
    Generic Organisation ConceptualData Model March 28, 2018 70
  • 71.
    Generic Data ConceptualData Model – Components - 1 of 2 28 March 2018 71 Component Description External Interacting Parties These are the range of external parties that supply data to and access data from the enterprise External Party Interaction Zones, Applications, Channels and Facilities These are the set of applications and data interface and exchange points provided specifically to External Interacting Parties to allow them supply data to and access data from the enterprise These can be hosted internally or externally or a mix of both External Third Party Applications These are third-party applications (such as social media platforms) that contain information about the enterprise or that are used by the enterprise to present information to or interact with External Interacting Parties or where the enterprise is referred to, affecting the perception or brand of the enterprise External Data Sensors Sources of remote data measurements External Party Interaction Zones Data Stores These are applications and sets of data created by the enterprise to be externally facing where external parties can access information and interact with the enterprise External Devices These are devices connected with services offered by the enterprise (such as ATMs and Kiosks) Date Intake/Gateway This is the set of facilities for handling data supplied to the enterprise including validation and transformation including a possible integration or service bus This can be hosted internally or externally or a mix of both Line of Business Applications This represents the set of line of business applications deployed on enterprise owned and managed infrastructure used by business functions to operate their business processes Organisation Operational Data Stores These are the various operational data stores used by the Line of Business Applications
  • 72.
    Generic Data ConceptualData Model – Components - 2 of 2 28 March 2018 72 Component Description Line of Business Applications Hosted Outside the Organisation This represents the set of line of business applications deployed on external infrastructure used by business functions to operate their business processes This includes cloud facilities such as external data storage and XaaS facilities and an integration service to connect external data to internal data External Application Operational Data Stores These are the various operational data stores used by the Line of Business Applications used by Line of Business Applications Hosted Outside the Organisation Data Mastering These are facilities to create and manage master data and data extracted from operational data to create a data warehouse and data extracts for reporting and analysis. This includes an extract, transformation and load facility These can be hosted internally or externally or a mix of both Data Reporting and Analysis Facilities This represents the range of tools and facilities to report on, analyse, mine and model data These can be hosted internally or externally or a mix of both Document Sharing and Collaboration These are tools used within the enterprise to share and collaborate on the authoring of documents Document Management Systems These are systems used to manage transactional and ad hoc structured and unstructured documents in a formal and controlled manner, including the metadata assigned to documents Desktop Applications These are applications used by individual users to view and author documents Document and Information Portal This provides structured access to documents and information including externally hosted applications providing these facilities Unstructured Data Stores These are storage locations for enterprise documentation
  • 73.
    Zones Within DataFabric Conceptual Data Model • Sets of components of conceptual data fabric model can be grouped into zones: − Internal – within the enterprise’s boundary − Cloud Extension – extensions to enterprise applications and data held in external cloud platforms − Interface – set of components responsible for getting data into and out of the enterprise and presenting data and applications externally − Externally Located Extension – infrastructure and applications that are connected to the wider enterprise network − External Controlled – components outside the enterprise but under the control of the enterprise − External Uncontrolled – components outside the enterprise and not under the direct control of the enterprise 28 March 2018 73
  • 74.
    Why Create AConceptual Data Fabric Model? • Conceptual data fabric model represents a rich picture of the enterprise’s data context − Embodies an idealised and target data view • Detailed visualisations represent information more effectively than lengthy narrative text − More easily understood and engaged with • Show relationships, interactions • Capture complexity easily • Provides a more concise illustration of state • Better tool to elicit information • Gaps, errors and omissions more easily identified • Assists informed discussions • Evolve and refine rich picture representations of as-in and to-be situations March 28, 2018 74
  • 75.
    Identify and AssessAny Cross-Border Data Flows • The EDPS has produced guidance on international data transfers – see https://edps.europa.eu/data-protection/data-protection/reference-library/international- transfers_en • Transfers to any of the 28 EU member states (the status of the UK after BREXIT is not currently defined) are still allowed as well as to Norway, Liechtenstein and Iceland, that is countries that are members of the European Economic Area (EEA) • The European Commission has Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay to have an adequate level of protection so data transfers to these countries are also possible • In February 2016, after the previous Safe Harbour scheme was rendered invalid, the European Commission and the United States agreed on a framework for transatlantic data transfers called the EU-U.S. Privacy Shield • The European Commission officially deemed this to be adequate in July 2016 – see http://europa.eu/rapid/press-release_IP-16-2461_en.htm • In the absence of adequacy decisions for particular countries you should use proper and suitable safeguards such as Binding Corporate Rules (BCRs) and contracts. BCRs are described in Article 47 of GDPR and in the working document created by the Article 29 Working Party Elements and Principles to be Found in Binding Corporate Rules (BCR) http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48798 March 28, 2018 75
  • 76.
    Binding Corporate Rules(BCR) • Any BCRs must be legally binding and must specify clearly the duties and responsibilities of each participating member of the group of undertakings or group of enterprises engaged in a joint economic activity including their employees. BCRs must apply to every member of the group • The group of undertakings can include international organisations, business alliances, joint ventures, outsourcing arrangement, or shared economic activities • The BCR should cover: − Structure and members of the group sharing the joint economic activity − Contact details of overall group and of each member − Contact details for DPO function of each member − Details on data protection training for staff with access to personal data − Obligations towards the relevant supervisory authorities − The tasks of any DPO or other business function responsible with compliance monitoring. − Numbers or and details on the data transfers including the data being transferred − Purpose of the data transfers − Processing perform by each member of the group − Legally binding obligations of each member towards one another and towards the persons whose data is being processed − Statement of liability of data controller or data processor in EU with regards to breaches of the BCRs by any member outside the EU − Persons rights, the ways to exercise those right including the right to complain − Provision of information on the BCRs towards persons to meet obligations, duties and rights of information of the GDPR − Complaint procedures and complaint handling − Data protection audits including scope and frequency and the methods of correction to protect persons’ rights − Application of general data processing principles and generally accepted privacy principles March 28, 2018 76
  • 77.
    Binding Corporate Rules(BCR) • Outsourcing review activity should also include: − Review all external data processing arrangements, including data storage and use of external applications, that store personal data − Determine the GDPR compliance of these processing arrangements and consider rationalising suppliers − Review the contracts and agreements associated with these arrangements − Update the agreements to include GDPR-specific details − Review and update supplier selection and procurement processes to include GDPR-specific requirements in selection factors and in new service contracts March 28, 2018 77
  • 78.
    Prepare for PersonsExercising Their GDPR Rights • The operation of GDPR will give rise to the need to develop, implement and operate a number of business processes and associated standard operating procedures to implement the rights of persons under GDPR • The inventory of these processes includes: 1. Request Tracking 2. Consent and Consent Recording and Tracking 3. Consent Withdrawal 4. Access to Data 5. Data Rectification 6. Restriction of Processing 7. Data Objection 8. Profiling Objection 9. Data Erasure 10. Data Portability 11. Complaint Handling 12. Personal Data Breach Notification 13. Person Data Breach Notification 14. Record of Audits of Third-Party Data Processors • This is lengthy list of processes • Their definition, implementation and operation has the potential to be onerous March 28, 2018 78
  • 79.
    Generalised Information LifecycleAnd GDPR • To achieve compliance with GDPR, the lifecycles of personal data processes should be documented and formalised • In particular data archival, data retention and data deletion – stages in the information lifecycle that are currently infrequently not handled well, if at all – need to be implemented March 28, 2018 79 Enter, Create, Acquire, Derive, Update, Integrate, Capture Secure, Store, Replicate and Distribute Preserve, Protect and Recover Archive and Recall Delete/Remove Implement Underlying Technology Architect, Budget, Plan, Design and Specify Present, Report, Analyse, Model
  • 80.
    Information Lifecycle AndGDPR • Architect, Budget, Plan, Design and Specify - This relates to the design and specification of the data storage and management and their supporting processes. This establishes the data management framework • Implement Underlying Technology - This is concerned with implementing the data-related hardware and software technology components. This relates to database components, data storage hardware, backup and recovery software, monitoring and control software and other items • Enter, Create, Acquire, Derive, Update, Integrate, Capture - This stage is where data originated, such as data entry or data capture and acquired from other systems or sources • Secure, Store, Replicate and Distribute - In this stage, data is stored with appropriate security and access controls including data access and update audit. It may be replicated to other applications and distributed • Present, Report, Analyse, Model - This stage is concerned with the presentation of information, the generation of reports and analysis and the created of derived information • Preserve, Protect and Recover - This stage relates to the management of data in terms of backup, recovery and retention/preservation • Archive and Recall - This stage is where information that is no longer active but still required in archived to secondary data storage platforms and from which the information can be recovered if required • Delete/Remove - The stage is concerned with the deletion of data that cannot or does not need to be retained any longer. Data has to be able to be disposed of in a managed, systematic and auditable way • Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund - This is not a single stage but a set of processes and procedures that cross all stages and is concerned with ensuring that the processes associated with each of the lifestyle stages are operated correctly and that data assurance, quality and governance procedures exist and are operated March 28, 2018 80
  • 81.
    Map GDPR ProcessesAnd Their Impacts To Information Lifecycle March 28, 2018 81 Architect, Budget, Plan, Design and Specify Implement Underlying Technology Enter, Create, Acquire, Derive, Update, Integrate, Capture Secure, Store, Replicate and Distribute Present, Report, Analyse, Model Preserve, Protect and Recover Archive and Recall Delete/ Remove Define, Design, Implement, Measure, Manage, Monitor, Control, Staff, Train and Administer, Standards, Governance, Fund Request Tracking X X X X Consent and Consent Recording and Tracking X X X X X X X Consent Withdrawal X X X X X X X Access to Data X X X X X X X Data Rectification X X X X X X X Restriction of Processing X X X X X X X Data Objection X X X X X X X Profiling Objection X X X X X X X Data Erasure X X X X X X X X Data Portability X X X X X X X Complaint Handling X X X X Personal Data Breach Notification X X X X Person Data Breach Notification X X X X Record of Audits of Third- Party Data Processors X X X X
  • 82.
    Request Tracking Facility– Sample Facility Required March 28, 2018 82 Information Item Description Date and Time Request Received The date and time that the request is received from the individual/authorised entity Received By The person of business function who logged the request Source The source of the request Request Type The type of the request Priority A priority assigned to the request Request Details A description of the request Requester Contacted for Clarification A flag indicating if the requester needs to be or was contacted to clarification Clarification Received Notes on clarification received Request Reviewed and Approved for Processing A flag indicating that the request contains sufficient details to allow it to be processed Date Request Processing Started The date that formal response processing started. The due date is calculated from this date, based on the request type Date Request Response Due The due date of the response Business Functions Affected by Request A list of business functions within the organisation affected by the request Third Parties Affected by Request A list of third-parties within the organisation affected by the request Request Sent to Business Functions <N> Details on the request sent to the business function, date and time, person, details of request, date due, date received, clarification required and received. This will be repeated for each affected business function. There will be a sub workflow for each business function Request Sent to Third Party <N> Details on the request sent to the third party, date and time, person, details of request, date due, date received, clarification required and received. This will be repeated for each affected third party. There will be a sub workflow for each business function Response Reviewed Date and Time The date and time that the response is received and collated Response Reviewed By The person who reviewed the response Response Redaction Required A flag indicating that the response needs to be redacted before it is issued to the requester Response Redaction Notes Notes on the nature of and reason for the redaction of the response Response Redaction Completed By The person who completed the redaction Response Redaction Reviewed By The person who reviewed the redaction Response Redaction Reviewed Date and Time The date and time the redaction was reviewed and approved Response Release Authorised By The person who authorise the release of the response Date and Time Response Issued The date and time the response was issued Response The response or details on where the response is stored Response Covering Communication The covering communication that accompanied the response
  • 83.
    Prepare For AData Breach • At a high-level, the activities involved in this include: − Identify Supervisory Authority contact details − Document a list of breach scenarios and identify steps to be performed − Create draft breach notifications including Supervisory Authority and personal contacts − Document breach management process including roles and responsibilities March 28, 2018 83
  • 84.
    Approaches To AchievingCompliance • The owner of the business processes where personal data is collected and processed is responsible for compliance − The DPO is not responsible for compliance − The DPO assists with compliance − So the organisation should formally appoint business process owners − These business process owners should conduct privacy impact and risk assessments regularly • Risk management plays a large part of achieving compliance with GDPR − Business process owners should be able to informed decisions on how to address risks in their data processing processes within the processes for which they are responsible − Risks can be mitigated until the residual risk is within tolerable limits • Achieving compliance with GDPR should, in the first instance, focus on personal simplification, reduction and minimising the amount of personal data you collect and process, is possible − Consider moving to excluding access to personal data by default. − Review any processing performed by third-parties, any outsourcing arrangements or use of cloud systems or platforms • Review your sourcing and supplier selection factors and ensure they explicitly include security controls, privacy management and privacy control functions, certifications and approach to auditing • Note that mobile devices come under the ambit of GDPR if they are used for the processing of personal data − Data breaches occur when mobile devices are lost, resulting in unintended loss of control over personal data − A mobile device management facility including the ability to remotely wipe lost devices might be required − Previous Bring Your Own Device (BYOD) policies might need to be revisited employees do not consent to his personal device being remotely monitored and controlled March 28, 2018 84
  • 85.
    Approaches To AchievingCompliance • GDPR compliance cost could be substantial • PwC have conducted a number of surveys on the GDPR preparations and estimated budgets for 300 large organisations in the UK, US and Japan − The most recent survey is from July 2017 –see https://www.pwc.com/us/en/increasing-it- effectiveness/publications/general-data-protection-regulation-gdpr- budgets.html • Highlights − In July 2017, only 11% of executives surveyed said their companies have now finished operationalised preparations − Of the companies who said they have finished preparations, 88% reported spending more than USD 1 million on GDPR preparations and 40% reported spending more than USD 10 million − Among all companies, 60% said they plan to spend at least USD 1 million on GDPR preparation projects and 12% plan to spend more than USD 10 million March 28, 2018 85
  • 86.
    Survey Of StateOf GDPR Compliance – Preparation Status March 28, 2018 86
  • 87.
    Survey Of StateOf GDPR Compliance – Estimated Budget March 28, 2018 87
  • 88.
    IT Systems AndGDPR Compliance • There are multiple IT systems, each of which will store personal data − Personal data may also exist in the form of documents scanned into document management systems or documents generated and store in electronic folders or in email systems. • The same person will have different sets of data stored across these systems − The person may not uniquely identifiable across these systems − There may be variations in the spelling of names and addresses and different data formats March 28, 2018 88
  • 89.
    High-Level Representation OfIT System Landscape And Personal Data March 28, 2018 89 Operational IT System 1 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Operational IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Scanned Documents External Documents Document Store Reporting IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Cloud Data Store
  • 90.
    GDPR And PersonalData Landscape March 28, 2018 90 Personal Data Landscape Consent Fairness Lawful Transparency Retention and Deletion Anonymisation Pseudonymisation Accuracy and Currency Security Legitimate Purpose Accountability Minimisation Access Policies Appropriate Usage Data Lifecycle Data Ownership Data Governance
  • 91.
    GDPR And PersonalData Landscape • GDPR now imposes strict and severe legislative constraints on the organisation’s personal data landscape March 28, 2018 91
  • 92.
    IT System ComplianceOptions • Option 1: Modify each operational IT system to hold additional information such as GDPR flag indicating that the data is personal and comes under the scope of GDPR, retention details, consent details, deletion details − Potentially very expensive and time consuming − If the IT systems are sourced from third-parties these organisations may over time update their systems to allow the additional GDPR-related information to be stored • Option 2: Implement a separate system that takes data from the operational systems and that create a single consolidated view of personal data across these systems − Involves developing or sourcing a software system to provide this consolidated personal data management functionality − One of the issues with having a separate system is that changes that occur in the underlying operational systems have to be reflected in it • Both of these solution approaches just provide containers for GDPR- related information on personal data to be stored − That information has to be defined and completed and subsequently maintained March 28, 2018 92
  • 93.
    GDPR Related Metadata •For each item of personal data collected after GDPR goes live and held in an application or stored outside IT systems, there is a need to maintain a set of GDPR-related metadata • Set of metadata will depend on the approach to handling the GDPR compliance processes • The metadata can be stored within each application or stored in a separate personal information management tool or be shared between them • The metadata can include: March 28, 2018 93 GDPR Metadata Description Personal Information Flag Flag indicating that the field contains personal data Sensitive Information Flag Flag indicating that the field contains sensitive personal data Retention Date The date up to which the information can be retained and after which it must be deleted Consent Identifier A link to where consent about the collection and processing of this data is held Consent Withdrawal Flag A flag indicating that consent to use the data has been withdrawn Data Erasure Flag A flag indicating that the data was erased GDPR Tracking Identifier Link to case management facility for activity relating to this field Restriction of Processing Flag A flag indicating that the processing of the data is restricted
  • 94.
    Consolidated Personal DataManagement • Implementation option 1 involves some form of Consolidated Personal Data Management that contains details on personal data being held in all organisation IT systems • Provides a centralised facility to operate GDPR without the need to make substantial changes to existing IT systems March 28, 2018 94 IT System 1 Person Personal Data Field 1 GDPR Details Personal Data Field 2 GDPR Metadzta Person 1 Person 2 Person 3 Data Store IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Consolidated Personal Data Management
  • 95.
    Implementing Pseudonymisation • Pseudonymisationis concerned with removing the ability to link data to a person • Direct data access is replaced with indirect data access that requires some form of key, held separately from the personal data, to translate personal data into a usable format • Implementing pseudonymisation is complex • Remember - pseudonymisation is not a mandatory GDPR requirement March 28, 2018 95
  • 96.
    Pseudonymisation • Pseudonymisation iswidely used for research data containing personal information (such as medical trials) − https://www.openpseudonymiser.org/ • Data volumes very small and pseudonymisation performed in batch • Approach is not really suitable or scalable for a an operational business personal data processing environment March 28, 2018 96
  • 97.
    Encryption And KeyPairs • Based on PKI (Public Key Infrastructure) • Based on Key Pairs • Each data sender and receiver gets a pair of keys: − Public Key − Private Key • The public keys are published and the private keys are kept secret • Communications involve only public keys and no private key is ever transmitted or shared • Anyone can encrypt with the public key, only one person can decrypt with the private key March 28, 2018 97
  • 98.
    Key Pairs March 28,2018 98 Data Application Data Store Public Key of Data Application Private Key of Data Application Public Key of Data Store Private Key of Data Store Data Application Knows This Data Store Knows This
  • 99.
    Pseudonymisation And Key-BasedEncryption • Pseudonymisation can be implemented using a single key pair or two key pairs • Single key pair − Encryption facility encrypts data using public key and decrypts using private key − Public and private keys are kept separate • Two key pairs − Data is encrypted twice – using the public key of the store and the private key of the application − Encryption facility encrypts data using public key of data store and the private key of data application and decrypts using private key − Public and private keys are kept separate March 28, 2018 99
  • 100.
    Pseudonymisation And SingleKey Pair March 28, 2018 100 IT System Person Personal Data Field 1 Personal Data Field 2 Person 1 Data 1 P 1 Data 2 P 1 Person 2 Data 1 P 2 Data 2 P 2 Person 3 Data 1 P 3 Personal Data Lose Or Allow Access To This And Personal Data Can Be Read By Anyone IT System Person Personal Data Field 1 Personal Data Field 2 6AC1B12B A51B6F4B E78A52F3 A27E3B3A 6E4DA618 CB9FC8AE 4F5C7F63 925A58D2 Personal Data Direct Data Access – No Encryption 1 Lose Or Allow Access To This And Personal Data Cannot Be Read With Ability to Decrypt 2 1. System Retrieves Encryption Public Key 2. Encrypted Data Written Using Public Key 3. Encrypted Data Decrypted Using Private Key 4. Decrypted Data Available for Use Encryption/ Decryption Layer 3 4 Direct Data Access – Encryption
  • 101.
    Pseudonymisation Using SeparateEncryption • This involves using application-level encryption combined with Data Store Key − Data Application generates random characters − Data Application encrypts data using random character as key − Data Application encrypts random characters with Data Store public key − Combine encrypted data and encrypted key as data sent to Data Store March 28, 2018 101 1 Public Key Storeb1952360d460d463eefb9d7a a3b306668b3f5e36a064e4256 b546e6fdca93ee7 2 188a955f463ab8339ee7843ce 5f09a76ed702a457890186c74 2b2706e7ab0e63d51ebd8b19 f13e091182137f63856978 3 = +4
  • 102.
    Key Encryption WithKey Pairs March 28, 2018 102 Encrypted with Public Key of Data Store Encrypted with Private Key of Data Application Data Applicatio n Data StoreData Read and Write Layer Decrypted with Private Key of Data Store Decrypted with Public Key of Data Application Write Data Read Data Unencrypt ed Data Decrypted Data
  • 103.
    Pseudonymisation With SeparateKeys For Each Individual Person - Write March 28, 2018 103 Person Identifier Person Public Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Person Identifier Person Private Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Data Application Public Key of Data Application Private Key of Data Application Data Store Write Data for Person 1 Step 1 Encrypt With Person 1 Public Key Step 2 Encrypt With Application Private Key Encrypted Data Decrypted Data Write
  • 104.
    Pseudonymisation With SeparateKeys For Each Individual Person - Read March 28, 2018 104 Person Identifier Person Public Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Person Identifier Person Private Key 6AC1B12B A27E3B3A 4F5C7F63 A51B6F4B Data Application Public Key of Data Application Private Key of Data Application Data Store Read Data for Person 1 Step 2 Encrypt With Data Application Public Key Step 3 Decrypt With Person 1 Private Key Encrypted Data Step 1 Request Data for Person 1 Decrypted Data Read
  • 105.
    Pseudonymisation And DataBreaches • Pseudonymisation means removing the direct link between data and its attribution to a specific individual − Direct data access is replaced with indirect data access that requires some form of key, held separately from the personal data, to translate personal data into a usable format − Adds a layer of complexity, time and expense to person identification − There is still an indirect link so the data is usable − Data is not being anonymised • There are many (complex) approaches to pseudonymisation • Pseudonymisation provides an extra layer of security − It does not in itself stop personal data being lost − It just reduces the likelihood that lost or leaked personal data can be read – both the encrypted data and the means to decrypt it must be lost or leaked March 28, 2018 105
  • 106.
    Implementing Pseudonymisation • Potentiallycomplex and expensive, depending on the implementation approach − Pseudonymise at the level of the database of all data − Pseudonymise at the level of the individual data record • Multiple implementation options and approaches − Use encryption facilities provided by data store (such as database software) − Using single key pair encryption for all data − Use two key pairs encryption for all data − Using single key pair encryption for each data record − Use two key pairs encryption for each data record March 28, 2018 106
  • 107.
    How Far ToPseudonymise? • What identifies a person − Name − Address − Sex on its own does not identify a person uniquely − Sex + Date Of Birth could − Sex + Date Of Birth + City could further − Image or video recording − Recording of telephone call March 28, 2018 107
  • 108.
    GDPR Compliance Management •separate system approach can be extended to provide additional facilities for some or all of: − Define and manage business processes that use personal data − Log requests of various types and their processing − Continuously monitor operational systems to identify changes in personal data − Log details on personal data audits and DPIAs − Data breach management − Personal data access portal − Case management for GDPR work with workflow and tracking • There are software vendors that offer such compliance solutions that provide some or all of the range of functions − However, the market is still embryonic and the optimum approach to achieving GDPR compliance is still uncertain − Investing in such technologies now may be premature − There are vendors and developers of existing software products classified as Master Data Management (MDM) or Data Integration Hubs that offer similar facilities that may also be used March 28, 2018 108
  • 109.
    GDPR Compliance Management •Separate compliance management system can implement required operational processes • Can include functions of Consolidated Personal Data Management to hold details on where personal data is held March 28, 2018 109 IT System 1 Person Personal Data Field 1 GDPR Details Personal Data Field 2 GDPR Details Person 1 Person 2 Person 3 Data Store IT System 2 Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 Data Store Person Personal Data Field 1 Personal Data Field 2 Person 1 Person 2 Person 3 GDPR Compliance Management Business Process 1 Business Process 2 Request Manager
  • 110.
    GDPR-Related Software AndVendors • There are very many software vendors (claiming to) offer solutions that offer GDPR-related functionality across the GDPR compliance spectrum – following pages contain a partial list of vendors − Privacy Program Management – solutions designed specifically for the privacy office • Assessment managers tend to automate different functions of a privacy program, such as operationalising PIAs, locating risk gaps, demonstrating compliance, and helping privacy officers scale complex tasks requiring spreadsheets, data entry, and reporting • Consent managers help organisations collect, track, demonstrate and manage users’ consent • Data mapping solutions can come in manual or automated form and help organisations determine data flows throughout the enterprise • Incident response solutions help companies respond to a data breach incident by providing information to relevant stakeholders of what was compromised and what notification obligations must be met • Privacy information managers provide organisations with extensive and often automated information on the latest privacy laws around the world • Website scanning is a service that primarily checks a client’s website in order to determine what cookies, beacons and other trackers are embedded in order to help ensure compliance with various cookie laws and other regulations − Enterprise Privacy Management – solutions designed to service the needs of the privacy office alongside the overall business needs of an organisation • Activity monitoring helps organisations determine who has access to personal data and when it is being accessed or processed. These solutions often come with controls to help manage activity • Data discovery tends to be an automated technology that helps organisations determine and classify what kind of personal data they possess to help manage privacy risk and compliance • De-identification/pseudonymity solutions help data scientists, researchers and other stakeholders derive value from datasets without compromising the privacy of the data subjects in a given dataset • Enterprise communications are solutions that help organisations communicate internally in a secure way in order to avoid embarrassing or dangerous leaks of employee communications March 28, 2018 110
  • 111.
    GDPR-Related Software AndVendors - 1 March 28, 2018 111 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning 2B Advice https://www.2b- advice.com/ ● 3PHealth https://www.3phealth.com/ ● ● Aircloak http://www.aircloak.com/ ● Alation https://alation.com/ ● ● ● Anonos https://www.anonos.com/ ● Arcad http://arcadsoftware.com/ ● Audito https://www.audito.fr/ ● Automated Intelligence https://www.automated- intelligence.com/ ● ● ● AvePoint https://www.avepoint.com/ ● ● ● ● Baycloud https://baycloud.com/ ● ● BigID https://bigid.com/ ● ● ● BitSight https://www.bitsighttech.co m/ ● Bloomberg Law https://www.bna.com/priva cy-data-security/ ● BMC http://www.bmc.com/it- solutions/gdpr- compliance.html ● ● ● Chino.io https://chino.io/ ● CipherCloud https://www.ciphercloud.co m/ ● ● ● Clearswift https://www.clearswift.com / ● ● ●
  • 112.
    GDPR-Related Software AndVendors - 2 March 28, 2018 112 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Clearwater Compliance https://www.clearswift.com / ● ● Cognigo https://cognigo.com/ Collibra https://www.collibra.com/ ● ● CompliancePoint http://compliancepoint.com / ● ● ● CompLions-GRC BV https://www.complions- grc.nl/ ● ● ● ● ● Consentric https://consentric.io/ ● Consentua http://www.consentua.com/ ● Crownpeak https://www.crownpeak.co m/ ● Cryptzone https://www.cryptzone.com / ● CSR https://csrps.com/ ● Cybernetica https://sharemind.cyber.ee/ ● D.Day Labs http://www.dataprotectionp eople.com/datawise/ ● ● ● ● Data Protection People https://www.dataguidance.c om/ ● DataGravity https://www.dataguise.com / ● ● ● DataGuidance https://www.datastreams.io / ● Dataguise http://www.datumstrategy.c om/gdpr-solution ● ● Datastreams.io http://de-id.com/ ● ● ● Datum https://www.didomi.io/en/ DE-ID Data Corp https://www.2b- advice.com/ ● Didomi https://www.3phealth.com/ ● ● ●
  • 113.
    GDPR-Related Software AndVendors - 3 March 28, 2018 113 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning DLP Assured http://www.dlp- assured.com/ ● ● DocEx https://www.docex.com/ ● ● ● DPOrganizer https://www.dporganizer.co m/ ● ● DSS Consulting Ltd. http://www.dss.hu/en/ ● ● ● ● ● ● Egnyte https://www.egnyte.com/ ● ● ● Ensighten https://www.ensighten.com / ● ● EPI-USE Labs https://www.epiuselabs.co m/ ● ● EuroComply http://www.eurocomply.co m/ ● Evidon https://www.evidon.com/ ● ● Exonar https://www.exonar.com/ ● ● ● Fastweb http://www.fastweb.it/corp orate/ ● Frama Systems India https://www.frama.com/en/ ● Global IDs http://www.globalids.com/ ● ● ● HaloPrivacy http://www.haloprivacy.com / ● Heliometric https://heliometrics.net/ HexaTier http://www.hexatier.com/ ● ● ●
  • 114.
    GDPR-Related Software AndVendors - 4 March 28, 2018 114 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Hytrust/DataGravity https://www.hytrust.com/ ● ● Immuta https://www.immuta.com/ ● ● ● ● Indica https://indica.nl/ ● ● Informatica https://www.informatica.co m/ ● ● ● ● ● Information Builders https://www.informationbui lders.com/ ● Integris https://integris.io/ ● ● ● ● ● ISMS.online https://www.isms.online/ ● ● iWelcome https://www.iwelcome.com / ● Kroll https://www.kroll.com/en- us/default.aspx ● ● Kryptowire https://www.kryptowire.co m/ ● ● The Media Trust http://www.mentisoftware.c om/ ● ● ● ● Mentis https://www.metacomplianc e.com/products/policy- management/ ● ● ● MetaCompliance https://minereye.com/ ● ● ● Miner Eye https://www.nymity.com/ ● ● ● Nymity https://www.obsequiosoftw are.com/ ● ● ● Obsequio Software https://onetrust.com/ ● OneTrust https://www.opus.com/ ● ● ● ● ● ● Opus https://www.pactsafe.com/f eatures ● ● ● PactSafe http://www.dlp- assured.com/ ●
  • 115.
    GDPR-Related Software AndVendors - 5 March 28, 2018 115 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De- identification/ Pseudonymity Enterprise Communicatio ns Incident Response Privacy Information Manager Website Scanning PlanetVerify https://www.planetverify.co m/ ● Port.im https://www.port.im/ ● ● ● ● ● ● Predesto https://www.predesto.com/ ● ● Prifender http://www.prifender.com/ ● ● ● Prince Group NL http://www.princegroup.nl/ ● Privacera http://www.privacera.com/ ● ● Privacy Analytics https://privacy- analytics.com/ ● Privacy Company https://www.privacycompan y.eu/ ● ● ● Privacy Lab https://www.privacylab.it/ ● ● ● ● PrivacyCheq http://www.privacycheq.co m/ ● PrivacyPerfect https://www.privacyperfect. com/ ● ● Privaon https://privaon.com/ ● priVapp https://privapp.com/ ● Privitar https://www.privitar.com/ ● Proofpoint https://www.proofpoint.co m/ ● ● ● ● Protegrity http://www.protegrity.com/ ● Protenus https://www.protenus.com/ ● ● ●
  • 116.
    GDPR-Related Software AndVendors - 6 March 28, 2018 116 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning Proteus-Cyber Ltd https://www.protenus.com/ ● ● ● ● ● ● Qixium https://qixium.com/ ● ● ● Radar https://www.radarfirst.com/ ● ● Raptor Compliance https://www.raptorcomplia nce.com/ ● ● ● Resilient https://www.raptorcomplia nce.com/en/ ● Rever http://www.rever.eu/ ● ● RISMA Systems http://rismasystems.com/ ● ● SafeHarbour BV https://safeharbour.nl/ ● ● ● SAS Global Data Management https://www.sas.com/en_us /solutions/personal-data- protection.html ● ● ● SecuPi https://www.secupi.com/ ● ● ● ● SecureB2B https://www.secureb2b.co.u k/ ● ● Security Scorecard https://securityscorecard.co m/ ● Senzing https://senzing.com/ ● ● ● ● Signatu https://signatu.com/ ● ● ● SkyHigh https://www.skyhighnetwor ks.com/ ● ● ● Smartpipe Solutions http://www.smartpipesoluti ons.com/ ●
  • 117.
    GDPR-Related Software AndVendors - 7 March 28, 2018 117 Activity Monitoring Assessment Manager Consent Manager Data Discovery Data Mapping De-identification/ Pseudonymity Enterprise Communications Incident Response Privacy Information Manager Website Scanning SoftwareAG https://www.softwareag.co m/ ● Solidatus https://www.solidatus.com/ ● ● ● SophiMail http://www.sophimail.com/ ● Statice https://www.statice.io/ ● Structure Systems https://www.structure.syste ms/ ● ● ● Sytorus https://sytorus.com/Privacy Engine ● Talend https://www.talend.com/pr oducts/metadata-manager/ ● ● Tealium https://tealium.com/ ● ● ● Thomson Reuters https://www.themediatrust. com/ ● Tresorit https://www.thomsonreuter s.ca/en/data-privacy- advisor.html ● ● Trunomi https://www.tresorit.com/ ● TrustArc https://www.tresorit.com/ ● ● ● ● Trust-Hub https://www.trustarc.com/ ● ● ● USoft https://www.trust-hub.com/ ● Varonis https://www.usoft.com/ ● ● ● Veritas https://www.varonis.com/ ● ● ● ● Virtru https://www.veritas.com/ ● Vysk https://www.virtru.com/ ● Whistic https://www.vysk.com/ ● Wickr https://www.whistic.com/ ● WireWheel.io https://www.wickr.com/ ● ● ● ● ● Wizuda https://www.wirewheel.io/ ● ● ZLTech https://wizuda.com/ ● ●
  • 118.
    GDPR-Related Software AndVendors • Very crowded market with many small vendors • Existing vendors are claiming GDPR functionality for their products • Not all software will be available in all countries • There will be market consolidation and reduction as the real needs of organisations looking to achieve GDPR compliance become more well defined over time March 28, 2018 118
  • 119.
    Beware Of Snake-OilSalesmen Peddling Quick-Win Panaceas To GDPR Compliance March 28, 2018 119 • Don’t be confused by approaches to implementation or operation (the How) with the complexity of what has to be done (the What) and how it needs to operate in the long term
  • 120.
  • 121.
    GDPR And Outsourcing •Outsourcing of personal data processing occurs in many ways and is quite pervasive. It includes any third-party IT system or service provider that is located outside the organisation that is used to store and process personal data • Outsourcing includes: − Processing of personal data on behalf of the organisation (BPO - Business Process Outsourcing) − Provides information technology services (ITO – Information Technology Outsourcing) − Specific outsourcing arrangements such as HRO – Human Resources Outsourcing, LPO - Legal Process Outsourcing, Outsourced Document Processing, Contact Centre Outsourcing − Social media used to communicate with persons − Marketing and contact systems − External document and data storage − External applications (hosted, cloud) March 28, 2018 121
  • 122.
    GDPR And Outsourcing •GDPR CHAPTER V Transfers of personal data to third countries or international organisations Articles 44-50 and recitals 111-116 covers the topic of outsourcing • Includes details on Binding Corporate Rules (BCRs) − Also covered in recitals 107-110 March 28, 2018 122
  • 123.
    GDPR And Outsourcing •The impact of GDPR on outsourcing depends on factors such as: − The type of personal data − The type of processing performed on the personal data − How the personal data is accessed − Whether personal data, either original or derived, is stored on systems located in the outsourcing undertaking • The same GDPR principles regarding areas such as right of access, right of erasure and data portability apply to personal data being held in the outsourcing undertaking as apply to the organisation that has entered into the outsourcing arrangement March 28, 2018 123
  • 124.
    GDPR And Outsourcing •The ultimate responsibility to comply with the GDPR ultimately lies with the organisation relying on these third parties • There are existing standards and approaches that can be adopted for use with GDPR compliance − There is no need to develop new GDPR-specific standards and approaches • Service Organisation Controls (SOC) originally related to auditing of financial transactions performed by third-parties and the controls in place. Over time, these have been extended to cover the operation of the service and its compliance with security, availability, reliability, confidentiality and privacy. This evolution consisted of: − 1993 – Statement on Auditing Standards (SAS) No. 70, Service Organizations − 2008 – Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy − 2010 – Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization − 2011 – International Auditing and Assurance Standards Board (IAASB) issued International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization − 2015 – Updated Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy − 2016 – Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation March 28, 2018 124
  • 125.
    GDPR And Outsourcing •These standards have been developed by American Institute of Certified Public Accountants (AICPA - https://www.aicpa.org/ ) and International Auditing and Assurance Standards Board (IAASB - https://www.iaasb.org/ ) • While they originated from an auditing background, they are more widely and generally applicable • The material can be reused and applied when drafting service agreements with third-party suppliers and in defining the controls to be applied and audited. • There are five core Trust Services Principles: 1. Security -The system is protected against unauthorised access, use, or modification 2. Availability - The system is available for operation and use as committed or agreed 3. Processing Integrity - System processing is complete, valid, accurate, timely, and authorised 4. Confidentiality - Information designated as confidential is protected as committed or agreed 5. Privacy – This applies the generally accepted privacy principles (GAPP) • The privacy principle addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) − This closely mirrors the privacy principles of GDPR March 28, 2018 125
  • 126.
    GDPR And Outsourcing •Generally Accepted Privacy Principles consists of 10 principles that are very similar to GDPR: 1. Management - The entity defines documents, communicates, and assigns accountability for its privacy policies and procedures 2. Notice - The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed 3. Choice and Consent - The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information 4. Collection - The entity collects personal information only for the purposes identified in the notice 5. Use and Retention - The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfil the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information 6. Access - The entity provides individuals with access to their personal information for re-view and update 7. Disclosure to Third Parties - The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual 8. Security for Privacy - The entity protects personal information against unauthorised access (both physical and logical) 9. Quality - The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice 10. Monitoring and Enforcement - The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes March 28, 2018 126
  • 127.
    March 28, 2018 127 ExternalNetwork Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Outsourcing Arrangement 1 Desktop Devices Extension of Organisation Network to Provider of Outsourced Services 1 2 2 3 4 5 6 7 8 9 Internal Network Of Provider of Outsourced Services 10
  • 128.
    GDPR and Outsourcing– High Level Representation Elements 1. Outsourcing Organisation – this is the organisation that is outsourcing the delivery of services to the service provider 2. Desktop Devices – these are desktop devices that access IT systems and applications that contain personal data 3. Application Servers – this represents the set of infrastructure and IT systems and applications that store and process personal data 4. External Network Access Infrastructure – this is the set of infrastructure – external and internal firewalls, routers, load balancers, proxy servers, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, remote access facilities such as VPN (Virtual Private Network) – that comprise the external network access provision and control within both the Outsourcing Organisation and the Provider of Outsourced Services 5. Provider of Outsourced Services – this is the organisation providing the outsourced services to the Outsourcing Organisation 6. Outsourcing Arrangement 1 – this represents the outsourcing arrangement between the Provider of Outsourced Services and the Outsourcing Organisation 7. Extension of Organisation Network to Provider of Outsourced Services – this represents the facility or mechanism by which the Provider of Outsourced Services accesses personal data contained in or collected by Outsourcing Organisation. Personal data can remain within the Outsourcing Organisation and be accessed remotely or the data can be transferred to the Provider of Outsourced Services 8. Outsourcing Arrangement 2 – this represents another outsourcing arrangement the Provider of Outsourced Services has with another different client 9. Outsourcing Arrangement 3 – this represents another outsourcing arrangement the Provider of Outsourced Services has with another different client 10. Internal Network Of Provider of Outsourced Services – this represents the entire internal IT network of the Provider of Outsourced Services March 28, 2018 128
  • 129.
    Operating Option 1- Data Remains with Outsourcing Organisation and Accessed By Provider of Outsourced Services • In this operating option, the personal data remains within the network of the Outsourcing Organisation where it is accessed over a secure network connection (such as IPsec over a VPN) by the Provider of Outsourced Services March 28, 2018 129
  • 130.
    March 28, 2018130 External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Application Servers Desktop Devices Application Servers Internal Network Of Provider of Outsourced Services
  • 131.
    Operating Option 1- Data Remains with Outsourcing Organisation and Accessed By Provider of Outsourced Services • The specific factors in the operation of this configuration that affect GDPR compliance include: − The nature of the desktop device used to perform the access − The degree to which the access to the Outsourcing Organisation is controlled within the network of the Provider of Outsourced Services and how isolated the access arrangements are • The access device can be a standard PC or a thin client. With a standard PC, the access can be using software such as Citrix or a hosted desktop or a virtual desktop (VDI or Virtualised Desktop Infrastructure) • If the access is by a standard PC that have remote access to applications that contain personal data within the Outsourcing Organisation it is possible that data from these applications could be copied and pasted to local applications and then printed, copied or sent elsewhere unless this copying and pasting is disabled. Even if this is disabled, screenshots of the application screens containing personal data could be taken and stored locally • If the access is by a thin client then the data copying options are fewer. It would still be possible for data to be transcribed manually or photographs be taken of the application screens containing personal data • The personal data is being viewed at a distance by people outside the EU even though the network on which the applications containing the personal data remain within the EU. GDPR applies to this processing arrangement March 28, 2018 131
  • 132.
    Operating Option 2- Data Transferred from Outsourcing Organisation to Provider of Outsourced Services • In this operating option, the personal data is transferred to the Provider of Outsourced Services where it is processed and the results transferred back to the Outsourcing Organisation March 28, 2018 132
  • 133.
    March 28, 2018133 External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extension of Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services
  • 134.
    Information Technology Outsourcing(ITO) • Organisation application infrastructure located in service provider facility • Users within organisation access remotely located applications − The access device can be a standard PC or a thin client − With a standard PC, the access can be using software such as Citrix or a hosted desktop or a virtual desktop (VDI or Virtualised Desktop Infrastructure) March 28, 2018 134
  • 135.
    External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Outsourcing Arrangement1 Desktop Devices Extension of Organisation Network to Provider of Outsourced Services 1 2 2 3 4 5 6 7 8 9 Internal Network Of Provider of Outsourced Services 10 March 28, 2018 135
  • 136.
    External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extensionof Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services X X X X March 28, 2018 136
  • 137.
    Isolating Outsourcing OperationsWithin the Provider of Outsourced Services • The team working on the outsourcing arrangement with the Outsourcing Organisation should be isolated from other teams and vice versa • Access to personal data, irrespective of how the data is accessed, should be restricted using internal network and security controls March 28, 2018 137
  • 138.
    External Network Access Infrastructure Provider of Outsourced Services Outsourcing Organisation Application Servers Desktop Devices Desktop Devices Extensionof Organisation Network to Provider of Outsourced Services Application Servers External Network Access Infrastructure Internal Network Of Provider of Outsourced Services Interim Data Transfer and Storage Facility March 28, 2018 138
  • 139.
    Use of Third-PartyData Transfer Mechanisms • Third-party data transfer mechanisms are commonly used to transfer data between organisations • These mechanisms included externally hosted data storage and messaging queueing facilities such as Advanced Message Queuing Protocol (AMQP), (s)FTP and applications such as Dropbox • If personal data is being transferred using these mechanisms then the data transfer process and the temporary data storage platform GDPR applies to this data transfer arrangement March 28, 2018 139
  • 140.
    Data Security • Physicaldata security is required where the data is: − In Transit - When data is being transferred between system, application and infrastructure components such as over the network − At Rest – When data is being stored • Data should be protected when it is in both states • In particular, protecting data in transit is an essential part of the organisation’s overall data protection strategy • Always, at the very least, use SSL/TLS protocols when exchanging data between different locations • May want to isolate the entire communication channel between the two data end-points by using a virtual private network (VPN) • If data is being transferred for processing elsewhere then it should be encrypted using a standard such as PKI (Public Key Encryption) March 28, 2018 140
  • 141.
    Controls To AchieveGDPR Compliance Within Outsourcing Control Area Control Requirement Control Check • GDPR compliance is achieved using a combination of technology and business processes and associated controls March 28, 2018 141
  • 142.
    Control Area -Build And Maintain A Secure Network And Systems March 28, 2018 142 Control Area Control Requirement Control Check Build And Maintain A Secure Network And Systems Install And Maintain A Firewall Configuration To Protect Data Firewall And Router Configuration Standards Established And Implemented Firewall And Router Configurations Restrict Connections Between Untrusted Networks And Any System In The Personal Data Environment Direct Public Access Prohibited Between The Internet And Any System Component In The Personal Data Environment, Personal Firewall Software (Or Equivalent Functionality) Installed And Active On Any Portable Computing Devices (Including Company And/Or Employee-Owned) That Connect To The Internet When Outside The Network (For Example, Laptops Used By Employees), And Which Are Also Used To Access Personal Firewall Software (Or Equivalent Functionality) Configured To Specific Configuration Settings, Actively Running, And Not Alterable By Users Of Mobile And/Or Employee-Owned Devices? Security Policies And Operational Procedures For Managing Firewalls Documented, In Use And Known To All Affected Parties Do Not Use Vendor-Supplied Defaults For System Passwords And Other Security Parameters Vendor-Supplied Defaults Always Changed Before Installing A System On The Network Configuration Standards Developed For All System Components And Are They Consistent With Industry-Accepted System Hardening Standards Non-Console Administrative Access Encrypted An Inventory Maintained For Systems Components That Are In Scope, Including A List Of Hardware And Software Components And A Description Of Function/Use For Each Security Policies And Operational Procedures For Managing Vendor Defaults And Other Security Parameters For A Shared Hosting Provider, Your Systems Configured To Protect Each Entity’s (Your Customers’) Hosted Environment And Personal Data
  • 143.
    Control Area -Protect Personal Data March 28, 2018 143 Control Area Control Requirement Control Check Protect Personal Data Protect Stored Personal Data Data-Retention And Disposal Policies, Procedures, And Processes Implemented For Issuers And/Or Companies That Support Issuing Services And Store Sensitive Authentication Data Documented Business Justification For The Storage Of Sensitive Authentication Data Keys Used To Secure Stored Personal Data Protected Against Disclosure And Misuse All Key-Management Processes And Procedures Fully Documented And Implemented For Cryptographic Keys Used For Encryption Of Personal Data Security Policies And Operational Procedures For Protecting Stored Personal Data Encrypt Transmission Of Personal Data Across Open, Public Networks Strong Cryptography And Security Protocols Used To Safeguard Sensitive Personal Data During Transmission Over Open, Public Networks Security Policies And Operational Procedures For Encrypting Transmissions Of Personal Data
  • 144.
    Control Area -Maintain A Vulnerability Management Program March 28, 2018 144 Control Area Control Requirement Control Check Maintain A Vulnerability Management Program Protect All Systems Against Malware And Regularly Update Anti-Virus Software Or Programs Anti-Virus Software Deployed On All Systems Anti-Virus Mechanisms Maintained All Anti-Virus Mechanisms Actively Running And Unable To Be Disabled Or Altered By Users Security Policies And Operational Procedures For Protecting Systems Against Malware Documented, In Use And Known To All Affected Parties Develop And Maintain Secure Systems And Applications Process To Identify Security Vulnerabilities All System Components And Software Protected From Known Vulnerabilities By Installing Applicable Vendor-Supplied Security Patches Software- Development Processes Based On Industry Standards And/Or Best Practices Change Control Processes And Procedures Followed For All Changes To System Components Software-Development Processes Address Common Coding Vulnerabilities Security Policies And Operational Procedures For Developing And Maintaining Secure Systems And Applications Documented, In Use And Known To All Affected Parties
  • 145.
    Control Area -Implement Strong Access Control Measures March 28, 2018 145 Control Area Control Requirement Control Check Implement Strong Access Control Measures Restrict Access To Personal Data By Business Need To Know Access To System Components And Personal Data Limited To Only Those Individuals Whose Jobs Require Such Access Access Control System(S) In Place For System Components To Restrict Access Based On A User’s Need To Know, And Is It Set To “Deny All” Unless Specifically Allowed Security Policies And Operational Procedures For Restricting Access To Personal Data Documented, In Use And Known To All Affected Parties Identify And Authenticate Access To System Components Policies And Procedures For User Identification Management Controls Defined And In Place For Non-Consumer Users And Administrators On All System Components All Individual Non-Console Administrative Access And All Remote Access Secured Using Multi-Factor Authentication, Authentication Policies And Procedures Documented And Communicated To All Users Group, Shared, Or Generic Accounts, Passwords, Or Other Authentication Methods Prohibited Where Other Authentication Mechanisms Are Used (For Example, Physical Or Logical Security Tokens, Smart Cards, And Certificates, Etc.) Assigned To An Individual Account And Physical And/Or Logical Controls Must Be In Place To Ensure Only The Intended Account Can Use That Mechanism To Gain Access All Access To Any Database Containing Personal Data (Including Access By Applications, Administrators, And All Other Users) Restricted Security Policies And Operational Procedures For Id Identification And Authentication Documented, In Use And Known To All Affected Parties Restrict Physical Access To Personal Data Appropriate Facility Entry Controls In Place To Limit And Monitor Physical Access To Systems In The Personal Data Environment Procedures Developed To Easily Distinguish Between Onsite Personnel And Visitors Physical Access To Sensitive Areas Controlled For Onsite Personnel Visitor Identification And Access Handled All Media Physically Secured (Including But Not Limited To Computers, Removable Electronic Media, Paper Receipts, Paper Reports, And Faxes) Strict Control Maintained Over The Internal Or External Distribution Of Any Kind Of Media Strict Control Maintained Over The Storage And Accessibility Of Media All Media Destroyed When It Is No Longer Needed For Business Or Legal Reasons
  • 146.
    Control Area -Regularly Monitor And Test Networks March 28, 2018 146 Control Area Control Requirement Control Check Regularly Monitor And Test Networks Track And Monitor All Access To Network Resources And Personal Data Audit Trails Enabled And Active For System Components Automated Audit Trails Implemented For All System Components To Reconstruct Events Audit Trail Entries Recorded For All System Components For Each Event All Critical System Clocks And Times Synchronised Through Use Of Time Synchronisation Technology, And Is The Technology Kept Current Audit Trails Secured So They Cannot Be Altered Logs And Security Events For All System Components Reviewed To Identify Anomalies Or Suspicious Activity Audit Log Retention Policies And Procedures In Place And Do They Require That Logs Are Retained For At Least One Year, With A Minimum Of Three Months Immediately Available For Analysis (For Example, Online, Archived, Or Restorable From Backup) Process Implemented For The Timely Detection And Reporting Of Failures Of Critical Security Control Systems Failures Of Any Critical Security Controls Responded To In A Timely Manner Security Policies And Operational Procedures For Monitoring All Access To Network Resources And Personal Data Documented, In Use And Known To All Affected Parties Regularly Test Security Systems And Processes Processes Implemented For Detection And Identification Of Both Authorised And Unauthorised Wireless Access Points On A Quarterly Basis Internal And External Network Vulnerability Scans Run At Least Quarterly And After Any Significant Change In The Network (Such As New System Component Installations, Changes In Network Topology, Firewall Rule Modifications, Product Upgrades) Industry-Accepted Penetration Testing Approaches (For Example, NIST SP800-115) Used Intrusion-Detection And/Or Intrusion-Prevention Techniques That Detect And/Or Prevent Intrusions Into The Network In Place To Monitor All Traffic: Change-Detection Mechanism (For Example, File-Integrity Monitoring Tools) Deployed To Detect Unauthorised Modification (Including Changes, Additions, And Deletions) Of Critical System Files, Configuration Files, Or Content Files Security Policies And Operational Procedures For Security Monitoring And Testing Documented, In Use And Known To All Affected Parties
  • 147.
    Control Area -Maintain An Information Security Policy March 28, 2018 147 Control Area Control Requirement Control Check Maintain An Information Security Policy Maintain A Policy That Addresses Information Security For All Personnel Security Policy Established, Published, Maintained, And Disseminated To All Relevant Personnel An Annual Risk Assessment Process Implemented That Identifies Critical Assets, Threats, And Vulnerabilities And Results In A Formal, Documented Analysis Of Risk Usage Policies For Critical Technologies Developed To Define Proper Use Of These Technologies Security Policy And Procedures Clearly Define Information Security Responsibilities For All Personnel Responsibility For Information Security Formally Assigned To A Chief Security Officer Or Other Security-Knowledgeable Member Of Management Formal Security Awareness Program In Place To Make All Personnel Aware Of The Personal Data Security Policy And Procedures Potential Personnel Screened Prior To Hire To Minimise The Risk Of Attacks From Internal Sources Policies And Procedures Maintained And Implemented To Manage Service Providers With Whom Personal Data Is Shared, Or That Could Affect The Security Of Personal Data Acknowledge In Writing To Customers That They Are Responsible For The Security Of Personal Data The Service Provider Possesses Or Otherwise Stores, Processes, Or Transmits On Behalf Of The Customer, Or To The Extent That They Could Impact The Security Of The Customer’s Personal Data Environment Incident Response Plan Been Implemented In Preparation To Respond Immediately To A System Breach Reviews Performed At Least Quarterly To Confirm Personnel Are Following Security Policies And Operational Procedures
  • 148.
    Control Area -Shared Hosting Configuration March 28, 2018 148 Control Area Control Requirement Control Check Shared Hosting Configuration Shared Hosting Configuration Each Entity’s Hosted Environment And Data Protected Each Entity Run Processes That Have Access To Only That Entity’s Personal Data Environment, And Are These Application Processes Run Using The Unique ID Of The Entity Each Entity’s Access And Privileges Restricted To Its Own Personal Data Environment Logging And Audit Trails Enabled And Unique To Each Entity’s Personal Data Environment Written Policies And Processes Enabled To Provide For Timely Forensic Investigation In The Event Of A Compromise To Any Hosted Entity
  • 149.
    Outsourcing Compliance Standards •The IAASB principles and essential procedures for performing assurance engagements can be found in section INTERNATIONAL STANDARD ON ASSURANCE ENGAGEMENTS 3000 − http://www.ifrs.org.ua/wp-content/uploads/2014/11/2014-IAASB- HANDBOOK-VOLUME-2.pdf • The detailed Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy document − https://www.itm21st.com/Content/Documents/trustservicesprinciples- tsp100.pdf • The Service Organisation Controls (SOC) report is a formal review of the operation of these principles. More details on the SOC report covering Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy − https://www.isaca.org/Groups/Professional-English/isae- 3402/Documents/SOC2.pdf March 28, 2018 149
  • 150.
    Outsourcing Compliance Standards March28, 2018 150 Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organisation Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy Service Organisation Controls (SOC) Report on Controls at a Service Organisation Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy Defines Trust Standards Defines of Engagement Approach
  • 151.
    Article 29 WorkingParty Guidelines on Article 49 of GDPR • The Article 29 Working Party has published draft Guidelines on Article 49 of the GDPR for comment – see: − http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614232 • Article 49 covers derogations for specific situations to Article 45 Transfers on the basis of an adequacy decision: − 1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: − (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; − (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; − (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; − (d) the transfer is necessary for important reasons of public interest; − (e) the transfer is necessary for the establishment, exercise or defence of legal claims; − (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; − (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case March 28, 2018 151
  • 152.
  • 153.
    Data Governance –Definition and Goals • Definition − The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets • Goals − To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics − To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures − To sponsor, track, and oversee the delivery of data management projects and services − To manage and resolve data related issues − To understand and promote the value of data assets March 28, 2018 153
  • 154.
    March 28, 2018154 Data Governance • Capstone of Data Management initiatives Database Architecture Management Data Warehousing and Business Intelligence Management Data Quality Management Data Security Management Metadata Management Data Development Data Operations Management Reference and Master Data Management Document and Content Management Data Governance
  • 155.
    Data Governance AndGDPR • Data Governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets. • The scope of Data Governance is: − To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics − To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures − To sponsor, track, and oversee the delivery of data management projects and services − To manage and resolve data related issues − To understand and promote the value of data assets • The objectives of Data Governance are: − Guide information management decision-making − Ensure information is consistently defined and well understood − Increase the use and trust of data as an organisation asset − Improve consistency of projects across the organisation − Ensure regulatory compliance − Eliminate data risks • Rather than being a siloed compliance project, GDPR belongs as part of a wider organisation data governance initiative • Data governance is accomplished most effectively as an on-going program and a continual improvement process March 28, 2018 155
  • 156.
    Data Governance • Corefunction of Data Management • Interacts with and influences each of the surrounding ten data management functions • Data governance is the exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets • Data governance function guides how all other data management functions are performed • High-level, executive data stewardship • Data governance is not the same thing as IT governance • Data governance is focused exclusively on the management of data assets March 28, 2018 156
  • 157.
    March 28, 2018157 Data Governance • Shared decision making is the hallmark of data governance • Requires working across organisational and system boundaries • Some decisions are primarily business decisions made with input and guidance from IT • Other decisions are primarily technical decisions made with input and guidance from business data stewards at all levels Business Operating Model IT Leadership Capital Investments Research and Development Funding Data Governance Model Enterprise Information Model Information Needs Information Specifications Quality Requirements Issue Resolution Information Management Strategy Information Management Policies Information Management Standards Information Management Metrics Information Management Services Database Architecture Data Integration Architecture Data Warehousing Architecture Metadata Architecture Technical Metadata Decisions Made by Business Management Decisions Made by IT Management
  • 158.
    Data Governance andIT Governance • IT Governance makes decisions about − IT investments − IT application portfolio − IT project portfolio • IT Governance aligns the IT strategies and investments with enterprise goals and strategies • COBIT (Control Objectives for Information and related Technology) provides standards for IT governance − Only a small portion of the COBIT framework addresses managing information • Some critical issues, such as Sarbanes- Oxley compliance, span the concerns of corporate governance, IT governance, and data • Data Governance is focused exclusively on the management of data assets • Data Governance is at the heart of managing data assets March 28, 2018 158
  • 159.
    March 28, 2018159 Data Governance - Overview •Business Goals •Business Strategies •IT Objectives •IT Strategies •Data Needs •Data Issues •Regulatory Requirements Inputs •Business Executives •IT Executives •Data Stewards •Regulatory Bodies Suppliers •Intranet Website •E-Mail •Metadata Tools •Metadata Repository •Issue Management Tools •Data Governance KPI •Dashboard Tools •Executive Data Stewards •Coordinating Data Stewards •Business Data Stewards •Data Professionals •DM Executive •CIO Participants •Data Policies •Data Standards •Resolved Issues •Data Management Projects and Services •Quality Data and Information •Recognised Data Value Primary Deliverables •Data Producers •Knowledge Workers •Managers and Executives •Data Professionals •Customers Consumers •Data Value •Data Management Cost •Achievement of Objectives •# of Decisions Made •Steward Representation / Coverage •Data Professional Headcount •Data Management Process Maturity Metrics Data Governance
  • 160.
    March 28, 2018160 DMBOK, TOGAF and COBIT TOGAF Defines the Process for Creating a Data Architecture as Part of an Overall Enterprise Architecture COBIT Provides Data Governance as Part of Overall IT Governance DMBOK Provides Detailed for Definition, Implementation and Operation of Data Management and Utilisation Can be a Precursor to Implementing Data Management Can Provide a Maturity Model for Assessing Data Management DMBOK Is a Specific and Comprehensive Data Oriented Framework
  • 161.
    Data Governance Function,Activities and Sub- Activities March 28, 2018 161 Data Governance Data Management Planning Understand Strategic Enterprise Data Needs Develop and Maintain the Data Strategy Establish Data Professional Roles and Organisations Identify and Appoint Data Stewards Establish Data Governance and Stewardship Organisations Develop and Approve Data Policies, Standards, and Procedures Review and Approve Data Architecture Plan and Sponsor Data Management Projects and Services Estimate Data Asset Value and Associated Costs Data Management Control Supervise Data Professional Organisations and Staff Coordinate Data Governance Activities Manage and Resolve Data Related Issues Monitor and Ensure Regulatory Compliance Monitor and Enforce Conformance with Data Policies, Standards and Architecture Oversee Data Management Projects and Services Communicate and Promote the Value of Data Assets
  • 162.
    March 28, 2018162 Data Governance - Possible Organisation Structure Data Governance Structure Organisation Data Governance Council Business Unit Data Governance Councils Data Stewardship Committees Data Stewardship Teams Data Governance Office CIO Data Technologists Data Management Executive
  • 163.
    March 28, 2018163 DMBOK, TOGAF and COBIT – Scope and Overlap DMBOK COBIT TOGAF Data Governance Data Architecture Management Data Management Data Migration Data Development Data Operations Management Reference and Master Data Management Data Warehousing and Business Intelligence Management Document and Content Management Metadata Management Data Quality Management Data Security Management
  • 164.
    COBIT 5 ITGovernance Framework COBIT Evaluate, Direct and Monitor (EDM) 01 Ensure Governance Framework Setting And Maintenance 02 Ensure Benefits Delivery 03 Ensure Risk Optimisation 04 Ensure Resource Optimisation 05 Ensure Stakeholder Transparency Align, Plan and Organise (APO) 01 Manage The IT Management Framework 02 Manage Strategy 03 Manage Enterprise Architecture 04 Manage Innovation 05 Manage Portfolio 06 Manage Budget And Costs 07 Manage Human Resources 08 Manage Relationships 09 Manage Service Agreements 10 Manage Suppliers 11 Manage Quality 12 Manage Risk 13 Manage Security Build, Acquire and Implement (BAI) 01 Manage Programmes And Projects 02 Manage Requirements Definition 03 Manage Solutions Identification And Build 04 Manage Availability And Capacity 05 Manage Organisational Change Enablement 06 Manage Changes 07 Manage Change Acceptance And Transitioning 08 Manage Knowledge 09 Manage Assets 10 Manage Configuration Deliver, Service and Support (DSS) 01 Manage Operations 02 Manage Service Requests And Incidents 03 Manage Problems 04 Manage Continuity 05 Manage Security Services 06 Manage Business Process Controls Monitor, Evaluate and Assess (MEA) 01 Monitor, Evaluate And Assess Performance And Conformance 02 Monitor, Evaluate And Assess The System Of Internal Control 03 Monitor, Evaluate And Assess Compliance With External Requirements March 28, 2018 164
  • 165.
    COBIT 5 –Data Governance Details March 28, 2018 165 COBIT Align, Plan and Organise (APO) APO 01 Manage The IT Management Framework APO 01.06 Define Information (Data) and System Ownership Data Classification Guidelines Data Security And Control Guidelines Data Integrity Procedures
  • 166.
  • 167.
    Data Ethics • Dataethics is concerned with the study and assessment of moral problems related to (generally personal and possibly sensitive) data along its lifecycle from collection or generation to usage • Implicitly, GDPR is concerned with data ethics − While data ethics is an abstract topic and far removed from the initial concerns of becoming compliant with GDPR is the face of business, technical and time challenges it one that will become more important over time • Data ethics includes the use of data process algorithms to derive data products in relation to which there may be moral and ethical concerns • One objective of data ethics is to articulate and communicate what are morally good personal data processing solutions and approaches • The increasing volume of personal data available and collected, both directly and indirectly – behaviour-type data – and associated data technologies – both data storage and data analysis tools and facilities - has extended the gap between what is possible in terms of personal data processing and what is should or legally can happen • The data collectors have substantial power and influence • The growth of free social media platforms means that information directly supplied and information derived from usage patterns is the commodity from which value can be obtained March 28, 2018 167
  • 168.
    Data Ethics • Dataethics issues now arise because: − A very wide range of personal data is readily available from many sources − The cost of integrating data from these many sources continues to fall − The technical abilities to integrate, correlate and derive insight from these data sources are becoming readily and easily available − Individuals, patterns of behaviour and insights about them can be identified very accurately − The locations of individuals can be identified quickly and accurately − Information can be collected, processed and results identified in real-time or near real-time March 28, 2018 168
  • 169.
    Data Ethics • Decreasingsets of data and data processing activities − Data Processing The Organisation World Like to Do − Technical Possible Data Processing − Legally Allowed Data Processing − Ethical Data Processing March 28, 2018 169 Technically Possible Data Processing Data Processing The Organisation World Like to Do Legally Allowed Data Processing Ethical Data Processing
  • 170.
    Summary • The impactof GDPR cannot really be estimated or quantified at this stage • There is a wider context for GDPR • The range of data compliance regulations is only growing • Achieving GDPR compliance has the potential to be very expensive, especially for larger organisations • GDPR compliance should be addressed in the context of wider data governance • Reuse existing methodologies where possible March 28, 2018 170
  • 171.